Update release workflows for NPM OIDC trusted publishing (#7100)

Author: jonrohan

.github/workflows/release.yml

@@ -2,9 +2,17 @@ name: Release
 
 on:
   push:
-    branches:
-      - main
-      - next-major
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  id-token: write # Required for OIDC
+  contents: read
+  checks: write
+  statuses: write
 
 jobs:
   release-main:
@@ -46,19 +54,104 @@ jobs:
           publish: npm run release
         env:
           GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
-          NPM_TOKEN: ${{ secrets.NPM_AUTH_TOKEN_SHARED }}
       - uses: ./.github/actions/upload-versions
 
-  release-next-major:
-    if: github.ref_name == 'next-major'
-    name: Next major
-    uses: primer/.github/.github/workflows/release_with_app.yml@v2.0.0
-    with:
-      title: Release tracking (next major)
-    secrets:
-      npm_token: ${{ secrets.NPM_AUTH_TOKEN_SHARED }}
-      app-id: ${{ vars.PRIMER_APP_ID_SHARED }}
-      private-key: ${{ secrets.PRIMER_APP_PRIVATE_KEY_SHARED }}
-      client-id: ${{ vars.PRIMER_APP_CLIENT_ID_SHARED }}
-      client-secret: ${{ secrets.PRIMER_APP_CLIENT_SECRET_SHARED }}
-      installation-id: ${{ vars.PRIMER_APP_INSTALLATION_ID_SHARED }}
+  release-candidate:
+    if: github.ref_name == 'changeset-release/main'
+    name: Candidate (@next)
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+        with:
+          # This makes Actions fetch all Git history so that Changesets can generate changelogs with the correct commits
+          fetch-depth: 0
+
+      - name: Set up Node
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444
+        with:
+          node-version-file: '.nvmrc'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Build
+        run: npm run build
+
+      - name: Publish release candidate
+        run: |
+          if [[ -f '.changeset/pre.json' ]]; then
+            npx changeset pre exit
+            npx changeset version --snapshot
+          else
+            pkg_json_path=packages/react/package.json
+            version=$(jq -r .version $pkg_json_path)
+            echo "$( jq ".version = \"$(echo $version)-rc.$(git rev-parse --short HEAD)\"" $pkg_json_path )" > $pkg_json_path
+          fi
+
+          npx changeset publish --tag next
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Output candidate version
+        uses: actions/github-script@a3e7071a34d7e1f219a8a4de9a5e0a34d1ee1293
+        with:
+          script: |
+            const package = require(`${process.env.GITHUB_WORKSPACE}/packages/react/package.json`)
+            github.repos.createCommitStatus({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              sha: context.sha,
+              state: 'success',
+              context: `Published ${package.name}`,
+              description: package.version,
+              target_url: `https://unpkg.com/${package.name}@${package.version}/`
+            })
+      - uses: ./.github/actions/upload-versions
+
+  release-canary:
+    name: Canary
+    if: github.ref_name != 'main' && github.ref_name != 'changeset-release/main'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+        with:
+          # This makes Actions fetch all Git history so that Changesets can generate changelogs with the correct commits
+          fetch-depth: 0
+      - name: Set up Node
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444
+        with:
+          node-version-file: '.nvmrc'
+          cache: 'npm'
+      - name: Install dependencies
+        run: npm ci
+      - name: Build
+        run: npm run build --if-present
+      - name: Publish canary release
+        run: |
+          if [[ -f '.changeset/pre.json' ]]; then
+            npx changeset pre exit
+          fi
+
+          echo -e "---\n$( jq .name packages/react/package.json ): patch\n---\n\nFake entry to force publishing" > .changeset/force-snapshot-release.md
+          npx changeset version --snapshot
+          npx changeset publish --tag canary
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Output canary version
+        uses: actions/github-script@a3e7071a34d7e1f219a8a4de9a5e0a34d1ee1293
+        with:
+          script: |
+            const package = require(`${process.env.GITHUB_WORKSPACE}/packages/react/package.json`)
+            github.repos.createCommitStatus({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              sha: context.sha,
+              state: 'success',
+              context: `Published ${package.name}`,
+              description: package.version,
+              target_url: `https://unpkg.com/${package.name}@${package.version}/`
+            })
+      - uses: ./.github/actions/upload-versions

.github/workflows/release_canary.yml

@@ -23,6 +23,10 @@
     "src",
     "README.md"
   ],
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/primer/react.git"
+  },
   "scripts": {
     "clean": "rimraf dist",
     "build": "rollup -c",

.github/workflows/release_candidate.yml

@@ -51,7 +51,10 @@
     "type-check": "tsc --noEmit",
     "type-css-modules": "tcm -p src/**/*.module.css"
   },
-  "repository": "primer/react",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/primer/react.git"
+  },
   "keywords": [
     "react",
     "components",

packages/mcp/package.json

@@ -21,6 +21,10 @@
     "README.md",
     "dist"
   ],
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/primer/react.git"
+  },
   "scripts": {
     "build": "script/build",
     "clean": "rimraf dist",