ci(npm): migrate publishing to OIDC authentication (#1026)

Sylfwood · web-flow · commit 2cedc05722b9 · 2025-10-30T08:40:10.000-04:00
Issue: DEVOPS-3952
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -5,7 +5,7 @@ on:
     branches:
       - master
   pull_request:
-    types: [ opened, synchronize, reopened ]
+    types: [opened, synchronize, reopened]
   workflow_dispatch:
 
 env:
@@ -56,12 +56,12 @@ jobs:
 
   checks:
     name: Checks [${{ matrix.os }}]
+    needs: [formatting]
     runs-on: ${{ matrix.runner }}
-    needs: formatting
     strategy:
       fail-fast: false
       matrix:
-        os: [ windows, linux, macos ]
+        os: [windows, linux, macos]
         include:
           - os: windows
             runner: windows-latest
@@ -75,17 +75,17 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Install devel packages
-        if: runner.os == 'Linux'
+        if: ${{ runner.os == 'Linux' }}
         run: |
           sudo apt-get -y install libasound2-dev
 
       - name: Install NASM
-        if: runner.os == 'Windows'
-        shell: pwsh
+        if: ${{ runner.os == 'Windows' }}
         run: |
           choco install nasm
           $Env:PATH += ";$Env:ProgramFiles\NASM"
           echo "PATH=$Env:PATH" >> $Env:GITHUB_ENV
+        shell: pwsh
 
       - name: Rust cache
         uses: Swatinem/rust-cache@v2.7.3
@@ -118,8 +118,8 @@ jobs:
 
   fuzz:
     name: Fuzzing
+    needs: [formatting]
     runs-on: ubuntu-latest
-    needs: formatting
 
     steps:
       - uses: actions/checkout@v4
@@ -147,8 +147,8 @@ jobs:
 
   web:
     name: Web Client
+    needs: [formatting]
     runs-on: ubuntu-latest
-    needs: formatting
 
     steps:
       - uses: actions/checkout@v4
@@ -173,8 +173,8 @@ jobs:
 
   ffi:
     name: FFI
+    needs: [formatting]
     runs-on: ubuntu-latest
-    needs: formatting
 
     steps:
       - uses: actions/checkout@v4
@@ -202,20 +202,14 @@ jobs:
 
   success:
     name: Success
-    runs-on: ubuntu-latest
     if: ${{ always() }}
-    needs:
-      - formatting
-      - typos
-      - checks
-      - fuzz
-      - web
-      - ffi
+    needs: [formatting, typos, checks, fuzz, web, ffi]
+    runs-on: ubuntu-latest
 
     steps:
       - name: Check success
-        shell: pwsh
         run: |
           $results = '${{ toJSON(needs.*.result) }}' | ConvertFrom-Json
           $succeeded = $($results | Where { $_ -Ne "success" }).Count -Eq 0
           exit $(if ($succeeded) { 0 } else { 1 })
+        shell: pwsh
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
@@ -5,7 +5,7 @@ on:
     branches:
       - master
   pull_request:
-    types: [ opened, synchronize, reopened ]
+    types: [opened, synchronize, reopened]
   workflow_dispatch:
 
 env:
@@ -32,19 +32,19 @@ jobs:
         run: cargo xtask cov install -v
 
       - name: Generate PR report
-        if: github.event.number != ''
+        if: ${{ github.event.number != '' }}
+        run: cargo xtask cov report-gh --repo "${{ github.repository }}" --pr "${{ github.event.number }}" -v
         env:
           GH_TOKEN: ${{ github.token }}
-        run: cargo xtask cov report-gh --repo "${{ github.repository }}" --pr "${{ github.event.number }}" -v
 
       - name: Configure Git Identity
-        if: github.ref == 'refs/heads/master'
+        if: ${{ github.ref == 'refs/heads/master' }}
         run: |
           git config --local user.name "github-actions[bot]"
           git config --local user.email "github-actions[bot]@users.noreply.github.com"
 
       - name: Update coverage data
-        if: github.ref == 'refs/heads/master'
+        if: ${{ github.ref == 'refs/heads/master' }}
+        run: cargo xtask cov update -v
         env:
           GH_TOKEN: ${{ secrets.DEVOLUTIONSBOT_TOKEN }}
-        run: cargo xtask cov update -v
diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml
@@ -36,12 +36,12 @@ jobs:
 
   fuzz:
     name: Fuzzing ${{ matrix.target }}
+    needs: [corpus-download]
     runs-on: ubuntu-latest
-    needs: corpus-download
     strategy:
       fail-fast: false
       matrix:
-        target: [ pdu_decoding, rle_decompression, bitmap_stream, cliprdr_format, channel_processing ]
+        target: [pdu_decoding, rle_decompression, bitmap_stream, cliprdr_format, channel_processing]
 
     steps:
       - uses: actions/checkout@v4
@@ -108,9 +108,9 @@ jobs:
 
   corpus-merge:
     name: Corpus merge artifacts
-    runs-on: ubuntu-latest
-    needs: fuzz
     if: ${{ always() && !cancelled() }}
+    needs: [fuzz]
+    runs-on: ubuntu-latest
 
     steps:
       - name: Merge Artifacts
@@ -122,9 +122,9 @@ jobs:
 
   corpus-upload:
     name: Upload corpus
-    runs-on: ubuntu-latest
-    needs: corpus-merge
     if: ${{ always() && !cancelled() }}
+    needs: [corpus-merge]
+    runs-on: ubuntu-latest
     env:
       AZURE_STORAGE_KEY: ${{ secrets.CORPUS_AZURE_STORAGE_KEY }}
 
