From a393ac604a160c60b677daf2f12658abd25c5f65 Mon Sep 17 00:00:00 2001
From: Gar <gar+gh@danger.computer>
Date: Fri, 12 Apr 2024 07:45:29 -0700
Subject: [PATCH] chore: enable auto publish (#78)

---
 .github/workflows/release-integration.yml | 24 +++++++++++++++--------
 .github/workflows/release.yml             |  6 +++++-
 package.json                              |  3 ++-
 3 files changed, 23 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/release-integration.yml b/.github/workflows/release-integration.yml
index 6406559..3663758 100644
--- a/.github/workflows/release-integration.yml
+++ b/.github/workflows/release-integration.yml
@@ -15,17 +15,24 @@ on:
         required: true
         type: string
         description: 'A json array of releases. Required fields: publish: tagName, publishTag. publish check: pkgName, version'
+    secrets:
+      PUBLISH_TOKEN:
+        required: true
 
 jobs:
   publish:
-    name: Check Publish
+    name: Publish
     runs-on: ubuntu-latest
     defaults:
       run:
         shell: bash
+    permissions:
+      id-token: write
     steps:
       - name: Checkout
         uses: actions/checkout@v3
+        with:
+          ref: ${{ fromJSON(inputs.releases)[0].tagName }}
       - name: Setup Git User
         run: |
           git config --global user.email "npm-cli+bot@github.com"
@@ -42,12 +49,16 @@ jobs:
           node: ${{ steps.node.outputs.node-version }}
       - name: Install Dependencies
         run: npm i --ignore-scripts --no-audit --no-fund
-      - name: Check If Published
+      - name: Set npm authToken
+        run: npm config set '//registry.npmjs.org/:_authToken'=\${PUBLISH_TOKEN}
+      - name: Publish
+        env:
+          PUBLISH_TOKEN: ${{ secrets.PUBLISH_TOKEN }}
         run: |
           EXIT_CODE=0
 
           function each_release {
-            if npm view "$@" --loglevel=error > /dev/null; then
+            if npm publish --provenance --tag="$1"; then
               echo 0
             else
               echo 1
@@ -55,13 +66,10 @@ jobs:
           }
 
           for release in $(echo '${{ inputs.releases }}' | jq -r '.[] | @base64'); do
-            SPEC="$(echo "$release" | base64 --decode | jq -r .pkgName)@$(echo "$release" | base64 --decode | jq -r .version)"
-            STATUS=$(each_release "$SPEC")
+            PUBLISH_TAG=$(echo "$release" | base64 --decode | jq -r .publishTag)
+            STATUS=$(each_release "$PUBLISH_TAG")
             if [[ "$STATUS" -eq 1 ]]; then
               EXIT_CODE=$STATUS
-              echo "$SPEC ERROR"
-            else
-              echo "$SPEC OK"
             fi
           done
 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a410ccf..a05c444 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -131,7 +131,7 @@ jobs:
         id: comment-text
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: npm exec --offline -- template-oss-release-manager --pr="${{ needs.release.outputs.pr-number }}" --backport="" --defaultTag="latest"
+        run: npm exec --offline -- template-oss-release-manager --pr="${{ needs.release.outputs.pr-number }}" --backport="" --defaultTag="latest" --publish
       - name: Append Release Manager Comment
         uses: peter-evans/create-or-update-comment@v3
         with:
@@ -243,6 +243,10 @@ jobs:
     name: Release Integration
     if: needs.release.outputs.releases
     uses: ./.github/workflows/release-integration.yml
+    permissions:
+      id-token: write
+    secrets:
+      PUBLISH_TOKEN: ${{ secrets.PUBLISH_TOKEN }}
     with:
       releases: ${{ needs.release.outputs.releases }}
 
diff --git a/package.json b/package.json
index f3e82bb..973f2a7 100644
--- a/package.json
+++ b/package.json
@@ -33,7 +33,8 @@
   },
   "templateOSS": {
     "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
-    "version": "4.21.3"
+    "version": "4.21.3",
+    "publish": true
   },
   "tap": {
     "nyc-arg": [