[🚀 Feature]: Consider Adopting NPM Trusted Publishing

[Cevan00]

Description

Overview

Recent supply chain attacks on npm have highlighted the need for stronger package publishing security. The September 2025 Shai-Hulud worm compromised 500+ packages through stolen maintainer tokens, showing the risks of token-based publishing.

Trusted publishing helps by eliminating long-lived tokens that can be stolen or accidentally exposed; generating automatic provenance provides cryptographic proof of where/how packages are built; and is an industry standard adopted by PyPI, RubyGems, crates.io, NuGet, etc...

NPM is planning to deprecate legacy tokens and make trusted publishing the preferred method.

If assistance is welcome, please let me know and I can assist and/or get
further assistance as needed.

Reference

References:

• NPM trusted publishing documentation
• Announcement blog post
• Provenance statements guide

Have you considered any alternatives or workarounds?

No response

[selenium-ci]

@Cevan00, thank you for creating this issue. We will troubleshoot it as soon as we can.

Selenium Triage Team: remember to follow the Triage Guide

[cgoldberg]

We should definitely do this for NPM and any other package repository we publish to.

I am going to work on something similar for Python soon: #16082

If assistance is welcome, please let me know and I can assist

@Cevan00
I don't know how familiar you are with our build system, but we basically build and publish everything with Bazel and GitHub Actions... so that is where the work will need to be done. The main ./README.md has some information about Bazel, and all the GHA workflows are under ./.github/workflows/

Feel free to stop by #selenium-tlc channel on Slack for assistance or questions:

• https://www.selenium.dev/support/#ChatRoom

[Cevan00]

Thanks for the quick reply! I will get started on this.