chore: npmjs trusted publishing [KHCP-17661]

.github/workflows/pr-closed.yaml

@@ -7,8 +7,6 @@ jobs:
   remove-pr-preview-comment:
     name: Remove PR preview comment from PR
     runs-on: ubuntu-latest
-    env:
-      NPM_TOKEN: ${{ secrets.NPM_TOKEN_PUBLIC_PUBLISH }}
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0

.github/workflows/publish.yaml

@@ -7,13 +7,23 @@ on:
       - alpha
       - beta
 
+  pull_request:
+    branches:
+      - main
+      - alpha
+      - beta
+
+permissions:
+  id-token: write
+  contents: read
+  actions: read
+
+
 jobs:
   run-tests:
     name: Tests
     uses: ./.github/workflows/test.yaml
-    # Must pass in secrets here so that the calling workflow can pass in the NPM_TOKEN needed to install private packages.
     secrets:
-      NPM_TOKEN: ${{ secrets.NPM_TOKEN_PUBLIC_PUBLISH }}
       VITE_AUTH_URL: ${{ secrets.VITE_AUTH_URL }}
   publish:
     needs: run-tests
@@ -24,35 +34,100 @@ jobs:
         uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
         with:
           egress-policy: audit
+
+      - name: Remove preview consumption comment
+        if: github.event_name == 'pull_request'
+        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4
+        with:
+          header: pr_preview_consumption
+          delete: true
+          GITHUB_TOKEN: ${{ secrets.KONGPONENTS_BOT_PAT }}
+
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           token: ${{ secrets.KONGPONENTS_BOT_PAT }}
+          fetch-depth: 0
 
       - name: Use Node.js
         uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
+          registry-url: https://registry.npmjs.org
           node-version-file: '.nvmrc'
 
       - name: Install dependencies
         run: yarn install --frozen-lockfile
 
-      - name: Lint
-        run: yarn lint
-
       - name: Build
         run: yarn build
 
-      - name: Create .npmrc
+      - name: Publish package preview
+        id: package-preview
+        # Do not run for `alpha` or `beta` branches
+        if: github.event_name == 'pull_request' && github.actor != 'renovate[bot]' && !contains(github.head_ref || github.ref_name, 'alpha') && !contains(github.head_ref || github.ref_name, 'beta')
         env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN_PUBLIC_PUBLISH }}
-        # Reference the env variable NPM_TOKEN here, not the secret
-        run: echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > .npmrc
+          GITHUB_TOKEN: ${{ secrets.KONGPONENTS_BOT_PAT }}
+        run: |
+          git config user.email "konnectx-engineers+kongponents-bot@konghq.com"
+          git config user.name "Kong UI Bot"
+
+          preid="pr.${{ github.event.pull_request.number }}.$(git rev-parse --short ${{ github.event.pull_request.head.sha }})"
+          tag="pr-${{ github.event.pull_request.number }}"
+          echo "preid=${preid}"
+
+          git checkout ${{ github.head_ref }}
+
+          yarn version --prerelease --preid ${preid} --allow-branch ${{ github.head_ref }} --no-git-tag-version --yes --amend
+
+          package_version=$(jq -r ".version" package.json)
+          package=@kong/kong-auth-elements@"${package_version}"
+
+          npm show "${package}" >/dev/null 2>&1 && npm_show_status=0 || npm_show_status=1
+          if [ $npm_show_status -eq 0 ]; then
+            echo "Package ${package} is already published. Skipping publishing."
+            exit 0
+          fi
+
+          npm_instructions=""
+
+          pkg=$(npm publish --no-git-checks --access public --report-summary --tag "${tag}" | grep "+ "| sed 's/+ //')
+
+          if [[ -z "${pkg}" ]]; then
+            echo "Error publishing package"
+            exit -1
+          fi
+
+          npm_instructions="@$(echo ${pkg}|cut -d'@' -f2)@${tag}"
+
+          echo "npm_instructions<<EOF" >> $GITHUB_OUTPUT
+          echo -e "$npm_instructions" >> $GITHUB_OUTPUT
+          echo "EOF" >> $GITHUB_OUTPUT
+
+      - name: Provide preview link info
+        if: ${{ steps.package-preview.outputs.npm_instructions != '' }}
+        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4
+        with:
+          header: pr_preview_consumption
+          message: |
+             ### Install the preview package from this PR in your consuming application
+
+             In your host project, you may install the preview package version generated by this PR:
+
+             ```sh
+             ${{ steps.package-preview.outputs.npm_instructions }}
+             ```
+          GITHUB_TOKEN: ${{ secrets.KONGPONENTS_BOT_PAT }}
 
       - name: Semantic Release
         uses: cycjimmy/semantic-release-action@16ca923e6ccbb50770c415a0ccd43709a8c5f7a4 # v4.2.2
+        if: github.event_name == 'push'
         env:
           # Since branch protections are on (pushing commits) you need to use a bot PAT
           GITHUB_TOKEN: ${{ secrets.KONGPONENTS_BOT_PAT }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN_PUBLIC_PUBLISH }}
 
