Migrate to OIDC on publishing npm packages in GitHub Actions

[legendecas]

See https://docs.npmjs.com/trusted-publishers for documentations.

Note

Trusted publishing requires npm CLI version 11.5.1 or later.

TL;DR: add the following section in the workflow file to replace ${secrets.NPM_TOKEN}, and create OICD connection on https://www.npmjs.com/package/<package-name>/access:

permissions:
  id-token: write  # Required for OIDC
  contents: read

This should help us get rid of npm tokens in GitHub Actions for publishing packages.

Quick search on npm token usages: https://github.com/search?q=org%3Anodejs+path%3A%22.github%2Fworkflows%22+%22npm+publish%22&type=code

• nodejs/node-gyp
• nodejs/undici
• nodejs/corepack
• nodejs/amaro
• nodejs/caritat
• nodejs/node-core-test
• nodejs/node-api-headers
• nodejs/nodejs.org
• nodejs/require-in-the-middle
• nodejs/node-core-utils
• nodejs/node-addon-api
• nodejs/import-in-the-middle

[targos]

I've set up the connection for @node-core/utils:

[avivkeller]

https://github.com/nodejs/nodejs.org has been migrated to OIDC

[lukekarrys]

Another important note is that npm must be at least v11.5.1. So make sure to add npm install -g npm@latest or npm install -g npm@11 so that OIDC support is available in the npm CLI. I believe this was an issue on the latest node-gyp release nodejs/node-gyp#3201 which I'm attempting to fix in nodejs/node-gyp#3202

[lukekarrys]

@legendecas Would you be able to update the issue body with some mention of the required npm version?