feat: add npm publishing pipeline with GitHub Actions

[aspiers]

Without this patch, the package cannot be automatically published to npm. Manual publishing requires local setup and manual version management, which is error-prone and time-consuming.

This patch solves the problem by adding a complete CI/CD pipeline that:

• Creates three GitHub Actions workflows for manual release,
  prerelease, and PR validation
• Configures semantic-release for automatic version management
  based on conventional commits
• Fixes package.json entry points to correctly reference
  types/index.ts
• Updates .npmignore to include lexicons/ in published package
• Adds PUBLISHING.md documentation for maintainers

The workflows are manually triggered via workflow_dispatch to give maintainers full control over when releases are published. The pipeline ensures all auto-generated TypeScript types are included in the published package.

Co-authored-by: Cursor [email protected]

Summary by CodeRabbit

• New Features

  • Lexicons directory now included in published npm package.

• Documentation

  • Added a publishing guide covering release and prerelease workflows.
  • Minor README formatting improvement.

• Chores

  • Added automated release and dry-run validation workflows to standardize publishing.
  • Added semantic-release configuration for automated changelogs and versioning.
  • Updated package entry points and packaging configuration for consolidated type distribution.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Adds GitHub Actions workflows and semantic-release configuration to automate releases (production, staging, PR dry-run), moves package entry points to a types/ directory, removes lexicons/ from .npmignore, and adds publishing documentation and prerelease config.

Changes

Cohort / File(s)	Summary
GitHub Actions Workflows .github/workflows/create-prerelease-lexicon.yml, .github/workflows/create-release-lexicon.yml, .github/workflows/dryrun-release-ci-lexicon.yml	New workflows for staging/prerelease, production release, and PR dry-run validation: checkout (full history), Node.js 20 setup, npm ci, lint, conditional prerelease config swap, run semantic-release (commit-analyzer, release-notes-generator, changelog, github, npm), using secrets GH_PA_TOKEN/NPM_TOKEN, support dry_run input.
Release Configuration .releaserc.yaml, .releaserc.prerelease.yaml	New/updated semantic-release configs: plugin stack and branch rules; prerelease config adds develop branch with beta prerelease.
Package Configuration .npmignore, package.json	Remove lexicons/ from .npmignore; update package.json main, types, and exports to point to types/ and remove root index.ts from files.
Documentation & README PUBLISHING.md, README.md	Add PUBLISHING.md with publishing prerequisites and workflow usage; change README code fence to bash for installation snippet.

Sequence Diagram(s)

mermaid
sequenceDiagram
participant Actions as GitHub Actions
participant Repo as Repository
participant Semantic as semantic-release
participant GH as GitHub API
participant NPM as npm Registry
Note over Actions,Repo: Workflow triggered (manual or PR)
Actions->>Repo: checkout (fetch-depth:0)
Actions->>Actions: setup Node.js 20, npm cache, npm ci, lint
alt on non-main / prerelease
Actions->>Repo: swap .releaserc.prerelease.yaml -> .releaserc.yaml
end
Actions->>Semantic: run semantic-release (with plugins)
Semantic->>GH: create GitHub release, changelog, release notes
Semantic->>NPM: publish package (when not dry_run)
Semantic-->>Actions: outputs (release version, components)
Actions->>Actions: conditional follow-up step prints release details

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Pay attention to semantic-release plugin ordering and configuration.
• Verify branch/prerelease mapping (develop -> beta) in .releaserc.prerelease.yaml.
• Confirm package.json entry-point changes and files array correctly include types/.
• Check workflow permissions and secrets usage (GH_PA_TOKEN, NPM_TOKEN).

Suggested reviewers

• s-adamantine

Poem

🐰 I hopped through YAML, linted every line,
Tags and releases—now they sparkle and shine.
Types tucked in their burrow, changelogs in tow,
From beta to main, the release-river flows. 🚀

Pre-merge checks and finishing touches

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

Check name	Status	Explanation	Resolution
Lexicon Documentation Sync	❌ Error	PR adds 16 lexicon JSON files but documents only 15 in README.md; app.certified.defs.json lacks documentation. Additionally, .npmignore contradicts commit message about including lexicons in npm package.	Add app.certified.defs documentation to README.md, fix .npmignore to include lexicons/ exception, and verify all 16 lexicons are documented before merging.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'feat: add npm publishing pipeline with GitHub Actions' directly and accurately describes the main change: adding an npm publishing pipeline via GitHub Actions workflows.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch publish-pipeline

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

.github/workflows/create-prerelease-lexicon.yml (1)

17-19: Consider adding additional permissions for semantic-release.

