From 2ea2c9d9eec8c007002dd5d06c7bc0d7b3bf82c8 Mon Sep 17 00:00:00 2001 From: CrazyMax <1951866+crazy-max@users.noreply.github.com> Date: Thu, 18 Dec 2025 12:02:36 +0100 Subject: [PATCH 1/2] ci: use trusted publishing to publish our npm package Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com> --- .github/workflows/publish.yml | 41 +++++++++++++++++++++++++++++------ dev.Dockerfile | 21 ------------------ docker-bake.hcl | 17 --------------- 3 files changed, 34 insertions(+), 45 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 99a5b96e..0dbb23c9 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -1,5 +1,9 @@ name: publish +permissions: + id-token: write # required for OIDC + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true @@ -9,17 +13,40 @@ on: tags: - 'v*' +env: + NODE_VERSION: "24" # at least Node 24 is required for Trusted Publishing with OIDC + jobs: publish: runs-on: ubuntu-latest steps: - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + name: Checkout + uses: actions/checkout@v6 - - name: Publish - uses: docker/bake-action@v6 + name: Enable corepack + run: | + corepack enable + yarn --version + - + name: Setup Node + uses: actions/setup-node@v6 with: - targets: publish - env: - NODE_AUTH_TOKEN: ${{ secrets.NODE_AUTH_TOKEN }} + node-version: ${{ env.NODE_VERSION }} + cache: 'yarn' + - + name: Print versions + run: | + node --version + npm --version + yarn --version + - + name: Build + run: | + yarn install + yarn run build + - + name: Publish + run: | + npm version --no-git-tag-version ${GITHUB_REF#refs/tags/v} + npm publish --access public diff --git a/dev.Dockerfile b/dev.Dockerfile index 8b72dcf4..42946f16 100644 --- a/dev.Dockerfile +++ b/dev.Dockerfile 
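Review bot: The `id-token: write` grant added at the top of the workflow applies to every job in the file, whereas only the `publish` job needs to mint an OIDC token; moving the block under `jobs.publish` keeps the identity scoped to that job and survives future job additions. The replacement is `permissions:` / `id-token: write` / `contents: read` nested under `publish:` (three lines), with the workflow-level block dropped. With a single job the two forms are equivalent today, so this is a least-privilege style point rather than a defect.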
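Review bot: The Build step's `yarn install` does not request an immutable install, so lockfile drift would be silently accepted during a release build; `yarn install --immutable` makes the step fail instead (Yarn Berry, which the corepack step enables here, presumably defaults to this under CI, but the explicit flag documents the intent). `actions/checkout@v6` and `actions/setup-node@v6` are mutable major-version tags; because this job now holds an OIDC identity that npm trusts for publishing, pinning both to full-length commit SHAs with the tag kept in a trailing comment is the usual hardening. The comment on `NODE_VERSION` would read more accurately as `# Node 24 bundles an npm CLI new enough for Trusted Publishing (OIDC)`, since it is the npm CLI rather than Node itself that the registry flow depends on — worth confirming against npm's documentation.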
@@ -101,24 +101,3 @@ RUN --mount=type=bind,target=.,rw \ FROM scratch AS test-coverage COPY --from=test /tmp/coverage / - -FROM base AS publish -ARG GITHUB_REF -RUN --mount=type=bind,target=.,rw \ - --mount=type=cache,target=/src/.yarn/cache \ - --mount=type=cache,target=/src/node_modules \ - --mount=type=secret,id=NODE_AUTH_TOKEN,env=NODE_AUTH_TOKEN < Date: Thu, 18 Dec 2025 12:03:29 +0100 Subject: [PATCH 2/2] ci(publish): generate provenance attestation Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com> --- .github/workflows/publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 0dbb23c9..4fe610f8 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -49,4 +49,4 @@ jobs: name: Publish run: | npm version --no-git-tag-version ${GITHUB_REF#refs/tags/v} - npm publish --access public + npm publish --provenance --access public
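Review bot: `npm publish --provenance` fails the release if package.json's `repository` URL does not match the repository producing the attestation, so this hunk depends on that field being set correctly; worth verifying before the first tagged run. With Trusted Publishing via OIDC, npm is expected to generate provenance automatically, so the flag is presumably redundant but harmless here, and keeping it makes the intent explicit. The Publish step's `run:` block starts inside the hunk, while its enclosing job definition is outside it.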