This project uses Conventional Commits and a tag-driven GitHub Actions release workflow. npm
publishing uses trusted publishing with GitHub Actions OIDC, so releases do not need a long-lived
NPM_TOKEN secret.
- Confirm the package and trusted publisher are configured:
npm view @alecrust/workbox
npm trust list @alecrust/workbox
- The trusted publisher should point at this repository and workflow:
npm trust github @alecrust/workbox --repo AlecRust/workbox --file release.yml
- In npm package settings:
  - Require two-factor authentication for publishing/settings.
  - Disallow token publishing.
- Do not add or rely on a GitHub Actions NPM_TOKEN secret for publishing.
- Make sure your working tree is clean and you are on main:
git status
git switch main && git pull --ff-only
- Run checks locally:
bun install
bun run check
bun test
npm pack --dry-run --ignore-scripts --json
- Bump the version in package.json (for example, 0.4.2).
- Update CHANGELOG.md with the release date and user-facing changes.
- Commit the release prep:
git add package.json CHANGELOG.md bun.lock
git commit -m "chore(release): prepare for v0.4.2"
- Create the tag:
git tag -a v0.4.2 -m "v0.4.2"
- Push commit and tag:
git push origin main
git push origin v0.4.2
On tag push (v*.*.*), .github/workflows/release.yml:
- Runs bun run check and bun test
- Verifies package.json version matches the tag
- Publishes @alecrust/workbox to npm with trusted publishing
- Creates npm provenance through GitHub Actions OIDC
- Creates a GitHub Release with notes generated by git-cliff
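The tag/version gate listed above can also be run locally before pushing the tag. This is an added example, not the project's release.yml: the helper name check_release_tag, its exit codes, the strict vX.Y.Z rule and the sed-based package.json parsing are all assumptions.

```bash
# Added example: local pre-flight mirroring the "version matches the tag" gate.
# check_release_tag is a hypothetical helper, not part of the project's workflow.
#
# Usage: check_release_tag <tag> [path/to/package.json]
# Exit codes: 0 match, 1 mismatch, 2 malformed tag, 3 unreadable/invalid file.
check_release_tag() {
  local tag="$1" pkg="${2:-package.json}" version

  # Accept only plain vMAJOR.MINOR.PATCH tags. This is stricter than the
  # v*.*.* trigger glob, which would also match suffixed tags (assumption).
  if ! printf '%s\n' "$tag" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'; then
    echo "tag '$tag' is not of the form vX.Y.Z" >&2
    return 2
  fi

  if [ ! -r "$pkg" ]; then
    echo "cannot read $pkg" >&2
    return 3
  fi

  # Assumption: the first "version" key in the file is the package version,
  # which holds for a conventionally ordered package.json.
  version=$(sed -n \
    's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
    "$pkg" | head -n 1)

  if [ -z "$version" ]; then
    echo "no version field found in $pkg" >&2
    return 3
  fi

  # A mismatch means the published artifact would not correspond to the
  # tagged source that the provenance statement points at.
  if [ "v$version" != "$tag" ]; then
    echo "mismatch: tag $tag, package.json $version" >&2
    return 1
  fi

  echo "ok: $tag matches package.json $version"
}

# In GitHub Actions the pushed tag name is available as $GITHUB_REF_NAME.
```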
After the release workflow succeeds:
npm view @alecrust/workbox version
tmpdir=$(mktemp -d) && cd "$tmpdir" && bun add -g @alecrust/workbox && wkb --version
tmpdir=$(mktemp -d) && cd "$tmpdir" && npm init -y && npm install @alecrust/workbox && npm audit signatures