Release npm trusted providers (#1268)

* Update release to trusted providers and combine into 1 workflow

* Add upload versions action

* Add permissions

* Update npm version

* remove continue

* Update node version

Author: jonrohan

.github/actions/upload-versions/action.yml

@@ -0,0 +1,36 @@
+name: 'Upload Versions'
+description: 'Upload version information for public packages'
+runs:
+  using: 'composite'
+  steps:
+    - name: Set up Node
+      uses: actions/setup-node@v6
+      with:
+        node-version: 24
+        cache: 'npm'
+
+    - name: Write workspace versions as JSON file
+      uses: actions/github-script@a3e7071a34d7e1f219a8a4de9a5e0a34d1ee1293
+      with:
+        script: |
+          const fs = require('node:fs');
+
+          const output = {
+            packages: [],
+          };
+
+          const contents = fs.readFileSync('./package.json', 'utf8');
+          const packageJson = JSON.parse(contents);
+
+          const pkg = {
+            name: packageJson.name,
+            version: packageJson.version,
+          };
+          output.packages.push(pkg);
+
+          fs.writeFileSync('versions.json', JSON.stringify(output, null, 2));
+    - name: Upload version file
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+      with:
+        name: versions
+        path: versions.json

.github/workflows/release.yml

@@ -1,12 +1,20 @@
 name: Release
 on:
   push:
-    branches:
-      - 'main'
-      - 'next-major'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  id-token: write # Required for OIDC
+  contents: read
+  checks: write
+  statuses: write
+
 jobs:
-  release_candidate:
-    name: Release for latest version
+  release:
+    name: Main
     if: ${{ github.repository == 'primer/primitives' && github.ref_name == 'main' }}
 
     runs-on: ubuntu-latest
@@ -18,10 +26,10 @@ jobs:
           fetch-depth: 0
           persist-credentials: false
 
-      - name: Set up Node.js
-        uses: actions/setup-node@v4
+      - name: Set up Node
+        uses: actions/setup-node@v6
         with:
-          node-version: 22
+          node-version: 24
           cache: 'npm'
 
       - name: Install dependencies
@@ -46,7 +54,6 @@ jobs:
           publish: npm run release
         env:
           GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
-          NPM_TOKEN: ${{ secrets.NPM_AUTH_TOKEN_SHARED }}
 
       - name: Output release version to summary
         if: ${{ steps.changesets.outputs.published}} = 'true'
@@ -57,9 +64,9 @@ jobs:
           echo "### Latest release" >> $GITHUB_STEP_SUMMARY
           echo "[v$VERSION](https://unpkg.com/$PACKAGE_NAME@$VERSION/)" >> $GITHUB_STEP_SUMMARY
 
-  release_candidate_next_major:
-    name: Release for next version
-    if: ${{ github.repository == 'primer/primitives' && github.ref_name == 'next-major' }}
+  release-candidate:
+    name: Candidate
+    if: ${{ github.repository == 'primer/primitives' && github.ref_name == 'changeset-release/main' }}
 
     runs-on: ubuntu-latest
     steps:
@@ -68,43 +75,114 @@ jobs:
         with:
           # This makes Actions fetch all Git history so that Changesets can generate changelogs with the correct commits
           fetch-depth: 0
-          persist-credentials: false
 
-      - name: Set up Node.js
-        uses: actions/setup-node@v4
+      - name: Set up Node
+        uses: actions/setup-node@v6
         with:
-          node-version: 22
+          node-version: 24
           cache: 'npm'
 
       - name: Install dependencies
-        run: npm ci --no-audit --no-fund && pushd docs; npm ci --no-audit --no-fund; popd
+        run: npm ci --no-audit --no-fund --include=dev
 
       - name: Build tokens
-        run: npm run build
+        run: npm run build:tokens
 
