Releases are managed with Changesets and .github/workflows/release.yml.
Publishing only runs from main; pull requests never publish.
The release workflow is designed for npm Trusted Publishing with OIDC and npm
provenance. It does not require NPM_TOKEN when trusted publishing is
configured.
Configure the package on npmjs.com:
- Open the package settings for @api-wrappers/api-core.
- Add a GitHub Actions trusted publisher.
- Set the repository owner and repository name.
- Set the workflow filename to release.yml.
- Set the environment name to npm.
- After a successful trusted publish, set publishing access to require 2FA and disallow traditional tokens.
The workflow grants id-token: write, uses Node.js 24, verifies the npm CLI is
at least 11.5.1, and publishes with npm publish --provenance. GitHub
Actions are pinned to current release tags rather than deprecated major
versions. Dependabot is configured to keep workflow action pins current.
If trusted publishing is not available, use NPM_TOKEN as the repository secret
name and wire it to NODE_AUTH_TOKEN before publishing.
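A preflight check along the lines of what the workflow enforces, as an added example that is not the project's release.yml: it refuses to publish off main or with an npm CLI older than 11.5.1, then selects OIDC or the NODE_AUTH_TOKEN fallback. The function names version_ge and preflight are hypothetical; GITHUB_REF and the ACTIONS_ID_TOKEN_REQUEST_* variables are standard GitHub Actions runner variables.

```sh
#!/bin/sh
# Added example (not the project's release.yml): preflight gate for the publish step.
MIN_NPM="11.5.1"   # minimum npm CLI version stated on this page

# version_ge A B: status 0 if A >= B, 1 if A < B, 2 if a component is non-numeric.
# Pre-release/build suffixes ("-beta.1", "+sha") are dropped before comparing.
version_ge() {
  va=${1%%[-+]*}; vb=${2%%[-+]*}
  for n in 1 2 3; do                     # major, minor, patch
    x=${va%%.*}; y=${vb%%.*}
    case "${x:-0}${y:-0}" in *[!0-9]*) return 2 ;; esac
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
    case $va in *.*) va=${va#*.} ;; *) va=0 ;; esac
    case $vb in *.*) vb=${vb#*.} ;; *) vb=0 ;; esac
  done
  return 0
}

# preflight NPM_VERSION: prints "oidc" or "token" and returns 0 when it is safe
# to publish; otherwise explains on stderr and returns 1 (fails closed).
preflight() {
  if [ "${GITHUB_REF:-}" != "refs/heads/main" ]; then
    echo "refuse: publishing only runs from main (ref=${GITHUB_REF:-unset})" >&2
    return 1
  fi
  if ! version_ge "$1" "$MIN_NPM"; then
    echo "refuse: npm '$1' is not at least $MIN_NPM" >&2
    return 1
  fi
  # GitHub sets both variables only for jobs granted id-token: write.
  if [ -n "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ] &&
     [ -n "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]; then
    echo oidc; return 0
  fi
  # Fallback from the page: NPM_TOKEN secret wired to NODE_AUTH_TOKEN.
  if [ -n "${NODE_AUTH_TOKEN:-}" ]; then
    echo token; return 0
  fi
  echo "refuse: no OIDC token endpoint and no NODE_AUTH_TOKEN" >&2
  return 1
}

# Workflow-step usage: mode=$(preflight "$(npm --version)") || exit 1
```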
- Add a changeset for user-facing changes: bun run changeset
- Merge the change to main.
- The release workflow validates the package and opens a Changesets version PR.
- Review and merge the version PR.
- The next main run validates again, publishes to npm with provenance, and creates GitHub release notes.
Maintainers can manually run the release workflow with dry_run: true to verify
the install, validation, and package dry-run steps without publishing.
.github/workflows/ci.yml runs on pull requests, pushes to main, and manual
dispatch. It runs:
- non-mutating Biome check
- Bun test suite
- package build
- ESM and CommonJS smoke tests
- npm package dry-run
- dependency review on pull requests
Pushes to main also upload a short-lived .tgz package artifact for manual
inspection.