feat: new release pipeline with trusted publishing (#1920)

* chore: fix release pipeline to support trusted publishing

Signed-off-by: Shurtu-gal <ashishpadhy1729@gmail.com>

* fix: resolve Next.js version mismatch for studio/preview

* fix: remove unnecessary type assertions in Studio and Preview

* chore: remove next.js package

Signed-off-by: Shurtu-gal <ashishpadhy1729@gmail.com>

* chore: remove @swc/core

Signed-off-by: Shurtu-gal <ashishpadhy1729@gmail.com>

* chore: reinstall packages

Signed-off-by: Shurtu-gal <ashishpadhy1729@gmail.com>

* chore: pin helpers to 0.2.0 version

Signed-off-by: Shurtu-gal <ashishpadhy1729@gmail.com>

* chore: fix tests

Signed-off-by: Shurtu-gal <ashishpadhy1729@gmail.com>

* chore: add repository URL

Signed-off-by: Shurtu-gal <ashishpadhy1729@gmail.com>

* chore: add changeset

Signed-off-by: Shurtu-gal <ashishpadhy1729@gmail.com>

---------

Signed-off-by: Shurtu-gal <ashishpadhy1729@gmail.com>
Co-authored-by: kartikayy007 <kartikayy6969@gmail.com>

Author: Shurtu-gal

.changeset/shaggy-masks-rescue.md

@@ -0,0 +1,16 @@
+---
+'@asyncapi/cli': major
+---
+
+## Major release with important security updates
+
+- Keeping in mind the recent Shai-Hulud attack, we have adopted trusted publishing with NPM.
+- This requires us to use node >= 24 and npm >= 11
+- Next.js version is in sync with Studio, and is currently 14.2.35 deemed safe by CVE. [For more details](https://nextjs.org/blog/CVE-2025-66478)
+
+### Breaking Changes
+- Node.js version 24 or higher is now required.
+- NPM version 11 or higher is now required.
+- Next.js version is now 14.2.35 or higher.
+
+Please make sure to update your environment accordingly before upgrading to this version.

.github/workflows/release-with-changesets.yml

@@ -32,9 +32,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        # Using macos-13 instead of latest (macos-14) due to an issue with Puppeteer and such runner.
-        # See: https://github.com/puppeteer/puppeteer/issues/12327 and https://github.com/asyncapi/parser-js/issues/1001
-        os: [ubuntu-latest, macos-13, windows-latest]
+        os: [ubuntu-latest, macos-latest, windows-latest]
     steps:
       - name: Set git to use LF # To once and for all finish the never-ending fight between Unix and Windows
         run: |
@@ -82,6 +80,10 @@ jobs:
     needs: [test-nodejs]
     name: Publish to any of NPM, GitHub, or Docker Hub
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
+      pull-requests: write
     steps:
       - name: Set git to use LF # To once and for all finish the never-ending fight between Unix and Windows
         run: |
@@ -97,10 +99,13 @@ jobs:
         name: Check package-lock version
         uses: asyncapi/.github/.github/actions/get-node-version-from-package-lock@master
         id: lockversion
+        with:
+          node-version: ${{ vars.NODE_VERSION }}
       - if: steps.packagejson.outputs.exists == 'true'
         name: Setup Node.js
         uses: actions/setup-node@v4
         with:
+          registry-url: "https://registry.npmjs.org"
           node-version: "${{ steps.lockversion.outputs.version }}"
       - if: steps.packagejson.outputs.exists == 'true'
         name: Install dependencies
@@ -124,7 +129,6 @@ jobs:
           setupGitUser: false
         env:
           GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
           GIT_AUTHOR_NAME: asyncapi-bot
           GIT_AUTHOR_EMAIL: info@asyncapi.io
           GIT_COMMITTER_NAME: asyncapi-bot