@zimeg zimeg commented Jan 29, 2026

Summary

This PR adds Changesets to these packages for improved package release and publishing workflows:

$ npm run changeset

The above command might be run alongside changes in packages to write entries for that package's next release. Other packages use this for detailed release notes as a kind example:

We might consider adding this to our release workflows to automate version bumps between dependent packages - as an example @slack/web-api imports @slack/types - in addition to the other release and publishing scripts.

Preview

📚 https://github.com/slackapi/node-slack-sdk/blob/zimeg-build-changesets/.github/maintainers_guide.md#-updating-changesets

👾 Publish Workflow: We might experiment with the changes of #2474 to confirm that this publishes packages and creates releases as expected!

Notes

  • A few strategies of bumping dependent packages are available. The default is used now and it doesn't bump the minimum required version unless a recent change requires a newer version.
  • The tags for upcoming milestones are suggested to be changed to @slack/package@next instead of a set version.
  • Instructions toward pre-releases with Changesets are noted as being complicated and were left for future changes: https://akinoccc.github.io/changesets/guide/advance/pre-releases
  • We might consider adding the amazing @changeset-bot to this project for reminders in PR since not all changes require new entries so blocking CI would be rude. But perhaps that's a lot of noise?
  • OIDC configurations are now available and required in place of access tokens. This can be set up if this all looks good:
    https://github.blog/changelog/2025-07-31-npm-trusted-publishing-with-oidc-is-generally-available/
  • The publish GitHub Actions environment will also need to be set up with correct review permissions.

Requirements

@zimeg zimeg requested a review from a team January 29, 2026 08:15
@zimeg zimeg self-assigned this Jan 29, 2026
@zimeg zimeg requested a review from a team as a code owner January 29, 2026 08:15
@zimeg zimeg added docs M-T: Documentation work only release labels Jan 29, 2026

codecov bot commented Jan 29, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.09%. Comparing base (2b61810) to head (e645853).
⚠️ Report is 1 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #2483   +/-   ##
=======================================
  Coverage   93.09%   93.09%           
=======================================
  Files          40       40           
  Lines       11239    11239           
  Branches      713      713           
=======================================
  Hits        10463    10463           
  Misses        764      764           
  Partials       12       12           
Flag Coverage Δ
cli-hooks 95.23% <ø> (ø)
cli-test 94.79% <ø> (ø)
oauth 77.39% <ø> (ø)
socket-mode 61.87% <ø> (ø)
web-api 98.11% <ø> (ø)
webhook 96.66% <ø> (ø)

@zimeg zimeg left a comment

Noting some additional nuance and thoughts in these changes for the wonderful reviewers 🌚


7. Close GitHub Milestone
- Close the relevant GitHub Milestone for the release
When a PR containing changesets is merged to `main`, a different PR is opened or updating using [changesets/action](https://github.com/changesets/action) which consumes the pending changesets, bumps relevant package versions, and updates various `CHANGELOG` files in preparation to release.
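Review bot: In the sentence beginning "When a PR containing changesets is merged", the phrase "a different PR is opened or updating using" reads as a typo in the maintainers guide. Suggest "a different PR is opened or updated using" so the step is unambiguous for whoever runs the next release.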
Member Author

📚 note: The CHANGELOG file specific to each package might match what's shown in GitHub releases but also perhaps we can use this downstream in documentation?

Member

question: How does changesets/action know what version to bump the package to? Is it part of the npm run changeset command?

Member Author

The changesets/action step decides either to update the release PR or create a new release if all previous changesets were removed after merging that release PR.

We only expose the changeset script for adding new entries in development since CI ought to handle the rest of this for production releases 🤖

{
"name": "@slack/client",
"version": "5.0.2",
"private": true,
Member Author

👁️‍🗨️ note: These packages are EOL and shouldn't be published so the private field is used.

Member

question: Should we add rtm-api to the private: true list as well? It's often referred to as legacy but I'm not sure if it's officially EOL.

Member Author

@mwbrooks I'm curious about this too, but perhaps we add this to discussion in #2359? IIRC classic apps might still use this but I agree that since it's deprecated we might also mark this package as EOL.

📚 https://docs.slack.dev/changelog/2024-09-legacy-custom-bots-classic-apps-deprecation/

- name: Setup Node
uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
with:
node-version: 24
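Review bot: `node-version: 24` on the Setup Node step floats to whichever 24.x release the runner resolves, and the bundled npm version floats with it. If publishing depends on a minimum npm CLI version, add a step that checks `npm --version` right after setup so an older bundled npm fails the job early instead of failing during publish.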
Member Author

📺 note: We're using node@24 for a supported npm version:

Trusted publishing requires npm CLI version 11.5.1 or later.

🔗 https://docs.npmjs.com/trusted-publishers

Base automatically changed from zimeg-build-workspaces to main January 29, 2026 20:11

@mwbrooks mwbrooks left a comment

✅ Super exciting! I'm looking forward to seeing changesets in action and wondering if we can bring it to our other projects, if it's a success!

✏️ Left minor comments that are non-blocking!

"access": "public",
"baseBranch": "main",
"updateInternalDependencies": "patch",
"ignore": []
Member

question: Should we explicitly ignore our legacy packages? I know we currently use private: true in each legacy package to prevent publishing, so ignoring may not be necessary.

Member Author

@mwbrooks This is recommended against and instead ignore is meant to be used for stopgap times when we might want to not publish certain packages in the next release:

THIS FEATURE IS DESIGNED FOR TEMPORARY USE TO ALLOW CHANGES TO BE MERGED WITHOUT PUBLISHING THEM

🔗 https://github.com/changesets/changesets/blob/main/docs/config-file-options.md#ignore-array-of-packages


9. Communicate the release (as appropriate)
- **Internal**
- Include a brief description and link to the GitHub release
3. **Merge and approve**: Merge the release PR, then approve the publish workflow to release packages to npm.
Member

👌🏻

"devDependencies": {
"@biomejs/biome": "^2.0.5"
"@biomejs/biome": "^2.0.5",
"@changesets/cli": "^2.29.8"
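Review bot: The added `"@changesets/cli": "^2.29.8"` entry is a caret range, so the version that actually runs is fixed only by the lockfile. Confirm the workflows install with `npm ci` against a committed lockfile, or pin the exact version here, so CI cannot pick up a newer 2.x release of the tool that versions and publishes the packages.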
Member

question: Do we need @changesets/cli when npm run changeset → npx @changesets/cli runs the package instead of the cli?

Member Author

@mwbrooks I understand having this listed with dev dependencies guarantees a certain version will be used for the command:

$ npm run changeset

While npx might install a breaking change in CI. Hoping to keep this for now for confidence in shared tooling 💌

publish: npm run changeset -- publish
version: npm run changeset -- version
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Member

question: Do we need a NPM_TOKEN: ${{ secrets.NPM_TOKEN }}? How will npm run changeset -- publish release the packages without the token?

Member Author

@mwbrooks AFAICT OIDC is a replacement for the token authentications in most recent changes:

Publish packages without npm tokens

🔗 https://github.blog/changelog/2025-07-31-npm-trusted-publishing-with-oidc-is-generally-available/

environment: publish
permissions:
contents: write
id-token: write
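Review bot: `contents: write` and `id-token: write` are granted together on the job that runs in the `publish` environment. If the same job also prepares the release PR, consider splitting it so that only the job performing the npm publish, gated by the environment's reviewers, can request an OIDC token, while the PR-updating job keeps `contents: write` without `id-token: write`.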
Member

suggestion: Sounds like id-token: write is used for npm OIDC trusted publishing? I think a comment would be nice here.

Suggested change
id-token: write
# required for npm OIDC trusted publishing
id-token: write

Member Author

@mwbrooks Super appreciate this suggestion and f360a20 was added with similar reference! An "id-token" is otherwise not clear to me now...

zimeg commented Jan 30, 2026

@mwbrooks So much great feedback! Thanks for reviewing this with better maintenance in mind 🧠 ✨

As we merge this I'm making a few more changes noted earlier:

  • Adding the amazing @changeset-bot to this project
  • Setting up the OIDC permissions on NPM
  • Creating the GitHub Actions "publish" environment

We'll hold off on pre-releases for now and might update new milestones with @next tags instead of changing the current ones. I'll report back after merging this then the changes of #2474. Perhaps we experiment with a release soon too 🫡

@zimeg zimeg merged commit 7891a91 into main Jan 30, 2026
57 checks passed
@zimeg zimeg deleted the zimeg-build-changesets branch January 30, 2026 00:41

zimeg commented Jan 30, 2026

👁️‍🗨️ We're caught with the unexpected versioning of "@slack/cli-test@2.2.0+cli.2.32.2" version:

🦋  warn @slack/cli-hooks is not being published because version 1.2.1 is already published on npm
🦋  warn @slack/logger is not being published because version 4.0.0 is already published on npm
🦋  warn @slack/oauth is not being published because version 3.0.4 is already published on npm
🦋  warn @slack/rtm-api is not being published because version 7.0.4 is already published on npm
🦋  warn @slack/socket-mode is not being published because version 2.0.5 is already published on npm
🦋  warn @slack/types is not being published because version 2.19.0 is already published on npm
🦋  warn @slack/web-api is not being published because version 7.13.0 is already published on npm
🦋  warn @slack/webhook is not being published because version 7.0.6 is already published on npm
🦋  info @slack/cli-test is being published because our local version (2.2.0+cli.2.32.2) has not been published on npm
🦋  info Publishing "@slack/cli-test" at "2.2.0+cli.2.32.2"
🦋  error an error occurred while publishing @slack/cli-test: undefined You cannot publish over the previously published versions: 2.2.0. 
🦋  error 
🦋  error > @slack/cli-test@2.2.0+cli.2.32.2 prepack
🦋  error > npm run build
🦋  error 
🦋  error 
🦋  error > @slack/cli-test@2.2.0+cli.2.32.2 build
🦋  error > npm run build:clean && tsc
🦋  error 
🦋  error 
🦋  error > @slack/cli-test@2.2.0+cli.2.32.2 build:clean
🦋  error > shx rm -rf ./dist ./coverage
🦋  error 
🦋  error npm warn publish npm auto-corrected some errors in your package.json when publishing.  Please run "npm pkg fix" to address these errors.
🦋  error npm warn publish errors corrected:
🦋  error npm warn publish "version" was cleaned and set to "2.2.0"
🦋  error npm warn publish "repository" was changed from a string to an object
🦋  error npm warn publish "repository.url" was normalized to "git+https://github.com/slackapi/node-slack-sdk.git"
🦋  error npm notice Security Notice: Classic tokens have been revoked. Granular tokens are now limited to 90 days and require 2FA by default. Update your CI/CD workflows to avoid disruption. Learn more https://gh.io/all-npm-classic-tokens-revoked
🦋  error npm error You cannot publish over the previously published versions: 2.2.0.
🦋  error npm error A complete log of this run can be found in: /home/runner/.npm/_logs/2026-01-30T00_42_12_292Z-debug-0.log
🦋  error 
🦋  error packages failed to publish:
🦋  @slack/cli-test@2.2.0+cli.2.32.2

🔗 https://github.com/slackapi/node-slack-sdk/actions/runs/21500089838/job/61944289914#step:5:45

Let's fast follow this with an update to ignore publishing the @slack/cli-test package for now and follow up with discussion on how we might version this otherwise?
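
The log above reports the local version 2.2.0+cli.2.32.2 as unpublished, then npm cleans it to 2.2.0, which already exists on the registry. As an added example (not code from this PR or from Changesets), a pre-publish guard that catches this before the publish step; the function names and the shape of the `registry` lookup are assumptions, and the sample data is constructed from versions quoted in this thread.

```javascript
// Added example: not code from the PR or from the changesets project.
// Build metadata ("+...") is dropped from the version npm publishes, per the log above.
const SEMVER =
  /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+([0-9A-Za-z.-]+))?$/;

// Version string with build metadata dropped (core and prerelease are kept).
function registryVersion(version) {
  const m = SEMVER.exec(version);
  if (!m) throw new Error(`not a semver version: ${version}`);
  const core = `${m[1]}.${m[2]}.${m[3]}`;
  return m[4] ? `${core}-${m[4]}` : core;
}

// Classify one workspace package against the versions already on the registry.
function classify(pkg, publishedVersions) {
  if (pkg.private) return "skip-private";
  const published = new Set(publishedVersions || []);
  if (published.has(pkg.version)) return "skip-already-published";
  // An exact string match misses this case: the local string is new, but the
  // version it normalizes to has already been published.
  if (published.has(registryVersion(pkg.version))) return "collision-build-metadata";
  return "publish";
}

// Hypothetical helper: run the check over a whole workspace before publishing.
function prePublishReport(workspace, registry) {
  return workspace.map((pkg) => ({
    name: pkg.name,
    version: pkg.version,
    action: classify(pkg, registry[pkg.name]),
  }));
}

// Constructed sample data, using package names and versions quoted in this thread.
const workspace = [
  { name: "@slack/client", version: "5.0.2", private: true },
  { name: "@slack/web-api", version: "7.13.0" },
  { name: "@slack/cli-test", version: "2.2.0+cli.2.32.2" },
  { name: "@slack/types", version: "2.19.1" }, // constructed: an unpublished bump
];
const registry = {
  "@slack/web-api": ["7.13.0"],
  "@slack/cli-test": ["2.2.0"],
  "@slack/types": ["2.19.0"],
};

const blocked = prePublishReport(workspace, registry)
  .filter((r) => r.action === "collision-build-metadata");
if (blocked.length > 0) console.error("would fail on publish:", blocked);
```

Run in CI before the publish step, a non-empty `blocked` list is the signal to fail the job or skip the package rather than let the registry reject it mid-release.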

zimeg commented Jan 30, 2026

📝 OIDC configurations have now been made per package for the following packages:

  • @slack/cli-hooks
  • @slack/cli-test
  • @slack/logger
  • @slack/oauth
  • @slack/rtm-api
  • @slack/socket-mode
  • @slack/types
  • @slack/web-api
  • @slack/webhook

The publish environment exists too but we might find follow up to workflows that separate the PR updating script from the publishing command. I'll add this to #2492 🤖

Also, we've welcomed amazing @changeset-bot to this project in PRs 💌

@WilliamBergamin
Contributor

This seems promising 🚀 💯
