ci: update deployment workflow to use npm trusted publishers (#950)

Author: petebacondarwin

.github/actions/install-dependencies/action.yml

@@ -1,5 +1,9 @@
 name: "Install Dependencies"
 description: "Install dependencies, fetching from cache when possible"
+inputs:
+  node-version:
+    description: the version of Node.js to install
+    default: 20.18.0
 
 runs:
   using: "composite"
@@ -9,10 +13,10 @@ runs:
       with:
         version: 9
 
-    - name: Install Node.js
+    - name: Install Node.js ${{ inputs.node-version }}
       uses: actions/setup-node@v4
       with:
-        node-version: 20.18.0
+        node-version: ${{ inputs.node-version }}
         cache: "pnpm"
         registry-url: "https://registry.npmjs.org"
 

.github/workflows/changesets.yml

@@ -5,6 +5,10 @@ on:
     branches:
       - main
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   release:
     if: ${{ github.repository_owner == 'opennextjs' }}
@@ -20,6 +24,10 @@ jobs:
 
       - name: Install Dependencies
         uses: ./.github/actions/install-dependencies
+        with:
+          # Needs 24 to get a version of npm that can handle trusted publishers
+          # See https://docs.npmjs.com/trusted-publishers
+          node-version: 24
 
       - name: Build Cloudflare package
         run: pnpm run build
@@ -31,5 +39,4 @@ jobs:
           publish: pnpm exec changeset publish
         env:
           GITHUB_TOKEN: ${{ secrets.GH_ACCESS_TOKEN }}
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
           NODE_ENV: "production"