feat: migrate to Trusted Publishing for npm packages

Major changes:
- Migrate from classic npm tokens to OIDC-based Trusted Publishing
- Add automatic provenance attestation generation
- Update GitHub Actions workflows for enhanced security

Workflow improvements:
- Add id-token: write and contents: read permissions for OIDC
- Add contents: write and pull-requests: write for release automation
- Make auth-token optional in publish action (OIDC when not provided)
- Update npm to latest version before publishing (required for OIDC)

GitHub Actions fixes:
- Add gpg-key-signing parameter to github-config action
- Use printf instead of echo for base64 decoding (prevents shell expansion)
- Upgrade actions/upload-artifact and actions/download-artifact from v3 to v4
- Update Node.js from 16 to 20 (required for npm 11.5+)

Build configuration:
- Add objectAssign option to buble plugin for object spread support
- Fix repository URL case (macpaw → MacPaw) for provenance validation

Benefits:
- No long-lived tokens to manage or rotate
- Automatic cryptographic proof of package origin
- Short-lived OIDC credentials that can't be extracted
- Better security and audit trail

Author: onikiienko

.github/actions/github-config/action.yml

@@ -1,18 +1,21 @@
-name: 'github config'
-description: 'Update GIT config with signing key'
+name: "github config"
+description: "Update GIT config with signing key"
 inputs:
   gpg-key-base64:
-    description: 'Base64 GPG key'
+    description: "Base64 GPG key"
+    required: true
+  gpg-key-signing:
+    description: "Git signing key"
     required: true
 runs:
   using: "composite"
   steps:
     - run: |
         mkdir -p ${GITHUB_WORKSPACE}/.gpg
-        echo ${{ inputs.gpg-key-base64 }} | base64 -d > ${GITHUB_WORKSPACE}/.gpg/private.key
+        printf '%s' "${{ inputs.gpg-key-base64 }}" | base64 -d > ${GITHUB_WORKSPACE}/.gpg/private.key
         gpg --import ${GITHUB_WORKSPACE}/.gpg/private.key
 
-        git config --global user.signingkey <user-signingkey>
+        git config --global user.signingkey ${{ inputs.gpg-key-signing }}
         git config --global commit.gpgsign true
         git config user.name ci-macpaw
         git config user.email [email protected]

.github/actions/prepare-packages/action.yml

@@ -57,7 +57,7 @@ runs:
       run:  tar -czf /tmp/artifact.tar.gz .
 
     - name: Upload artifact
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       with:
         name: ${{ inputs.artifact-name }}
         path: /tmp/artifact.tar.gz

.github/actions/publish/action.yml

@@ -24,7 +24,7 @@ inputs:
     default: ''
   auth-token:
     description: 'The auth token to use'
-    required: true
+    required: false
   use-public-flag:
     description: 'Whether to use the public flag'
     required: false
@@ -43,15 +43,20 @@ runs:
         scope: ${{ inputs.scope }}
 
     - name: Download artifact
-      uses: actions/download-artifact@v3
+      uses: actions/download-artifact@v4
       with:
         name: ${{ inputs.artifact-name }}
 
     - name: Unpack artifact
       shell: bash
       run: tar xf artifact.tar.gz
 
-    - name: Publish
+    - name: Update npm
+      shell: bash
+      run: npm install -g npm@latest
+
+    - name: Publish (with token)
+      if: ${{ inputs.auth-token != '' }}
       shell: bash
       run: |
         if [ "${{ inputs.use-public-flag }}" = "true" ]; then
@@ -61,3 +66,13 @@ runs:
         fi
       env:
         NODE_AUTH_TOKEN: ${{ inputs.auth-token }}
+
+    - name: Publish (with OIDC)
+      if: ${{ inputs.auth-token == '' }}
+      shell: bash
+      run: |
+        if [ "${{ inputs.use-public-flag }}" = "true" ]; then
+          npm publish --access public
+        else
+          npm publish
+        fi

