ci: fix CFA publishing on GHA (#121)

.github/workflows/publish-npm.yml

@@ -0,0 +1,56 @@
+name: Publish npm Release
+
+on:
+  push:
+    tags:
+      - v[0-9]+.[0-9]+.[0-9]+
+
+jobs:
+  test:
+    uses: ./.github/workflows/test.yml
+    with:
+      electron-version: ${{ github.ref_name }}
+  release:
+    runs-on: ubuntu-latest
+    needs: test
+    environment: npm
+    permissions:
+      contents: write # for creating new release
+      id-token: write # for CFA
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: "Use Node.js ${{ matrix.node-version }}"
+        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
+        with:
+          node-version: "20.16.0"
+      - name: Update Version
+        run: node script/update-version.js ${{ github.ref_name }}
+      - name: Confirm Version Updated
+        run: node -e "if (require('./package.json').version === '0.0.0-development') process.exit(1)"
+      - name: Obtain OIDC token
+        id: oidc
+        run: |
+          token=$(curl --fail -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+            "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=continuousauth.dev" | jq -r '.value')
+          echo "::add-mask::${token}"
+          echo "token=${token}" >> $GITHUB_OUTPUT
+      - name: Obtain GitHub credentials
+        id: github_creds
+        run: |
+          token=$(curl --fail "https://continuousauth.dev/api/request/${{ secrets.CFA_PROJECT_ID }}/github/credentials" \
+            -X POST \
+            -H "Content-Type: application/json" \
+            -H "Authorization: bearer ${{ secrets.CFA_SECRET }}" \
+            --data "{\"token\":\"${{ steps.oidc.outputs.token }}\"}" | jq -r '.GITHUB_TOKEN')
+          echo "::add-mask::${token}"
+          echo "token=${token}" >> $GITHUB_OUTPUT
+      - name: Set NPM Credentials
+        run: echo //registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }} > ~/.npmrc
+      - name: Check NPM Credentials
+        run: npm whoami
+      - name: CFA Publish
+        run: node script/publish.js
+      - name: Create Release
+        env:
+          GITHUB_TOKEN: ${{ steps.github_creds.outputs.token }}
+        run: gh release create ${{ github.ref_name }} -t ${{ github.ref_name }}

.github/workflows/release.yml

@@ -7,31 +7,23 @@ on:
           description: Electron version to use with "v" prefix (e.g. v30.0.0)
           required: true
 
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
 jobs:
   test:
     uses: ./.github/workflows/test.yml
     with:
       electron-version: ${{ github.event.inputs.version }}
-  release:
+  tag_new_version:
     runs-on: ubuntu-latest
     needs: test
-    environment: npm
     permissions:
-      id-token: write # for CFA and npm provenance
+      contents: write # for pushing new tag
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-        with:
-          persist-credentials: false
-      - name: "Use Node.js ${{ matrix.node-version }}"
-        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
-        with:
-          node-version: "20.16.0"
-      - name: Update Version
-        run: node script/update-version.js ${{ github.event.inputs.version }}
-      - name: Confirm Version Updated
-        run: node -e "if (require('./package.json').version === '0.0.0-development') process.exit(1)"
-      - uses: continuousauth/action@4396fa3eb7c9790548b9e2b6e4f527df5b861add # v1.0.1
-        with:
-          project-id: ${{ secrets.CFA_PROJECT_ID }}
-          secret: ${{ secrets.CFA_SECRET }}
-          npm-token: ${{ secrets.NPM_TOKEN }}
+      # Tag here, the publish-npm.yml workflow will trigger on the new tag and do the CFA publish
+      - name: Push New Tag
+        run: |
+          git tag ${{ github.event.inputs.version }}
+          git push origin ${{ github.event.inputs.version }}