For Maintainers: This guide describes the NPM publishing workflow for safe-formdata.
safe-formdata uses an explicit, transparent publishing workflow that aligns with the library's design principles.
Before creating a release PR, validate locally:
```sh
bun run prepare:publish
```

This runs the following steps:

- TypeScript type checking (`check:type:source`)
- Test suite with coverage (`test:coverage`)
- Build (`build`)
- Package validation (`check:package`: publint + attw)
The release process has three stages:

1. Prepare Release PR: Bump version → Update CHANGELOG → Create release branch → Open PR for review
2. Review & Merge: Maintainer reviews and merges the release PR to `main`
3. Publish: Manual trigger of the publish workflow → All checks run → `npm publish`
The publish workflow is defined in `.github/workflows/publish.yml` and runs the following steps:

- Setup environment (Bun + dependencies)
- Validate and build package (`bun run prepare:publish`)
- Setup Node.js for npm
- Publish to npm with provenance
- Create and push Git tag
- Create GitHub Release (draft)
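The following is an added illustrative workflow showing how those six steps look when declared explicitly; it is not the project's actual `publish.yml`. The action versions, Node version, `--access public` flag and the `NPM_TOKEN` secret name are assumptions.

```yaml
name: Publish

on:
  workflow_dispatch:   # manual trigger only; nothing publishes on push or tag

permissions:
  contents: write      # push the Git tag and create the release
  id-token: write      # required for npm provenance (OIDC-signed attestation)

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Setup environment (Bun + dependencies), locked to the committed lockfile
      - uses: oven-sh/setup-bun@v2
      - run: bun install --frozen-lockfile

      # Validate and build: type check, tests with coverage, build, publint + attw.
      # Declared here, not hidden in a prepublishOnly hook.
      - run: bun run prepare:publish

      # Setup Node.js for npm (the publish itself goes through npm, not Bun)
      - uses: actions/setup-node@v4
        with:
          node-version: 22                       # assumed
          registry-url: https://registry.npmjs.org

      # Publish to npm with provenance
      - run: npm publish --provenance --access public   # --access assumed
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}     # assumed secret name

      # Create and push Git tag matching the published version
      - run: |
          VERSION=$(node -p "require('./package.json').version")
          git tag "v$VERSION"
          git push origin "v$VERSION"

      # Create GitHub Release (draft) for maintainer review before it goes live
      - run: gh release create "v$(node -p "require('./package.json').version")" --draft --generate-notes
        env:
          GH_TOKEN: ${{ github.token }}
```

Because validation, publication and tagging each appear as a named step, a failed check stops the job before `npm publish` runs and the reason is visible in the run log.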
Previous versions used a `prepublishOnly` script in `package.json`, which npm ran automatically during `npm publish`.
This violated the boundary principle: explicit over implicit.
The publish workflow now declares all validation steps explicitly:
- TypeScript type checking
- Test execution
- Build process
- Package validation
- NPM publication
This ensures the publishing process is transparent and traceable in the workflow file.
| Principle | Implementation |
|---|---|
| Explicit over implicit | `prepare:publish` is called explicitly in the workflow, not triggered automatically |
| Security over convenience | All validation steps are visible and traceable |
| Boundary-focused | Clear separation between development and publishing processes |
| No silent fixes | No hidden automation; every step is declared |
Related files:

- `.github/workflows/publish.yml`: Publish workflow implementation
- `package.json`: Package configuration and scripts
- `CONTRIBUTING.md`: Contributor guide