feat: adopt trusted publishers (#378)

adopt https://docs.npmjs.com/trusted-publishers to publish releases
using Github Actions / OIDC auth.

Author: mnahkies

.github/workflows/publish-docs.yml

@@ -9,9 +9,6 @@ permissions:
 jobs:
   publish_docs:
     runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        node-version: [24.x]
 
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -21,12 +18,10 @@ jobs:
       - name: Install pnpm
         uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
 
-      - name: Use Node.js ${{ matrix.node-version }}
+      - name: Use Node.js
         uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
         with:
-          registry-url: "https://registry.npmjs.org"
-          node-version: ${{ matrix.node-version }}
-          cache: 'pnpm'
+          node-version-file: '.nvmrc'
 
       - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         id: nextjs-cache
@@ -37,7 +32,9 @@ jobs:
             ${{ runner.os }}-nextjs-${{ hashFiles('pnpm-lock.yaml') }}-
 
       - run: pnpm install --frozen-lockfile
+
       - run: pnpm ci-build
+
       - name: Publish documentation
         run: |
           git config user.name "github-actions[bot]"

.github/workflows/publish-npm.yml

@@ -0,0 +1,56 @@
+name: Publish NPM
+on:
+  push:
+    tags:
+      - v*
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  publish_npm:
+    runs-on: ubuntu-latest
+    environment: prod
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          fetch-depth: 0
+
+      - name: Install pnpm
+        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
+
+      - name: Use Node.js
+        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+        with:
+          node-version-file: '.nvmrc'
+
+      - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+        id: nextjs-cache
+        with:
+          path: packages/documentation/.next/cache
+          key: ${{ runner.os }}-nextjs-${{ hashFiles('pnpm-lock.yaml') }}-${{ hashFiles('**/*.js', '**/*.jsx', '**/*.ts', '**/*.tsx') }}
+          restore-keys: |
+            ${{ runner.os }}-nextjs-${{ hashFiles('pnpm-lock.yaml') }}-
+
+      - name: Validate tag matches package.json versions
+        run: |
+          TAG_VERSION="${{ github.ref_name }}"
+
+          node scripts/validate-package-version.mjs "${TAG_VERSION}"
+
+      - run: pnpm install --frozen-lockfile
+
+      - run: pnpm ci-build
+
+      - name: Publish packages
+        run: |
+          TAG_VERSION="${{ github.ref_name }}"
+
+          if [[ $TAG_VERSION == *"alpha"* ]]; then
+            NPM_DIST_TAG=alpha
+          else
+            NPM_DIST_TAG=latest
+          fi
+
+          pnpm publish -r --dry-run --tag $NPM_DIST_TAG

CONTRIBUTING.md

@@ -118,16 +118,16 @@ workplace's Github organisation.
 
 ## Publishing
 
-For now, publishing the package is a manual process. There are two scripts to
-assist:
+The package is published using Github Actions as a [trusted publisher](https://docs.npmjs.com/trusted-publishers).
 
-```shell
-# Publish a pre-release, eg: 0.0.2-alpha.107
-pnpm publish:alpha
-# Publish a release, eg: 0.0.1
-pnpm publish:release
-```
+The release process is as follows:
 
-These will build and test before asking for publish confirmation.
+1. Repository admin runs `pnpm publish:alpha` / `pnpm publish:release` against `main`
+   * bumps the package versions
+   * generates changelogs
+   * commits and tags
+2. When happy with the release commit / tags, push to `main`
+3. The [publish-npm](./.github/workflows/publish-npm.yml) action will be triggered by the version tag, build and publish the packages to npm.
+   * A repository admin will need to manually approve the workflow run.
 
