build: configure release as trusted publisher (#165)

Author: scolladon

.github/actions/install/action.yml

@@ -10,7 +10,7 @@ runs:
       run: echo "dir=$(npm config get cache)" >> "$GITHUB_OUTPUT"
       shell: bash
 
-    - uses: actions/cache@v4
+    - uses: actions/cache@v5
       with:
         path: ${{ steps.cache-dir.outputs.dir }}
         key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}

.github/workflows/manual-deprecate-versions.yml

@@ -0,0 +1,185 @@
+---
+name: NPM Service
+
+on:
+  release:
+    types: [published]
+  pull_request:
+    branches: [main]
+    types: [opened, synchronize, reopened, closed]
+    paths-ignore:
+      - "**.md"
+  workflow_dispatch:
+    inputs:
+      version-alias:
+        description: version alias to map to a version number
+        required: true
+        type: choice
+        options:
+          - stable
+          - latest
+          - latest-rc
+      version-number:
+        description: version number (semver format)
+        required: true
+        default: vX.Y.Z
+        type: string
+
+permissions:
+  contents: read
+  id-token: write
+
+# Manage concurrency to stop running jobs and start new ones in case of new commit pushed
+concurrency:
+  group: ${{ github.ref }}-${{ github.workflow }}
+  cancel-in-progress: true
+
+jobs:
+  publish:
+    if: github.event_name == 'release' || (github.event_name == 'pull_request' && github.actor != 'dependabot[bot]' && github.event.pull_request.merged == false)
+    runs-on: ubuntu-latest
+    outputs:
+      channel: ${{ steps.publish.outputs.channel }}
+    permissions:
+      id-token: write
+      contents: read
+      pull-requests: write
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/setup-node@v6
+        with:
+          node-version: 20
+          registry-url: "https://registry.npmjs.org"
+      - run: npm install -g npm@latest
+      - uses: ./.github/actions/install
+
+      # Dev version setup (PR only)
+      - name: Compute dev version
+        if: github.event_name == 'pull_request'
+        id: version
+        run: |
+          CURRENT_VERSION=$(jq -r '.version' package.json)
+          DEV_CHANNEL="dev-${{ github.event.pull_request.number }}"
+          DEV_VERSION="${CURRENT_VERSION}-${DEV_CHANNEL}.${{ github.run_id }}-${{ github.run_attempt }}"
+          echo "channel=$DEV_CHANNEL" >> "$GITHUB_OUTPUT"
+          echo "version=$DEV_VERSION" >> "$GITHUB_OUTPUT"
+
+      - name: Set dev version
+        if: github.event_name == 'pull_request'
+        env:
+          DEV_CHANNEL: ${{ steps.version.outputs.channel }}
+        run: |
+          git config --global user.email "${DEV_CHANNEL}@github.com"
+          git config --global user.name "$DEV_CHANNEL"
+          npm version "${{ steps.version.outputs.version }}" --no-git-tag-version
+
+      # Publish (unified with conditional channel)
+      - name: Publish
+        id: publish
+        env:
+          DEV_CHANNEL: ${{ steps.version.outputs.channel }}
+          RELEASE_TAG: ${{ github.event.release.tag_name }}
+          EVENT_NAME: ${{ github.event_name }}
+        run: |
+          if [ "$EVENT_NAME" = "pull_request" ]; then
+            CHANNEL="$DEV_CHANNEL"
+          else
+            CHANNEL="latest-rc"
+          fi
+          npm publish --provenance --access public --tag "$CHANNEL"
+          # For e2e: PR uses dev channel, release uses tag name (e.g., v1.5.0)
+          if [ "$EVENT_NAME" = "pull_request" ]; then
+            echo "channel=$DEV_CHANNEL" >> "$GITHUB_OUTPUT"
+          else
+            echo "channel=$RELEASE_TAG" >> "$GITHUB_OUTPUT"
+          fi
+
+      # Comment PR (PR only)
+      - name: Comment PR
+        if: github.event_name == 'pull_request'
+        uses: thollander/actions-comment-pull-request@v3
+        env:
+          DEV_CHANNEL: ${{ steps.version.outputs.channel }}
+        with:
+          message: |
+            Published under `${{ env.DEV_CHANNEL }}` npm channel.
+            ```sh
+            $ sf plugins install sf-git-merge-driver@${{ env.DEV_CHANNEL }}
+            ```
+          comment-tag: dev-publish
+          mode: recreate
+
+  e2e-tests:
+    needs: [publish]
+    uses: ./.github/workflows/run-e2e-tests.yml
+    with:
+      channel: ${{ needs.publish.outputs.channel }}
+
+  manage-version:
+    if: github.event_name == 'workflow_dispatch'
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - name: Checkout sources
+        uses: actions/checkout@v6
+
+      - name: Setup node
+        uses: actions/setup-node@v6
+        with:
+          node-version: 20
+          registry-url: "https://registry.npmjs.org"
+
+      - run: npm install -g npm@latest
+
+      - name: Add dist-tag
+        env:
+          VERSION_NUMBER: ${{ github.event.inputs.version-number }}
+          VERSION_ALIAS: ${{ github.event.inputs.version-alias }}
+        run: npm dist-tag add "sf-git-merge-driver@${VERSION_NUMBER}" "$VERSION_ALIAS"
+
+  cleanup:
+    if: ${{ github.event.pull_request.merged }}
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+      pull-requests: write
+    steps:
+      - uses: actions/checkout@v6
+      
+      - uses: jwalton/gh-find-current-pr@master
+        id: pr-number
+        with:
+          state: closed
+
+      - name: Set dev channel value
+        id: set-dev-channel
+        run: |
+          DEV_CHANNEL="dev-${{ steps.pr-number.outputs.pr }}"
+
+      - uses: actions/setup-node@v6
+        with:
+          node-version: 20
+          registry-url: "https://registry.npmjs.org"
+
+      - run: npm install -g npm@latest
+
+      - name: Remove dist-tag
+        run: npm dist-tag rm sf-git-merge-driver "${DEV_CHANNEL}" || true
+
+      - name: Deprecate related dev versions
+        run: |
+          npm view sf-git-merge-driver versions --json | jq -r '.[]' | grep "\-dev-${DEV_CHANNEL}\." | xargs -I {} npm deprecate "sf-git-merge-driver@{}" "Deprecated dev version" || true
+
+      - name: Delete package dev channel PR comment
+        uses: thollander/actions-comment-pull-request@v3
+        with:
+          message: |
+            Published under `${DEV_CHANNEL}` npm channel.
+            ```sh
+            $ sf plugins install sf-git-merge-driver@${DEV_CHANNEL}
+            ```
+          comment-tag: dev-publish
+          mode: delete

