ci: add changesets release workflow #13
Runs on pushes to main. When unreleased changesets are present, opens or updates a "Version Packages" PR that bumps versions and consumes the changesets. When that PR merges, the workflow publishes the updated packages to npm with provenance.

Made-with: Cursor
Pull request overview
Adds an automated Changesets-based release workflow to version packages via PRs and publish to npm on pushes to main, replacing the current manual pnpm publish-packages process.
Changes:
- Introduces a Release GitHub Actions workflow triggered on pushes to main.
- Runs Changesets to either open/update a “version packages” PR or publish packages to npm (with provenance).
- Grants the workflow permissions required to create PRs/commits and request an OIDC token for provenance.
| - run: pnpm build | ||
pnpm build runs turbo run build across the whole monorepo. In this repo, apps/marketing has a prebuild that regenerates tracked files under apps/marketing/src/generated/*, so running build here can dirty the workspace and accidentally include unrelated generated diffs in the Changesets version PR/publish commit. Consider removing this step, or scoping the build to the publishable package(s) (e.g., only @web-kits/audio) and/or running build only when actually publishing.
| - run: pnpm build |
| title: "chore(release): version packages" | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| NPM_TOKEN: ${{ secrets.NPM_TOKEN }} |
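Review bot: the env block carrying NPM_TOKEN should stay scoped to the Changesets step that takes the title input, not the job. The token is a stored publish credential and this workflow runs on every push to main, so at job level it would also sit in the environment of pnpm build, which executes repository scripts. A granular npm token limited to publishing @web-kits/audio would narrow it further.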
The workflow configures actions/setup-node with registry-url, which typically relies on NODE_AUTH_TOKEN for npm auth. This job only exports NPM_TOKEN (and there is no .npmrc in-repo referencing NPM_TOKEN), so pnpm changeset publish may run without credentials. Consider also setting NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} (or adding an .npmrc that uses NPM_TOKEN) so publishing is reliably authenticated.
| NPM_TOKEN: ${{ secrets.NPM_TOKEN }} | |
| NPM_TOKEN: ${{ secrets.NPM_TOKEN }} | |
| NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} |
Summary
Adds .github/workflows/release.yml so we can stop running pnpm publish-packages by hand.

How it works
On every push to main:
main, detects that versions changed, and runs pnpm changeset publish to publish @web-kits/audio to npm (with provenance).
Only @web-kits/audio is non-private, so it's the only package that will be published.

Requirements
- NPM_TOKEN repo secret with publish rights to @web-kits/audio — already added.
- GITHUB_TOKEN — auto-provided by Actions.
- contents: write / pull-requests: write so Changesets can commit version bumps and open the PR, and id-token: write so npm provenance works.

Related

Test plan
- main).
- chore(release): version packages PR is opened automatically.
- @web-kits/audio@0.2.0 appears on npm.

Made with Cursor