The workflow only has contents: write permission, but semantic-release with the GitHub plugin may need additional permissions to:

• Create GitHub releases
• Comment on issues and PRs

Compare with the create-release-lexicon.yml workflow which includes:

permissions:
  contents: write
  issues: write
  pull-requests: write
  id-token: write

Apply this diff to add the missing permissions:

     permissions:
       contents: write
+      issues: write
+      pull-requests: write
+      id-token: write

.github/workflows/dryrun-release-ci-lexicon.yml (1)

10-11: Consider adding additional permissions for dry-run validation.

Like the prerelease workflow, this workflow may benefit from additional permissions for semantic-release to fully validate the release process, even in dry-run mode:

permissions:
  contents: write
  issues: write
  pull-requests: write
  id-token: write

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d1e4ff1 and 73b5bfc.

📒 Files selected for processing (9)

• .github/workflows/create-prerelease-lexicon.yml (1 hunks)
• .github/workflows/create-release-lexicon.yml (1 hunks)
• .github/workflows/dryrun-release-ci-lexicon.yml (1 hunks)
• .npmignore (0 hunks)
• .releaserc.prerelease.yaml (1 hunks)
• .releaserc.yaml (1 hunks)
• PUBLISHING.md (1 hunks)
• README.md (1 hunks)
• package.json (1 hunks)

💤 Files with no reviewable changes (1)

• .npmignore

🧰 Additional context used

📓 Path-based instructions (2)

!(types)/**/*.{js,ts,tsx,json,md}

📄 CodeRabbit inference engine (AGENTS.md)

Run npm run format with Prettier before committing to ensure consistent code formatting

Files:

• .releaserc.prerelease.yaml
• package.json
• .github/workflows/create-prerelease-lexicon.yml
• .github/workflows/create-release-lexicon.yml
• README.md
• .releaserc.yaml
• PUBLISHING.md
• .github/workflows/dryrun-release-ci-lexicon.yml

README.md

📄 CodeRabbit inference engine (Custom checks)

README.md: Ensure that all lexicons documented in README.md exist as JSON files in the lexicons/ directory
Ensure all properties documented in README.md match the actual JSON schema definitions in lexicons/**/*.json

Files:

• README.md

🧠 Learnings (17)

📓 Common learnings

Learnt from: aspiers
Repo: hypercerts-org/hypercerts-lexicon PR: 34
File: lexicons/org/hypercerts/claim/evaluation.json:45-63
Timestamp: 2025-12-15T10:13:17.689Z
Learning: For the hypercerts-lexicon repository, CI automatically runs `npm run gen-api` and `npm run check` to regenerate TypeScript types and validate lexicon definitions, so manual reminders about running these commands are not needed in code reviews.

📚 Learning: 2025-12-15T17:53:11.862Z

Learnt from: CR
Repo: hypercerts-org/hypercerts-lexicon PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-15T17:53:11.862Z
Learning: Applies to !(types)/**/*.{js,ts,tsx,json,md} : Run `npm run format` with Prettier before committing to ensure consistent code formatting

Applied to files:

• .releaserc.prerelease.yaml
• .releaserc.yaml

📚 Learning: 2025-12-15T17:53:11.862Z

Learnt from: CR
Repo: hypercerts-org/hypercerts-lexicon PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-15T17:53:11.862Z
Learning: Applies to types/**/*.{ts,tsx} : Do not edit files in the `types/` directory manually - this directory contains auto-generated code that is regenerated by `npm run gen-api`

Applied to files:

• package.json

📚 Learning: 2025-12-15T17:53:11.862Z

Learnt from: CR
Repo: hypercerts-org/hypercerts-lexicon PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-15T17:53:11.862Z
Learning: Applies to lexicons/**/*.json : After modifying lexicon JSON files, regenerate TypeScript types by running `npm run gen-api`

Applied to files:

• package.json
• README.md

📚 Learning: 2025-12-15T17:53:11.862Z

Learnt from: CR
Repo: hypercerts-org/hypercerts-lexicon PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-15T17:53:11.862Z
Learning: This repository contains ATProto lexicon definitions for the Hypercerts protocol with auto-generated TypeScript types - prioritize lexicon accuracy and consistency

Applied to files:

• package.json
• README.md

📚 Learning: 2025-12-15T17:53:11.862Z

Learnt from: CR
Repo: hypercerts-org/hypercerts-lexicon PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-15T17:53:11.862Z
Learning: Applies to lexicons/**/*.json : Lexicon JSON files should follow the ATProto lexicon schema v1 specification

Applied to files:

