chore(deploy): migrating to leverage electron GHA to isolate CI/CD token scopes

[mmaietta]

Adding additional security to the repo with 2 new electron org actions that generate dynamic tokens as replacements for GITHUB_TOKEN and NPM_TOKEN setups

      # Auto-setup of NPM_TOKEN
      - name: Authenticate to npm registry
        uses: electron/npm-trusted-auth-action@v1
        with:
          package-name: 'electron-builder'

      - name: Generate GitHub App token
        uses: electron/[email protected]
        id: generate-token
        with:
          creds: ${{ secrets.creds_from_github_app }}

[changeset-bot]

⚠️ No Changeset found

Latest commit: 9e8590b

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	stat-mode@​1.0.0
	simple-update-notifier@​2.0.0
	sanitize-filename@​1.6.3
	sax@​1.4.1
	resedit@​1.7.0
	source-map-support@​0.5.21
	request@​2.88.2
	semver@​6.3.0 ⏵ 7.7.2	+1	+22	+1	+1

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		[email protected] is a Possible typosquat attack. Did you mean: [quarchived by ownery-ast](https://socket.dev/npm/package/archived by owner) From: pnpm-lock.yaml → npm/[email protected] → npm/[email protected] ℹ Read more on: This package | This alert | What is a typosquat? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Use care when consuming similarly named packages and ensure that you did not intend to consume a different package. Malicious packages often publish using similar names as existing popular packages. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		[email protected] has Obfuscated code. Confidence: 0.94 Location: Package overview From: pnpm-lock.yaml → npm/[email protected] → npm/[email protected] → npm/@changesets/[email protected] → npm/[email protected] ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		[email protected] is Deprecated. Reason: request has been deprecated, see https://github.com/request/request/issues/3142 From: pnpm-lock.yaml → npm/[email protected] ℹ Read more on: This package | This alert | What is a deprecated package? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		[email protected] is Deprecated. Reason: Rimraf versions prior to v4 are no longer supported From: pnpm-lock.yaml → npm/[email protected] ℹ Read more on: This package | This alert | What is a deprecated package? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[MarshallOfSound]

Pin to SHA

[MarshallOfSound]

Not 100% sure about package structure, is this really the only package that gets published here. I thought this was a monorepo that had a few packages in it?

[mmaietta]

Hmmm, I need a single token that is able to publish the monorepo topographically via pnpm publish -r. Is there a way to provide a single token for a list of package-names?

[MarshallOfSound]

Pin to SHA