maxmind
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 55 additions & 0 deletions b/‎.github/workflows/release.yml‎
Lines changed: 55 additions & 0 deletions
diff --git a/‎README.dev.md‎
Lines changed: 15 additions & 14 deletions b/‎README.dev.md‎
Lines changed: 15 additions & 14 deletions
diff --git a/‎dev-bin/release.sh‎
Lines changed: 92 additions & 0 deletions b/‎dev-bin/release.sh‎
Lines changed: 92 additions & 0 deletions
@@ -0,0 +1,55 @@
+name: Release
+
+on:
+  workflow_dispatch:
+  pull_request:
+  push:
+    branches:
+      - main
+  release:
+    types: [published]
+
+permissions: {}
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+      - uses: actions/setup-node@v6
+        with:
+          node-version: 22
+      - run: npm ci
+      - run: npm test
+      - run: npm run lint
+      - run: npm run build
+      - run: npm run build:docs
+
+  publish:
+    needs: build
+    if: github.event_name == 'release' && github.event.action == 'published'
+    runs-on: ubuntu-latest
+    environment: npm
+    permissions:
+      contents: write
+      id-token: write
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+      - uses: actions/setup-node@v6
+        with:
+          node-version: 22
+          registry-url: 'https://registry.npmjs.org'
+      - run: npm install -g npm@latest
+      - run: npm ci
+      - run: npm run build
+      - run: npm publish --provenance
+      - run: npm run build:docs
+      - name: Deploy docs to gh-pages
+        uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          publish_dir: ./docs
@@ -1,23 +1,24 @@
-Steps for releasing:
+## Steps for releasing:
 
 1. Review open issues and PRs to see if any can easily be fixed, closed, or
    merged.
 2. Bump copyright year in `README.md`, if necessary.
 3. Consider whether any dependencies need to be updated.
 4. Review `CHANGELOG.md` for completeness and correctness. Update its
-   release date.
-5. Set the version in `package.json`.
-6. Run `npm publish`. You can do this from the release branch. This will
-   generate the docs, deploy docs, and publish the module to NPM.
-7. Create a release PR containing the updates relating to any of the steps
-   above.
-8. Create and push a git tag (e.g. `git tag -a v4.2.0 -m v4.2.0 && git push
-   --tags`).
-9. Manually create a release on GitHub to include the release-specific
-   notes found in `CHANGELOG.md`.
-10. Verify the release on
-    [GitHub](https://github.com/maxmind/minfraud-api-node/releases) and
-    [NPM](https://npmjs.com/package/@maxmind/minfraud-api-node).
+   release date to today.
+5. Run `./dev-bin/release.sh`. This will:
+   - Validate you're not on the main branch
+   - Validate your branch is up to date with origin/main
+   - Extract the version and date from `CHANGELOG.md`
+   - Update the version in `package.json`
+   - Build and test
+   - Commit changes and push
+   - Create a GitHub release (which triggers the npm publish workflow)
+6. Merge the release PR after the workflow succeeds.
+7. Verify the release on [npm](https://npmjs.com/package/@maxmind/minfraud-api-node).
+
+Note: Publishing is done via GitHub Actions using npm Trusted Publishing
+(OIDC). Manual `npm publish` is not supported.
 
 ## Set up Precious to tidy and lint
 
 
@@ -0,0 +1,92 @@
+#!/bin/bash
+
+set -eu -o pipefail
+
+# Check that we're not on the main branch
+current_branch=$(git branch --show-current)
+if [ "$current_branch" = "main" ]; then
+    echo "Error: Releases should not be done directly on the main branch."
+    echo "Please create a release branch and run this script from there."
+    exit 1
+fi
+
+# Fetch latest changes and check that we're not behind origin/main
+echo "Fetching from origin..."
+git fetch origin
+
+if ! git merge-base --is-ancestor origin/main HEAD; then
+    echo "Error: Current branch is behind origin/main."
+    echo "Please merge or rebase with origin/main before releasing."
+    exit 1
+fi
+
+changelog=$(cat CHANGELOG.md)
+
+# minfraud-api-node format: "8.2.0 (2025-11-20)" followed by "---"
+regex='([0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9]+)?) \(([0-9]{4}-[0-9]{2}-[0-9]{2})\)'
+
+if [[ ! $changelog =~ $regex ]]; then
+    echo "Could not find version/date in CHANGELOG.md!"
+    exit 1
+fi
+
+version="${BASH_REMATCH[1]}"
+date="${BASH_REMATCH[3]}"
+
+# Extract release notes: everything after the "---" line until the next version header
+notes=$(awk -v ver="$version" '
+    $0 ~ "^" ver " \\(" { found=1; next }
+    found && /^-+$/ { in_notes=1; next }
+    in_notes && /^[0-9]+\.[0-9]+\.[0-9]+.* \([0-9]{4}-[0-9]{2}-[0-9]{2}\)/ { exit }
+    in_notes { print }
+' CHANGELOG.md | sed -e :a -e '/^\n*$/{$d;N;ba' -e '}')
+
+if [[ "$date" != "$(date +"%Y-%m-%d")" ]]; then
+    echo "Release date $date is not today ($(date +"%Y-%m-%d"))!"
+    exit 1
+fi
+
+tag="v$version"
+
+if [ -n "$(git status --porcelain)" ]; then
+    echo "Working directory is not clean." >&2
+    exit 1
+fi
+
+# Update version in package.json
+current_version=$(node -p "require('./package.json').version")
+if [ "$current_version" != "$version" ]; then
+    echo "Updating version in package.json from $current_version to $version..."
+    npm version "$version" --no-git-tag-version
+fi
+
+# Build and test
+echo "Running build and tests..."
+npm ci
+npm run build
+npm test
+npm run lint
+
+echo $'\nDiff:'
+git diff
+
+echo $'\nRelease notes:'
+echo "$notes"
+
+read -e -p "Commit changes and create release? (y/n) " should_continue
+
+if [ "$should_continue" != "y" ]; then
+    echo "Aborting"
+    exit 1
+fi
+
+git commit -m "Prepare for $version" -a
+
+git push
+
+gh release create --target "$(git branch --show-current)" -t "$version" -n "$notes" "$tag"
+
+echo ""
+echo "Release $tag created successfully!"
+echo "The GitHub Actions workflow will now publish to npm."
+echo "Monitor the release at: https://github.com/maxmind/minfraud-api-node/actions"