feat: support tokenless trusted publishers (#90)

* feat: support tokenless trusted publishers

* docs: add trusted publisher usage

* fix: prevent error in dry-run publication due to collision with an already published version

* style: typo

* fix: update npm only if needed

* style: use "preferred/legacy" instead of "deprecated"

Author: PierreJeanjacquot

.github/workflows/publish-npm.yml

@@ -81,7 +81,7 @@ on:
         type: boolean
     secrets:
       npm-token:
-        description: "NPM auth token (required unless `dry-run: true`)"
+        description: "NPM auth token (required unless `dry-run: true` or workflow is called by a trusted publisher)"
         required: false
 
 jobs:
@@ -93,16 +93,6 @@ jobs:
       packages: write
       id-token: write
     steps:
-      - name: Ensure npm-token
-        if: ${{ !inputs.dry-run }}
-        run: |
-          if [ -n "${{ secrets.npm-token }}" ]; then
-            echo "`npm-token` secret is set"
-          else
-            echo "Missing `npm-token` secret (required unless `dry-run: true`)"
-            exit 1
-          fi
-
       - name: Download extra artifact
         if: ${{ inputs.artifact-name != '' }}
         uses: actions/download-artifact@v4
@@ -118,6 +108,18 @@ jobs:
           registry-url: ${{ inputs.registry }}
           scope: ${{ inputs.scope }}
 
+      - name: Ensure npm version
+        if: ${{ !inputs.dry-run }}
+        run: |
+          if [ -n "${{ secrets.npm-token }}" ]; then
+            echo "npm-token secret is set not using OIDC"
+          elif [ $(npx semver -r ">=11.5.1" $(npm -v)) ]; then
+            echo "OIDC trusted publishing supported by current npm version"
+          else
+            echo "OIDC trusted publishing requires npm >= 11.5.1, updating npm"
+            npm install -g npm@11
+          fi
+
       - name: Install dependencies
         working-directory: ${{ inputs.working-directory }}
         run: ${{ inputs.install-command }}
@@ -161,7 +163,8 @@ jobs:
 
           DRY_RUN_OPT=""
           if [ "${{ inputs.dry-run }}" = "true" ]; then
-            DRY_RUN_OPT="--dry-run"
+            npm pkg set version=$(npm pkg get version | sed 's/"//g')-dry-run
+            DRY_RUN_OPT="--dry-run --tag dry-run"
           fi
 
           PROVENANCE_OPT=""

publish-npm/README.md

@@ -43,9 +43,9 @@ for the package scope, Node.js version, registry URL, and other options. The wor
 
 ### Secrets 🔐
 
-| **Secret**    | **Description**                                    | **Required** |
-| ------------- | -------------------------------------------------- | ------------ |
-| **npm-token** | NPM auth token (required unless `dry-run: true`)". | No           |
+| **Secret**    | **Description**                                                                                | **Required** |
+| ------------- | ---------------------------------------------------------------------------------------------- | ------------ |
+| **npm-token** | NPM auth token (required unless `dry-run: true` or workflow is called by a trusted publisher). | No           |
 
 ## Job and Steps ⚙️
 
@@ -60,10 +60,52 @@ for the package scope, Node.js version, registry URL, and other options. The wor
 
 ## How to Use This Reusable Workflow 🔄
 
-1. **Save the Workflow File**  
-   Place this YAML file (e.g., `publish-npm.yml`) in the `.github/workflows/` directory of your repository. 💾
+### With Trusted Publishers (preferred)
+
+> ⚠️ this method uses npm >= 11.5.1 ensure your project supports a compatible version of npm if not please use the method with npm token.
+
+1. **Call the Reusable Workflow**
+
+   In another workflow file (e.g., triggered by a release), invoke this reusable workflow like so:
+
+   ```yaml
+   name: Call Publish Package NPM Workflow
+   on:
+     release:
+       types: [published]
+
+   permissions:
+     id-token: write # Required for OIDC
+     packages: write
+     contents: read
+
+   jobs:
+     publish:
+       uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/publish-npm.yml@main
+       with:
+         node-version: "22"
+         build-command: "npm run build:prod"
+         run-tests: true
+         test-command: "npm run test:ci"
+         lint-command: "npm run lint"
+         type-check-command: "npm run check-types"
+         format-check-command: "npm run check-format"
+         # Optional: Download an artifact before building
+         # artifact-name: 'my-build-artifact'
+         # artifact-path: './dist'
+   ```
+
+2. **Configure Trusted Publisher on NPM**
+
+   On [npmjs.com](https://www.npmjs.com/), configure the root publish workflow of your GitHub repository as a trusted publisher for your package.
+   ![trusted publisher](trusted-publisher.png)
+
+   NB: You can have only one trusted publisher per package, if you need multiple publication triggers (workflow_dispatch, release, etc.), you need to merge them into a single workflow referenced as trusted publisher.
+
+### With npm token (legacy)
+
+1. **Call the Reusable Workflow**
 
-2. **Call the Reusable Workflow**  
    In another workflow file (e.g., triggered by a release), invoke this reusable workflow like so:
 
    ```yaml
@@ -90,7 +132,8 @@ for the package scope, Node.js version, registry URL, and other options. The wor
          npm-token: ${{ secrets.NPM_TOKEN }}
    ```
 
-3. **Configure Secrets**  
+2. **Configure Secrets**
+
    Ensure that the `NPM_TOKEN` secret is added to your repository’s settings. This token is required to authenticate
    with the NPM registry during publishing. 🔑