@@ -156,13 +156,13 @@ jobs:
 
   notify:
     name: Notify failure
-    runs-on: ubuntu-latest
     if: ${{ always() && contains(needs.*.result, 'failure') && github.event_name == 'schedule' }}
-    needs:
-      - fuzz
+    needs: [fuzz]
+    runs-on: ubuntu-latest
     env:
       SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_ARCHITECTURE }}
       SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
+
     steps:
       - name: Send slack notification
         id: slack
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
@@ -21,7 +21,6 @@ jobs:
     steps:
       - name: Get dry run
         id: get-dry-run
-        shell: pwsh
         run: |
           $IsDryRun = '${{ github.event.inputs.dry-run }}' -Eq 'true' -Or '${{ github.event_name }}' -Eq 'schedule'
 
@@ -30,13 +29,12 @@ jobs:
           } else {
             echo "dry-run=false" >> $Env:GITHUB_OUTPUT
           }
+        shell: pwsh
 
   build:
     name: Build package [${{matrix.library}}]
+    needs: [preflight]
     runs-on: ubuntu-latest
-    needs:
-      - preflight
-
     strategy:
       fail-fast: false
       matrix:
@@ -49,33 +47,33 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Setup wasm-pack
-        shell: bash
         run: |
           curl https://rustwasm.github.io/wasm-pack/installer/init.sh -sSf | sh
+        shell: bash
 
       - name: Install dependencies
-        shell: pwsh
         run: |
           Set-Location -Path "./web-client/${{matrix.library}}/"
           npm install
+        shell: pwsh
 
       - name: Build package
-        shell: pwsh
         run: |
           Set-PSDebug -Trace 1
 
           Set-Location -Path "./web-client/${{matrix.library}}/"
           npm run build
           Set-Location -Path ./dist
           npm pack
+        shell: pwsh
 
       - name: Harvest package
-        shell: pwsh
         run: |
           Set-PSDebug -Trace 1
 
           New-Item -ItemType "directory" -Path . -Name "npm-packages"
           Get-ChildItem -Path ./web-client/ -Recurse *.tgz | ForEach { Copy-Item $_ "./npm-packages" }
+        shell: pwsh
 
       - name: Upload package artifact
         uses: actions/upload-artifact@v4
@@ -85,8 +83,8 @@ jobs:
 
   npm-merge:
     name: Merge artifacts
+    needs: [build]
     runs-on: ubuntu-latest
-    needs: build
 
     steps:
       - name: Merge Artifacts
@@ -98,12 +96,13 @@ jobs:
 
   publish:
     name: Publish package
-    runs-on: ubuntu-latest
-    if: github.event_name == 'workflow_dispatch'
     environment: publish
-    needs:
-      - preflight
-      - npm-merge
+    if: ${{ github.event_name == 'workflow_dispatch' }}
+    needs: [preflight, npm-merge]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
 
     steps:
       - name: Checkout repository
@@ -117,12 +116,7 @@ jobs:
           name: npm
           path: npm-packages
 
-      - name: Prepare npm
-        shell: pwsh
-        run: npm config set "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}"
-
       - name: Publish
-        shell: pwsh
         run: |
           Set-PSDebug -Trace 1
 
@@ -168,15 +162,10 @@ jobs:
             $publishCmd = $publishCmd -Join ' '
             Invoke-Expression $publishCmd
           }
+        shell: pwsh
 
       - name: Create version tags
         if: ${{ needs.preflight.outputs.dry-run == 'false' }}
-        shell: bash
-        env:
-          GIT_AUTHOR_NAME: github-actions
-          GIT_AUTHOR_EMAIL: github-actions@github.com
-          GIT_COMMITTER_NAME: github-actions
-          GIT_COMMITTER_EMAIL: github-actions@github.com
         run: |
           set -e
 
@@ -202,6 +191,12 @@ jobs:
             git tag "$tag" "$GITHUB_SHA"
             git push origin "$tag"
           done
+        shell: bash
+        env:
+          GIT_AUTHOR_NAME: github-actions
+          GIT_AUTHOR_EMAIL: github-actions@github.com
+          GIT_COMMITTER_NAME: github-actions
+          GIT_COMMITTER_EMAIL: github-actions@github.com
 
       - name: Update Artifactory Cache
         if: ${{ needs.preflight.outputs.dry-run == 'false' }}
@@ -213,14 +208,13 @@ jobs:
 
   notify:
     name: Notify failure
-    runs-on: ubuntu-latest
     if: ${{ always() && contains(needs.*.result, 'failure') && github.event_name == 'schedule' }}
-    needs:
-      - preflight
-      - build
+    needs: [preflight, build]
+    runs-on: ubuntu-latest
     env:
       SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_ARCHITECTURE }}
       SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
+
     steps:
       - name: Send slack notification
         id: slack
diff --git a/.github/workflows/nuget-publish.yml b/.github/workflows/nuget-publish.yml
diff --git a/.github/workflows/release-crates.yml b/.github/workflows/release-crates.yml