.github/workflows/manual-manage-versions.yml

@@ -8,6 +8,9 @@ on:
     paths-ignore:
       - "**.md"
 
+permissions:
+  contents: 'read'
+
 jobs:
   build:
     uses: ./.github/workflows/reusable-build.yml
@@ -16,42 +19,11 @@ jobs:
   prepare-release:
     needs: [build]
     runs-on: ubuntu-latest
-    outputs:
-      release_created: ${{ steps.release.outputs.release_created }}
-      prs_created: ${{ steps.release.outputs.prs_created }}
-      version: ${{ steps.release.outputs.version }}
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       - uses: googleapis/release-please-action@v4
-        id: release
         with:
           token: ${{ secrets.RELEASE_PAT }}
           release-type: node
-
-  release:
-    needs: [prepare-release]
-    runs-on: ubuntu-latest
-    if: ${{ needs.prepare-release.outputs.release_created == 'true' }}
-    steps:
-      - name: Checkout sources
-        uses: actions/checkout@v6
-
-      - name: Setup node
-        uses: actions/setup-node@v4
-        with:
-          node-version: 20
-          registry-url: 'https://registry.npmjs.org'
-
-      - name: Setup dependencies, cache and install
-        uses: ./.github/actions/install
-
-      - name: Publish to npm
-        run: npm publish --access public --tag latest-rc
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-
-  test-release:
-    uses: ./.github/workflows/run-e2e-tests.yml
-    needs: [prepare-release, release]
-    with:
-      channel: ${{ needs.prepare-release.outputs.version }}
-    secrets: inherit