Add CI auto-build

[paulmillr]

Add CI auto-build:

• Done in test/build directory using esbuild
• Whenever you create a new release in https://github.com/FiloSottile/typage/releases (takes 5 secs), it will auto-build age.js and upload it there
• No additional setup required

Lock CI action commits:

• Prevents supply chain attacks when git tag is replaced with another commit

Compared to 0.1.5, it's now 19x smaller:

• age-0.1.5.js: 1.46MB
  • minified: 963.3KB
  • minified + gzipped: 299.74KB
• age-noble.js: 77.73KB
  • minified: 38.5KB
  • minified + gzipped: 13.93KB

[FiloSottile]

Thank you! No need to lock the versions in the test Actions, they have

permissions:
  contents: read

and I set the default to read-only, too.

About the esbuild release artifact, can you help me understand what/how downstream users use it? The README has an example for creating a file that sets a global variable. This instead would be an ES module, right? It's for use as a <script type="module">?

[paulmillr]

The end-result would look like one in here: https://github.com/paulmillr/noble-curves/releases/tag/1.4.2

It has global variable "age".

Which means it would be for plain classic <script src="..."></script>, not script type module. But it could probably be used with modules as well.

[paulmillr]

I also usually do NPM publish using CI: publish-npm.yml

It will build the package and upload it to NPM, using transparency logs. This would require adding NPM_PUBLISH_TOKEN to the repository.

It allows to keep one less token which can be stolen from my machine.

[FiloSottile]

Thank you! I went for something similar (I do this a lot) based on your PR. Main differences are using two build stages to drop privileges in the one that runs esbuild (and to always upload an artifact for debugging and to notice breakages even if it's not a release), and avoiding the separate package.json.

Opening an issue for NPM publishing, I would definitely like not to have this bearer token sitting around.