Merge pull request #97 from sourcefuse/GH-96

chore(ci-cd): trusted publishing using oidc

Author: yeshamavani

.github/workflows/release.yaml

@@ -1,23 +1,32 @@
 # This Manually Executable Workflow is for NPM Releases
-
 name: Release [Manual]
 on: workflow_dispatch
+
 permissions:
   contents: write
+  id-token: write   # REQUIRED for trusted publishing
+
 jobs:
   Release:
     runs-on: ubuntu-latest
+    # Specify environment if you configured one in npm
+    # environment: production  # Uncomment if you set an environment name in npm trusted publisher settings
+
     steps:
       - uses: actions/checkout@v3
         with:
           # fetch-depth is necessary to get all tags
           # otherwise lerna can't detect the changes and will end up bumping the versions for all packages
           fetch-depth: 0
           token: ${{ secrets.RELEASE_COMMIT_GH_PAT }}
+
       - name: Setup Node
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4  # UPDATED to v4
         with:
-          node-version: '20.x'
+          node-version: '22'
+          registry-url: 'https://registry.npmjs.org'
+          always-auth: false  # important for trusted publishing
+
       - name: Configure CI Git User
         run: |
           git config --global user.name $CONFIG_USERNAME
@@ -27,26 +36,22 @@ jobs:
           GITHUB_PAT: ${{ secrets.RELEASE_COMMIT_GH_PAT }}
           CONFIG_USERNAME: ${{ vars.RELEASE_COMMIT_USERNAME }}
           CONFIG_EMAIL: ${{ vars.RELEASE_COMMIT_EMAIL }}
-      - name: Authenticate with Registry
-        run: |
-          echo "@${NPM_USERNAME}:registry=https://registry.npmjs.org/" > .npmrc
-          echo "registry=https://registry.npmjs.org/" >> .npmrc
-          echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> .npmrc
-          npm whoami
-        env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-          NPM_USERNAME: ${{ vars.NPM_USERNAME }}
 
       - name: Install 📌
-        run: |
-          npm install
+        run: npm install
+
       - name: Test 🔧
         run: npm run test
+
+      # ✅ CHANGED THIS SECTION
       - name: Semantic Publish to NPM 🚀
-        # "HUSKY=0" disables pre-commit-msg check (Needed in order to allow semantic-release perform the release commit)
-        run: HUSKY=0 npx semantic-release
+        run: |
+          npm config set provenance true
+          HUSKY=0 npx semantic-release
         env:
           GH_TOKEN: ${{ secrets.RELEASE_COMMIT_GH_PAT }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          # REMOVED: NPM_TOKEN is not needed with trusted publishing
+          # The id-token: write permission above handles authentication
+
       - name: Changelog 📝
         run: cd src/release_notes && HUSKY=0 node release-notes.js