ci: add npm provenance and improve release workflow (#110)

AVGVSTVS96 · web-flow · commit 66c6f6079866 · 2025-12-04T21:08:03.000-08:00
This PR enhances our release workflow by:

- Adding npm provenance support for package security
- Configuring the npm registry URL in the GitHub workflow
- Adding custom commit message and PR title for version updates
- Setting public access and provenance in package.json
- Removing the custom release script in favor of the changeset action

These changes improve our publishing security and simplify the release process by leveraging GitHub Actions and changesets more effectively.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -9,6 +9,7 @@ concurrency: ${{ github.workflow }}-${{ github.ref }}
 permissions:
   contents: write
   pull-requests: write
+  id-token: write # for npm provenance OIDC attestation
 
 jobs:
   version:
@@ -27,6 +28,7 @@ jobs:
         with:
           node-version: 22
           cache: "pnpm"
+          registry-url: "https://registry.npmjs.org"
 
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
@@ -35,7 +37,11 @@ jobs:
         id: changesets
         uses: changesets/action@v1
         with:
+          commit: "chore: update versions"
+          title: "chore: update versions"
           publish: pnpm ci:publish
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_CONFIG_PROVENANCE: true
diff --git a/package.json b/package.json
@@ -16,7 +16,6 @@
     "check": "pnpm --filter react-shiki check",
     "format": "pnpm --filter react-shiki format",
     "changeset": "changeset",
-    "release": "node scripts/release.mjs",
     "ci:publish": "pnpm package:build && changeset publish"
   },
   "devDependencies": {
diff --git a/package/package.json b/package/package.json
@@ -26,13 +26,12 @@
   "type": "module",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",
-  "files": [
-    "dist",
-    "src/lib/styles.css"
-  ],
-  "sideEffects": [
-    "src/lib/styles.css"
-  ],
+  "files": ["dist", "src/lib/styles.css"],
+  "sideEffects": ["src/lib/styles.css"],
+  "publishConfig": {
+    "access": "public",
+    "provenance": true
+  },
   "exports": {
     ".": {
       "types": "./dist/index.d.ts",
diff --git a/scripts/release.mjs b/scripts/release.mjs
