chore: Move to OIDC authentication for NPM publishing.

Author: kinyoklion

.github/workflows/manual-publish.yml

@@ -1,12 +1,81 @@
+# This workflow handles both automated and manual package publishing:
+#
+# AUTOMATED PUBLISHING (on push to main):
+#   - Triggered automatically when changes are pushed to the main branch
+#   - Uses release-please to create releases based on conventional commits
+#   - Publishes packages to npm automatically when release PRs are merged
+#   - All release-* jobs run in dependency order based on package dependencies
+#
+# MANUAL PUBLISHING (via workflow_dispatch):
+#   - Can be triggered manually from the Actions tab
+#   - Allows publishing a specific package to npm or jsr
+#   - Supports prerelease and dry-run modes
+#   - Runs the manual-publish job which builds, tests, and publishes the selected package
+#   - Primarily used for pre-release jobs, or to correct publishing errors during the automated process
+#
+# The workflow uses conditional logic to ensure only the appropriate jobs run:
+#   - release-please job: only runs on push events
+#   - release-* jobs: only run on push events when their package has a new release
+#   - manual-publish job: only runs on workflow_dispatch events
 on:
   push:
     branches:
       - main
+  workflow_dispatch:
+    inputs:
+      package_registry:
+        description: 'Publish to'
+        required: true
+        default: 'npm'
+        type: choice
+        options:
+          - npm
+          - jsr
+      workspace_path:
+        description: 'The workspace to publish'
+        required: true
+        default: 'packages/shared/common'
+        type: choice
+        options:
+          - packages/shared/common
+          - packages/shared/sdk-client
+          - packages/shared/sdk-server
+          - packages/shared/sdk-server-edge
+          - packages/shared/akamai-edgeworker-sdk
+          - packages/sdk/cloudflare
+          - packages/sdk/fastly
+          - packages/sdk/react-native
+          - packages/sdk/server-node
+          - packages/sdk/react-universal
+          - packages/sdk/vercel
+          - packages/sdk/akamai-base
+          - packages/sdk/akamai-edgekv
+          - packages/store/node-server-sdk-redis
+          - packages/store/node-server-sdk-dynamodb
+          - packages/telemetry/node-server-sdk-otel
+          - packages/tooling/jest
+          - packages/sdk/browser
+          - packages/sdk/server-ai
+          - packages/ai-providers/server-ai-openai
+          - packages/ai-providers/server-ai-vercel
+          - packages/ai-providers/server-ai-langchain
+          - packages/telemetry/browser-telemetry
+          - packages/sdk/combined-browser
+          - packages/sdk/shopify-oxygen
+      prerelease:
+        description: 'Is this a prerelease. If so, then the latest tag will not be updated in npm.'
+        type: boolean
+        required: true
+      dry_run:
+        description: 'Is this a dry run. If so no package will be published.'
+        type: boolean
+        required: true
 name: release-please
 
