FiloSottile / typage

A TypeScript implementation of the age file encryption format, based on libsodium.
BSD 3-Clause "New" or "Revised" License

NPM publish using CI #22

Open FiloSottile opened 1 month ago

FiloSottile commented 1 month ago

I also usually do NPM publish using CI: publish-npm.yml

It will build the package and upload it to NPM, using transparency logs. This would require adding NPM_PUBLISH_TOKEN to the repository.

It allows keeping one fewer token that could be stolen from my machine.

Originally posted by @paulmillr in https://github.com/FiloSottile/typage/issues/21#issuecomment-2243071291

paulmillr commented 1 month ago

I see you're trying to do this in two steps, to limit malware, which can be uploaded by esbuild.

If the esbuild version is locked, and all devDependencies are also locked (change from ^1.2.3 to 1.2.3), then the damage they can do is minimized. Their code is basically time-tested, and there won't be a situation where a malwared update does something bad, because you won't be doing regular updates. If you do this, committing the lockfile (which contains checksums) to the repo makes sense.

Also, NPM has granular tokens, which can be created per-package.
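A CI publish workflow of the kind the two comments above describe, as an added example (it is not the project's actual publish-npm.yml): it assumes the package builds with `npm run build` and that a granular, publish-only npm token is stored as the `NPM_PUBLISH_TOKEN` repository secret.

```yaml
# Hypothetical publish-npm.yml (added example, not the typage project's file).
name: Publish to npm

on:
  release:
    types: [published]   # publish only when a GitHub release is created

permissions:
  contents: read
  id-token: write        # lets npm obtain an OIDC token for --provenance

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          # writes an .npmrc that reads the token from NODE_AUTH_TOKEN
          registry-url: https://registry.npmjs.org

      # npm ci installs exactly what package-lock.json records and fails on a
      # mismatch, so the pinned devDependencies and lockfile checksums
      # discussed above are enforced at publish time.
      - run: npm ci

      - run: npm run build

      # --provenance attaches an attestation signed through Sigstore and
      # recorded in its public transparency log; npm ties it to this
      # workflow's identity rather than to whoever holds the token.
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
```

The secret is only a hypothetical name; with this layout the token never has to exist on a developer machine, and the provenance attestation can be checked by consumers with `npm audit signatures`.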

fyears commented 1 month ago

Hi, I notice the main branch has switched to the noble pure JS implementation, and the README has been updated.

But may I ask when (in plan) the new version would be released?

Thanks!