Add changesets and npm publish workflows with OIDC trusted publishers (#39)

* Add changesets and npm publish workflows with OIDC trusted publishers

- Add changesets for version management and changelog generation
- Create changesets.yml workflow for automated version PRs
- Create publish.yml workflow triggered by version tags
- Configure npm OIDC trusted publishers (id-token: write)
- Link b2c-cli, b2c-tooling-sdk, and b2c-dx-mcp versions together
- Exclude b2c-plugin-example-config from publishing

* Add publishing documentation

* Explicitly filter published packages to only the 3 main packages

* Aggregate all package changelogs for GitHub release notes

* Add nightly and pre-release support to publish workflow

* Document changesets workflow in CONTRIBUTING.md

* Pin GitHub Actions to specific commit SHAs for security

Author: clavery

.changeset/README.md

@@ -0,0 +1,8 @@
+# Changesets
+
+Hello and welcome! This folder has been automatically generated by `@changesets/cli`, a build tool that works
+with multi-package repos, or single-package repos to help you version and publish your code. You can
+find the full documentation for it [in our repository](https://github.com/changesets/changesets)
+
+We have a quick list of common questions to get you started engaging with this project in
+[our documentation](https://github.com/changesets/changesets/blob/main/docs/common-questions.md)

.changeset/config.json

@@ -0,0 +1,16 @@
+{
+  "$schema": "https://unpkg.com/@changesets/[email protected]/schema.json",
+  "changelog": [
+    "@changesets/changelog-github",
+    { "repo": "SalesforceCommerceCloud/b2c-developer-tooling" }
+  ],
+  "commit": false,
+  "fixed": [],
+  "linked": [
+    ["@salesforce/b2c-cli", "@salesforce/b2c-tooling-sdk", "@salesforce/b2c-dx-mcp"]
+  ],
+  "access": "public",
+  "baseBranch": "main",
+  "updateInternalDependencies": "patch",
+  "ignore": ["@salesforce/b2c-plugin-example-config"]
+}

.github/workflows/changesets.yml

@@ -0,0 +1,40 @@
+name: Changesets
+
+on:
+  push:
+    branches:
+      - main
+
+concurrency: ${{ github.workflow }}-${{ github.ref }}
+
+jobs:
+  version:
+    name: Create Version PR
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        with:
+          node-version: 22
+          cache: 'pnpm'
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Create Release PR
+        uses: changesets/action@e0145edc7d9d8679003495b11f87bd8ef63c0cba # v1.5.3
+        with:
+          version: pnpm changeset version
+          title: 'chore: version packages'
+          commit: 'chore: version packages'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/publish.yml

