Skip to content

feat(repo): add Changesets with Trusted Publishing for automated releases #27

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
prosdev merged 1 commit into from
Nov 7, 2025
Merged

feat(repo): add Changesets with Trusted Publishing for automated releases #27

prosdev merged 1 commit into from
Nov 7, 2025

Conversation

@prosdev
Copy link
Contributor

@prosdev prosdev commented Nov 6, 2025

Implement Changesets workflow with NPM Trusted Publishing (OIDC) for secure, token-free package versioning and publishing.

Features:

  • Install and configure @changesets/cli with independent versioning
  • Add changeset, version-packages, and release npm scripts
  • Create GitHub Actions release workflow with:
    • NPM Trusted Publishing via OIDC (no tokens required)
    • Provenance attestation for package authenticity
    • Production environment for additional security
    • Dry-run capability for testing
  • Add comprehensive CONTRIBUTING.md with changeset documentation
  • Update CI.md with Trusted Publishing setup instructions

Security benefits:

  • Zero secrets management (no NPM_TOKEN needed)
  • Short-lived OIDC tokens (expire in minutes)
  • Cryptographic provenance attestation
  • NPM verified publisher badge

Closes #20

@prosdev
feat(repo): add Changesets with Trusted Publishing for automated rele…
26122c4 
…ases

Implement Changesets workflow with NPM Trusted Publishing (OIDC) for
secure, token-free package versioning and publishing.

Features:
- Install and configure @changesets/cli with independent versioning
- Add changeset, version-packages, and release npm scripts
- Create GitHub Actions release workflow with:
  - NPM Trusted Publishing via OIDC (no tokens required)
  - Provenance attestation for package authenticity
  - Production environment for additional security
  - Dry-run capability for testing
- Add comprehensive CONTRIBUTING.md with changeset documentation
- Update CI.md with Trusted Publishing setup instructions

Security benefits:
- Zero secrets management (no NPM_TOKEN needed)
- Short-lived OIDC tokens (expire in minutes)
- Cryptographic provenance attestation
- NPM verified publisher badge

Closes #20
@prosdev prosdev merged commit 27852f2 into main Nov 7, 2025
1 check passed
@prosdev prosdev deleted the issue/20-add-changesets branch November 7, 2025 17:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@markhayden markhayden markhayden approved these changes

@ashyablok ashyablok Awaiting requested review from ashyablok

@teijas teijas Awaiting requested review from teijas

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add Changesets for automated versioning and publishing

2 participants

@prosdev @markhayden