Every merge to main should already be releasable.
GitHub Actions owns npm publishing and GitHub release notes. The pipeline runs the repo's Vite+ commands before publishing:
- vp install
- vp run verify
- semantic-release
The workflow uses .releaserc.json as the release source of truth.
Release jobs declare the protected GitHub Environment named release.
Environment entries:
- secrets: PUTIO_RELEASE_BOT_PRIVATE_KEY
- variables: PUTIO_RELEASE_BOT_CLIENT_ID
- approval: none; releases are continuous after the main gate passes
- refs: release branch/tag policy constrains what can publish
- deployment records: disabled with deployment: false, because this is package publishing, not an app deploy
GitHub writes made during a release use putio-release-bot: version sync commits, v* tags, GitHub Releases, and release notes.
The npm package uses Trusted Publishing from GitHub Actions. On npm, configure owner putdotio, repository putio-sockjs, workflow ci.yml, and Environment named release for the package.
During the @semantic-release/npm publish step, npm detects the GitHub OIDC identity, mints short-lived publish credentials, and publishes provenance for the release job.
The workflow keeps dependency caches only on the secretless verify job. The secret-bearing release job runs a fresh vp install with package-manager caching disabled before publishing to npm.
The release-bot remote is configured only after dependencies are installed.
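The guardrails above (secretless cached verify job, cache-free release job in the release Environment, remote configured only after install) can be checked mechanically. The following lint is an added example, not code from this repository; the job names verify and release, the "git remote" marker, the RELEASE_BOT_REMOTE variable and the sample workflow are assumptions made for illustration.

```python
# Added example: lint a parsed workflow against the guardrails described above.
# Job names, step contents and the "git remote" marker are assumptions; the
# project's real ci.yml is not shown on this page.

def _uses_cache(step):
    # Explicit cache action, or a setup action's `cache` input being set.
    uses = str(step.get("uses", ""))
    return uses.startswith("actions/cache") or bool((step.get("with") or {}).get("cache"))

def _first(steps, needle):
    # Index of the first step whose run script contains `needle`, else None.
    return next((i for i, s in enumerate(steps) if needle in str(s.get("run", ""))), None)

def check_release_workflow(workflow):
    """Return guardrail violations; an empty list means compliant."""
    problems = []
    jobs = workflow.get("jobs", {})
    verify, release = jobs.get("verify", {}), jobs.get("release", {})
    # The cached verify job must stay secretless.
    if any("secrets." in str(s) for s in verify.get("steps", [])):
        problems.append("verify job references secrets")
    env = release.get("environment")
    if (env.get("name") if isinstance(env, dict) else env) != "release":
        problems.append("release job does not declare Environment 'release'")
    # npm Trusted Publishing exchanges the job's OIDC token, which needs this permission.
    if (release.get("permissions") or {}).get("id-token") != "write":
        problems.append("release job lacks id-token: write")
    steps = release.get("steps", [])
    if any(_uses_cache(s) for s in steps):
        problems.append("release job restores a dependency cache")
    install, remote = _first(steps, "vp install"), _first(steps, "git remote")
    if install is None:
        problems.append("release job has no fresh 'vp install'")
    elif remote is not None and remote < install:
        problems.append("release-bot remote configured before dependencies are installed")
    return problems

# Constructed sample (as if loaded from YAML); not the project's workflow.
SAMPLE = {"jobs": {
    "verify": {"steps": [
        {"uses": "actions/setup-node@v4", "with": {"cache": "npm"}},
        {"run": "vp install"}, {"run": "vp run verify"}]},
    "release": {
        "environment": {"name": "release"}, "permissions": {"id-token": "write"},
        "steps": [
            {"run": "vp install"},
            {"run": 'git remote set-url origin "$RELEASE_BOT_REMOTE"'},  # hypothetical variable
            {"run": "semantic-release"}]},
}}
```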
Before changing distribution wiring, validate the repo-local guardrails the workflow depends on:
vp install
vp run verify