+      # as of now cycjimmy/semantic-release-action is not publishing  to npmjs as
+      # trusted publishing is not yet supported, so we want to do a publish as separate step
+      - name: Publish to npm
+        if: github.event_name == 'push'
+        run: |
+          npm publish

.github/workflows/test.yaml

@@ -1,19 +1,10 @@
 name: Tests
 
 on:
-  pull_request:
-    branches:
-      - main
-      - alpha
-      - beta
 
   # Allow workflow to be called by another workflow
   workflow_call:
-    # Must define secrets here so that the calling workflow can pass in the NPM_TOKEN needed to install private packages.
     secrets:
-      NPM_TOKEN:
-        description: 'The NPM_TOKEN passed from the caller workflow as it is not available within workflow_call.'
-        required: true
       VITE_AUTH_URL:
         description: 'The base URL of the KAuth backend, e.g. https://global.api.konghq.tech'
         required: true
@@ -36,13 +27,6 @@ jobs:
         uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
         with:
           egress-policy: audit
-      - name: Remove preview consumption comment
-        if: github.event_name == 'pull_request'
-        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4
-        with:
-          header: pr_preview_consumption
-          delete: true
-          GITHUB_TOKEN: ${{ secrets.KONGPONENTS_BOT_PAT }}
 
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -53,6 +37,7 @@ jobs:
         uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version-file: '.nvmrc'
+          registry-url: https://registry.npmjs.org
 
       - name: Install dependencies
         run: yarn install --frozen-lockfile
@@ -66,73 +51,6 @@ jobs:
       - name: Typecheck
         run: yarn typecheck
 
-      - name: Build
-        if: github.event_name == 'pull_request'
-        run: yarn build
-
-      - name: Create .npmrc
-        env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN_PUBLIC_PUBLISH }}
-        # Reference the env variable NPM_TOKEN here, not the secret
-        run: echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > .npmrc
-
-      - name: Publish package preview
-        id: package-preview
-        # Do not run for `alpha` or `beta` branches
-        if: github.event_name == 'pull_request' && github.actor != 'renovate[bot]' && !contains(github.head_ref || github.ref_name, 'alpha') && !contains(github.head_ref || github.ref_name, 'beta')
-        env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN_PUBLIC_PUBLISH }}
-        run: |
-          git config user.email "konnectx-engineers+kongponents-bot@konghq.com"
-          git config user.name "Kong UI Bot"
-
-          preid="pr.${{ github.event.pull_request.number }}.$(git rev-parse --short ${{ github.event.pull_request.head.sha }})"
-          tag="pr-${{ github.event.pull_request.number }}"
-          echo "preid=${preid}"
-
-          git checkout ${{ github.head_ref }}
-
-          yarn version --prerelease --preid ${preid} --allow-branch ${{ github.head_ref }} --no-git-tag-version --yes --amend
-
-          package_version=$(jq -r ".version" package.json)
-          package=@kong/kong-auth-elements@"${package_version}"
-
-          npm show "${package}" >/dev/null 2>&1 && npm_show_status=0 || npm_show_status=1
-          if [ $npm_show_status -eq 0 ]; then
-            echo "Package ${package} is already published. Skipping publishing."
-            exit 0
-          fi
-
-          npm_instructions=""
-
-          pkg=$(npm publish --no-git-checks --access public --report-summary --tag "${tag}" | grep "+ "| sed 's/+ //')
-
-          if [[ -z "${pkg}" ]]; then
-            echo "Error publishing package"
-            exit -1
-          fi
-
-          npm_instructions="@$(echo ${pkg}|cut -d'@' -f2)@${tag}"
-
-          echo "npm_instructions<<EOF" >> $GITHUB_OUTPUT
-          echo -e "$npm_instructions" >> $GITHUB_OUTPUT
-          echo "EOF" >> $GITHUB_OUTPUT
-
-      - name: Provide preview link info
-        if: ${{ steps.package-preview.outputs.npm_instructions != '' }}
-        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4
-        with:
-          header: pr_preview_consumption
-          message: |
-             ### Install the preview package from this PR in your consuming application
-
-             In your host project, you may install the preview package version generated by this PR:
-
-             ```sh
-             ${{ steps.package-preview.outputs.npm_instructions }}
-             ```
-          GITHUB_TOKEN: ${{ secrets.KONGPONENTS_BOT_PAT }}
-
       - name: Run Cypress component tests
         uses: cypress-io/github-action@b8ba51a856ba5f4c15cf39007636d4ab04f23e3c # v6.10.2
         with:

.nvmrc

@@ -1 +1 @@
-22.18.0
+24.6.0

package.json

@@ -128,7 +128,12 @@
           "changelogFile": "CHANGELOG.md"
         }
       ],
-      "@semantic-release/npm",
+      [
+        "@semantic-release/npm",
+        {
+          "npmPublish": false
+        }
+      ],
       [
         "@semantic-release/git",
         {
@@ -155,7 +160,7 @@
     "node": ">=22.18.0"
   },
   "volta": {
-    "node": "22.18.0",
+    "node": "24.6.0",
     "yarn": "1.22.22"
   }
 }