-      - uses: actions/create-github-app-token@v1
-        id: app-token
+      - name: Publish release candidate
+        run: |
+          version=$(jq -r .version package.json)
+          echo "$( jq ".version = \"$(echo $version)-rc.$(git rev-parse --short HEAD)\"" package.json )" > package.json
+          npm publish --tag next
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Output candidate version number
+        id: commitStatus
+        uses: actions/github-script@v7
         with:
-          app-id: ${{ vars.PRIMER_APP_ID_SHARED }}
-          private-key: ${{ secrets.PRIMER_APP_PRIVATE_KEY_SHARED }}
+          script: |
+            const package = require(`${process.env.GITHUB_WORKSPACE}/package.json`)
+            github.rest.repos.createCommitStatus({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              sha: context.sha,
+              state: 'success',
+              context: `Published ${package.name}`,
+              description: package.version,
+              target_url: `https://unpkg.com/${package.name}@${package.version}/`
+            })
+            // Output the release version for next step
+            core.setOutput('packageVersion', package.version);
+            // Output the package name for next step
+            core.setOutput('packageName', package.name);
 
-      - name: Create release pull request or publish to npm
-        id: changesets
-        uses: changesets/[email protected]
-        continue-on-error: true
+      - name: Output candidate version to summary
+        env:
+          VERSION: ${{ steps.commitStatus.outputs.packageVersion }}
+          PACKAGE_NAME: ${{ steps.commitStatus.outputs.packageName }}
+        run: |
+          echo "### Latest release candidate" >> $GITHUB_STEP_SUMMARY
+          echo "[v$VERSION](https://unpkg.com/$PACKAGE_NAME@$VERSION/)" >> $GITHUB_STEP_SUMMARY
+      - uses: ./.github/actions/upload-versions
+
+  release-canary:
+    name: Canary
+    if: ${{ github.repository == 'primer/primitives' && github.ref_name != 'main' && github.ref_name != 'changeset-release/main' }}
+
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
         with:
-          title: Release Tracking (Next Major)
-          # This expects you to have a script called release which does a build for your packages and calls changeset publish
-          publish: npx changeset publish --tag next
+          # This makes Actions fetch all Git history so that Changesets can generate changelogs with the correct commits
+          fetch-depth: 0
+
+      - name: Set up Node
+        uses: actions/setup-node@v6
+        with:
+          node-version: 24
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci --no-audit --no-fund --include=dev
+
+      - name: Build tokens
+        run: npm run build:tokens
+
+      - name: Publish canary version
+        run: |
+          echo "$( jq '.version = "0.0.0"' package.json )" > package.json
+          echo -e "---\n'@primer/primitives': patch\n---\n\nFake entry to force publishing" > .changeset/force-snapshot-release.md
+          npx changeset version --snapshot
+          npx changeset publish --tag canary
         env:
-          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
-          NPM_TOKEN: ${{ secrets.NPM_AUTH_TOKEN_SHARED }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Output release version to summary
-        if: ${{ steps.changesets.outputs.published}} = 'true'
+      - name: Output canary version number
+        id: commitStatus
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const package = require(`${process.env.GITHUB_WORKSPACE}/package.json`)
+            github.rest.repos.createCommitStatus({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              sha: context.sha,
+              state: 'success',
+              context: `Published ${package.name}`,
+              description: package.version,
+              target_url: `https://unpkg.com/${package.name}@${package.version}/`
+            })
+            // Output the release version for next step
+            core.setOutput('packageVersion', package.version);
+            // Output the package name for next step
+            core.setOutput('packageName', package.name);
+
+      - name: Output canary version to summary
         env:
-          VERSION: ${{ steps.changesets.outputs.publishedPackages[0].version }}
-          PACKAGE_NAME: ${{ steps.changesets.outputs.publishedPackages[0].name }}
+          VERSION: ${{ steps.commitStatus.outputs.packageVersion }}
+          PACKAGE_NAME: ${{ steps.commitStatus.outputs.packageName }}
         run: |
-          echo "### Latest release" >> $GITHUB_STEP_SUMMARY
+          echo "### Latest canary release" >> $GITHUB_STEP_SUMMARY
           echo "[v$VERSION](https://unpkg.com/$PACKAGE_NAME@$VERSION/)" >> $GITHUB_STEP_SUMMARY
+      - uses: ./.github/actions/upload-versions