chore(ci): publish package

.github/workflows/publish.yml

@@ -0,0 +1,98 @@
+name: Publish Packages
+
+# This workflow publishes packages to npm when changes are merged to main branch or when manually triggered.
+
+on:
+  push:
+    paths:
+      - package.json
+    # For security reasons, this should never be set to anything but `main`
+    branches: [main]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  # For npm OIDC (https://docs.npmjs.com/trusted-publishers)
+  id-token: write
+
+env:
+  COMMIT_SHA: ${{ github.sha }}
+
+jobs:
+  prepare:
+    runs-on: ubuntu-latest
+    outputs:
+      # Output the matrix of packages to publish for use in the publish job
+      should_publish: ${{ steps.check.outputs.should_publish }}
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        with:
+          egress-policy: audit
+
+      - name: Verify commit authenticity
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          # Get commit data from GitHub API to verify its authenticity
+          COMMIT_DATA=$(gh api repos/${{ github.repository }}/commits/$COMMIT_SHA)
+          # Check if commit signature is verified (GPG signed)
+          VERIFIED=$(echo "$COMMIT_DATA" | jq -r '.commit.verification.verified')
+          # Check if commit was made through GitHub's web interface (merge queue)
+          COMMITTER=$(echo "$COMMIT_DATA" | jq -r '.commit.committer.email')
+
+          # Security checks to ensure we only publish from verified and trusted sources
+          if [[ "$VERIFIED" != "true" ]]; then
+            echo "❌ Unverified commit! Aborting."
+            exit 1
+          fi
+
+          if [[ "$COMMITTER" != "noreply@github.com" ]]; then
+            echo "❌ Not merged with the merge queue! Aborting."
+            exit 1
+          fi
+
+          echo "✅ Commit is verified and trusted."
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 2 # Need at least 2 commits to detect changes between commits
+
+      - name: Check if we should publish
+        id: check
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+        run: |
+          OLD_VERSION=$(git show $COMMIT_SHA~1:package.json | jq -r '.version')
+          NEW_VERSION=$(jq -r '.version' "package.json")
+          if [ "$OLD_VERSION" != "$NEW_VERSION" ]; then
+            echo "should_publish=true" >> $GITHUB_OUTPUT
+          fi
+
+  publish:
+    needs: prepare
+    runs-on: ubuntu-latest
+    if: needs.prepare.outputs.should_publish == 'true'
+    steps:
+      - uses: nodejs/web-team/actions/setup-environment@9f3c83af227d721768d9dbb63009a47ed4f4282f
+        with:
+          pnpm: true
+          use-version-file: true
+          registry-url: 'https://registry.npmjs.org'
+
+      - name: Publish
+        run: npm publish --access public --no-git-checks
+
+      - name: Notify
+        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # 2.3.3
+        env:
+          SLACK_COLOR: '#43853D'
+          SLACK_ICON: https://github.com/nodejs.png?size=48
+          SLACK_TITLE: ':rocket: Package Published: @nodejs/doc-kit'
+          SLACK_MESSAGE: |
+            :package: *Package*: `@nodejs/doc-kit` (<https://www.npmjs.com/package/@nodejs/doc-kit|View on npm>)
+            :bust_in_silhouette: *Published by*: ${{ github.triggering_actor }}
+            :octocat: *Commit*: <https://github.com/${{ github.repository }}/commit/${{ env.COMMIT_SHA }}|${{ env.COMMIT_SHA }}>
+          SLACK_USERNAME: nodejs-bot
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}

package.json

@@ -1,6 +1,7 @@
 {
   "name": "@nodejs/doc-kit",
   "type": "module",
+  "version": "1.0.0",
   "repository": {
     "type": "git",
     "url": "git+https://github.com/nodejs/api-docs-tooling.git"