|
1 | 1 | # Releasing |
2 | 2 |
|
3 | | -This repo publishes an npm package: `codebase-context`. |
| 3 | +This repo publishes `codebase-context` to npm. |
4 | 4 |
|
5 | | -We use a clean OSS-style flow: |
| 5 | +## How it works |
6 | 6 |
|
7 | | -- PRs merge into `master` (nothing publishes on merge) |
8 | | -- A release is created by a dedicated **Release PR** opened/updated automatically |
9 | | -- When the Release PR is merged, CI creates a git tag like `v1.2.3` |
10 | | -- When a release tag is created, CI publishes to npm automatically |
| 7 | +- Merge PRs to `master` with conventional commit messages (`feat:`, `fix:`, etc.) |
| 8 | +- Release Please bot opens/updates a release PR automatically |
| 9 | +- When you merge the release PR, it publishes to npm with provenance |
11 | 10 |
|
12 | | -## One-time setup (maintainers) |
| 11 | +## Setup (one-time) |
13 | 12 |
|
14 | | -1. Add a repository secret: `NPM_TOKEN` |
15 | | - - Create an npm access token with publish rights for `codebase-context` |
16 | | - - Add it in GitHub: Settings > Secrets and variables > Actions > New repository secret |
17 | | - - If your npm tokens expire (for example after 90 days), rotate the token and update this secret before it expires |
| 13 | +**1. Configure npm Trusted Publisher:** |
| 14 | +- Go to https://www.npmjs.com/package/codebase-context/access |
| 15 | +- Add GitHub Actions trusted publisher: |
| 16 | + - Organization: `PatrickSys` |
| 17 | + - Repository: `codebase-context` |
| 18 | + - Workflow: `release-please.yml` |
| 19 | + - Environment: (leave empty) |
18 | 20 |
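Review bot: The rewritten setup drops the `NPM_TOKEN` instructions but never tells maintainers to revoke the existing npm access token and delete the repository secret, so the long-lived publish credential stays valid next to OIDC. Add that as an explicit step once the trusted publisher is configured. Separately, `Environment: (leave empty)` means any run of `release-please.yml` can request publish rights; consider binding a GitHub environment with required reviewers and naming it here.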
|
19 | | -2. (Recommended) Protect `master` |
20 | | - - Require PRs (no direct pushes) |
21 | | - - Require the `Tests` workflow to pass |
| 21 | +That's it! No tokens, no rotation, just OIDC. |
22 | 22 |
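Review bot: The removed "(Recommended) Protect `master`" step is not replaced anywhere in the new text, yet under this flow merging the release PR is the only gate before an npm publish. Keep the recommendation (require PRs, require the `Tests` workflow to pass) in the setup section, since with the token gone branch protection is the main control over who can ship.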
|
23 | | -3. Allow Release Please to open PRs |
24 | | - - GitHub: Settings > Actions > General |
25 | | - - Set Workflow permissions to "Read and write" |
26 | | - - Enable "Allow GitHub Actions to create and approve pull requests" |
| 23 | +**2. Allow Release Please to work:** |
| 24 | +- GitHub Settings > Actions > General |
| 25 | +- Enable "Read and write permissions" |
| 26 | +- Enable "Allow GitHub Actions to create and approve pull requests" |
27 | 27 |
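Review bot: `Enable "Read and write permissions"` (new line 25) raises the default `GITHUB_TOKEN` scope for every workflow in the repository, not only Release Please. Prefer leaving the repository default read-only, declaring `contents: write` and `pull-requests: write` in `release-please.yml`, and documenting that here; the "Allow GitHub Actions to create and approve pull requests" toggle is still needed.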
|
28 | | -## Normal release flow |
| 28 | +## Releasing |
29 | 29 |
|
30 | | -1. Merge changes into `master` via PRs. |
31 | | - - Recommended: use **Squash and merge** so the PR title becomes the commit message. |
32 | | - - Release automation relies on Conventional-Commits style messages like `feat: ...` / `fix: ...`. |
| 30 | +1. Merge PRs to master |
| 31 | +2. Wait for release PR to appear |
| 32 | +3. Merge the release PR |
| 33 | +4. Done - package is published with provenance |
33 | 34 |
|
34 | | -2. Wait for the bot PR named like `release-please--branches--master`. |
35 | | - - It bumps `package.json` and updates `CHANGELOG.md` |
36 | | - - If it already exists, it gets updated automatically as new PRs merge |
| 35 | +## Verify |
37 | 36 |
|
38 | | -3. When you're ready to ship, merge the Release PR. |
39 | | - - This creates a git tag `vX.Y.Z` and a GitHub Release |
40 | | - - The `Release Please` workflow publishes to npm as part of the same run |
| 37 | +```bash |
| 38 | +npm view codebase-context@X.Y.Z |
| 39 | +npm view codebase-context@X.Y.Z --json | jq .dist.attestations |
| 40 | +``` |
41 | 41 |
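Review bot: The second command under Verify only prints the `dist.attestations` metadata from the registry, which shows that an attestation was recorded, not that it verifies. Add `npm audit signatures`, run in a project that has the package installed, as the actual verification step. The rewrite also drops the note that merging the release PR creates a `vX.Y.Z` tag and a GitHub Release, which is worth keeping so maintainers know what to expect after the merge.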
|
42 | | -## Notes |
| 42 | +## Troubleshooting |
43 | 43 |
|
44 | | -- If a version is already published on npm, CI skips the publish step (useful when seeding historical tags). |
| 44 | +If publish fails, check: |
| 45 | +- Node 24+ in workflow (required for npm Trusted Publishers) |
| 46 | +- `id-token: write` permission in workflow |
| 47 | +- `registry-url` is set in setup-node |
| 48 | +- Trusted publisher config matches exactly on npmjs.com |
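Review bot: "Node 24+ in workflow" states the requirement as a Node version, but trusted publishing is a feature of the npm CLI (11.5.1 or later per npm's documentation), so say which npm version is needed and how the workflow gets it. The removed note about CI skipping the publish step when a version is already on npm is dropped without replacement; if the workflow still behaves that way keep the sentence, and if not, say what happens on a re-run.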