• package.json
• README.md

📚 Learning: 2025-12-15T17:53:11.862Z

Learnt from: CR
Repo: hypercerts-org/hypercerts-lexicon PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-15T17:53:11.862Z
Learning: Applies to lexicons/**/*.json : Organize lexicon files by namespace following the directory structure pattern (e.g., `org/hypercerts/claim/*.json`)

Applied to files:

• package.json
• README.md

📚 Learning: 2025-12-15T10:13:17.689Z

Learnt from: aspiers
Repo: hypercerts-org/hypercerts-lexicon PR: 34
File: lexicons/org/hypercerts/claim/evaluation.json:45-63
Timestamp: 2025-12-15T10:13:17.689Z
Learning: For the hypercerts-lexicon repository, CI automatically runs `npm run gen-api` and `npm run check` to regenerate TypeScript types and validate lexicon definitions, so manual reminders about running these commands are not needed in code reviews.

Applied to files:

• package.json
• .github/workflows/create-prerelease-lexicon.yml
• .github/workflows/create-release-lexicon.yml
• README.md
• PUBLISHING.md

📚 Learning: 2025-12-15T15:33:19.949Z

Learnt from: aspiers
Repo: hypercerts-org/hypercerts-lexicon PR: 37
File: lexicons/org/hypercerts/funding/receipt.json:1-71
Timestamp: 2025-12-15T15:33:19.949Z
Learning: In the hypercerts-lexicon repository, do not comment on Prettier/formatting issues in code reviews since they are reported by the lint workflow. Do not duplicate the lint output in reviews to reduce noise; focus review comments on functional/semantic issues and other non-formatting concerns.

Applied to files:

• package.json

📚 Learning: 2025-12-11T15:44:24.397Z

Learnt from: CR
Repo: hypercerts-org/hypercerts-lexicon PR: 0
File: coderabbit-custom-pre-merge-checks-unique-id-file-non-traceable-F7F2B60C-1728-4C9A-8889-4F2235E186CA.txt:0-0
Timestamp: 2025-12-11T15:44:24.397Z
Learning: Applies to lexicons/**/*.json : When adding, modifying, or deleting files in lexicons/**/*.json, update README.md to reflect changes (document new lexicons, update modified properties, remove deleted lexicons from documentation)

Applied to files:

• .github/workflows/create-release-lexicon.yml
• PUBLISHING.md

📚 Learning: 2025-12-15T17:53:11.862Z

Learnt from: CR
Repo: hypercerts-org/hypercerts-lexicon PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-15T17:53:11.862Z
Learning: Applies to lexicons/**/*.json : Update `README.md` documentation when adding or modifying lexicon definitions

Applied to files:

• .github/workflows/create-release-lexicon.yml
• README.md
• PUBLISHING.md

📚 Learning: 2025-12-15T17:53:11.862Z

Learnt from: CR
Repo: hypercerts-org/hypercerts-lexicon PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-15T17:53:11.862Z
Learning: Applies to lexicons/**/*.json : Run `npm run check` before committing to validate lexicon syntax and ensure valid lexicon definitions

Applied to files:

• .github/workflows/create-release-lexicon.yml
• README.md
• PUBLISHING.md

📚 Learning: 2025-12-15T16:39:23.964Z

Learnt from: aspiers
Repo: hypercerts-org/hypercerts-lexicon PR: 39
File: README.md:17-17
Timestamp: 2025-12-15T16:39:23.964Z
Learning: In the hypercerts-lexicon repository, standardize on the hyphenless spelling 'onchain' across Markdown documentation (e.g., README.md and other md files) to match the industry standard. Update any occurrences of 'on-chain' to 'onchain' and ensure consistency throughout all documentation.

Applied to files:

• README.md
• PUBLISHING.md

📚 Learning: 2025-12-11T15:44:24.397Z

Learnt from: CR
Repo: hypercerts-org/hypercerts-lexicon PR: 0
File: coderabbit-custom-pre-merge-checks-unique-id-file-non-traceable-F7F2B60C-1728-4C9A-8889-4F2235E186CA.txt:0-0
Timestamp: 2025-12-11T15:44:24.397Z
Learning: Applies to lexicons/**/*.json : Verify that lexicon IDs in JSON files match what's documented in README.md

Applied to files:

• README.md

📚 Learning: 2025-12-11T15:44:24.397Z

Learnt from: CR
Repo: hypercerts-org/hypercerts-lexicon PR: 0
File: coderabbit-custom-pre-merge-checks-unique-id-file-non-traceable-F7F2B60C-1728-4C9A-8889-4F2235E186CA.txt:0-0
Timestamp: 2025-12-11T15:44:24.397Z
Learning: Applies to README.md : Ensure that all lexicons documented in README.md exist as JSON files in the lexicons/ directory

