chore: enable trusted publishing for npm packages (#4053)

Author: 2heal1

.github/workflows/preview.yml

@@ -0,0 +1,51 @@
+# https://github.com/stackblitz-labs/pkg.pr.new
+name: Preview Release
+
+on:
+  push:
+    branches: [main]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  preview:
+    if: github.repository == 'module-federation/core'
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 25
+
+      - name: Setup Node.js
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        with:
+          node-version: 22
+          cache: 'pnpm'
+
+      # Update npm to the latest version to enable OIDC
+      # Use corepack to install pnpm
+      - name: Setup Package Managers
+        run: |
+          npm install -g npm@latest
+          npm --version
+          npm install -g corepack@latest --force
+          corepack prepare [email protected] --activate
+          corepack enable
+
+      - name: Install deps
+        run: pnpm install
+
+      - name: Build and test Packages
+        run: |
+          git fetch origin main
+          npx nx run-many --targets=build --projects=tag:type:pkg --skip-nx-cache
+          ls -l packages/*/dist packages/*/package.json
+
+      - name: Publish Preview
+        run: |
+          npm i -g [email protected]
+          pkg-pr-new publish --compact --pnpm ./packages/*

.github/workflows/release.yml

@@ -25,23 +25,29 @@ jobs:
     name: Release
     if: ${{ github.event_name == 'workflow_dispatch' || github.event_name == 'push' }}
     runs-on: ubuntu-latest
+    environment: npm
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 25
 
-      - name: Install Pnpm
+      - name: Setup Node.js
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        with:
+          node-version: 22
+          cache: 'pnpm'
+
+      # Update npm to the latest version to enable OIDC
+      # Use corepack to install pnpm
+      - name: Setup Package Managers
         run: |
+          npm install -g npm@latest
+          npm --version
+          npm install -g corepack@latest --force
           corepack prepare [email protected] --activate
           corepack enable
 
-      - name: Setup Node.js 18
-        uses: actions/setup-node@v3
-        with:
-          node-version: '18'
-          cache: 'pnpm'
-
       - name: Install deps
         run: pnpm install
 
@@ -52,15 +58,17 @@ jobs:
           npx nx run-many --targets=build --projects=tag:type:metro
           ls -l packages/*/dist packages/*/package.json
 
-      - name: Release
-        uses: module-federation/actions@v2
+      - uses: actions/github-script@v7
+        id: version_to_release
         with:
-          version: ${{ github.event.inputs.version  || 'next' }}
-          branch: ${{ github.event.inputs.branch }}
-          type: 'release'
-          tools: 'changeset'
-        env:
-          GITHUB_TOKEN: ${{ secrets.REPO_SCOPED_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-          REPOSITORY: ${{ github.repository }}
-          REF: ${{ github.ref }}
+          result-encoding: string
+          script: |
+            const fs = require('fs');
+            const packageJson = JSON.parse(fs.readFileSync('./packages/runtime/package.json', 'utf8'));
+            return 'v' + packageJson.version;
+
+      - name: Publish to npm
+        run: |
+          git tag ${{ steps.version_to_release.outputs.result }}
+          git push origin ${{ steps.version_to_release.outputs.result }}
+          pnpm -r publish --tag ${{ github.event.inputs.npm_tag }} --publish-branch ${{ github.event.inputs.branch }}

packages/cli/package.json

@@ -37,7 +37,6 @@
   },
   "publishConfig": {
     "access": "public",
-    "provenance": true,
     "registry": "https://registry.npmjs.org/"
   }
 }

packages/rsbuild-plugin/package.json

@@ -70,7 +70,6 @@
   },
   "publishConfig": {
     "access": "public",
-    "provenance": true,
     "registry": "https://registry.npmjs.org/"
   }
 }