increase security: have separate jobs for building tarballs and publishing them to npm

[NullVoxPopuli]

this is so we can avoid running install during the publish phase.

if there are infected dependencies, they don't get access to our npm token

jobs:
  # ...

  - name: pack
    # installs, no token access

  # ...

  - name: publish
    # no install, no dependencies, but has token access

[kategengler]

I don't believe the id-token to be used on install, but I will confirm. The examples all have install and publish in the same job.

[kategengler]

I don't believe this is an issue with OIDC. The tokens are short-lived per-package publish tokens that can only be requested by the CI job you authorize.

I cannot find exact documentation saying they are not used for install but in https://github.com/orgs/community/discussions/174507 you'll find complaints that id-token cannot be used for installing private packages as well as they cannot be used for updating dist-tags.

Environments can be used on the GitHub side to further lock down who can push through a deploy.

[mansona]

I think @kategengler is right on this one. OIDC means that you don't get a token until the actual publish stage, but even though this might be true splitting the pack and the publish stages are just going to be security theater since the "bad code" can still make it into the thing that we're packing up and shipping 🤷