refactor: switched to trusted publishing (#731)

* Revert "refactor: revert previous tries (#727)"

This reverts commit e37b639.

* Add permissions for contents in publish workflow

* Add permissions for contents in publish workflow

* Modify permissions in publish.yml

Updated permissions for the publish workflow.

* Add npm whoami command before publishing

* Update tag extraction method in publish workflow

* Update 02-publish.yml

* Remove npm whoami from publish step

Remove npm whoami command from publish workflow

* Display npm version before publishing to npm

Added echo command to display npm version before publishing.

* Update 02-publish.yml

* Update 02-publish.yml

* Add PNPM initialization step in workflow

* Update 02-publish.yml

* Update 00-init.yml

* Update 00-init.yml

* Update 02-publish.yml

* Update publish.yml

* Update 02-publish.yml

* Update 02-publish.yml

* Update npm publish command in workflow

Remove provenance flag from npm publish command. This is automatically enabled when using trusted publishing.

* Update publish.yml

* Update 02-publish.yml

Author: mfranzke

.github/workflows/02-publish.yml

@@ -17,6 +17,11 @@ jobs:
       - name: 🔄 Init PNPM
         uses: ./.github/actions/pnpm-init
 
+      - name: Setup Node.js
+        uses: actions/setup-node@v5
+        with:
+            node-version-file: ".nvmrc"
+
       - name: ⏬ Download dist
         uses: actions/download-artifact@v5
         with:
@@ -25,16 +30,18 @@ jobs:
 
       - name: 🔀 Extract tag
         shell: bash
-        run: echo "tag=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
+        run: echo "tag=${{ github.ref_name }}" >> $GITHUB_OUTPUT
         id: extractTag
 
       - name: 🔜 Publish to npm
         env:
           TAG: ${{ steps.extractTag.outputs.tag }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_TAG: ${{ github.event.release.prerelease && 'next' || 'latest' }}
         run: |
+          echo "node, npm and release version:"
+          node -v
+          npm -v
           SEMVER_VERSION=$(npx find-versions-cli "$TAG")
           npm version --no-git-tag-version "$SEMVER_VERSION"
           npm config set registry https://registry.npmjs.org/
-          npm set //registry.npmjs.org/:_authToken "$NPM_TOKEN"
-          npm publish --provenance
+          npm publish --tag $NPM_TAG

.github/workflows/publish.yml

@@ -28,4 +28,4 @@ jobs:
     needs: [build, lint, test]
     secrets: inherit
     permissions:
-      id-token: write
+      id-token: write # Required for OIDC