PUBLISHING.md documents the manual pnpm publish --no-git-checks flow. The repo actually has tag-triggered OIDC publish workflows for all three packages:
.github/workflows/schemas-publish.yml → schemas-v*
.github/workflows/sdk-typescript-publish.yml → sdk-typescript-v*
.github/workflows/sdk-python-publish.yml → sdk-python-v*
All three use id-token: write + environment: npm/pypi for trusted publishing, no local npm/PyPI credentials needed. The doc should reflect this:
cd packages/schemas
npm version minor
git add package.json
git commit -m "release: schemas@$(node -p 'require("./package.json").version')"
git push
git tag schemas-v$(node -p 'require("./package.json").version')
git push --tags
# workflow handles the rest
Drop the pnpm publish --no-git-checks instructions; the workflow's "verify tag matches package.json version" step makes the manual flow strictly more error-prone (version drift between local and CI).
Caught while shipping #100's SDK bumps — manual flow worked but bypassed the audit/verification CI provides.
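A sketch of what a "verify tag matches package.json version" guard can check, including the wrong-prefix case. This is an added example, not the repository's workflow code. The function names, the sed-based version read and the sample package.json are assumptions.

```shell
# Added example: hypothetical guard, not the repository's workflow step.
# verify_tag <tag-or-ref> <tag-prefix> <path-to-package.json>
# Exit codes: 0 match, 1 version drift, 2 wrong tag prefix, 3 no version found.

read_pkg_version() {
    # Minimal read of the first "version" field so the example runs without Node;
    # a job with Node could use: node -p 'require("./package.json").version'
    sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

verify_tag() {
    ref=$1
    prefix=$2
    pkg=$3
    tag=${ref#refs/tags/}   # accept a bare tag or a full refs/tags/... ref
    case $tag in
        "$prefix"*) tag_version=${tag#"$prefix"} ;;
        *) echo "tag '$tag' does not start with '$prefix'" >&2; return 2 ;;
    esac
    pkg_version=$(read_pkg_version "$pkg")
    if [ -z "$pkg_version" ]; then
        echo "no version field found in $pkg" >&2
        return 3
    fi
    if [ "$tag_version" != "$pkg_version" ]; then
        echo "tag version '$tag_version' != package.json version '$pkg_version'" >&2
        return 1
    fi
    echo "ok: $tag matches $pkg"
}

# Constructed sample input for a stand-alone run.
demo_dir=$(mktemp -d)
printf '{\n  "name": "example-schemas",\n  "version": "1.4.0"\n}\n' > "$demo_dir/package.json"
verify_tag "refs/tags/schemas-v1.4.0" "schemas-v" "$demo_dir/package.json"
verify_tag "schemas-v1.5.0" "schemas-v" "$demo_dir/package.json" || echo "rejected (exit $?)"
rm -rf "$demo_dir"
```

Running a guard like this before the publish step means a tag pushed against a stale or unbumped package.json fails the job instead of releasing a mismatched version.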