chore: use npm trusted publishing (#8675)

**Motivation**

Use more secure way publish a release.

**Description**

- Use `npm` [trusted
publishing](https://docs.npmjs.com/trusted-publishers)

---------

Co-authored-by: Matthew Keil <me@matthewkeil.com>

.github/workflows/publish-dev.yml

@@ -5,9 +5,12 @@ concurrency:
   group: cd-publish-dev
 
 on:
-  push:
-    branches:
-      - unstable
+  workflow_call:
+
+permissions:
+  contents: write # Required for OIDC
+  id-token: write # Required to create a Github release
+  pull-requests: write # Required to add tags to pull requests
 
 jobs:
   npm:
@@ -15,7 +18,7 @@ jobs:
     runs-on: buildjet-4vcpu-ubuntu-2204
     steps:
       # <common-build> - Uses YAML anchors in the future
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
       - uses: actions/setup-node@v4
@@ -57,7 +60,7 @@ jobs:
         # This "temp" commit doesn't change the actually release commit which is captured above.
         # git-data is also correct, since it's generated at build time, before `lerna version` run.
         run: |
-          node_modules/.bin/lerna version ${{ steps.version.outputs.version }} \
+          yarn lerna version ${{ steps.version.outputs.version }} \
           --force-publish \
           --exact \
           --yes \
@@ -92,15 +95,13 @@ jobs:
         #
         # NOTE: Using --preid dev.$(git rev-parse --short=7 HEAD) results in `0.24.3-dev.3ddb91d.0+3ddb91d`
         run: |
-          node_modules/.bin/lerna publish from-package \
+          yarn lerna publish from-package \
           --yes \
           --no-verify-access \
           --dist-tag next \
           --no-git-reset \
           --force-publish \
           --exact
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
     outputs:
       version: ${{ steps.version.outputs.version }}
 

.github/workflows/publish-nextfork.yml

@@ -5,9 +5,12 @@ concurrency:
   group: cd-publish-nextfork
 
 on:
-  push:
-    branches:
-      - peerDAS # Nextfork branch
+  workflow_call:
+
+permissions:
+  contents: write # Required for OIDC
+  id-token: write # Required to create a Github release
+  pull-requests: write # Required to add tags to pull requests
 
 env:
   NEXT_FORK: peerDAS
@@ -18,7 +21,7 @@ jobs:
     runs-on: buildjet-4vcpu-ubuntu-2204
     steps:
       # <common-build> - Uses YAML anchors in the future
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
       - uses: actions/setup-node@v4
@@ -60,7 +63,7 @@ jobs:
         # This "temp" commit doesn't change the actually release commit which is captured above.
         # git-data is also correct, since it's generated at build time, before `lerna version` run.
         run: |
-          node_modules/.bin/lerna version ${{ steps.version.outputs.version }} \
+          yarn lerna version ${{ steps.version.outputs.version }} \
           --force-publish \
           --exact \
           --yes \
@@ -95,15 +98,13 @@ jobs:
         #
         # NOTE: Using --preid dev.$(git rev-parse --short=7 HEAD) results in `0.24.3-dev.3ddb91d.0+3ddb91d`
         run: |
-          node_modules/.bin/lerna publish from-package \
+          yarn lerna publish from-package \
           --yes \
           --no-verify-access \
           --dist-tag next \
           --no-git-reset \
           --force-publish \
           --exact
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
     outputs:
       version: ${{ steps.version.outputs.version }}
 

.github/workflows/publish-rc.yml

@@ -5,9 +5,12 @@ concurrency: cd-publish-rc
 
 # See for rationale https://github.com/ChainSafe/lodestar/blob/unstable/RELEASE.md
 on:
-  push:
-    tags:
-      - v*
+  workflow_call:
+
+permissions:
+  contents: write # Required for OIDC
+  id-token: write # Required to create a Github release
+  pull-requests: write # Required to add tags to pull requests
 
 jobs:
   tag:
@@ -55,7 +58,7 @@ jobs:
     needs: [tag, binaries]
     if: needs.tag.outputs.is_rc == 'true'
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0 # Needs full depth for changelog generation
 
@@ -67,7 +70,7 @@ jobs:
         run: node scripts/generate_changelog.mjs ${{ needs.tag.outputs.prev_tag }} ${{ needs.tag.outputs.tag }} CHANGELOG.md
 
       - name: Get binaries
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v5
         with:
           path: dist/
           merge-multiple: true
@@ -91,7 +94,7 @@ jobs:
         # This "temp" commit doesn't change the actually release commit which is captured above.
         # git-data is also correct, since it's generated at build time, before `lerna version` run.
         run: |
-          node_modules/.bin/lerna version ${{ needs.tag.outputs.version }} \
+          yarn lerna version ${{ needs.tag.outputs.version }} \
           --force-publish \
           --exact \
           --yes \
@@ -101,15 +104,8 @@ jobs:
           git config user.email 'temp@github.com'
           git commit -am "${{ needs.tag.outputs.version }}"
 
