Skip to content

Commit fd59eee

Browse files
authored
docs: add CONTRIBUTING with the release process (#312)
1 parent 508e03b commit fd59eee

2 files changed

Lines changed: 119 additions & 0 deletions

File tree

CONTRIBUTING.md

Lines changed: 113 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,113 @@
1+
# Contributing
2+
3+
## Development setup
4+
5+
```bash
6+
git clone git@github.com:zerodevapp/zerodev-wallet-sdk.git
7+
cd zerodev-wallet-sdk
8+
pnpm install
9+
pnpm build
10+
```
11+
12+
Common scripts: `pnpm test`, `pnpm lint`, `pnpm typecheck`. PR titles follow
13+
[Conventional Commits](https://www.conventionalcommits.org/) (`feat:`, `fix:`,
14+
`chore:`, `refactor:`, `build:`, …).
15+
16+
## Releasing
17+
18+
Releases are automated with [Changesets](https://github.com/changesets/changesets)
19+
and published to npm from CI. **Nobody runs `npm publish` locally, and there are
20+
no npm tokens** — CI authenticates to npm via GitHub OIDC ([npm Trusted
21+
Publishing](https://docs.npmjs.com/trusted-publishers)) and every publish carries
22+
a signed provenance attestation.
23+
24+
### Publishable packages
25+
26+
| Package | Path |
27+
|---|---|
28+
| `@zerodev/wallet-core` | `packages/core` |
29+
| `@zerodev/wallet-react` | `packages/react` |
30+
| `@zerodev/react-ui` | `packages/react-ui` |
31+
| `@zerodev/wallet-react-ui` | `packages/wallet-react-ui` |
32+
33+
`@zerodev/wallet-react-native-kit` is private and ignored by the release tooling.
34+
35+
### The flow — two merges, zero manual publishing
36+
37+
**1. Add a changeset to your PR.** If your change affects a published package:
38+
39+
```bash
40+
pnpm changeset
41+
```
42+
43+
- select the package(s) and the bump type (`patch` / `minor` / `major`)
44+
- write a one-line summary — it becomes the CHANGELOG entry (prefix `feat:` /
45+
`fix:` to match existing entries)
46+
- commit the generated `.changeset/*.md` file **in your PR**
47+
48+
Skip this for changes that don't affect a published package (docs, CI, tests, the
49+
demo app, or refactors with no output change). No changeset simply means no
50+
release — that's fine.
51+
52+
> **Bump type:** everything is pre-1.0 (`0.0.x`), so nearly everything is a
53+
> `patch` today. Use `minor` for notable new API, `major` only after 1.0.
54+
55+
**2. Merge your PR → a "Version Packages" PR appears.** On merge to `main`, the
56+
release workflow opens (or updates) a PR titled **"Version Packages"**. It bumps
57+
versions, rewrites CHANGELOGs, and deletes the consumed changesets. Dependent
58+
packages are bumped automatically (e.g. bumping `wallet-react` also bumps
59+
`wallet-react-ui`, which depends on it).
60+
61+
**3. Merge the "Version Packages" PR → publish.** That merge triggers the publish:
62+
CI builds, then `changeset publish` pushes the changed packages to npm `latest`
63+
with provenance and creates git tags.
64+
65+
### Requirements for a publishable package
66+
67+
Every publishable package's `package.json` **must** have a `repository` field with
68+
the monorepo URL and its `directory`:
69+
70+
```json
71+
"repository": {
72+
"type": "git",
73+
"url": "git+https://github.com/zerodevapp/zerodev-wallet-sdk.git",
74+
"directory": "packages/<name>"
75+
}
76+
```
77+
78+
npm's provenance check **rejects the publish with `E422`** if this is missing or
79+
empty. The package must also not be marked `"private": true`. When adding a new
80+
publishable package, set both before its first release.
81+
82+
### PR preview packages
83+
84+
Every PR automatically publishes throwaway preview builds via
85+
[pkg.pr.new](https://pkg.pr.new) (no npm token — its own CDN). Install one to test
86+
a branch before it's released:
87+
88+
```bash
89+
npm i https://pkg.pr.new/@zerodev/wallet-react@<pr-sha>
90+
```
91+
92+
The exact install commands are posted as a comment on each PR.
93+
94+
### How auth works (nothing long-lived to leak)
95+
96+
- **Publishing:** npm Trusted Publishing (OIDC). CI proves its identity to npm via
97+
a short-lived `id-token`; there is no `NPM_TOKEN`. Each package has this repo +
98+
`release.yml` registered as its Trusted Publisher on npm.
99+
- **The "Version Packages" PR:** opened by a GitHub App (short-lived installation
100+
token), so the required CI checks run on it. A PR opened by the default
101+
`GITHUB_TOKEN` wouldn't trigger workflows and could never satisfy branch
102+
protection.
103+
- Third-party GitHub Actions are pinned to commit SHAs and kept current by
104+
Dependabot.
105+
106+
### Good to know
107+
108+
- The published code is always code that passed CI: the "Version Packages" PR must
109+
go green before it can merge. The release job itself does not re-run the test
110+
suite — branch protection on `main` is the gate.
111+
- `changeset publish` is not atomic. If one package fails to publish (e.g. a
112+
provenance error) but a dependent already published, fix the cause and merge —
113+
the next release run publishes any package whose version isn't yet on npm.

README.md

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -306,6 +306,12 @@ pnpm install
306306
pnpm build
307307
```
308308

309+
### Contributing & releases
310+
311+
See [CONTRIBUTING.md](./CONTRIBUTING.md) for the changesets-based release flow
312+
(add a changeset → merge → merge the auto-generated "Version Packages" PR to
313+
publish).
314+
309315
### Project Structure
310316

311317
```

0 commit comments

Comments
 (0)