8 changes: 8 additions & 0 deletions .changeset/README.md
@@ -0,0 +1,8 @@
# Changesets

Hello and welcome! This folder has been automatically generated by `@changesets/cli`, a build tool that works
with multi-package repos, or single-package repos to help you version and publish your code. You can
find the full documentation for it [in our repository](https://github.com/changesets/changesets)

We have a quick list of common questions to get you started engaging with this project in
[our documentation](https://github.com/changesets/changesets/blob/main/docs/common-questions.md)
11 changes: 11 additions & 0 deletions .changeset/config.json
@@ -0,0 +1,11 @@
{
"$schema": "../node_modules/@changesets/config/schema.json",
"changelog": "@changesets/cli/changelog",
"commit": false,
"fixed": [],
"linked": [],
"access": "public",
"baseBranch": "main",
"updateInternalDependencies": "patch",
"ignore": []
}
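Review bot: `"access": "public"` sets the default publish access for every package that `changeset publish` releases, so any workspace package that is not explicitly private goes to the public registry. Before the first release run, confirm that each package not meant for npm carries `"private": true` in its own `package.json`.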
32 changes: 32 additions & 0 deletions .github/workflows/release.yml
@@ -0,0 +1,32 @@
name: Release

on:
push:
branches:
- main

concurrency: ${{ github.workflow }}-${{ github.ref }}

jobs:
release:
name: Release
runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write
id-token: write
Comment on lines +14 to +17

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Search for OIDC/provenance usage patterns
rg -n 'id-token|ACTIONS_ID_TOKEN|provenance|sigstore|cosign' .github/workflows/release.yml README.md package.json .changeset/config.json 2>/dev/null || echo "No matches found"

Repository: plainbrew/next-utils

Length of output: 118


🏁 Script executed:

#!/bin/bash
# Check the full release.yml to understand the workflow context
head -100 .github/workflows/release.yml

Repository: plainbrew/next-utils

Length of output: 799


🏁 Script executed:

#!/bin/bash
# Search for any usage of id-token in the entire workflows directory
rg -n 'id-token' .github/workflows/ 2>/dev/null || echo "No id-token usage found"

Repository: plainbrew/next-utils

Length of output: 118


🏁 Script executed:

#!/bin/bash
# Check if there are any npm publish or package registry operations that might need id-token
rg -n 'npm publish|registry|provenance' .github/workflows/release.yml 2>/dev/null || echo "No npm publish found"

Repository: plainbrew/next-utils

Length of output: 117


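id-token: write is not used, so please remove it

This workflow authenticates to the npm registry with the NODE_AUTH_TOKEN environment variable and does not use an OIDC token. There is no provenance signing or any other OIDC-based operation either, so this permission is unnecessary. Please remove it in line with the principle of least privilege.

Suggested fix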
     permissions:
       contents: write
       pull-requests: write
-      id-token: write
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
permissions:
contents: write
pull-requests: write
id-token: write
permissions:
contents: write
pull-requests: write
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml around lines 14 - 17, Remove the unused OIDC
permission by deleting the "id-token: write" entry from the workflow permissions
block (the permissions: contents/pull-requests entries should remain); also scan
the steps referenced by the workflow to confirm no actions rely on OIDC (no
usages of GITHUB_OIDC_TOKEN or provenance signatures) before committing the
change to ensure no breakage.

steps:
- uses: actions/checkout@v4
- uses: pnpm/action-setup@v4
- uses: actions/setup-node@v4
with:
node-version: 24
cache: pnpm
registry-url: https://registry.npmjs.org
- run: pnpm install --frozen-lockfile
- uses: changesets/action@v1
with:
publish: pnpm run release
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
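Review bot: The `uses:` entries under `steps` reference mutable tags (`actions/checkout@v4`, `pnpm/action-setup@v4`, `actions/setup-node@v4`, `changesets/action@v1`) in a job that holds `contents: write`, `pull-requests: write` and `secrets.NPM_TOKEN`. A tag can be moved to different code after this review, and that code would then run in the job that publishes to npm. Pin each action to a full commit SHA, keep the tag as a trailing comment for readability, and let an update bot raise the pins through reviewed PRs.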
44 changes: 44 additions & 0 deletions README.md
@@ -1 +1,45 @@
# next-utils

## リリース手順

このリポジトリは [changesets](https://github.com/changesets/changesets) を使ってバージョン管理と npm publish を行います。

### 1. changeset を作成する

パッケージに変更を加えたら、その変更内容を記録するファイルを作成します。

```bash
pnpm changeset
```

対話形式で以下を入力します:

- **対象パッケージ** — 変更したパッケージを選択
- **バージョンの種類** — `patch` / `minor` / `major` を選択
- **変更内容の説明** — changelog に記載されるメッセージを入力

実行後、`.changeset/` に `.md` ファイルが生成されます。このファイルを変更と一緒にコミットして PR を出してください。

### 2. main にマージする

PR を main にマージすると、GitHub Actions が自動的に動きます。

- **changeset ファイルがある場合** — "Version Packages" という PR が自動作成されます
- **changeset ファイルがない場合** — 何も起きません

### 3. "Version Packages" PR をマージする

自動作成された "Version Packages" PR には以下が含まれます:

- 各パッケージの `package.json` のバージョン更新
- `CHANGELOG.md` の更新

この PR をマージすると、GitHub Actions が npm に自動で publish します。

### 事前準備(初回のみ)

リポジトリの Settings → Secrets に以下を追加してください:

| Secret 名 | 値 |
| ----------- | ---------------------------------------------- |
| `NPM_TOKEN` | npm の Access Token(`Automation` タイプ推奨) |
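Review bot: The secrets table at the end of the setup section recommends an `Automation` type token for `NPM_TOKEN` but says nothing about what the token should be allowed to do. Automation tokens skip 2FA on publish and are not restricted to particular packages, so the row should instead ask for a granular access token limited to this repository's packages, with write permission only where publishing needs it and an expiry date, and the section should say who rotates it.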
4 changes: 4 additions & 0 deletions package.json
Expand Up @@ -5,9 +5,13 @@
"scripts": {
"format": "oxfmt",
"format:check": "oxfmt --check",
"version": "changeset version",
"release": "changeset publish",
"prepare": "husky"
},
"devDependencies": {
"@changesets/cli": "^2.29.8",
"@changesets/config": "^3.1.2",
"husky": "^9.1.7",
"lint-staged": "^16.3.1",
"oxfmt": "^0.36.0"
Expand Down
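Review bot: The script name in `"version": "changeset version"` collides with npm's `version` lifecycle hook, so running `npm version <bump>` in this package would also invoke `changeset version`. The release workflow in this PR only passes `publish: pnpm run release` to `changesets/action`, so CI does not call this script by name. Rename it (for example `version-packages`) and, if CI is meant to use it, pass it through the action's `version` input.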