 jobs:
   release-please:
     runs-on: ubuntu-latest
+    if: github.event_name == 'push'
     outputs:
       package-common-released: ${{ steps.release.outputs['packages/shared/common--release_created'] }}
       package-sdk-client-released: ${{ steps.release.outputs['packages/shared/sdk-client--release_created'] }}
@@ -544,3 +613,56 @@ jobs:
         with:
           workspace_path: packages/sdk/shopify-oxygen
           aws_assume_role: ${{ vars.AWS_ROLE_ARN }}
+
+  manual-publish:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'workflow_dispatch'
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6
+        with:
+          node-version: 24.x
+          registry-url: 'https://registry.npmjs.org'
+      - name: 'Setup Redis'
+        if: ${{ inputs.workspace_path == 'packages/store/node-server-sdk-redis' }}
+        run: |
+          sudo apt-get update
+          sudo apt-get install redis-server
+          sudo service redis-server start
+
+      - name: 'Setup DynamoDB'
+        if: ${{ inputs.workspace_path == 'packages/store/node-server-sdk-dynamodb' }}
+        run: |
+          sudo docker run -d -p 8000:8000 amazon/dynamodb-local
+
+      - name: 'Set WORKSPACE_NAME variable'
+        run: |
+          WORKSPACE_NAME=$(./scripts/package-name.sh ${{ inputs.workspace_path }})
+          echo "WORKSPACE_NAME=$WORKSPACE_NAME" >> $GITHUB_ENV
+      - id: build-and-test
+        name: Build and Test
+        uses: ./actions/ci
+        with:
+          workspace_name: ${{ env.WORKSPACE_NAME }}
+          workspace_path: ${{ inputs.workspace_path }}
+      - id: publish-jsr
+        name: Publish Package to jsr
+        if: ${{ inputs.package_registry == 'jsr' }}
+        uses: ./actions/publish-jsr
+        with:
+          workspace_name: ${{ env.WORKSPACE_NAME }}
+          workspace_path: ${{ inputs.workspace_path }}
+          dry_run: ${{ inputs.dry_run }}
+      # Publishing credentials for NPM come from OIDC.
+      - id: publish-npm
+        name: Publish Package to npm
+        if: ${{ inputs.package_registry == 'npm' }}
+        uses: ./actions/publish
+        with:
+          workspace_name: ${{ env.WORKSPACE_NAME }}
+          workspace_path: ${{ inputs.workspace_path }}
+          prerelease: ${{ inputs.prerelease }}
+          dry_run: ${{ inputs.dry_run }}

.github/workflows/release-please.yml

@@ -20,22 +20,12 @@ runs:
       with:
         workspace_name: ${{ env.WORKSPACE_NAME }}
         workspace_path: ${{ inputs.workspace_path }}
-    - uses: ./actions/release-secrets
-      name: 'Get NPM token'
-      with:
-        aws_assume_role: ${{ inputs.aws_assume_role }}
-        ssm_parameter_pairs: '/production/common/releasing/npm/token = NODE_AUTH_TOKEN'
-    - name: Setup .yarnrc.yml
-      shell: bash
-      run: |
-        yarn config set npmScopes.launchdarkly.npmRegistryServer "https://registry.npmjs.org"
-        yarn config set npmScopes.launchdarkly.npmAlwaysAuth true
-        yarn config set npmScopes.launchdarkly.npmAuthToken $NODE_AUTH_TOKEN
     - uses: ./actions/publish-jsr
       with:
         workspace_name: ${{ env.WORKSPACE_NAME }}
         workspace_path: ${{ inputs.workspace_path }}
         dry_run: false
+    # Publishing credentials for NPM come from OIDC.
     - uses: ./actions/publish
       with:
         workspace_name: ${{ env.WORKSPACE_NAME }}

actions/full-release/action.yml

@@ -8,6 +8,20 @@ phases: initial package publishing phase and stable release phase.
 > still read through the [initial publishing](#initial-package-publishing)
 > and follow the relevant steps to initialize the CI implementation.
 
+## Publishing Workflows
+
+This repository uses the [`release-please.yml`](../.github/workflows/release-please.yml) workflow for all publishing operations:
+
+- **Automated Publishing**: When changes are pushed to `main`, release-please automatically creates release PRs based on conventional commits. When these PRs are merged, packages are automatically published to npm.
+
+- **Manual Publishing**: The workflow can be triggered manually via the GitHub Actions UI to publish a specific package. This is useful for:
+  - Pre-release versions
+  - Hotfixes or backports
+  - Correcting publishing errors
+  - Publishing to JSR (JavaScript Registry)
+
+  Manual triggers support prerelease flags and dry-run mode.
+
 ## Initial Package Publishing
 
 When publishing a package for the first time, developers must complete several steps not part of a typical package release. This phase is
@@ -48,7 +62,7 @@ Add the following to `.release-please-manifest.json`
 Add `PATH_TO_YOUR_PACKAGE` to the `on.workflow_dispatch.inputs.workspace_path.options`
 array in the following files:
 - [`manual-publish-docs.yml`](../.github/workflows/manual-publish-docs.yml)
-- [`manual-publish.yml`](../.github/workflows/manual-publish.yml)
+- [`release-please.yml`](../.github/workflows/release-please.yml) (manual publishing section)
 
 ## 4. Create a CI non-release workflow for just the project