chore: update NPM to ^11.5.1, switch to OIDC NPM Auth (#1256)

## This PR
- updates the NPM version to `^11.5.1` needed for OIDC NPM auth:
https://docs.npmjs.com/trusted-publishers/#github-actions-configuration
- Switches from NPM tokens to NPM OIDC auth so we can disable NPM
publish tokens.
- updates the base node version in actions to node 22 (current LTS)

<!-- av pr metadata
This information is embedded by the av CLI when creating PRs to track
the status of stacks when using Aviator. Please do not delete or edit
this section of the PR.
```
{"parent":"main","parentHead":"","trunk":"main"}
```
-->

---------

Signed-off-by: Jonathan Norris <[email protected]>

Author: jonathannorris

.github/workflows/audit-pending-releases.yml

@@ -1,7 +1,7 @@
 on:
   push:
     branches:
-      - 'release-please**'
+      - "release-please**"
 
 env:
   CORE_PACKAGE: core
@@ -29,6 +29,6 @@ jobs:
       - name: Setup Node
         uses: actions/setup-node@v4
         with:
-          node-version: 20
+          node-version-file: ".nvmrc"
           registry-url: "https://registry.npmjs.org"
-          cache: 'npm'
+          cache: "npm"

.github/workflows/coverage.yml

@@ -15,9 +15,9 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          registry-url: 'https://registry.npmjs.org'
-          node-version: 20
-          cache: 'npm'
+          registry-url: "https://registry.npmjs.org"
+          node-version-file: ".nvmrc"
+          cache: "npm"
 
       - name: Install
         run: npm ci

.github/workflows/pr-checks.yaml

@@ -26,7 +26,7 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
-          cache: 'npm'
+          cache: "npm"
 
       - name: Install
         run: npm ci
@@ -50,8 +50,8 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version: 20
-          cache: 'npm'
+          node-version-file: ".nvmrc"
+          cache: "npm"
 
       - name: Install
         run: npm ci
@@ -72,8 +72,8 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version: 20
-          cache: 'npm'
+          node-version-file: ".nvmrc"
+          cache: "npm"
 
       - name: Install
         run: npm ci

.github/workflows/release-please.yml

@@ -2,7 +2,9 @@ on:
   push:
     branches:
       - main
+
 name: Run Release Please
+
 jobs:
   release-please:
     runs-on: ubuntu-latest
@@ -27,28 +29,31 @@ jobs:
     if: ${{ fromJSON(needs.release-please.outputs.paths_released)[0] != null }}
     # Continues with the release process even if SBOM generation fails.
     continue-on-error: true
+    permissions:
+      id-token: write
+      attestations: write
+      contents: read
     strategy:
       matrix:
         release: ${{ fromJSON(needs.release-please.outputs.paths_released) }}
-    env:
-      TAG: ${{ fromJSON(needs.release-please.outputs.all)[format('{0}--tag_name', matrix.release)] }}
     steps:
       - name: Checkout Repository
         uses: actions/checkout@v4
       - name: Setup Node
         uses: actions/setup-node@v4
         with:
-          node-version: 20
+          node-version-file: ".nvmrc"
+      - name: Update npm to >=11.5.1 (for OIDC support)
+        run: npm install -g npm@^11.5.1
+      - name: Install dependencies
+        run: npm ci
       - name: Generate SBOM
-        run: |
-          npm install -g npm@^10.2.0
-          npm ci
-          npm sbom --sbom-format=cyclonedx --omit=dev --omit=peer --workspace=${{matrix.release}} > bom.json
-      - name: Attach SBOM to artifact
-        env:
-          GITHUB_TOKEN: ${{secrets.RELEASE_PLEASE_ACTION_TOKEN}}
-        run:
-          gh release upload $TAG bom.json
+        run: npm sbom --sbom-format=cyclonedx --omit=dev --omit=peer --workspace=${{ matrix.release }} > sbom.json
+      - name: Attest SBOM
+        uses: actions/attest-sbom@v3
+        with:
+          subject-path: ${{ matrix.release }}/package.json
+          sbom-path: ./sbom.json
 
   npm-release:
     needs: release-please
@@ -65,9 +70,11 @@ jobs:
       - name: Setup Node
         uses: actions/setup-node@v4
         with:
-          node-version: 20
+          node-version-file: ".nvmrc"
           registry-url: "https://registry.npmjs.org"
-          cache: 'npm'
+          cache: "npm"
+      - name: Update npm (for OIDC auth)
+        run: npm install -g npm@^11.5.1
       - name: Build Packages
         run: |
           npm ci
@@ -77,7 +84,6 @@ jobs:
       # Our scripts only publish versions that do not already exist.
       - name: Publish to NPM
         env:
-          NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
           # https://docs.npmjs.com/generating-provenance-statements
           NPM_CONFIG_PROVENANCE: true
         run: npm run publish-all

.gitignore

@@ -112,6 +112,7 @@ typedoc
 
 # IDE
 .idea
+.cursor/
 
 # license files copied from root
 packages/**/LICENSE

.nvmrc

@@ -0,0 +1,2 @@
+22
+