feat(publish): Use trusted publishing (OIDC) for canary releases (facebook#11712)

* Fix canary publish, use trusted publishing (OIDC)

* verbose lerna publish logs

* test upgrade Lerna

* refactor: apply lint autofix

* do not checkout main, get verbose logs

* test publish

* cleanup workflow

* downgrade Lerna for nodejs compatibility reason

* downgrade Lerna for nodejs compatibility reason

* use Lerna 9 only in publish workflow

* use Lerna 9 only in publish workflow

* cleanup publish script

* cleanup script

* downgrade lerna

* refactor: apply lint autofix

* empty

---------

Co-authored-by: slorber <749374+slorber@users.noreply.github.com>

Author: slorber

.github/workflows/canary-release.yml .github/workflows/publish.yml.github/workflows/canary-release.yml renamed to .github/workflows/publish.yml

@@ -1,4 +1,4 @@
-name: Canary Release
+name: Publish
 
 on:
   workflow_dispatch:
@@ -7,12 +7,13 @@ on:
       - main
       - docusaurus-v**
     paths:
-      - .github/workflows/canary-release.yml
+      - .github/workflows/publish.yml
       - package.json
-      - packages/**
+      - packages/*
 
 permissions:
   contents: read
+  id-token: write # For OIDC, see https://docs.npmjs.com/trusted-publishers
 
 jobs:
   publish-canary:
@@ -32,18 +33,14 @@ jobs:
         run: |
           git config --global user.name "Docusaurus Canary"
           git config --global user.email "canary@docusaurus.io"
-          git fetch
-          git checkout main
-          echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" >> .npmrc
-          cat .npmrc
-          echo "npm whoami"
-          npm whoami
-        env:
-          NPM_TOKEN: ${{ secrets.NPM_AUTH_TOKEN }}
       - name: Installation
         run: yarn || yarn || yarn
+        # TODO Docusaurus v4: remove after we upgrade the Node version
+      - name: Upgrade Lerna
+        run: |
+          yarn add -D -W lerna@9.0.3 --ignore-scripts
+          git commit -am "chore: upgrade lerna"
       - name: Publish Canary release
         run: |
-          yarn canary
-        env:
-          NPM_TOKEN: ${{ secrets.NPM_AUTH_TOKEN }}
+          yarn canary:bumpVersion
+          yarn canary:publish

lerna.json

@@ -1,7 +1,6 @@
 {
   "version": "3.9.2",
   "npmClient": "yarn",
-  "useWorkspaces": true,
   "useNx": false,
   "changelog": {
     "repo": "facebook/docusaurus",

package.json

@@ -50,8 +50,8 @@
     "canary": "yarn canary:bumpVersion && yarn canary:publish",
     "canary:getCoreVersion": "node -p \"require('./packages/docusaurus/package.json').version\"",
     "canary:version": "echo `yarn --silent canary:getCoreVersion`-canary-`git rev-list --count HEAD`+`git rev-parse --short HEAD`",
-    "canary:bumpVersion": "yarn lerna version `yarn --silent canary:version` --exact --no-push --yes",
-    "canary:publish": "yarn lerna publish from-package --dist-tag canary --yes --no-verify-access",
+    "canary:bumpVersion": "yarn lerna version `yarn --silent canary:version` --exact --no-push --yes --loglevel verbose",
+    "canary:publish": "yarn lerna publish from-package --dist-tag canary --yes --no-verify-access --loglevel verbose",
     "changelog": "lerna-changelog",
     "postinstall": "patch-package && yarn lock:update && yarn build:packages",
     "prepare": "husky install",
@@ -111,7 +111,7 @@
     "jest-environment-jsdom": "^30.2.0",
     "jest-serializer-ansi-escapes": "^4.0.0",
     "jest-serializer-react-helmet-async": "^1.0.21",
-    "lerna": "^6.6.2",
+    "lerna": "^7.4.2",
     "lerna-changelog": "^2.2.0",
     "lint-staged": "~13.2.3",
     "lockfile-lint": "^4.14.0",