ci: automate npm release flow (verify -> bump/tag -> publish) (#2)

bntvllnt · web-flow · commit 9f8be84c82eb · 2026-02-24T17:41:58.000+01:00
* ci: automate release tagging and npm publish

* ci: align pnpm version with packageManager
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,40 @@
+name: CI
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+jobs:
+  verify:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 10.28.2
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: pnpm
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Lint
+        run: pnpm lint
+
+      - name: Typecheck
+        run: pnpm typecheck
+
+      - name: Build
+        run: pnpm build
+
+      - name: Test
+        run: pnpm test
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -0,0 +1,49 @@
+name: Publish to npm
+
+on:
+  push:
+    tags:
+      - "v*"
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 10.28.2
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          registry-url: https://registry.npmjs.org
+          cache: pnpm
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Lint
+        run: pnpm lint
+
+      - name: Typecheck
+        run: pnpm typecheck
+
+      - name: Build
+        run: pnpm build
+
+      - name: Test
+        run: pnpm test
+
+      - name: Publish package
+        run: npm publish --provenance
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/.github/workflows/release-tag.yml b/.github/workflows/release-tag.yml
@@ -0,0 +1,66 @@
+name: Release Tag
+
+on:
+  workflow_dispatch:
+    inputs:
+      bump:
+        description: Version bump type
+        required: true
+        default: patch
+        type: choice
+        options:
+          - patch
+          - minor
+          - major
+
+permissions:
+  contents: write
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Ensure main branch
+        run: test "${{ github.ref_name }}" = "main"
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 10.28.2
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: pnpm
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Verify (lint, typecheck, build, test)
+        run: |
+          pnpm lint
+          pnpm typecheck
+          pnpm build
+          pnpm test
+
+      - name: Configure git author
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+
+      - name: Bump version and create tag
+        id: bump
+        run: |
+          NEW_VERSION=$(npm version ${{ github.event.inputs.bump }} -m "chore(release): %s [skip ci]")
+          echo "version=$NEW_VERSION" >> "$GITHUB_OUTPUT"
+
+      - name: Push release commit and tag
+        run: git push origin HEAD:${{ github.ref_name }} --follow-tags
+
+      - name: Release summary
+        run: echo "Created and pushed ${{ steps.bump.outputs.version }}"
diff --git a/README.md b/README.md
@@ -227,6 +227,33 @@ codebase-visualizer <path>
 - File + exported function granularity (no internal function calls)
 - Client-side 3D requires WebGL
 
+## Release
+
+Publishing is automated and **only happens on `v*` tags**.
+
+### One-time setup
+
+1. Create an npm automation token (npmjs.com → Access Tokens).
+2. Add it to GitHub repository secrets as `NPM_TOKEN`.
+
+### Normal CI (before release)
+
+- `CI` workflow runs on every PR and push to `main`:
+  - lint → typecheck → build → test
+
+### Create a release (auto bump + auto tag)
+
+1. Open GitHub Actions → `Release Tag`.
+2. Click **Run workflow** on `main`.
+3. Select bump type: `patch` | `minor` | `major`.
+
+`Release Tag` will:
+- run lint → typecheck → build → test
+- bump `package.json` version
+- create and push `vX.Y.Z` tag
+
+Pushing that tag triggers `Publish to npm`, which runs checks again and publishes.
+
 ## Contributing
 
 Contributions are welcome. Please open an issue first to discuss what you'd like to change.