Applied to files:

• README.md

📚 Learning: 2025-12-11T15:44:24.397Z

Learnt from: CR
Repo: hypercerts-org/hypercerts-lexicon PR: 0
File: coderabbit-custom-pre-merge-checks-unique-id-file-non-traceable-F7F2B60C-1728-4C9A-8889-4F2235E186CA.txt:0-0
Timestamp: 2025-12-11T15:44:24.397Z
Learning: Applies to README.md : Ensure all properties documented in README.md match the actual JSON schema definitions in lexicons/**/*.json

Applied to files:

• PUBLISHING.md

📚 Learning: 2025-12-15T15:33:19.949Z

Learnt from: aspiers
Repo: hypercerts-org/hypercerts-lexicon PR: 37
File: lexicons/org/hypercerts/funding/receipt.json:1-71
Timestamp: 2025-12-15T15:33:19.949Z
Learning: For the hypercerts-org/hypercerts-lexicon repository, do not comment on Prettier formatting issues in code reviews because they are already reported by the lint workflow, and duplicating the report adds noise to the review.

Applied to files:

• PUBLISHING.md

🔇 Additional comments (11)

README.md (1)

40-42: LGTM!

Specifying the language for the code fence improves syntax highlighting and readability.

.releaserc.yaml (1)

1-10: LGTM! Standard semantic-release configuration.

The configuration correctly defines the plugin stack for production releases on the main branch and version branches. Ensure that the semantic-release plugins referenced here are installed (see comment on .releaserc.prerelease.yaml).

.github/workflows/create-prerelease-lexicon.yml (2)

45-47: LGTM! Clever config swapping for prerelease branches.

The conditional step to replace the release config with the prerelease config for non-main branches is a clean approach to handling different release strategies.

---

60-62: Ensure GH_PA_TOKEN and NPM_TOKEN secrets are configured in GitHub.

The workflow references these secrets for authentication. To configure them, navigate to the repository Settings, select Secrets and variables > Actions, click New repository secret, enter the name and value, then click Add secret. Without these secrets configured, the workflow will fail at authentication steps.

.github/workflows/create-release-lexicon.yml (2)

17-21: LGTM! Comprehensive permissions for release workflow.

The permissions correctly include all necessary scopes for semantic-release to create releases, comment on issues/PRs, and use OIDC for npm provenance.

---

48-61: LGTM! Standard semantic-release configuration.

The workflow correctly uses semantic-release with the necessary plugins and environment variables. The dry-run mode support via workflow input is a good safety feature.

.github/workflows/dryrun-release-ci-lexicon.yml (2)

38-40: LGTM! Consistent prerelease config handling.

The conditional config swap is consistent with the prerelease workflow and correctly handles PR branches.

---

46-46: LGTM! Hardcoded dry-run mode for PR validation.

Correctly hardcoded to true for PR validation, preventing accidental publishes from pull requests.

PUBLISHING.md (1)

1-89: LGTM! Comprehensive publishing documentation.

The documentation clearly explains the publishing process, prerequisites, and version management. It correctly references the workflows and explains the semantic-release behavior.

.releaserc.prerelease.yaml (1)

1-12: Semantic-release plugins are properly configured.

The plugins are correctly specified in the extra_plugins parameter of all three GitHub Actions workflows (create-prerelease-lexicon.yml, create-release-lexicon.yml, and dryrun-release-ci-lexicon.yml) that use the cycjimmy/semantic-release-action. They will be installed at runtime by the GitHub Actions workflow, so no local installation in package.json is required.

package.json (1)

6-6: Remove or update the inconsistent main field in package.json.

The main field points to ./types/index.js, but the repository's package.json already has an exports field that correctly points to ./types/index.ts. Since npm run gen-api generates TypeScript files (not JavaScript), and the exports field takes precedence in modern Node.js, the legacy main field creates an unnecessary inconsistency. Either remove main entirely or update it to match the exports field.

Likely an incorrect or invalid review comment.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

.github/workflows/create-prerelease-lexicon.yml (2)

50-63: Configuration looks correct.

The semantic-release action is properly configured with dry-run support and necessary tokens.

Note: Most of the extra_plugins (commit-analyzer, release-notes-generator, github, npm) are already included by default in semantic-release. Only @semantic-release/changelog is truly an extra. This redundancy is harmless but could be trimmed for clarity if desired.

---

65-71: Remove or implement this placeholder step.

