From ee855a880316c47ceff4dff334c5c6f93d17f697 Mon Sep 17 00:00:00 2001
From: Luke Karrys <luke@lukekarrys.com>
Date: Mon, 6 May 2024 09:58:13 -0700
Subject: [PATCH] chore: auto publish (#64)

---
 .github/workflows/release-integration.yml | 23 ++++++++++++++++-------
 .github/workflows/release.yml             |  6 +++++-
 package.json                              |  3 ++-
 3 files changed, 23 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/release-integration.yml b/.github/workflows/release-integration.yml
index 9bb7bf2..130578e 100644
--- a/.github/workflows/release-integration.yml
+++ b/.github/workflows/release-integration.yml
@@ -15,17 +15,24 @@ on:
         required: true
         type: string
         description: 'A json array of releases. Required fields: publish: tagName, publishTag. publish check: pkgName, version'
+    secrets:
+      PUBLISH_TOKEN:
+        required: true
 
 jobs:
   publish:
-    name: Check Publish
+    name: Publish
     runs-on: ubuntu-latest
     defaults:
       run:
         shell: bash
+    permissions:
+      id-token: write
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          ref: ${{ fromJSON(inputs.releases)[0].tagName }}
       - name: Setup Git User
         run: |
           git config --global user.email "npm-cli+bot@github.com"
@@ -42,19 +49,21 @@ jobs:
           node: ${{ steps.node.outputs.node-version }}
       - name: Install Dependencies
         run: npm i --ignore-scripts --no-audit --no-fund
-      - name: Check If Published
+      - name: Set npm authToken
+        run: npm config set '//registry.npmjs.org/:_authToken'=\${PUBLISH_TOKEN}
+      - name: Publish
+        env:
+          PUBLISH_TOKEN: ${{ secrets.PUBLISH_TOKEN }}
+          RELEASES: ${{ inputs.releases }}
         run: |
           EXIT_CODE=0
 
           for release in $(echo $RELEASES | jq -r '.[] | @base64'); do
-            SPEC="$(echo "$release" | base64 --decode | jq -r .pkgName)@$(echo "$release" | base64 --decode | jq -r .version)"
-            npm view "$SPEC" --json
+            PUBLISH_TAG=$(echo "$release" | base64 --decode | jq -r .publishTag)
+            npm publish --provenance --tag="$PUBLISH_TAG"
             STATUS=$?
             if [[ "$STATUS" -eq 1 ]]; then
               EXIT_CODE=$STATUS
-              echo "$SPEC ERROR"
-            else
-              echo "$SPEC OK"
             fi
           done
 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2761782..75acebb 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -131,7 +131,7 @@ jobs:
         id: comment-text
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: npm exec --offline -- template-oss-release-manager --pr="${{ needs.release.outputs.pr-number }}" --backport="" --defaultTag="latest"
+        run: npm exec --offline -- template-oss-release-manager --pr="${{ needs.release.outputs.pr-number }}" --backport="" --defaultTag="latest" --publish
       - name: Append Release Manager Comment
         uses: peter-evans/create-or-update-comment@v3
         with:
@@ -243,6 +243,10 @@ jobs:
     name: Release Integration
     if: needs.release.outputs.releases
     uses: ./.github/workflows/release-integration.yml
+    permissions:
+      id-token: write
+    secrets:
+      PUBLISH_TOKEN: ${{ secrets.PUBLISH_TOKEN }}
     with:
       releases: ${{ needs.release.outputs.releases }}
 
diff --git a/package.json b/package.json
index f19a6c0..e07fe8d 100644
--- a/package.json
+++ b/package.json
@@ -37,7 +37,8 @@
   },
   "templateOSS": {
     "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
-    "version": "4.22.0"
+    "version": "4.22.0",
+    "publish": true
   },
   "tap": {
     "nyc-arg": [