Allow GitHub Actions to publish without requiring an access token

[dtinth]

I maintain many npm packages, and the publish process is handled by GitHub Actions. Right now I had to add the NPM_TOKEN to the secrets of each repository. It would be a hassle to rotate and manage the access tokens.

Existing approaches and their respective problems:

• Approach A: I could use a single NPM_TOKEN in every repository, but then I cannot add anyone as a collaborator to my repos, because they would then also have access to the NPM_TOKEN secret, which gives them access to all npm packages that I publish.

• Approach B: I could create a fine-grained access token and use a different token in each repository. However, this is an extra manual step because there is no documented API for automatically generating these tokens. A user can only have 50 fine-grained tokens, however I have more than 50 npm packages. Moreover, I would have to rotate the access tokens regularly as they automatically expire after 365 days.

• Approach C: I could create a new bot account on npm for each package. Then there is a hassle of managing emails, usernames, and passwords for each account.

Right now I use a combination of these approaches (start with approach A, and migrate to approach C when the project is shared). It makes everything more complicated.

GitHub Actions can generate OIDC tokens which can be used to securely identify the workload. It would be great if npm allowed giving access to GitHub repositories in addition to npm users, similar to how AWS, Azure, and Google Cloud allows using GitHub Actions OIDC tokens to manage a cloud resource without storing secret credentials in the repository config.

[MylesBorins]

We are currently in the process of investigating OIDC support for npm. As we get more clarity on how long it will take to build we'll update the public roadmap (and I'll update this discussion)