.github/actions/release/action.yml

@@ -2,47 +2,51 @@ name: "Release package action"
 description: "Matches changesets if they are in the release branch, creates a release PR with version updates, otherwise if there are versions update, it will create a release."
 inputs:
   node-version:
-    description: 'The version of Node.js to use'
+    description: "The version of Node.js to use"
     required: true
   node-cache:
-    description: 'The cache key to use for caching Node.js'
+    description: "The cache key to use for caching Node.js"
     required: false
   package-manager:
-    description: 'The package manager to use'
+    description: "The package manager to use"
     required: false
-    default: 'npm'
+    default: "npm"
   registry-url:
-    description: 'The registry URL to use'
+    description: "The registry URL to use"
     required: false
   release-pr-title:
-    description: 'The title of the release PR'
+    description: "The title of the release PR"
     required: false
-    default: 'ci(changesets): :package: version packages'
+    default: "ci(changesets): :package: version packages"
   release-commit-message:
-    description: 'The commit message of the release PR'
+    description: "The commit message of the release PR"
     required: false
-    default: 'ci(changesets): version packages'
+    default: "ci(changesets): version packages"
   github-token:
-    description: 'The github token to use'
+    description: "The github token to use"
     required: true
-  release-command: 
-    description: 'The command to use to release'
+  release-command:
+    description: "The command to use to release"
     required: false
-    default: 'release'
+    default: "release"
   gpg-key-base64:
-    description: 'The base64 encoded GPG key to use'
+    description: "The base64 encoded GPG key to use"
+    required: true
+  gpg-key-signing:
+    description: "The GPG signing key ID"
     required: true
 outputs:
   release-ready:
     description: "Random number"
     value: ${{ steps.output-generator.outputs.release-ready }}
 runs:
   using: composite
-  steps:    
+  steps:
     - name: Configure git user
       uses: ./.github/actions/github-config
       with:
         gpg-key-base64: ${{ inputs.gpg-key-base64 }}
+        gpg-key-signing: ${{ inputs.gpg-key-signing }}
 
     - name: Prepare node
       uses: ./.github/actions/prepare-node

.github/workflows/release.yml

@@ -10,6 +10,9 @@ jobs:
     name: Create release
     runs-on: ubuntu-latest
     continue-on-error: false
+    permissions:
+      contents: write # Required to create release branches and tags
+      pull-requests: write # Required to create release PRs
     outputs:
       releaseReady: ${{ steps.releaseOutputs.outputs.releaseReady }}
     steps:
@@ -23,12 +26,13 @@ jobs:
         uses: ./.github/actions/release
         id: release
         with:
-          node-version: 16
-          release-pr-title: 'chore(release): :package: version update for packages'
-          release-commit-message: 'chore(release): version update for packages'
+          node-version: 20
+          release-pr-title: "chore(release): :package: version update for packages"
+          release-commit-message: "chore(release): version update for packages"
           github-token: ${{ secrets.GITHUB_TOKEN }}
-          release-command: 'changes:release'
+          release-command: "changes:release"
           gpg-key-base64: ${{ secrets.CI_GITHUB_GPG_KEY_BASE64 }}
+          gpg-key-signing: ${{ secrets.CI_GITHUB_GPG_KEY_SIGNING }}
 
       - name: Generate outputs
         id: releaseOutputs
@@ -51,14 +55,17 @@ jobs:
       - name: Prepare
         uses: ./.github/actions/prepare-packages
         with:
-          node-version: 16
-          build-command: 'build'
+          node-version: 20
+          build-command: "build"
 
   publish-npm:
     name: Publish to NPM Registry
     needs: prepare
     runs-on: ubuntu-latest
     continue-on-error: false
+    permissions:
+      id-token: write # Required for OIDC/Trusted Publishing
+      contents: read # Required to checkout code
     steps:
       - name: Cancel previous jobs
         uses: styfle/[email protected]
@@ -69,11 +76,10 @@ jobs:
       - name: Publish to NPM
         uses: ./.github/actions/publish
         with:
-          node-version: 16
-          registry-url: 'https://registry.npmjs.org/'
-          artifact-name: 'package-artifact'
-          scope: '@macpaw'
-          auth-token: ${{ secrets.NPM_TOKEN }}
+          node-version: 20
+          registry-url: "https://registry.npmjs.org/"
+          artifact-name: "package-artifact"
+          scope: "@macpaw"
 
   publish-github:
     name: Publish to Github Registry
@@ -83,15 +89,15 @@ jobs:
     steps:
       - name: Cancel previous jobs
         uses: styfle/[email protected]
-      
+
       - name: Checkout
         uses: actions/checkout@v3
 
       - name: Publish to NPM
         uses: ./.github/actions/publish
         with:
-          node-version: 16
+          node-version: 20
           registry-url: https://npm.pkg.github.com/
-          artifact-name: 'package-artifact'
-          scope: '@macpaw'
+          artifact-name: "package-artifact"
+          scope: "@macpaw"
           auth-token: ${{ secrets.GITHUB_TOKEN }}

rollup.config.js

@@ -7,7 +7,11 @@ const config = {
     format: 'cjs',
     indent: false
   },
-  plugins: [buble()],
+  plugins: [
+    buble({
+      objectAssign: 'Object.assign',
+    }),
+  ],
 };
 
 export default config;