chore: Port the v5 publish workflow to main

[csandman]

Summary

Brings main to parity with v5's publishing setup from #405, adapted for the post-stable release flow on this branch. Three commits:

1. docs: fill out SECURITY.md — replaces the GitHub-templated stub with a real policy: support matrix tied to the @chakra-ui/react major peer (v5/v6 supported, v4 and earlier not), private reporting via GitHub Security Advisories, out-of-scope pointers to react-select / Chakra UI.
2. Downgrade codemod types/node — incidental: aligns the dev type to the locally installed Node version.
3. chore: Port the v5 publish workflow to main — the main event.

Publish workflow (.github/workflows/publish.yml)

Three-job test → build → publish flow scaffolded from @e18e/setup-publish per the e18e publishing guide, copied verbatim from v5 with two adjustments:

• Conditional dist-tag: v5 hardcoded --tag chakra2. On main, stable releases publish to latest; GitHub-flagged prereleases publish to next:

  - name: Publish to npm
    env:
      PRERELEASE: ${{ github.event.release.prerelease }}
    run: |
      if [ "$PRERELEASE" = "true" ]; then
        npm publish --provenance --access public --tag next "$TARBALL"
      else
        npm publish --provenance --access public "$TARBALL"
      fi

  Uses an env: indirection to avoid the template-injection class that zizmor flags.
• pnpm test added to the test job: v5 omitted it because the test suite didn't exist there at the time of chore: Adopt e18e publishing practices (OIDC trusted publishing + provenance) (v5) #405. On main (PR Add an integration test suite #412) it does, and dropping that gate when migrating from prepublishOnly to CI would be a regression.

Security baseline (per e18e hardening):

• Top-level permissions: {}; each job opts in minimally (contents: read on test/build, id-token: write only on publish).
• All actions pinned to full-length commit SHAs (matching what lint.yml / pkg-pr.yml already use).
• persist-credentials: false on every checkout.
• pnpm install --frozen-lockfile --ignore-scripts in every job.
• Node 24 throughout (required for OIDC trusted publishing).
• Build job isolated from credentials; only publish has id-token: write. The publish job is scoped to environment: publish for an approval gate.

Departure from v5: drop .npmrc ignore-scripts=true

v5 ships .npmrc with ignore-scripts=true per the e18e tip. This PR removes it on main, because the protection it provides is now covered better by pnpm's allowBuilds whitelist (only esbuild is permitted to run install scripts). The publish workflow still passes --ignore-scripts to pnpm install explicitly, which is the load-bearing protection for the high-stakes publish path.

Removing the blanket setting lets husky's prepare script run automatically on fresh clones — no more pnpm prepare rake.

Updates that fall out:

• CONTRIBUTING.md: replaces the pnpm prepare note with one pointing at allowBuilds as the dep-script gate.
• .vscode/settings.json: drops the now-obsolete .npmrc → ini file association.

package.json script cleanup

Two scripts are obsolete under CI-driven publishing (per #405's rationale):

• prepublishOnly: "pnpm build && pnpm lint && pnpm test" — CI publishes from a pre-built tarball, which doesn't run local lifecycle scripts. The equivalent gating now lives in the publish workflow's test job (with pnpm test added — see above).
• postpublish: "git push --follow-tags" — CI shouldn't push tags. The intended flow is pnpm version locally → git push --follow-tags → create GitHub release → workflow fires.

Pre-flight checklist (manual setup outside the repo)

These must be in place before the first publish from main, or the workflow will fail at the publish step:

• GitHub Environment publish — add main to allowed-branches alongside v5 (Settings → Environments → publish). Per e18e guidance, hardcode exact branch names; do not use patterns.
• npm Trusted Publisher — verify the entry for publish.yml + environment publish at https://www.npmjs.com/package/chakra-react-select/access. Per-workflow/environment binding should already cover main; check that the entry exists.
• Tag protection ruleset for v* — already in place from v5 setup.
• npm "Require 2FA and disallow tokens" — flip on if not yet enabled, after the first successful trusted-publish run from either branch.

Release flow after merge

1. pnpm version <patch|minor|major> on main → git push --follow-tags origin main.
2. Releases → Draft a new release → pick the new tag → Generate release notes → Publish release.
3. The workflow fires. You'll get a GitHub notification to approve the publish environment deployment.
4. Approve (this is the 2FA gate). Publish runs; ~30s.
5. Verify: npm dist-tag ls chakra-react-select shows latest updated; chakra2 and next unchanged. npm view chakra-react-select@<version> --json shows dist.attestations populated.

Test plan

• CI on this PR: lint, test (Node 20 & 24), pkg-pr, zizmor, package-size-report all green.
• zizmor is the key check — it lints the new publish.yml for template injection, excessive permissions, unpinned actions. Any flags here should be fixed before merge.
• The publish workflow itself does not run on this PR — it triggers only on release: published. Expected.
• After merge + pre-flight checklist: cut a low-stakes patch release and walk through the release flow above.

🤖 Generated with Claude Code

[bolt-new-by-stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[pkg-pr-new]

• chakra-react-select-demo

  npm i https://pkg.pr.new/chakra-react-select@413
  

commit: 7fbcaca

[github-actions]

📊 Package size report   -0.07%↓

File	Before	After
package.json	2.8 kB	-3.79%↓2.7 kB
Total (Includes all files)	152.8 kB	-0.07%↓152.7 kB
Tarball size	30.1 kB	-0.12%↓30.0 kB

Unchanged files

File	Size
dist/index.d.mts	20.1 kB
dist/index.d.ts	20.1 kB
dist/index.js	31.1 kB
dist/index.mjs	29.5 kB
LICENSE.md	1.1 kB
README.md	48.1 kB

_{🤖 This report was automatically generated by pkg-size-action}