security: scope release oidc publishing

.github/workflows/release.yml

@@ -5,13 +5,16 @@ on:
     tags: ['v*']
 
 permissions:
-  contents: write
-  id-token: write
+  contents: read
 
 jobs:
-  release:
-    name: Create Release
+  verify:
+    name: Verify Release
     runs-on: ubuntu-latest
+    outputs:
+      already_published: ${{ steps.npm_publish_state.outputs.already_published }}
+      dist_tag: ${{ steps.npm_publish_state.outputs.dist_tag }}
+      package_file: ${{ steps.pack.outputs.package_file }}
 
     steps:
       - name: Checkout
@@ -97,6 +100,42 @@ jobs:
           - For migration tips and compatibility notes, see README and CHANGELOG.
           EOF
 
+      - name: Pack npm artifact
+        id: pack
+        run: |
+          npm pack --json > npm-pack.json
+          PACKAGE_FILE=$(node -e "const fs = require('fs'); const data = JSON.parse(fs.readFileSync('npm-pack.json', 'utf8')); console.log(data[0].filename)")
+          echo "package_file=${PACKAGE_FILE}" >> "$GITHUB_OUTPUT"
+
+      - name: Upload release artifacts
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: ecc-release-artifacts
+          path: |
+            release_body.md
+            ${{ steps.pack.outputs.package_file }}
+          if-no-files-found: error
+
+  publish:
+    name: Publish Release
+    runs-on: ubuntu-latest
+    needs: verify
+    permissions:
+      contents: write
+      id-token: write
+
+    steps:
+      - name: Download release artifacts
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: ecc-release-artifacts
+
+      - name: Setup Node.js
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        with:
+          node-version: '20.x'
+          registry-url: 'https://registry.npmjs.org'
+
       - name: Create GitHub Release
         uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
         with:
@@ -106,7 +145,7 @@ jobs:
           make_latest: ${{ contains(github.ref_name, '-') && 'false' || 'true' }}
 
       - name: Publish npm package
-        if: steps.npm_publish_state.outputs.already_published != 'true'
+        if: needs.verify.outputs.already_published != 'true'
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-        run: npm publish --access public --provenance --tag "${{ steps.npm_publish_state.outputs.dist_tag }}"
+        run: npm publish "${{ needs.verify.outputs.package_file }}" --access public --provenance --tag "${{ needs.verify.outputs.dist_tag }}"

.github/workflows/reusable-release.yml

@@ -28,13 +28,16 @@ on:
         default: true
 
 permissions:
-  contents: write
-  id-token: write
+  contents: read
 
 jobs:
-  release:
-    name: Create Release
+  verify:
+    name: Verify Release
     runs-on: ubuntu-latest
+    outputs:
+      already_published: ${{ steps.npm_publish_state.outputs.already_published }}
+      dist_tag: ${{ steps.npm_publish_state.outputs.dist_tag }}
+      package_file: ${{ steps.pack.outputs.package_file }}
 
     steps:
       - name: Checkout
@@ -114,6 +117,42 @@ jobs:
           - Claude marketplace/plugin identifier: \`everything-claude-code@everything-claude-code\`
           EOF
 
+      - name: Pack npm artifact
+        id: pack
+        run: |
+          npm pack --json > npm-pack.json
+          PACKAGE_FILE=$(node -e "const fs = require('fs'); const data = JSON.parse(fs.readFileSync('npm-pack.json', 'utf8')); console.log(data[0].filename)")
+          echo "package_file=${PACKAGE_FILE}" >> "$GITHUB_OUTPUT"
+
+      - name: Upload release artifacts
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: ecc-release-artifacts
+          path: |
+            release_body.md
+            ${{ steps.pack.outputs.package_file }}
+          if-no-files-found: error
+
+  publish:
+    name: Publish Release
+    runs-on: ubuntu-latest
+    needs: verify
+    permissions:
+      contents: write
+      id-token: write
+
+    steps:
+      - name: Download release artifacts
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: ecc-release-artifacts
+
+      - name: Setup Node.js
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        with:
+          node-version: '20.x'
+          registry-url: 'https://registry.npmjs.org'
+
       - name: Create GitHub Release
         uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
         with:
@@ -124,7 +163,7 @@ jobs:
           make_latest: ${{ contains(inputs.tag, '-') && 'false' || 'true' }}
 
       - name: Publish npm package
-        if: steps.npm_publish_state.outputs.already_published != 'true'
+        if: needs.verify.outputs.already_published != 'true'
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-        run: npm publish --access public --provenance --tag "${{ steps.npm_publish_state.outputs.dist_tag }}"
+        run: npm publish "${{ needs.verify.outputs.package_file }}" --access public --provenance --tag "${{ needs.verify.outputs.dist_tag }}"