Merge pull request #1072 from NordicSemiconductor/push-vpnyyqtmqvws

Switch to trusted publishing for npm

Author: datenreisender

.github/workflows/auto-publish-shared.yml

@@ -1,8 +1,6 @@
 name: Auto-publish shared
 
-on:
-    push:
-        branches: [main]
+on: workflow_call
 
 jobs:
     check:

.github/workflows/npm-publish-switch.yml

@@ -0,0 +1,39 @@
+name: Release shared
+
+# With the trusted publisher model, npm now allows only a single workflow to
+# be registered as the trusted publisher. But this workflow can then invoke
+# other workflows, which may do the actual publishing.
+
+# So this workflow will act as a switch which:
+# - If run on main branch as a result of a push, will check try to
+#   automatically release a new version
+# - Can be run directly to explicitly publish a new version to npm (which only
+#   makes sense when running it on a branch apart from main, because there the
+#   auto-publish workflow will take care of it)
+#
+# The idea of this setup is also shown in
+# https://github.com/orgs/community/discussions/174507#discussioncomment-14723818
+
+on:
+    push:
+        branches: [main]
+    workflow_dispatch:
+        inputs:
+            ref:
+                description:
+                    Ref (Tag, branch, commit SHA) to release. Defaults to from
+                    where the workflow is triggered, usually the main branch.
+                required: false
+                type: string
+
+jobs:
+    auto-publish:
+        if: ${{ github.event_name == 'push' }}
+        uses: ./.github/workflows/auto-publish-shared.yml
+        secrets: inherit
+
+    explicit-publish:
+        if: ${{ github.event_name == 'workflow_dispatch' }}
+        uses: ./.github/workflows/release-shared.yml
+        with:
+            ref: ${{ inputs.ref }}

.github/workflows/release-shared.yml

@@ -1,15 +1,14 @@
 name: Release shared
 
 on:
-    workflow_dispatch:
+    workflow_call:
         inputs:
             ref:
                 description:
                     Ref (Tag, branch, commit SHA) to release. Defaults to from
                     where the workflow is triggered, usually the main branch.
                 required: false
                 type: string
-    workflow_call:
 
 jobs:
     release:
@@ -36,6 +35,7 @@ jobs:
                     exit 1
                   fi
 
+            - run: npm install --global npm@latest
             - run: npm ci
             - run: npm run check
             - run: npm test
@@ -60,6 +60,4 @@ jobs:
                     --notes-file release_notes.md
 
             - name: Publish to npm
-              env:
-                  NODE_AUTH_TOKEN: ${{ secrets.WAYLAND_NPM_TOKEN }}
-              run: npm publish --provenance
+              run: npm publish