
ci: set up release-please with npm trusted publishing#9

Merged
amondnet merged 1 commit into main from ci/setup-release-please on Jun 8, 2026

Conversation

amondnet (Contributor) commented Jun 8, 2026
Summary

Set up release-please (manifest mode) to automate versioning, changelogs, and npm publishing for the eight publishable workspace packages.

  • release-please-config.json: node release-type, independent per-package versions, node-workspace plugin to propagate workspace:* bumps, single aggregated release PR.
  • .release-please-manifest.json — seeds all packages at 0.1.0.
  • .github/workflows/release.yml
    • release-please job opens/maintains the release PR; on merge it tags and creates the GitHub releases.
    • publish job packs each released package with bun pm pack (rewrites workspace:* → concrete versions in the tarball, which npm pack/npm publish alone do not) and publishes the tarball with npm via OIDC Trusted Publishing — no NPM_TOKEN, provenance attached automatically. npm is upgraded to ≥ 11.5.1 first (Trusted Publishing requirement).
  • packages/emulate — adds the missing publishConfig.access=public so the scoped package publishes publicly like the others.

All third-party actions are pinned to full commit SHAs; jobs use least-privilege permissions.

Required setup before the first automated release

npm Trusted Publisher can only be configured on packages that already exist on the registry. For these brand-new packages:

  1. Bootstrap once — publish each package manually (npm login, then bun pm pack followed by npm publish <tgz> --access public) to create them on npm.
  2. Register the trusted publisher on each package's npmjs.com Settings → Trusted Publisher → GitHub Actions:
    • Repository: pleaseai/emulate
    • Workflow: release.yml
  3. Subsequent releases publish automatically via OIDC — no tokens.

Notes

  • First release-please run will open a release PR covering existing history (expected). Let me know if a specific initial version is desired (release-as).
  • Independent versioning was chosen because commit scopes (feat(asana):, feat(linear):) map to per-package directories.

🤖 Generated with Claude Code
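A workflow skeleton for the two-job layout the description lists, as an added example and not the PR's own release.yml (this page does not show that file in full). The action references are placeholders where the PR pins full commit SHAs, the setup actions stand in for the PR's mise step, and scripts/publish-released.sh is a hypothetical name for the publish loop; the point of the example is the job-level permission split, with id-token: write granted only to the job that talks to npm.

```yaml
name: release

on:
  push:
    branches: [main]

# Default every job to no permissions; each job asks for what it needs.
permissions: {}

jobs:
  release-please:
    runs-on: ubuntu-latest
    permissions:
      contents: write        # create tags and GitHub releases
      pull-requests: write   # open / update the release PR
    outputs:
      releases_created: ${{ steps.rp.outputs.releases_created }}
      paths_released: ${{ steps.rp.outputs.paths_released }}
    steps:
      # Placeholder: the PR pins a full commit SHA here (not shown on this page).
      - id: rp
        uses: googleapis/release-please-action@<full-commit-sha> # v4
        with:
          config-file: release-please-config.json
          manifest-file: .release-please-manifest.json

  publish:
    needs: release-please
    if: ${{ needs.release-please.outputs.releases_created == 'true' }}
    runs-on: ubuntu-latest
    permissions:
      contents: read    # checkout only; no tag or release writes from this job
      id-token: write   # mint the OIDC token that npm Trusted Publishing verifies
    steps:
      - uses: actions/checkout@<full-commit-sha> # v4
      # Assumption: setup actions instead of the PR's mise-based install.
      - uses: oven-sh/setup-bun@<full-commit-sha> # v2
      - uses: actions/setup-node@<full-commit-sha> # v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: bun install --frozen-lockfile
      - run: bun run build
      # Pin npm rather than @latest: Trusted Publishing needs >= 11.5.1, and a
      # release job should not change behaviour because npm shipped a new version.
      - name: Install npm for Trusted Publishing
        run: npm install -g npm@11.5.1 && npm --version
      - name: Publish released packages
        env:
          PATHS_RELEASED: ${{ needs.release-please.outputs.paths_released }}
        run: bash scripts/publish-released.sh "$PATHS_RELEASED"   # hypothetical script
```

No NPM_TOKEN appears anywhere: the publish job's identity is the OIDC token GitHub issues for this repository and workflow, which is exactly what the npmjs.com Trusted Publisher entry (repository pleaseai/emulate, workflow release.yml) binds to. One caveat worth knowing when using the default GITHUB_TOKEN for release-please: GitHub does not trigger other workflows for pull requests and tags created with that token, so if CI is expected to run on the release PR itself, a GitHub App or PAT token must be passed to the action instead.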


Summary by cubic

Set up release-please (manifest mode) to automate per-package versioning, changelogs, tags, and npm publishing via OIDC Trusted Publishing across eight workspace packages. Publishes only changed packages and removes NPM_TOKEN while attaching provenance.

  • New Features

    • Added release-please-config.json: node type, independent versions, node-workspace plugin, single aggregated release PR.
    • Added .release-please-manifest.json: seeds packages/* to 0.1.0.
    • Added .github/workflows/release.yml: maintains the release PR, tags on merge, builds, packs with bun pm pack, upgrades npm to >= 11.5.1, and publishes released packages via OIDC.
    • Updated packages/emulate/package.json: publishConfig.access: public.
  • Migration

    • One-time: manually publish each package (bun pm pack, then npm publish <tgz> --access public) to create it on npm.
    • In npm Settings → Trusted Publisher, register GitHub Actions for each package: repo pleaseai/emulate, workflow release.yml.

Written for commit 88f1ddb. Summary will update on new commits.

Add release-please in manifest mode to automate versioning and
changelogs for the eight publishable workspace packages, with a release
workflow that publishes to npm on release.

- release-please-config.json: node release-type, independent per-package
  versions, node-workspace plugin to propagate workspace:* bumps, single
  aggregated release PR
- .release-please-manifest.json: seed all packages at 0.1.0
- .github/workflows/release.yml: release-please job opens/maintains the
  release PR; publish job packs each released package with `bun pm pack`
  (which rewrites workspace:* to concrete versions) and publishes the
  tarball with npm via OIDC Trusted Publishing (no NPM_TOKEN; provenance
  is attached automatically), upgrading npm to >= 11.5.1 first
- packages/emulate: add missing publishConfig.access=public so the scoped
  package publishes publicly like the others
@codacy-production
Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 0 complexity · 0 duplication

Metric Results
Complexity 0
Duplication 0

View in Codacy

AI Reviewer: first review requested successfully. AI can make mistakes. Always validate suggestions.


sonarqubecloud Bot commented Jun 8, 2026
@codacy-production codacy-production Bot left a comment


Pull Request Overview

The PR establishes a solid foundation for automated releases using release-please and OIDC-based Trusted Publishing. Codacy analysis indicates the changes are up to standards with no new quality issues. However, a significant gap exists in the .github/workflows/release.yml file. The current implementation lacks the --provenance flag for npm publishing, which is a key benefit of switching to OIDC. Additionally, the publishing loop lacks a safety check to ensure that bun pm pack successfully created a tarball; without this, the workflow may silently fall back to publishing the source directory, which contains un-resolved workspace:* dependencies. This contradicts the requirement for concrete version resolution in published artifacts. Finally, the configuration for the eight workspace packages in release-please-config.json should be verified against the intended scope.

Test suggestions

  • Verify that release-please-config.json includes all eight workspace packages for tracking.
  • Verify that the release workflow's 'publish' job correctly iterates over PATHS_RELEASED and constructs valid tarball paths.
  • Verify 'bun pm pack' resolution of workspace dependencies via dry-run or integration check.

Comment on lines +72 to +73
tarball="$(cd "$pkg" && bun pm pack --quiet)"
npm publish "$pkg/$tarball" --access public


🟡 MEDIUM RISK

The npm publish command is missing the --provenance flag required to generate attestations. Additionally, the script should explicitly verify that the tarball was created to avoid falling back to publishing the source directory with un-resolved workspace dependencies. Suggested fix: Update the publish loop in .github/workflows/release.yml to verify the existence of the $tarball before publishing and add the --provenance flag to the npm publish command.
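One way to harden the two-line publish loop quoted above, written as an added example rather than code from the PR. It serves both the one-time bootstrap in the PR description (run it locally after npm login) and the CI loop Codacy comments on. PACK_CMD, PUBLISH_CMD, NPM_MIN and the function names are assumptions introduced so the loop can be exercised with stub commands; the defaults are the PR's own bun pm pack --quiet and npm publish.

```bash
#!/usr/bin/env bash
# Added example, not the PR's release.yml. PACK_CMD / PUBLISH_CMD / NPM_MIN and
# the function names are assumptions; the defaults are the PR's own commands.
set -eu

: "${PACK_CMD:=bun pm pack --quiet}"   # prints the tarball file name (as in the PR)
: "${PUBLISH_CMD:=npm publish}"
: "${NPM_MIN:=11.5.1}"                 # Trusted Publishing minimum stated in the PR

# version_ge HAVE WANT: exit 0 when dotted numeric version HAVE >= WANT.
# Handles short versions ("12", "11.5"); pre-release suffixes are not supported.
version_ge() {
  local have="$1" want="$2" i h w
  for i in 1 2 3; do
    h="$(printf '%s.0.0' "$have" | cut -d. -f"$i")"
    w="$(printf '%s.0.0' "$want" | cut -d. -f"$i")"
    [ "${h:-0}" -gt "${w:-0}" ] && return 0
    [ "${h:-0}" -lt "${w:-0}" ] && return 1
  done
  return 0
}

# Fail fast if the installed npm cannot do OIDC Trusted Publishing.
require_npm() {
  local have
  have="$(npm --version)"
  version_ge "$have" "$NPM_MIN" || { echo "error: npm $have < $NPM_MIN" >&2; return 1; }
}

# Pack one workspace package and publish only the resulting tarball.
# Refuses to continue when no tarball was produced: otherwise
# `npm publish "$pkg/"` would publish the source tree, whose package.json
# still carries unresolved workspace:* ranges.
publish_pkg() {
  local pkg="$1" tarball
  tarball="$(cd "$pkg" && $PACK_CMD)"   # unquoted on purpose: PACK_CMD is a command line
  case "$tarball" in
    *.tgz) ;;
    *) echo "error: no tarball produced for $pkg (pack output: '$tarball')" >&2; return 1 ;;
  esac
  [ -f "$pkg/$tarball" ] || { echo "error: $pkg/$tarball does not exist" >&2; return 1; }
  # --provenance is explicit: if npm cannot mint an attestation (for example
  # outside a supported CI/OIDC context) the publish fails instead of silently
  # shipping an unattested package.
  $PUBLISH_CMD "$pkg/$tarball" --access public --provenance
}

# Publish every path in the JSON array release-please emits as paths_released,
# e.g. '["packages/asana","packages/linear"]'. Minimal parser: assumes paths
# contain no commas, quotes or spaces (true for packages/* directories).
publish_released() {
  local paths_json="$1" pkg
  for pkg in $(printf '%s' "$paths_json" | sed 's/[][" ]//g; s/,/ /g'); do
    publish_pkg "$pkg"
  done
}

# Stand-alone use: publish-released.sh '["packages/asana","packages/linear"]'
if [ "$#" -gt 0 ]; then
  require_npm
  publish_released "$1"
fi
```

Passing --provenance explicitly is harmless if npm already attaches an attestation under Trusted Publishing, as the PR description states, and it turns a missing attestation into a failed publish rather than a quietly unattested release. The tarball check is the second half of the same idea: the only artifact that should ever reach the registry is the one bun pm pack rewrote.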

@cubic-dev-ai cubic-dev-ai Bot left a comment


1 issue found across 4 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/release.yml">

<violation number="1" location=".github/workflows/release.yml:58">
P2: `npm@latest` makes the release job non-reproducible and can cause sudden publish failures when npm releases new versions.</violation>
</file>
Architecture diagram
sequenceDiagram
    participant GH as GitHub (main branch)
    participant GHA as GitHub Actions
    participant RP as Release-Please Action
    participant Repo as Repository
    participant Builder as Build Process
    participant NPM as npm Registry

    Note over GH,NPM: CI/CD Release Pipeline (on push to main)

    GH->>GHA: push to main
    GHA->>RP: trigger release-please job
    RP->>Repo: Read release-please-config.json & manifest
    RP->>Repo: Check for conventional commits since last release
    alt Release PR already open
        RP->>Repo: Update existing release PR with new commits
    else No release PR yet
        RP->>Repo: Create release PR with version bumps & changelogs
    end
    
    alt Release PR merged (PR merged event)
        RP->>Repo: Tag each released package (e.g., asana-v0.2.0)
        RP->>Repo: Create GitHub Releases for each package
        RP-->>GHA: Output releases_created=true & paths_released=["packages/asana",...]
    else Release PR not merged yet
        RP-->>GHA: Output releases_created=false
    end

    alt releases_created == true
        GHA->>Builder: trigger publish job (depends on release-please)
        Builder->>Repo: git checkout
        Builder->>Builder: Install bun & node via mise
        Builder->>Builder: bun install --frozen-lockfile
        Builder->>Builder: bun run build
        Builder->>Builder: Upgrade npm to >= 11.5.1 (for OIDC support)
        Builder->>Builder: Loop over paths_released
        loop for each released package
            Builder->>Builder: bun pm pack (rewrites workspace:* to actual versions)
            Builder->>NPM: npm publish <tarball> --access public (via OIDC)
            NPM->>NPM: Verify OIDC token from GitHub Actions
            NPM-->>Builder: Publish success + provenance attestation
            Builder-->>Builder: Log completion
        end
    end

# Trusted Publishing (OIDC) requires npm >= 11.5.1; the npm bundled with
# node 22 is 10.x, so upgrade it before publishing.
- name: Upgrade npm for Trusted Publishing
run: npm install -g npm@latest


P2: npm@latest makes the release job non-reproducible and can cause sudden publish failures when npm releases new versions.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/release.yml, line 58:

<comment>`npm@latest` makes the release job non-reproducible and can cause sudden publish failures when npm releases new versions.</comment>

<file context>
@@ -0,0 +1,75 @@
+      # Trusted Publishing (OIDC) requires npm >= 11.5.1; the npm bundled with
+      # node 22 is 10.x, so upgrade it before publishing.
+      - name: Upgrade npm for Trusted Publishing
+        run: npm install -g npm@latest
+
+      - name: Publish released packages
</file context>
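Review bot: the upgrade step at line 58 installs npm@latest, so the npm that actually runs the publish is whatever the registry serves on release day, and a breaking npm release would fail or alter the publish with no change to this repository. The comment above it already names the real requirement (>= 11.5.1), so pin that version, for example `npm install -g npm@11.5.1`, and follow it with `npm --version` so the job fails fast when the requirement is not met; this is what the suggested change below does.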
Suggested change
run: npm install -g npm@latest
run: npm install -g npm@11.5.1

@amondnet amondnet merged commit 102f65d into main Jun 8, 2026
5 checks passed