This repository has been archived by the owner on Oct 9, 2023. It is now read-only.
Automation publish tokens are explicitly one-factor, which imo is less secure than publishing directly from a dev's laptop.
If npm supported staged builds, then publishing a staged build from CI, and then a human using 2FA locally to "promote" it, would be the most secure way to publish - but lacking that, the best I think we can get is using CI to generate a tagged release commit, and then having a publisher locally download it, run `npm install` or `npm ci`, and `npm publish`.
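The local "promote" step described in the issue, as an added example that is not part of the original post or of any npm tooling: the publisher checks out the CI-produced release tag, confirms it matches the package version, installs from the lockfile and publishes from their own machine so the 2FA prompt stays with the human. The `v<version>` tag format, the assumption that release tags are signed, and the `--ignore-scripts` hardening are choices made here, not something the post specifies.

```shell
#!/bin/sh
# Added example, not from the original issue or any project: a local "promote"
# script for the workflow described above. CI is assumed to have created a
# release commit tagged v<version> (tag name format is an assumption) and to
# have signed that tag; the publisher runs this with their 2FA-enabled npm login.
set -eu

# Extract "version" from a package.json passed as a string, without jq.
# Assumes the conventional `"version": "x.y.z"` line that npm itself writes.
package_version() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*"version":[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# The tag being promoted must be exactly v<package.json version>; otherwise the
# tarball that ships would not correspond to the commit the tag points at.
tag_matches_version() {
    tag="$1"; pkg_json="$2"
    [ "$tag" = "v$(package_version "$pkg_json")" ]
}

promote() {
    tag="$1"
    git fetch --tags origin
    # Refuse to publish anything that is not a signed tag (assumption: CI signs release tags).
    git verify-tag "$tag"
    git checkout --detach "$tag"
    tag_matches_version "$tag" "$(cat package.json)" \
        || { echo "tag $tag does not match package.json version" >&2; exit 1; }
    # Clean install from the lockfile; skipping lifecycle scripts keeps
    # dependency install hooks from running on the publisher's machine.
    npm ci --ignore-scripts
    # Show exactly which files would be uploaded before committing to it.
    npm pack --dry-run
    # npm prompts for the one-time password here, so the 2FA step is local.
    npm publish
}

# Usage: ./promote.sh v1.2.3
case "${1:-}" in
    v*) promote "$1" ;;
    "") : ;;   # no argument: define the functions only
    *) echo "usage: $0 v<version>" >&2; exit 2 ;;
esac
```

Run it from a clone of the repository after CI has pushed the release tag; the version check is what turns a "download and publish" habit into something a second person can audit.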
I think what you say is true for some scenarios. I do think that this is a little more nuanced, depending on the use cases and environment/setup.
Having strong authentication (including 2FA) and tightly scoped tokens implemented for the request of the release pipeline would provide a similar (and in some cases stronger, by allowing de-privileging of builders) trust model.
However, I do agree that there is definitely a nice QoL in being able to take a look at the release that comes out before finalizing it. I think there is a place for it.
Depending on how the API around CI releasing is done, I think generalizing it as "less secure" is a bit too strong of a statement.