@@ -0,0 +1,126 @@
+name: Publish to npm
+
+on:
+  push:
+    tags:
+      - 'v[0-9]+.[0-9]+.[0-9]+' # Stable releases: v1.0.0, v2.1.3
+      - 'v[0-9]+.[0-9]+.[0-9]+-*' # Pre-releases: v1.0.0-beta.1, v1.0.0-rc.1
+  schedule:
+    - cron: '0 2 * * 1-5' # Weekdays at 2 AM UTC (Mon-Fri)
+  workflow_dispatch:
+    inputs:
+      release_type:
+        description: 'Release type'
+        required: true
+        default: 'nightly'
+        type: choice
+        options:
+          - nightly
+
+jobs:
+  publish:
+    name: Publish
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write # For creating GitHub releases
+      id-token: write # Required for npm OIDC trusted publishers
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+      - name: Determine release type
+        id: release-type
+        run: |
+          if [[ "${{ github.event_name }}" == "push" && "${{ github.ref_type }}" == "tag" ]]; then
+            echo "type=stable" >> $GITHUB_OUTPUT
+            # Pre-release versions (v1.0.0-beta.1) publish to @next, stable to @latest
+            if [[ "$GITHUB_REF_NAME" =~ ^v[0-9]+\.[0-9]+\.[0-9]+-.+ ]]; then
+              echo "tag=next" >> $GITHUB_OUTPUT
+              echo "prerelease=true" >> $GITHUB_OUTPUT
+            else
+              echo "tag=latest" >> $GITHUB_OUTPUT
+              echo "prerelease=false" >> $GITHUB_OUTPUT
+            fi
+          else
+            echo "type=nightly" >> $GITHUB_OUTPUT
+            echo "tag=nightly" >> $GITHUB_OUTPUT
+            echo "prerelease=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Validate tag matches package version
+        if: steps.release-type.outputs.type == 'stable'
+        run: |
+          TAG_VERSION="${GITHUB_REF_NAME#v}"
+          PKG_VERSION=$(node -p "require('./packages/b2c-tooling-sdk/package.json').version")
+          if [ "$TAG_VERSION" != "$PKG_VERSION" ]; then
+            echo "Error: Tag version ($TAG_VERSION) does not match package version ($PKG_VERSION)"
+            exit 1
+          fi
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        with:
+          node-version: 22
+          cache: 'pnpm'
+          registry-url: 'https://registry.npmjs.org'
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Create snapshot versions
+        if: steps.release-type.outputs.type == 'nightly'
+        run: pnpm changeset version --snapshot nightly
+
+      - name: Build packages
+        run: pnpm run build
+
+      - name: Run tests
+        run: pnpm run test
+
+      - name: Publish to npm
+        run: |
+          pnpm --filter @salesforce/b2c-tooling-sdk publish --access public --no-git-checks --tag ${{ steps.release-type.outputs.tag }}
+          pnpm --filter @salesforce/b2c-cli publish --access public --no-git-checks --tag ${{ steps.release-type.outputs.tag }}
+          pnpm --filter @salesforce/b2c-dx-mcp publish --access public --no-git-checks --tag ${{ steps.release-type.outputs.tag }}
+
+      - name: Extract changelog for release
+        if: steps.release-type.outputs.type == 'stable'
+        run: |
+          VERSION="${GITHUB_REF_NAME#v}"
+
+          # Function to extract version section from a changelog
+          extract_version() {
+            awk -v ver="$1" '
+              /^## / { if (found) exit; if ($2 == ver) found=1; next }
+              found { print }
+            ' "$2"
+          }
+
+          # Build combined release notes
+          {
+            echo "## @salesforce/b2c-cli"
+            echo ""
+            extract_version "$VERSION" packages/b2c-cli/CHANGELOG.md
+            echo ""
+            echo "## @salesforce/b2c-dx-mcp"
+            echo ""
+            extract_version "$VERSION" packages/b2c-dx-mcp/CHANGELOG.md
+            echo ""
+            echo "## @salesforce/b2c-tooling-sdk"
+            echo ""
+            extract_version "$VERSION" packages/b2c-tooling-sdk/CHANGELOG.md
+          } > /tmp/release-notes.md
+
+      - name: Create GitHub Release
+        if: steps.release-type.outputs.type == 'stable'
+        run: |
+          PRERELEASE_FLAG=""
+          if [[ "${{ steps.release-type.outputs.prerelease }}" == "true" ]]; then
+            PRERELEASE_FLAG="--prerelease"
+          fi
+          gh release create "$GITHUB_REF_NAME" --notes-file /tmp/release-notes.md $PRERELEASE_FLAG
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

CONTRIBUTING.md

@@ -58,6 +58,48 @@ Issues labelled `good first contribution`.
 - [x] Reviews
   - Changes must be approved via peer code review
 
+# Changesets
+
+This project uses [Changesets](https://github.com/changesets/changesets) to manage versions and changelogs.
+
+## When to Add a Changeset
+
+Add a changeset when your PR includes changes that users should know about:
+- Bug fixes
+- New features
+- Breaking changes
+- Significant improvements
+
+You **don't need** a changeset for:
+- Documentation-only changes
+- Internal refactoring
+- Test improvements
+- CI/build changes
+
+## How to Add a Changeset
+
+1. Run the changeset command:
+   ```bash
+   pnpm changeset
+   ```
+
+2. Select the packages affected by your change (usually all three are linked)
+
+3. Choose the change type:
+   - `patch` - Bug fixes, minor improvements
+   - `minor` - New features, non-breaking changes
+   - `major` - Breaking changes
+
+4. Write a brief summary of your change (this appears in the changelog)
+
+5. Commit the generated `.changeset/*.md` file with your PR
+
+## Notes
+
+- Changesets are optional - maintainers can add them later if needed
+- Multiple changesets can exist for separate changes
+- See [PUBLISHING.md](./PUBLISHING.md) for full release process details
+
 # Creating a Pull Request
 
 1. **Ensure the bug/feature was not already reported** by searching on GitHub under Issues.  If none exists, create a new issue so that other contributors can keep track of what you are trying to add/fix and offer suggestions (or let you know if there is already an effort in progress).