Set up release workflow for trusted publishing

[jeremywiebe]

Summary:

This PR makes a few changes to the Github Actions release workflow to support Trusted Publishing. It removes the NPM_TOKEN is that is not needed (and relieves us from rotating tokens or having insecure, long-lived tokens in use).

It also adds a step to upgrade npm CLI as we need at least v11.5.1 to support OpenID Connect (which is used for Trusted Publishing).

Issue: LEMS-3681

Test plan:

Land this PR and cut a release. All packages are marked with a patch changeset but should not be functionally different than the currently published versions. It will just allow us to ensure trusted publishing is working properly.

[changeset-bot]

🦋 Changeset detected

Latest commit: a277aa6

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 8 packages

Name	Type
@khanacademy/eslint-config	Patch
@khanacademy/eslint-plugin	Patch
@khanacademy/wonder-stuff-ci	Patch
@khanacademy/wonder-stuff-core	Patch
@khanacademy/wonder-stuff-i18n	Patch
@khanacademy/wonder-stuff-logging	Patch
@khanacademy/wonder-stuff-sentry	Patch
@khanacademy/wonder-stuff-testing	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[github-actions]

Size Change: 0 B

Total Size: 4.58 kB

ℹ️ View Unchanged

Filename	Size
packages/wonder-stuff-core/dist/browser/es/index.js	1.9 kB
packages/wonder-stuff-sentry/dist/browser/es/index.js	1.58 kB
packages/wonder-stuff-testing/dist/browser/es/index.js	1.1 kB

_{compressed-size-action}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (8972b36) to head (a277aa6).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff            @@
##              main     #1214   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files           52        52           
  Lines          724       724           
  Branches       209       210    +1     
=========================================
  Hits           724       724           

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 8972b36...a277aa6. Read the comment docs.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[khan-actions-bot]

Gerald

Required Reviewers

• @Khan/frontend-infra for changes to .changeset/odd-owls-smile.md, .changeset/swift-coats-wonder.md, .github/workflows/release.yml

---

Don't want to be involved in this pull request? Comment #removeme and we won't notify you of further changes.

[somewhatabstract]

LGTM

Some inline questions that may mean a change or two is needed before landing.

[somewhatabstract]

question: Permissions edits are not additive to the defaults but replace them entirely; does this include all the default permissions that would be granted if we were not overriding things?

[jeremywiebe]

In the Perseus repo, I see the repo setting is that Actions have read/write permissions for all scopes, by default.

I suspect this is what this repo also has. In Perseus, this set of permissions was sufficient, so I think this will work here also. We'll know as soon as we cut a release if I've missed one.