-      # From https://github.com/lerna/lerna/issues/2404
-      - run: echo //registry.npmjs.org/:_authToken=${NPM_TOKEN} > .npmrc
-        env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-
       - name: Publish to npm registry
         run: yarn run release:publish --dist-tag rc
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
       # In case of failure
       - name: Rollback on failure

.github/workflows/publish-stable.yml

@@ -5,9 +5,12 @@ concurrency: cd-publish-stable
 
 # See for rationale https://github.com/ChainSafe/lodestar/blob/unstable/RELEASE.md
 on:
-  push:
-    tags:
-      - v*
+  workflow_call:
+
+permissions:
+  contents: write # Required for OIDC
+  id-token: write # Required to create a Github release
+  pull-requests: write # Required to add tags to pull requests
 
 jobs:
   tag:
@@ -15,7 +18,7 @@ jobs:
     runs-on: buildjet-4vcpu-ubuntu-2204
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
@@ -91,15 +94,8 @@ jobs:
           name: Release ${{ needs.tag.outputs.tag }}
           prerelease: false
 
-      # From https://github.com/lerna/lerna/issues/2404
-      - run: echo //registry.npmjs.org/:_authToken=${NPM_TOKEN} > .npmrc
-        env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-
       - name: Publish to npm registry (release)
         run: yarn run release:publish
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
       # In case of failure
       - name: Rollback on failure

.github/workflows/publish.yml

@@ -0,0 +1,50 @@
+name: Publish
+
+# only one can run at a time
+concurrency: cd-publish
+
+on:
+  push:
+    tags:
+      - v*
+    branches:
+      # - peerDAS # Nextfork branch
+      - unstable
+
+permissions:
+  contents: write # Required for OIDC
+  id-token: write # Required to create a Github release
+  pull-requests: write # Required to add tags to pull requests
+
+jobs:
+  call-publish-workflow:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Call publish-stable.yml
+        if: |
+          startsWith(github.ref, 'refs/tags/v') && (
+            !contains(github.ref_name, '-rc') && 
+            !contains(github.ref_name, '-beta') &&
+            !contains(github.ref_name, '-alpha')
+          )
+        uses: ./.github/workflows/publish-stable.yml
+
+      - name: Call publish-rc.yml
+        if: |
+          startsWith(github.ref, 'refs/tags/v') && (
+            contains(github.ref_name, '-rc') ||
+            contains(github.ref_name, '-beta') ||
+            contains(github.ref_name, '-alpha')
+          )
+        uses: ./.github/workflows/publish-rc.yml
+
+#      - name: Call publish-nextfork.yml
+#        if: github.ref == 'refs/heads/peerDAS'
+#        uses: ./.github/workflows/publish-next-fork.yml
+
+      - name: Call publish-dev.yml
+        if: github.ref == 'refs/heads/unstable'
+        uses: ./.github/workflows/publish-dev.yml

lerna.json

@@ -3,7 +3,6 @@
     "packages/*"
   ],
   "npmClient": "yarn",
-  "useNx": true,
   "version": "1.37.0",
   "stream": true,
   "command": {
@@ -11,5 +10,6 @@
       "message": "chore(release): %s"
     }
   },
-  "$schema": "node_modules/lerna/schemas/lerna-schema.json"
+  "useWorkspaces": true,
+  "$schema": "node_modules/@lerna-lite/cli/schemas/lerna-schema.json"
 }

package.json

@@ -45,6 +45,10 @@
     "@biomejs/biome": "^2.2.0",
     "@chainsafe/benchmark": "^1.2.3",
     "@chainsafe/biomejs-config": "^1.0.0",
+    "@lerna-lite/cli": "^4.9.4",
+    "@lerna-lite/publish": "^4.9.4",
+    "@lerna-lite/run": "^4.9.4",
+    "@lerna-lite/version": "^4.9.4",
     "@types/node": "^24.10.1",
     "@types/react": "^19.1.12",
     "@vitest/browser": "^4.0.7",
@@ -56,7 +60,6 @@
     "electron": "^26.2.2",
     "https-browserify": "^1.0.0",
     "jsdom": "^23.0.1",
-    "lerna": "^7.3.0",
     "libp2p": "2.9.0",
     "node-gyp": "^9.4.0",
     "npm-run-all": "^4.1.5",

tsconfig.build.json

@@ -40,5 +40,13 @@
       "../../node_modules/@types",
       "../../types", 
     ],
+
+    // TODO: This is a workaround to fix the error came after adding `@lerna-lite/version`
+    // Need to be cleared and cleaned this config later 
+    // 
+    // @lodestar/params: error TS2688: Cannot find type definition file for 'parse-path'.
+    // @lodestar/params:   The file is in the program because:
+    // @lodestar/params:     Entry point for implicit type library 'parse-path'
+    "types": ["node", "bun", "snappyjs", "mitt", "vitest"],
   }
 }