ci(release): automate release PRs and npm publishing (#35)

* ci(release): automate release PRs and npm publishing

* fix(audit): patch high severity dependency vulnerabilities

Author: fbosch

.github/workflows/release-please.yml

@@ -0,0 +1,70 @@
+name: Release Please
+
+on:
+  push:
+    branches:
+      - master
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+  issues: write
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  release-please:
+    name: Prepare Release
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    outputs:
+      release_created: ${{ steps.release.outputs.release_created }}
+      tag_name: ${{ steps.release.outputs.tag_name }}
+
+    steps:
+      - name: Run release-please
+        id: release
+        uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          config-file: release-please-config.json
+          manifest-file: .release-please-manifest.json
+
+  publish-npm:
+    name: Publish to npm
+    needs: release-please
+    if: ${{ needs.release-please.outputs.release_created == 'true' }}
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    permissions:
+      contents: read
+      id-token: write
+
+    steps:
+      - name: Checkout release tag
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ needs.release-please.outputs.tag_name }}
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          run_install: false
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          registry-url: https://registry.npmjs.org
+          cache: pnpm
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Publish package
+        run: pnpm publish --access public --no-git-checks --provenance
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

.release-please-manifest.json

@@ -0,0 +1,3 @@
+{
+	".": "0.5.10"
+}

package.json

@@ -99,7 +99,7 @@
 		"fast-glob": "^3.3.2",
 		"log-update": "^7.0.2",
 		"picocolors": "^1.1.1",
-		"picomatch": "^4.0.3",
+		"picomatch": "^4.0.4",
 		"zod": "^4.3.6"
 	},
 	"devDependencies": {
@@ -138,7 +138,10 @@
 	},
 	"pnpm": {
 		"overrides": {
-			"minimatch@>=10.0.0 <10.2.3": "10.2.4"
+			"defu@<=6.1.4": "6.1.5",
+			"lodash@>=4.0.0 <=4.17.23": "4.18.0",
+			"minimatch@>=10.0.0 <10.2.3": "10.2.4",
+			"picomatch@<2.3.2": "2.3.2"
 		}
 	}
 }

pnpm-lock.yaml

@@ -0,0 +1,10 @@
+{
+	"$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json",
+	"packages": {
+		".": {
+			"release-type": "node",
+			"include-component-in-tag": false,
+			"include-v-in-tag": true
+		}
+	}
+}