Api-Wrappers
diff --git a/‎.github/RELEASE.md‎
Lines changed: 54 additions & 0 deletions b/‎.github/RELEASE.md‎
Lines changed: 54 additions & 0 deletions
diff --git a/‎.github/dependabot.yml‎
Lines changed: 14 additions & 0 deletions b/‎.github/dependabot.yml‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 87 additions & 0 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 87 additions & 0 deletions
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 99 additions & 0 deletions b/‎.github/workflows/release.yml‎
Lines changed: 99 additions & 0 deletions
@@ -0,0 +1,54 @@
+# Release Workflow
+
+Releases are published by `.github/workflows/release.yml` when a semver tag is
+pushed, for example `v1.2.3`.
+
+## npm Trusted Publishing
+
+The release workflow is designed for npm Trusted Publishing with OIDC. It does
+not use `NPM_TOKEN`.
+
+Configure the package on npmjs.com:
+
+1. Open the package settings for `@api-wrappers/api-core`.
+2. Add a GitHub Actions trusted publisher.
+3. Set the repository owner and repository name.
+4. Set the workflow filename to `release.yml`.
+5. Set the environment name to `npm`.
+6. After a successful trusted publish, set publishing access to require 2FA and
+   disallow traditional tokens.
+
+The workflow grants `id-token: write`, uses Node.js 24, and verifies the npm CLI
+is at least `11.5.1`, matching npm's trusted publishing requirements.
+GitHub Actions are pinned to current release tags rather than deprecated major
+versions. Dependabot is configured to keep workflow action pins current.
+
+## Release Steps
+
+1. Update `package.json` version.
+2. Commit the version change.
+3. Create and push a matching tag:
+
+```bash
+git tag v1.2.3
+git push origin v1.2.3
+```
+
+The workflow checks that `package.json` version matches the tag without the
+leading `v`, runs lint/tests/build, verifies package contents, publishes to npm,
+and creates a GitHub release with generated notes.
+
+## CI Workflow
+
+`.github/workflows/ci.yml` runs on pull requests, pushes to `main`, and manual
+dispatch. It runs:
+
+- non-mutating Biome check
+- Bun test suite
+- package build
+- ESM and CommonJS smoke tests
+- npm package dry-run
+- dependency review on pull requests
+
+Pushes to `main` also upload a short-lived `.tgz` package artifact for manual
+inspection.
@@ -0,0 +1,14 @@
+version: 2
+
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "08:00"
+      timezone: "UTC"
+    groups:
+      github-actions:
+        patterns:
+          - "*"
@@ -0,0 +1,87 @@
+name: CI
+
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ci-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    name: Check, test, build, and pack
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6.0.0
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2.0.2
+        with:
+          bun-version: latest
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6.3.0
+        with:
+          node-version: 24
+          package-manager-cache: false
+
+      - name: Install dependencies
+        run: bun install --frozen-lockfile
+
+      - name: Check formatting and lint
+        run: bun run check:ci
+
+      - name: Run tests
+        run: bun test
+
+      - name: Build package
+        run: bun run build
+
+      - name: Smoke test built entrypoints
+        run: |
+          node --input-type=module -e "const m = await import('./dist/index.mjs'); if (typeof m.createClient !== 'function') throw new Error('missing ESM createClient')"
+          node -e "const m = require('./dist/index.cjs'); if (typeof m.createClient !== 'function') throw new Error('missing CJS createClient')"
+
+      - name: Verify package contents
+        run: npm pack --dry-run --json
+
+      - name: Pack artifact
+        if: github.event_name != 'pull_request'
+        run: npm pack --json
+
+      - name: Upload package artifact
+        if: github.event_name != 'pull_request'
+        uses: actions/upload-artifact@v7.0.1
+        with:
+          name: npm-package
+          path: "*.tgz"
+          if-no-files-found: error
+          retention-days: 7
+
+  dependency-review:
+    name: Dependency review
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    if: github.event_name == 'pull_request'
+    permissions:
+      contents: read
+      pull-requests: read
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6.0.0
+
+      - name: Review dependency changes
+        uses: actions/dependency-review-action@v4.9.0
@@ -0,0 +1,99 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - "v*.*.*"
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "Existing semver tag to release, for example v1.2.3"
+        required: true
+        type: string
+
+permissions:
+  contents: read
+
+concurrency:
+  group: release-${{ github.ref_name }}
+  cancel-in-progress: false
+
+jobs:
+  publish:
+    name: Publish to npm and create GitHub release
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    environment: npm
+    permissions:
+      contents: write
+      id-token: write
+
+    steps:
+      - name: Checkout tag
+        uses: actions/checkout@v6.0.0
+        with:
+          ref: ${{ github.event.inputs.tag || github.ref }}
+          fetch-depth: 0
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2.0.2
+        with:
+          bun-version: latest
+
+      - name: Setup Node.js for npm trusted publishing
+        uses: actions/setup-node@v6.3.0
+        with:
+          node-version: 24
+          registry-url: "https://registry.npmjs.org"
+          package-manager-cache: false
+
+      - name: Verify npm trusted publishing requirements
+        run: |
+          node --version
+          npm --version
+          node -e "const [major, minor] = process.versions.node.split('.').map(Number); if (major < 22 || (major === 22 && minor < 14)) throw new Error('npm trusted publishing requires Node 22.14.0 or newer')"
+          npm --version | node -e "let v=''; process.stdin.on('data', d => v += d); process.stdin.on('end', () => { const [major, minor, patch] = v.trim().split('.').map(Number); if (major < 11 || (major === 11 && (minor < 5 || (minor === 5 && patch < 1)))) throw new Error('npm trusted publishing requires npm 11.5.1 or newer'); })"
+
+      - name: Install dependencies
+        run: bun install --frozen-lockfile
+
+      - name: Check formatting and lint
+        run: bun run check:ci
+
+      - name: Run tests
+        run: bun test
+
+      - name: Build package
+        run: bun run build
+
+      - name: Verify tag matches package version
+        run: |
+          TAG="${GITHUB_REF_NAME}"
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            TAG="${{ github.event.inputs.tag }}"
+          fi
+          VERSION="$(node -p "require('./package.json').version")"
+          if [ "${TAG#v}" != "$VERSION" ]; then
+            echo "Tag $TAG does not match package.json version $VERSION" >&2
+            exit 1
+          fi
+
+      - name: Verify package contents
+        run: npm pack --dry-run --json
+
+      - name: Publish to npm
+        run: npm publish --access public
+
+      - name: Create GitHub release
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          TAG="${GITHUB_REF_NAME}"
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            TAG="${{ github.event.inputs.tag }}"
+          fi
+          if gh release view "$TAG" >/dev/null 2>&1; then
+            echo "GitHub release $TAG already exists"
+          else
+            gh release create "$TAG" --verify-tag --generate-notes
+          fi