The step name "Do something when a new release published" and the body (only echoing version info) suggest this is a placeholder. Either:

• Remove it if no post-release actions are needed, or
• Implement actual functionality (e.g., Slack notifications, deployment triggers)

If keeping for debugging, consider renaming to "Log release version" for clarity.

-      - name: Do something when a new release published
+      - name: Log release version
         if: steps.semantic.outputs.new_release_published == 'true'
         run: |
-          echo ${{ steps.semantic.outputs.new_release_version }}
-          echo ${{ steps.semantic.outputs.new_release_major_version }}
-          echo ${{ steps.semantic.outputs.new_release_minor_version }}
-          echo ${{ steps.semantic.outputs.new_release_patch_version }}
+          echo "Released version: ${{ steps.semantic.outputs.new_release_version }}"

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 73b5bfc and 00b19ba.

📒 Files selected for processing (9)

• .github/workflows/create-prerelease-lexicon.yml (1 hunks)
• .github/workflows/create-release-lexicon.yml (1 hunks)
• .github/workflows/dryrun-release-ci-lexicon.yml (1 hunks)
• .npmignore (0 hunks)
• .releaserc.prerelease.yaml (1 hunks)
• .releaserc.yaml (1 hunks)
• PUBLISHING.md (1 hunks)
• README.md (1 hunks)
• package.json (1 hunks)

💤 Files with no reviewable changes (1)

• .npmignore

✅ Files skipped from review due to trivial changes (1)

• .releaserc.yaml

🚧 Files skipped from review as they are similar to previous changes (6)

• .releaserc.prerelease.yaml
• .github/workflows/dryrun-release-ci-lexicon.yml
• README.md
• .github/workflows/create-release-lexicon.yml
• PUBLISHING.md
• package.json

🧰 Additional context used

📓 Path-based instructions (1)

!(types)/**/*.{js,ts,tsx,json,md}

📄 CodeRabbit inference engine (AGENTS.md)

Run npm run format with Prettier before committing to ensure consistent code formatting

Files:

• .github/workflows/create-prerelease-lexicon.yml

🧠 Learnings (2)

📓 Common learnings

Learnt from: aspiers
Repo: hypercerts-org/hypercerts-lexicon PR: 34
File: lexicons/org/hypercerts/claim/evaluation.json:45-63
Timestamp: 2025-12-15T10:13:17.689Z
Learning: For the hypercerts-lexicon repository, CI automatically runs `npm run gen-api` and `npm run check` to regenerate TypeScript types and validate lexicon definitions, so manual reminders about running these commands are not needed in code reviews.

Learnt from: CR
Repo: hypercerts-org/hypercerts-lexicon PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-15T17:53:11.862Z
Learning: Applies to !(types)/**/*.{js,ts,tsx,json,md} : Run `npm run format` with Prettier before committing to ensure consistent code formatting

Learnt from: CR
Repo: hypercerts-org/hypercerts-lexicon PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-15T17:53:11.862Z
Learning: Applies to lexicons/**/*.json : Run `npm run check` before committing to validate lexicon syntax and ensure valid lexicon definitions

📚 Learning: 2025-12-15T10:13:17.689Z

Learnt from: aspiers
Repo: hypercerts-org/hypercerts-lexicon PR: 34
File: lexicons/org/hypercerts/claim/evaluation.json:45-63
Timestamp: 2025-12-15T10:13:17.689Z
Learning: For the hypercerts-lexicon repository, CI automatically runs `npm run gen-api` and `npm run check` to regenerate TypeScript types and validate lexicon definitions, so manual reminders about running these commands are not needed in code reviews.

Applied to files:

• .github/workflows/create-prerelease-lexicon.yml

🔇 Additional comments (5)

.github/workflows/create-prerelease-lexicon.yml (5)

1-10: LGTM!

The workflow trigger configuration is well-structured. The workflow_dispatch trigger with a dry_run boolean input provides good control for maintainers to test releases before publishing.

---

12-19: LGTM!

Permissions are correctly scoped. The id-token: write for npm provenance and staging environment isolation are good security practices.

---

21-32: LGTM!

Excellent documentation in the comments explaining why fetch-depth: 0 is required. The persist-credentials: false is correct when using a custom PAT.

---

34-44: LGTM!

Node.js 20 LTS with caching, npm ci for reproducible installs, and linting before release are all best practices.

---

46-48: Verify the conditional prerelease config logic.

This step only applies the prerelease configuration when NOT on main. For a staging/prerelease workflow, this may be counterintuitive—if triggered from main, it would use the regular release config instead of prerelease.

Is this intentional? If the workflow should always produce prereleases regardless of branch, consider removing the condition.