[Feature] Publish packages to NPM via OIDC

[mxschmitt]

Motivation: Authentication flows are more and more secret-free / secret-less. OIDC provides a way to say in simple terms: allow publishing from GitHub repository github.com/foo/bar with branch 'main' to a new NPM version.

This is similar to how the authentication flow from GitHub Actions to Azure works and is recommended nowadays. There you set the OIDC subject to a similar value.

Similar to npm/feedback#872

Scope: npmjs.com

[Shegox]

I fully support this suggestion. Enabling OIDC federation between GitHub.com and npmjs.com would be incredibly beneficial, similar to how PyPI handles it: Configuring OpenID Connect in PyPI.

Our specific use case involves multiple repositories managed by different teams, all releasing packages under the same scope on npmjs. To manage permissions, we currently create granular access tokens and distribute them to the GitHub Actions Secrets of individual repositories. Since these granular access tokens cannot be created via API, the process must be done manually, including the manual rotation of these tokens, which is cumbersome.

Additionally, I would like to highlight a notable feature of the PyPI setup: the ability to configure OIDC for a not yet existing package. With npmjs.com, you must first create a dummy version before generating a granular access token for the package. If OIDC is implemented, it would be fantastic if we could directly set it up for packages that don't yet exist.