 After publishing a release, manually create a release in Github.

biome.jsonc

@@ -1,5 +1,5 @@
 {
-  "$schema": "https://biomejs.dev/schemas/2.2.5/schema.json",
+  "$schema": "https://biomejs.dev/schemas/2.2.6/schema.json",
   "vcs": {
     "enabled": true,
     "clientKind": "git",
@@ -13,8 +13,8 @@
     }
   },
   "files": {
-    "maxSize": 10485760,
     // 10MB
+    "maxSize": 10485760,
     "includes": [
       "**",
       "!**/packages/openapi-code-generator/src/core/schemas/openapi-3.0-specification-validator.js",

e2e/package.json

@@ -21,7 +21,7 @@
     "@nahkies/typescript-koa-runtime": "workspace:*",
     "axios": "^1.12.2",
     "express": "^5.1.0",
-    "koa": "^3.0.1",
+    "koa": "^3.0.3",
     "zod": "^3.25.74"
   },
   "devDependencies": {

integration-tests/typescript-angular/package.json

@@ -12,23 +12,23 @@
   },
   "private": true,
   "dependencies": {
-    "@angular/animations": "^20.3.4",
-    "@angular/common": "^20.3.4",
-    "@angular/compiler": "^20.3.4",
-    "@angular/core": "^20.3.4",
-    "@angular/forms": "^20.3.4",
-    "@angular/platform-browser": "^20.3.4",
-    "@angular/platform-browser-dynamic": "^20.3.4",
-    "@angular/router": "^20.3.4",
+    "@angular/animations": "^20.3.6",
+    "@angular/common": "^20.3.6",
+    "@angular/compiler": "^20.3.6",
+    "@angular/core": "^20.3.6",
+    "@angular/forms": "^20.3.6",
+    "@angular/platform-browser": "^20.3.6",
+    "@angular/platform-browser-dynamic": "^20.3.6",
+    "@angular/router": "^20.3.6",
     "rxjs": "~7.8.2",
     "tslib": "^2.8.1",
     "zone.js": "~0.15.1"
   },
   "devDependencies": {
-    "@angular-devkit/build-angular": "^20.3.5",
-    "@angular/cli": "^20.3.5",
-    "@angular/compiler-cli": "^20.3.4",
-    "@types/jasmine": "~5.1.9",
+    "@angular-devkit/build-angular": "^20.3.6",
+    "@angular/cli": "^20.3.6",
+    "@angular/compiler-cli": "^20.3.6",
+    "@types/jasmine": "~5.1.12",
     "jasmine-core": "~5.12.0",
     "karma": "~6.4.4",
     "karma-chrome-launcher": "~3.2.0",

integration-tests/typescript-koa/package.json

@@ -13,7 +13,7 @@
     "@koa/router": "^14.0.0",
     "@nahkies/typescript-koa-runtime": "workspace:*",
     "joi": "^18.0.1",
-    "koa": "^3.0.1",
+    "koa": "^3.0.3",
     "tslib": "^2.8.1",
     "zod": "^3.25.74"
   },

package.json

@@ -39,9 +39,9 @@
     "prepare": "husky"
   },
   "devDependencies": {
-    "@biomejs/biome": "2.2.5",
+    "@biomejs/biome": "2.2.6",
     "@biomejs/js-api": "3.0.0",
-    "@biomejs/wasm-nodejs": "2.2.5",
+    "@biomejs/wasm-nodejs": "2.2.6",
     "@commander-js/extra-typings": "^14.0.0",
     "@jest/reporters": "^30.2.0",
     "@swc/core": "^1.13.5",
@@ -56,7 +56,7 @@
     "husky": "^9.1.7",
     "jest": "^30.2.0",
     "json5": "^2.2.3",
-    "lerna": "^8.2.3",
+    "lerna": "^9.0.0",
     "lint-staged": "^16.2.4",
     "prettier": "^3.6.2",
     "remark": "^15.0.1",

packages/documentation/package.json

@@ -46,7 +46,7 @@
     "@types/lodash": "^4.17.20",
     "@types/node": "22.16.5",
     "@types/react": "^19.2.2",
-    "@types/react-dom": "^19.2.1",
+    "@types/react-dom": "^19.2.2",
     "gh-pages": "^6.3.0",
     "null-loader": "^4.0.1",
     "tsx": "^4.20.6",

packages/openapi-code-generator/package.json

@@ -56,9 +56,9 @@
     "tsx": "^4.20.6"
   },
   "dependencies": {
-    "@biomejs/biome": "2.2.5",
+    "@biomejs/biome": "2.2.6",
     "@biomejs/js-api": "3.0.0",
-    "@biomejs/wasm-nodejs": "2.2.5",
+    "@biomejs/wasm-nodejs": "2.2.6",
     "@commander-js/extra-typings": "^14.0.0",
     "ajv": "^8.17.1",
     "ajv-draft-04": "^1.0.0",