Merge pull request #89 from BitGo/DX-2098-trusted-publisher

ci: migrate to OIDC Trusted Publishing

Author: tanjeemh

.github/workflows/main_ci.yml

@@ -65,7 +65,7 @@ jobs:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
       - uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4
         with:
-          node-version: 20
+          node-version: 22
           registry-url: https://registry.npmjs.org/
           cache: 'npm'
       - run: npm ci
@@ -76,7 +76,7 @@ jobs:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
       - uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4
         with:
-          node-version: 20
+          node-version: 22
           registry-url: https://registry.npmjs.org/
           cache: 'npm'
       - run: npm ci
@@ -87,7 +87,7 @@ jobs:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
       - uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4
         with:
-          node-version: 20
+          node-version: 22
           registry-url: https://registry.npmjs.org/
           cache: 'npm'
       - run: npm ci
@@ -98,7 +98,7 @@ jobs:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
       - uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4
         with:
-          node-version: 20
+          node-version: 22
           registry-url: https://registry.npmjs.org/
           cache: 'npm'
       - run: npm ci
@@ -109,7 +109,7 @@ jobs:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
       - uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4
         with:
-          node-version: 20
+          node-version: 22
           registry-url: https://registry.npmjs.org/
           cache: 'npm'
       - run: npm ci
@@ -120,7 +120,7 @@ jobs:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
       - uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4
         with:
-          node-version: 20
+          node-version: 22
           registry-url: https://registry.npmjs.org/
           cache: 'npm'
       - run: npm ci
@@ -129,6 +129,7 @@ jobs:
   release:
     if: github.repository_owner == 'BitGo' && github.event_name == 'push' && github.ref_name == 'master'
     runs-on: ubuntu-latest
+    environment: publish-bitcoinjslib
     needs:
       - unit
       - integration
@@ -138,14 +139,19 @@ jobs:
       - gitdiff
       - lint
       - lint-tests
+    permissions:
+      id-token: write
+      contents: write
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
       - uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4
         with:
-          node-version: 20
+          node-version: 22
           cache: 'npm'
+      - name: Ensure npm 11.5.1
+        run: |
+          npm install -g [email protected]
       - run: npm ci
       - run: ./node_modules/.bin/semantic-release
         env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.nsprc

@@ -2,6 +2,16 @@
   "GHSA-rc47-6667-2j5j": {
     "active": true,
     "notes": "ignore until a fix is introduced to semantic-release. See https://github.com/semantic-release/npm/issues/574",
-    "expiry": 1676926476000
+    "expiry": 1790000000000
+  },
+  "1109536": {
+    "active": true,
+    "notes": "cipher-base: Patched version exists, but upstream dependancies are pinned to vulnerable versions and have not been updated. See https://github.com/advisories/GHSA-cpq7-6gpm-g9rc",
+    "expiry": 1790000000000
+  },
+  "1109535": {
+    "active": true,
+    "notes": "sha.js: Patched version exists, but upstream dependancies are pinned to vulnerable versions and have not been updated. See https://github.com/advisories/GHSA-95m3-7q98-8xr5",
+    "expiry": 1790000000000
   }
 }