ci: switch npm publish to trusted publishing (OIDC) (#695)

The @launchdarkly/ldcli npm package now has trusted publishing
configured on the npm side, which rejects legacy NODE_AUTH_TOKEN
publishes (npm returns 404 to obscure auth failures). Align the
release-please and manual-publish workflows with the OIDC pattern
already used by js-client-sdk, observability-sdk, and launchdarkly-
toolbar:

  * bump actions/setup-node v3 -> v4
  * install npm 11.6.2 (trusted publishing requires >= 11.5.1)
  * drop the SSM-sourced NODE_AUTH_TOKEN; npm CLI picks up the OIDC
    token automatically via the existing id-token: write permission

No changes to scripts/publish-npm.sh (already uses --provenance
--access public, same as the sibling repos).

Made-with: Cursor

Author: nieblara

.github/workflows/manual-publish.yml

@@ -83,6 +83,10 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ inputs.dry-run-npm == false }}
     needs: [release-ldcli]
+    # id-token: write lets npm CLI exchange the GITHUB_TOKEN for an OIDC token
+    # that the npm registry trusts via the trusted publisher config. The npm
+    # trusted publisher must be configured with this workflow filename
+    # (manual-publish.yml) for publishes from this path to succeed.
     permissions:
       actions: read
       id-token: write
@@ -92,15 +96,14 @@ jobs:
         name: Checkout
         with:
           fetch-depth: 0
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
           node-version: 20.x
           registry-url: 'https://registry.npmjs.org'
-      - uses: launchdarkly/gh-actions/actions/release-secrets@release-secrets-v1.0.1
-        name: 'Get NPM token'
-        with:
-          aws_assume_role: ${{ vars.AWS_ROLE_ARN }}
-          ssm_parameter_pairs: '/production/common/releasing/npm/token = NODE_AUTH_TOKEN'
+      - name: Update npm
+        shell: bash
+        # npm CLI requires >= 11.5.1 for trusted publishing (OIDC) support.
+        run: npm install -g npm@11.6.2
       - id: publish-npm
         name: Publish NPM Package
         uses: ./.github/actions/publish-npm

.github/workflows/release-please.yml

@@ -107,21 +107,24 @@ jobs:
   release-ldcli-npm:
     runs-on: ubuntu-latest
     needs: [release-please, release-ldcli]
+    # id-token: write lets npm CLI exchange the GITHUB_TOKEN for an OIDC token
+    # that the npm registry trusts via the trusted publisher config for this
+    # workflow. No static NPM token is needed (or wanted: if NODE_AUTH_TOKEN is
+    # set, npm prefers the token path and skips OIDC).
     permissions:
       id-token: write
       contents: write
     if: needs.release-please.outputs.release_created == 'true'
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
           node-version: 20.x
           registry-url: 'https://registry.npmjs.org'
-      - uses: launchdarkly/gh-actions/actions/release-secrets@release-secrets-v1.0.1
-        name: 'Get NPM token'
-        with:
-          aws_assume_role: ${{ vars.AWS_ROLE_ARN }}
-          ssm_parameter_pairs: '/production/common/releasing/npm/token = NODE_AUTH_TOKEN'
+      - name: Update npm
+        shell: bash
+        # npm CLI requires >= 11.5.1 for trusted publishing (OIDC) support.
+        run: npm install -g npm@11.6.2
       - id: publish-npm
         name: Publish NPM Package
         uses: ./.github/actions/publish-npm