chore: add a new workflow for npm publish with trusted publishing #14661

Open
sarayev wants to merge 1 commit into aws-amplify:main from sarayev:onboard-npm-trusted-publishing

sarayev (Contributor) commented Dec 17, 2025

Description of changes

Adding a new workflow to onboard the amplify-js packages to trusted publishing from npm, following the onboarding guide here.

Issue #, if available

Description of how you validated changes

It is close to impossible to test this without merging the changes first, and verifying them as part of the 'normal' release we make to the NPM. As the test will follow in this way:

  1. Merge this pull request.
  2. Update NPM registry to add the new workflow as trusted publisher.
  3. Disable/remove the existing granular access token we have in the environment.
  4. Merge a change to the main branch, to see if the release gets published in NPM successfully.

As NPM requires the workflow to be present, and it will only allow to publish from aws-amplify/amplify-js repo, it is not straightforward to test it with forks.

Checklist

  • PR description included
  • yarn test passes
  • [N/A] Unit Tests are changed or added
  • [N/A] Relevant documentation is changed or added (and PR referenced)

Checklist for repo maintainers

  • Verify E2E tests for existing workflows are working as expected or add E2E tests for newly added workflows
  • New source file paths included in this PR have been added to CODEOWNERS, if appropriate

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@sarayev sarayev requested a review from a team as a code owner December 17, 2025 14:25
@sarayev sarayev force-pushed the onboard-npm-trusted-publishing branch from a70c63c to f8969fa Compare January 2, 2026 15:28

osama-rizk (Contributor) left a comment

Can you please add more information about testing/verifying these changes?

sarayev (Contributor, Author) commented Jan 5, 2026

> Can you please add more information about testing/verifying these changes?

It is close to impossible to test this without merging the changes first, and verifying them as part of the 'normal' release we make to the NPM. As the test will follow in this way:

  1. Merge this pull request.
  2. Update NPM registry to add the new workflow as trusted publisher.
  3. Disable/remove the existing granular access token we have in the environment.
  4. Merge a change to the main branch, to see if the release gets published in NPM successfully.

As NPM requires the workflow to be present, and it will only allow to publish from aws-amplify/amplify-js repo, it is not straightforward to test it with forks.

- name: Setup node and build the repository
uses: ./amplify-js/.github/actions/node-and-build

- name: Authenticate with npm (trusted publishers)

adrianjoshua-strutt (Member) commented Jan 5, 2026

Maybe I am misunderstanding something. Why are we still manually handling tokens via NPM_TOKEN? I thought that trusted publishers would allow us to register callable-npm-publish-trusted.yml with NPM and GitHub would automatically verify our call via an oidc token. This is done by setting id-token: write permissions.

Also I am not able to tell where the NPM_TOKEN is supposed to be coming from here. I fear that we would always run in the else branch, resulting in an error. If I am understanding this correctly, we would therefore need to remove the npm-auth step and also update ./amplify-js/.github/actions/npm-publish to not require npm_token anymore.
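
An added example, not part of this pull request or the amplify-js repository: a heuristic check for the concern raised in the review comment above, namely that a workflow meant for trusted publishing grants `id-token: write` and no longer references a long-lived token. Both workflow samples are constructed, and `NODE_AUTH_TOKEN` and the rule names are assumptions of this example.

```javascript
// Added example: heuristic, line-based audit of a GitHub Actions workflow.
// It matches text patterns only; it does not parse YAML or follow reusable workflows.

// Constructed sample of a token-based publish job (not the workflow from this PR).
const TOKEN_WORKFLOW = `
permissions:
  contents: read
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - run: echo "//registry.npmjs.org/:_authToken=\${NPM_TOKEN}" > ~/.npmrc
        env:
          NPM_TOKEN: \${{ secrets.NPM_TOKEN }}
      - run: npm publish
`;

// Constructed sample of an OIDC-only publish job.
const OIDC_WORKFLOW = `
permissions:
  contents: read
  id-token: write   # lets the job request an OIDC token
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - run: npm publish
`;

function auditTrustedPublishing(workflowText) {
  const findings = [];
  // Drop YAML comments so commented-out settings are not counted.
  const lines = workflowText.split(/\r?\n/).map((l) => l.replace(/(^|\s)#.*$/, ''));
  if (!lines.some((l) => /^\s*id-token:\s*write\s*$/.test(l))) {
    findings.push({ line: 0, rule: 'missing-id-token-write' });
  }
  lines.forEach((l, i) => {
    // Any mention of a token variable means the job still depends on a stored secret.
    if (/\b(NPM_TOKEN|NODE_AUTH_TOKEN)\b/.test(l)) {
      findings.push({ line: i + 1, rule: 'token-reference' });
    }
    // A token written into .npmrc is the manual auth step the reviewer questions.
    if (/:_authToken=/.test(l)) {
      findings.push({ line: i + 1, rule: 'npmrc-auth-token' });
    }
  });
  return findings;
}

for (const [name, text] of [['token', TOKEN_WORKFLOW], ['oidc', OIDC_WORKFLOW]]) {
  console.log(name, auditTrustedPublishing(text));
}
```

An empty result means none of these text patterns matched; it does not prove the publish will succeed, since the trusted publisher entry on the npm side is outside what the file shows.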
