docs: document trusted publishing flow

vaur94 · sisyphus-dev-ai · vaur94 · commit 6bc984482fba · 2026-03-09T23:08:30.000+03:00
Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode) Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
diff --git a/README.md b/README.md
@@ -130,7 +130,9 @@ npm run ci:check
 
 - GitHub release automation is active on `main`.
 - `release-please` opens or refreshes a release PR from conventional commits, then creates the GitHub release when that PR is merged.
-- npm publish runs from the `Release` workflow only after a release is created and a valid `NPM_TOKEN` is configured.
+- The package already exists on npm; future publishes target npm trusted publishing with GitHub OIDC instead of a long-lived `NPM_TOKEN`.
+- `.github/workflows/publish.yml` verifies the package with `npm run ci:check` and `npm run pack:dry-run` before any publish step.
+- Real npm publish runs from the `published` release event and checks that the GitHub tag matches `package.json`.
 - If you want CI to run automatically on release PRs, add an optional `RELEASE_PLEASE_TOKEN` secret backed by a GitHub PAT.
 
 ## Repository Layout
diff --git a/README.tr.md b/README.tr.md
@@ -130,7 +130,9 @@ npm run ci:check
 
 - GitHub release otomasyonu `main` uzerinde aktif.
 - `release-please`, conventional commit gecmisine gore release PR acip gunceller; bu PR merge edilince GitHub release olusturulur.
-- npm publish adimi, yalnizca release olustuktan sonra ve gecerli bir `NPM_TOKEN` tanimliysa `Release` workflow'u icinde calisir.
+- Paket npm'de zaten mevcut; sonraki yayinlar uzun omurlu `NPM_TOKEN` yerine GitHub OIDC tabanli npm trusted publishing hedefiyle calisir.
+- `.github/workflows/publish.yml`, publish oncesi `npm run ci:check` ve `npm run pack:dry-run` ile paketi dogrular.
+- Gercek npm publish adimi `published` release eventiyle calisir ve GitHub tag'inin `package.json` surumuyle eslestigini kontrol eder.
 - Release PR'larda CI'nin otomatik calismasi isteniyorsa GitHub PAT tabanli opsiyonel bir `RELEASE_PLEASE_TOKEN` secret'i eklenmelidir.
 
 ## Repo Yapisi
diff --git a/RELEASE.md b/RELEASE.md
@@ -9,15 +9,17 @@
 - Conventional commits determine the next version.
 - Release PRs keep `CHANGELOG.md` and `package.json` in sync before a release is cut.
 - GitHub releases are generated when the release PR is merged.
-- npm publishing runs after the GitHub release is created and release credentials are available.
+- The first npm publish is already complete; later publishes should use npm trusted publishing with GitHub OIDC.
+- `.github/workflows/publish.yml` verifies package quality before publish and rejects tag/version mismatches.
 
 ## Maintainer checklist
 
 1. Merge verified changes into `main`.
 2. Confirm `npm run ci:check` is green locally or in CI.
 3. Review and merge the release PR generated by the `Release` workflow.
-4. Verify the generated release notes and package publication result.
-5. Confirm `CHANGELOG.md`, `package.json`, and the GitHub release match the shipped change.
+4. Ensure npm trusted publisher mapping points to `publish.yml`.
+5. Verify the generated release notes and package publication result.
+6. Confirm `CHANGELOG.md`, `package.json`, and the GitHub release match the shipped change.
 
 ## Conventional commit guide
 
@@ -33,3 +35,4 @@
 - `release-please-config.json`
 - `.release-please-manifest.json`
 - `.github/workflows/release.yml`
+- `.github/workflows/publish.yml`
diff --git a/RELEASE.tr.md b/RELEASE.tr.md
@@ -9,11 +9,13 @@
 - Conventional commit mesajlari yeni versiyonu belirler.
 - Release PR, `CHANGELOG.md` ve `package.json` dosyalarini surum oncesi senkron tutar.
 - Release PR merge edilince GitHub release olusturulur.
-- `NPM_TOKEN` varsa npm yayini release olustuktan sonra yapilir.
+- Ilk npm yayini zaten tamamlandi; sonraki yayinlar GitHub OIDC tabanli npm trusted publishing ile yapilmalidir.
+- `.github/workflows/publish.yml`, publish oncesi kaliteyi dogrular ve tag/surum uyusmazligini reddeder.
 
 ## Bakimci kontrol listesi
 
 1. Dogrulanmis degisiklikleri `main` icine alin.
 2. `npm run ci:check` sonucunu dogrulayin.
 3. `Release` workflow'unun actigi release PR'i gozden gecirip merge edin.
-4. GitHub release notlarini, `CHANGELOG.md` guncellemesini ve npm yayin sonucunu kontrol edin.
+4. npm trusted publisher kaydinin `publish.yml` dosyasina bagli oldugunu dogrulayin.
+5. GitHub release notlarini, `CHANGELOG.md` guncellemesini ve npm yayin sonucunu kontrol edin.
diff --git a/docs/en/developer-guide/release-process.md b/docs/en/developer-guide/release-process.md
@@ -16,11 +16,13 @@ Conventional commits define semantic version changes.
 2. GitHub Actions runs `npm run ci:check`.
 3. The `Release` workflow opens or updates a release PR.
 4. Merging that release PR creates the GitHub release and updates `CHANGELOG.md` and `package.json`.
-5. npm publish runs when `NPM_TOKEN` is configured.
+5. The `Publish Package` workflow verifies the package and publishes through npm trusted publishing.
+6. The publish job fails if the GitHub release tag does not match `package.json`.
 
 ## Important files
 
 - `release-please-config.json`
 - `.release-please-manifest.json`
 - `.github/workflows/release.yml`
+- `.github/workflows/publish.yml`
 - `package.json`
diff --git a/docs/tr/developer-guide/release-process.md b/docs/tr/developer-guide/release-process.md
@@ -15,4 +15,5 @@ Conventional commit mesajlari semantic version artisini belirler.
 1. Dogrulanmis degisikligi `main` icine al.
 2. `npm run ci:check` sonucunu dogrula.
 3. `Release` workflow'unun olusturdugu release PR'i gozden gecir.
-4. Release PR merge edildikten sonra GitHub release, `CHANGELOG.md` ve npm yayin sonucunu kontrol et.
+4. Release PR merge edildikten sonra `Publish Package` workflow'unun paketi dogruladigini ve trusted publishing ile yayimladigini kontrol et.
+5. GitHub release, `CHANGELOG.md` ve npm yayin sonucunu kontrol et.
