
release: adopt npm trusted publishing#270

Merged

brianmhunt merged 2 commits into main from bmh/sc-trusted-publishing on Apr 1, 2026

Conversation

Member

@brianmhunt brianmhunt commented Mar 30, 2026

Summary

  • move npm publishing to GitHub Actions OIDC trusted publishing
  • split release preparation from publish so the publish job runs with least-privilege permissions
  • update release docs and plans to match the new workflow

Details

  • switch the release workflow to a trusted-publishing-compatible Node 24 setup
  • replace npm install with npm ci in the release flow
  • pin third-party GitHub Actions by commit SHA in the release workflow
  • remove token-based npm publish auth from the workflow
  • remove manual dispatch from the release workflow so publishing stays tied to pushes on main
  • document why TKO uses separate prepare and publish jobs instead of the default single-job Changesets pattern

Testing

  • not run

Follow-up

  • configure the npm trusted publisher for knockout/tko using release.yml
  • after one successful OIDC publish, disable token-based publishing for the public @tko/* packages

Summary by CodeRabbit

  • Chores

    • Split release into prepare (creates/updates version PR) and publish (runs only when no unreleased changesets remain).
    • Moved versioning to prepare job; publishing now uses OIDC-based trusted publishing (no token env) and runs with Node 24 and npm ci.
    • Removed manual workflow dispatch and pinned CI actions for stability.
  • Documentation

    • Updated release and contributor guidance to reflect the new CI-driven, OIDC-based publishing flow and removed manual publish fallback.
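The two-job layout that the PR description and the walkthrough describe (a prepare-release job holding the write scopes needed for the version PR, a publish job holding only contents: read and id-token: write, gated on changesets/action's hasChangesets output, with no npm token in the environment, npm ci instead of npm install, no workflow_dispatch trigger, and third-party actions pinned by commit SHA), written out as an added illustrative workflow. It is not the project's release.yml and not code from this PR; the job and step names, the npm run build step, the registry-url setting and the <sha> pins are placeholders (assumptions), each pin to be replaced by the full 40-character commit SHA of the tag named in the trailing comment.

```yaml
# Illustrative release workflow for the prepare/publish split (assumed layout,
# not the project's real file). Every "<sha>" is a placeholder for the full
# commit SHA of the tag named beside it.
name: Release

on:
  push:
    branches: [main]   # no workflow_dispatch: publishing stays tied to pushes on main

# Workflow-level default: no permissions. Each job declares only what it needs.
permissions: {}

jobs:
  prepare-release:
    runs-on: ubuntu-latest
    permissions:
      contents: write        # changesets/action commits the version bump
      pull-requests: write   # ...and opens or updates the version PR
    outputs:
      hasChangesets: ${{ steps.changesets.outputs.hasChangesets }}
    steps:
      - uses: actions/checkout@<sha>     # v6.0.2 (placeholder pin)
      - uses: actions/setup-node@<sha>   # v6.3.0 (placeholder pin)
        with:
          node-version: 24.x
      - run: npm ci   # lockfile-exact install; fails instead of silently drifting
      - id: changesets
        uses: changesets/action@<sha>    # v1.5.3 (placeholder pin)
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        # No "publish:" input here: this job only versions and manages the PR.

  publish:
    needs: prepare-release
    # Runs only once the version PR has merged, i.e. no unreleased changesets remain.
    if: needs.prepare-release.outputs.hasChangesets == 'false'
    runs-on: ubuntu-latest
    permissions:
      contents: read    # read-only checkout; this job never pushes
      id-token: write   # lets npm request the GitHub OIDC token for trusted publishing
    steps:
      - uses: actions/checkout@<sha>     # v6.0.2 (placeholder pin)
      - uses: actions/setup-node@<sha>   # v6.3.0 (placeholder pin)
        with:
          node-version: 24.x
          registry-url: https://registry.npmjs.org   # assumed; as in npm's own example
      - run: npm ci
      - run: npm run build   # assumed build script; adjust to the repository
      # No NODE_AUTH_TOKEN / NPM_TOKEN and no --provenance flag: with trusted
      # publishing npm exchanges the OIDC token itself and attaches provenance.
      - run: npx changeset publish
```

Trusted publishing requires npm 11.5.1 or newer; if the npm bundled with the chosen Node 24.x release is older, add an `npm install -g npm@latest` step before `npm ci`. On the registry side each package's trusted publisher must be bound to the owner, repository and workflow filename (here release.yml) that the publish job runs under, which is the follow-up item in the PR description. Granting id-token: write only on the publish job rather than at the workflow level matters because the registry binds trust to the workflow file, not to a job, so any job in the file with that scope could mint an accepted token.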

Contributor

coderabbitai Bot commented Mar 30, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4917af59-ac51-4bbd-bc53-bc0f794e5ff4

📥 Commits

Reviewing files that changed from the base of the PR and between bd961ee and 200ef14.

📒 Files selected for processing (2)
  • .github/workflows/release.yml
  • README.md
✅ Files skipped from review due to trivial changes (1)
  • README.md

📝 Walkthrough


Restructured GitHub Actions release workflow from a single release job into two jobs (prepare-release, publish), moved Changesets versioning into prepare-release, switched npm publishing to GitHub Actions OIDC trusted publishing (removed token envs and --provenance flag), updated Node to 24.x and npm install → npm ci, and updated docs to reflect the trusted-publishing flow.

Changes

Cohort / File(s) / Summary

  • Release Workflow Configuration (.github/workflows/release.yml): Split monolithic release job into prepare-release (runs on pushes to main, creates/updates Changesets version PR) and publish (runs only when no unreleased changesets). Removed token-based publish envs (NODE_AUTH_TOKEN/NPM_TOKEN), removed --provenance flag, enabled OIDC (id-token: write) for publish, bumped Node from 22.x → 24.x, changed npm install → npm ci, pinned third-party actions to commit SHAs, and removed workflow_dispatch trigger.
  • Release Process Documentation (AGENTS.md, README.md): Replaced manual publish instructions with guidance to publish via GitHub Actions OIDC trusted publishing; replaced lerna publish guidance with npx changeset add; documented new release workflow behavior (version PR + OIDC publish).
  • Planning & Migration Docs (plans/build-and-release-certainty.md, plans/trusted-publishing.md): Renamed sections in build-and-release plan (Current State → Original State, etc.), updated requirement from repo NPM_TOKEN secret to npm trusted publishing via OIDC, and added plans/trusted-publishing.md describing migration steps, workflow changes (split jobs, remove token wiring, keep id-token: write, use npm ci, pin actions), and a verification checklist.

Sequence Diagram(s)

sequenceDiagram
  participant Dev as Developer (merge -> main)
  participant GH as GitHub Actions (prepare-release)
  participant PR as Version PR (Changesets)
  participant GH2 as GitHub Actions (publish)
  participant NPM as npm Registry (OIDC)

  Dev->>GH: push to main -> trigger prepare-release
  GH->>PR: run changesets/action -> open/update version PR (has_changesets)
  PR-->>Dev: Version PR created/updated
  Dev->>PR: merge version PR when ready
  PR->>GH2: trigger publish job (condition: has_changesets == 'false')
  GH2->>NPM: request OIDC id-token
  GH2->>NPM: npx changeset publish (OIDC-authenticated)
  NPM-->>GH2: publish result
  GH2-->>Dev: publish status

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 The bunny hops, CI bright and merry,

No tokens tucked within the burrow’s carry.
Two jobs hum, version PR then publish flight,
OIDC sings through the runner-night.
Hooray — safe packages hop into sight!

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: Passed. The title 'release: adopt npm trusted publishing' accurately and concisely summarizes the main objective of the changeset, which involves transitioning npm package publishing from token-based authentication to npm trusted publishing via GitHub Actions OIDC.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@phillipc
Member

Should we separate the prettier task again from linting/TSC-check? So linting can be performed independently and in parallel again.

@brianmhunt brianmhunt marked this pull request as ready for review April 1, 2026 13:59
Copilot AI review requested due to automatic review settings April 1, 2026 13:59
Contributor

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
README.md (1)

57-58: Table row formatting is inconsistent with other entries.

Line 58 uses the command-style format ($ `Release workflow`) but "Release workflow" is not an executable command like the other rows. Consider restructuring this row to better fit the table's command/effect pattern or moving this information to a separate "Release" section.

📝 Suggested fix
 | $ `npx changeset add` | Add a changeset for package behavior changes in your PR |
-| $ `Release workflow` | On merge to `main`, CI opens or updates a version PR and publishes from GitHub Actions via npm trusted publishing |
+| *Release workflow* | On merge to `main`, CI opens or updates a version PR and publishes from GitHub Actions via npm trusted publishing |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@README.md` around lines 57 - 58, The table row for "`Release workflow`" is
incorrectly formatted as a command; update the README table so the first-column
cell is plain descriptive text (e.g., "Release workflow" without backticks) and
the second column explains the behavior ("On merge to main, CI opens/updates a
version PR and publishes via GitHub Actions/npm"), or remove this row and move
that explanation into a separate "Release" section instead; locate the row
containing "`npx changeset add`" and "`Release workflow`" and adjust the
formatting accordingly so all table entries follow the same command/effect
pattern.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/release.yml:
- Around line 32-36: Update the GitHub Actions workflow to annotate the pinned
SHA usages with their corresponding tagged versions for clarity: add inline
comments next to the uses entries for actions/checkout (currently pinned to a
SHA) noting "checkout v6.0.2", for actions/setup-node noting "setup-node
v6.3.0", and for changesets/action noting "changesets/action v1.5.3"; ensure you
place these comments directly beside the existing uses lines (e.g., the uses:
actions/checkout@<sha> line) so future maintainers can see the tagged release
that corresponds to each SHA.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7a05d2b3-d9c6-49ac-8015-bd47ad4579d1

📥 Commits

Reviewing files that changed from the base of the PR and between e613af9 and bd961ee.

📒 Files selected for processing (5)
  • .github/workflows/release.yml
  • AGENTS.md
  • README.md
  • plans/build-and-release-certainty.md
  • plans/trusted-publishing.md

Comment thread .github/workflows/release.yml
Contributor

Copilot AI left a comment


Pull request overview

This PR migrates npm publishing for TKO to GitHub Actions OIDC “trusted publishing”, restructuring the release workflow to reduce permissions during the publish step and updating repo documentation/plans to match the new process.

Changes:

  • Updates .github/workflows/release.yml to split “prepare release PR” vs “publish to npm” and remove token-based npm auth in favor of OIDC.
  • Switches the release workflow’s install step to npm ci and pins key GitHub Actions by commit SHA (in the release workflow).
  • Updates maintainer/contributor docs and adds a plan documenting the trusted publishing migration.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

Show a summary per file
  • README.md: Replaces the old lerna publish guidance with Changesets + release workflow guidance.
  • plans/trusted-publishing.md: Adds an implementation/verification plan for migrating to npm trusted publishing.
  • plans/build-and-release-certainty.md: Updates the release workflow description to reflect OIDC trusted publishing and clarifies “original” state/gaps.
  • AGENTS.md: Updates maintainer release instructions to reflect OIDC trusted publishing and discourages manual token-based publishing.
  • .github/workflows/release.yml: Implements the least-privilege split workflow and removes token-based npm publish configuration.

Comment thread README.md Outdated
Comment thread .github/workflows/release.yml
Member Author

brianmhunt commented Apr 1, 2026

@phillipc

Should we separate the prettier task again from linting/TSC-check? So linting can be performed independently and in parallel again.

Good question. I’d keep that separate from this PR so we can land the trusted publishing change cleanly first. If we want to split Prettier/lint/typecheck back out for CI parallelism, I’d prefer to do that in a follow-up workflow PR.

@brianmhunt brianmhunt merged commit adad876 into main Apr 1, 2026
7 checks passed
@brianmhunt brianmhunt deleted the bmh/sc-trusted-publishing branch April 1, 2026 14:30
Labels: none yet
Projects: none yet
3 participants