Bring in release changes

essential-randomness · essential-randomness · commit 3f821144f3cb · 2026-06-01T19:57:54.000-07:00
diff --git a/.github/workflows/first-release.yaml b/.github/workflows/first-release.yaml
@@ -0,0 +1,98 @@
+name: First Package Release
+
+# Bootstrap workflow for brand-new npm packages.
+#
+# npm Trusted Publishing cannot be configured until a package already exists on
+# the registry. This manual workflow handles that one-time gap by using a short
+# lived NPM_TOKEN secret to publish only public workspace packages whose package
+# name is not on npm yet. It skips packages that already exist, even when the
+# local version has not been published.
+#
+# This runs through changesets/action so successful first publishes get the
+# same tag and GitHub Release behavior as the normal Release workflow. It must
+# run on a versioned checkout with no pending changeset files; otherwise
+# changesets/action would create/update a release PR instead of publishing.
+# Newly published packages must already have a CHANGELOG.md entry for their
+# current version, because changesets/action uses that entry as the GitHub
+# Release body.
+#
+# Before running:
+# - Create a temporary npm granular access token with read/write access to the
+#   relevant scope, a short expiration, and 2FA bypass for automation.
+#   Command-line equivalent:
+#     npm token create \
+#       --name "first-package-release" \
+#       --expires 1 \
+#       --scopes @fujocoded \
+#       --packages-and-scopes-permission read-write \
+#       --bypass-2fa
+# - Add it to this repository's Actions secrets as NPM_TOKEN.
+#   Command-line equivalent:
+#     gh secret set NPM_TOKEN \
+#       --repo FujoWebDev/fujocoded-plugins \
+#       --body "<temporary-npm-token>"
+# - Run this workflow manually.
+#   Command-line equivalent:
+#     gh workflow run first-release.yaml \
+#       --repo FujoWebDev/fujocoded-plugins \
+#       --ref <branch-or-tag>
+#
+# After a successful first release:
+# - Configure Trusted Publishing for each newly published package, using this
+#   repository and the normal release.yaml workflow file.
+#   Command-line equivalent:
+#     npm trust github <package-name> \
+#       --repo FujoWebDev/fujocoded-plugins \
+#       --file release.yaml \
+#       --allow-publish
+# - Delete the NPM_TOKEN repository secret and revoke the npm token.
+#   Command-line equivalent:
+#     gh secret delete NPM_TOKEN \
+#       --repo FujoWebDev/fujocoded-plugins
+#     npm token revoke <token-id-or-token>
+# - Use the normal Release workflow for future package versions.
+
+on:
+  workflow_dispatch:
+
+concurrency: ${{ github.workflow }}-${{ github.ref }}
+
+permissions:
+  id-token: write
+  contents: write
+
+jobs:
+  first-release:
+    name: First Package Release
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: 24
+          registry-url: "https://registry.npmjs.org"
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Refuse pending changesets
+        run: |
+          if find .changeset -maxdepth 1 -type f -name '*.md' ! -name README.md | grep -q .; then
+            echo "::error::First Package Release must run on a versioned checkout with no pending changeset files."
+            exit 1
+          fi
+
+      - name: Build
+        run: npm run build
+
+      - name: Publish first-release packages
+        uses: changesets/action@v1
+        with:
+          publish: node .github/workflows/scripts/first-release-publish.mjs
+          createGithubReleases: true
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/.github/workflows/scripts/first-release-publish.mjs b/.github/workflows/scripts/first-release-publish.mjs
@@ -0,0 +1,104 @@
+import { existsSync, readdirSync, readFileSync } from "node:fs";
+import { join } from "node:path";
+import { spawnSync } from "node:child_process";
+
+if (!process.env.NPM_TOKEN) {
+  console.error("NPM_TOKEN is required for first package releases.");
+  process.exit(1);
+}
+
+const root = JSON.parse(readFileSync("package.json", "utf8"));
+const workspaces = Array.isArray(root.workspaces)
+  ? root.workspaces
+  : (root.workspaces?.packages ?? []);
+
+const packages = [];
+
+for (const workspace of workspaces) {
+  if (workspace !== "*/") {
+    continue;
+  }
+
+  for (const entry of readdirSync(".", { withFileTypes: true })) {
+    if (!entry.isDirectory() || entry.name.startsWith(".")) {
+      continue;
+    }
+
+    try {
+      const manifest = JSON.parse(
+        readFileSync(join(entry.name, "package.json"), "utf8"),
+      );
+      if (!manifest.private && manifest.name && manifest.version) {
+        packages.push({
+          dir: entry.name,
+          name: manifest.name,
+          version: manifest.version,
+        });
+      }
+    } catch {
+      // Not a workspace package.
+    }
+  }
+}
+
+const missingPackages = [];
+
+for (const pkg of packages) {
+  const result = spawnSync("npm", ["view", pkg.name, "version"], {
+    encoding: "utf8",
+  });
+
+  if (result.status === 0) {
+    continue;
+  }
+
+  const error = `${result.stderr}\n${result.stdout}`;
+  if (/E404|404 Not Found/.test(error)) {
+    console.log(`${pkg.name} is not published yet.`);
+    missingPackages.push(pkg);
+    continue;
+  }
+
+  process.stderr.write(error);
+  process.exit(result.status ?? 1);
+}
+
+if (missingPackages.length === 0) {
+  console.error("No unpublished public workspace packages found.");
+  process.exit(1);
+}
+
+for (const pkg of missingPackages) {
+  const changelogPath = join(pkg.dir, "CHANGELOG.md");
+  if (!existsSync(changelogPath)) {
+    console.error(
+      `${pkg.name} is missing CHANGELOG.md. Create the first version changelog before publishing so changesets/action can create the GitHub Release.`,
+    );
+    process.exit(1);
+  }
+
+  const changelog = readFileSync(changelogPath, "utf8");
+  const versionHeading = new RegExp(`^#{1,6}\\s+${pkg.version}\\s*$`, "m");
+  if (!versionHeading.test(changelog)) {
+    console.error(
+      `${pkg.name} CHANGELOG.md is missing a ${pkg.version} entry. Create the first version changelog before publishing so changesets/action can create the GitHub Release.`,
+    );
+    process.exit(1);
+  }
+}
+
+for (const pkg of missingPackages) {
+  const result = spawnSync("npm", ["publish", pkg.dir, "--provenance"], {
+    encoding: "utf8",
+    stdio: ["inherit", "pipe", "pipe"],
+  });
+
+  process.stdout.write(result.stdout);
+  process.stderr.write(result.stderr);
+
+  if (result.status !== 0) {
+    process.exit(result.status ?? 1);
+  }
+
+  console.log(`New tag: ${pkg.name}@${pkg.version}`);
+}
diff --git a/msw-atproto/CHANGELOG.md b/msw-atproto/CHANGELOG.md
@@ -0,0 +1,10 @@
+# @fujocoded/astro-smooth-action
+
+## 0.0.1
+
+First release, yay!
+
+As said in the README: `@fujocoded/msw-atproto` uses the power of
+[MSW](https://mswjs.io/) to give you(r tests) fake, <u>stateful</u> ATproto
+accounts that respond to HTTP requests exactly like real PDSes on the real
+network would!
