[FEAT]: Use Trusted Publishing for releases to NPMJS

[AdnaneKhan]

Describe the need

The release.yml workflow still appears to use an NPM token to publish to NPMJS instead of trusted publishing.

Since it is an official GitHub package, it would be good to see Octokit.js serve as an example for other package maintainers to use trusted publishing.

SDK Version

No response

API Version

No response

Relevant log output

Code of Conduct

• I agree to follow this project's Code of Conduct

[github-actions]

👋 Hi! Thank you for this contribution! Just to let you know, our GitHub SDK team does a round of issue and PR reviews twice a week, every Monday and Friday! We have a process in place for prioritizing and responding to your input. Because you are a part of this community please feel free to comment, add to, or pick up any issues/PRs that are labeled with Status: Up for grabs. You & others like you are the reason all of this works! So thank you & happy coding! 🚀

[wolfy1339]

Unfortunately, GitHub isn't really spending money on open-source projects like octokit. These projects are pretty much maintenance only.

I don't have the required access to do any config changes on npm

[AdnaneKhan]

Unfortunately, GitHub isn't really spending money on open-source projects like octokit. These projects are pretty much maintenance only.

I don't have the required access to do any config changes on npm

Oh darn :( I figured they would because Octokit is a dependency for the official actions js libraries.

I guess someone from GitHub will have to change npm config at least to rotate the token because of the expiration changes + revocation of all classic NPM tokens.

[wolfy1339]

The same thing is unfortunately happening with action.js; it's even been made official and explicit with a notice in the readme

[wolfy1339]

@nickfloyd Would you be able to help out with this?