ci: use OIDC

Author: Mercy811

.github/workflows/release.yml

@@ -3,20 +3,38 @@ name: Release
 on:
   workflow_dispatch:
     inputs:
-      dryRun:
-        description: 'Do a dry run to preview instead of a real release'
+      releaseType:
+        type: choice
+        description: Release type
         required: true
-        default: 'true'
+        default: dry-run
+        options:
+          - release
+          - dry-run
 
 jobs:
   authorize:
     name: Authorize
     runs-on: ubuntu-latest
     steps:
+      - name: Check branch protection
+        run: |
+          if [ "${{ github.event.inputs.releaseType }}" == "dry-run" ]; then
+            echo "✅ Branch check skipped: dry-run mode allows any branch"
+            echo "Current branch: ${{ github.ref_name }}"
+            exit 0
+          fi
+          if [ "${{ github.ref_name }}" != "v8.x" ]; then
+            echo "❌ This workflow can only be triggered from the v8.x branch."
+            echo "Current branch: ${{ github.ref_name }}"
+            exit 1
+          fi
+          echo "✅ Branch check passed: running from v8.x"
+
       - name: ${{ github.actor }} permission check to do a release
-        uses: "lannonbr/repo-permission-check-action@2.0.2"
+        uses: 'lannonbr/repo-permission-check-action@2.0.2'
         with:
-          permission: "write"
+          permission: 'write'
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
@@ -25,17 +43,22 @@ jobs:
     runs-on: ubuntu-latest
     needs: [authorize]
     permissions:
-      id-token: write
+      id-token: write # Required for OIDC
       contents: write
     env:
       GIT_AUTHOR_NAME: amplitude-sdk-bot
       GIT_AUTHOR_EMAIL: amplitude-sdk-bot@users.noreply.github.com
       GIT_COMMITTER_NAME: amplitude-sdk-bot
       GIT_COMMITTER_EMAIL: amplitude-sdk-bot@users.noreply.github.com
+    strategy:
+      matrix:
+        node-version: [24.x] # Ensure npm 11.5.1 or later is installed for OIDC
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v1
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
 
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v1
@@ -53,13 +76,14 @@ jobs:
         uses: actions/setup-python@v2
         with:
           python-version: '3.8.x'
+
       - name: Install boto3 for deploy_s3.python
         run: pip install boto3==1.14.63
 
       - name: Setup Node.js
         uses: actions/setup-node@v3
         with:
-          node-version: 16.x
+          node-version: ${{ matrix.node-version }}
 
       - name: Install dependencies
         run: yarn install --frozen-lockfile
@@ -68,17 +92,15 @@ jobs:
         run: make test
 
       - name: Release --dry-run # Uses release.config.js
-        if: ${{ github.event.inputs.dryRun == 'true'}}
+        if: ${{ github.event.inputs.releaseType == 'dry-run' }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
           S3_BUCKET_NAME: ${{ secrets.S3_BUCKET_NAME }}
         run: npx semantic-release --dry-run
 
       - name: Release # Uses release.config.js
-        if: ${{ github.event.inputs.dryRun == 'false'}}
+        if: ${{ github.event.inputs.releaseType == 'release' }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
           S3_BUCKET_NAME: ${{ secrets.S3_BUCKET_NAME }}
         run: npx semantic-release