diff --git a/.changeset/cute-states-accept.md b/.changeset/cute-states-accept.md
new file mode 100644
index 0000000..3d63cc5
--- /dev/null
+++ b/.changeset/cute-states-accept.md
@@ -0,0 +1,5 @@
+---
+"brand-shell": minor
+---
+
+Switch npm release workflow to Trusted Publishing (OIDC) by removing token-based npm auth from GitHub Actions release job.
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
new file mode 100644
index 0000000..a2da9fc
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,35 @@
+---
+name: Bug report
+about: Report a bug in brand-shell
+title: "[bug]: "
+labels: ["bug"]
+---
+
+## Summary
+
+Briefly describe the problem.
+
+## Steps to reproduce
+
+1.
+2.
+3.
+
+## Expected behavior
+
+What should happen?
+
+## Actual behavior
+
+What happened instead?
+
+## Environment
+
+- `brand-shell` version:
+- Framework/runtime:
+- Browser (if relevant):
+- OS:
+
+## Additional context
+
+Add any logs, screenshots, links, or sample payloads here.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f87918e..dec2d0c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -26,9 +26,6 @@ jobs:
 contents: write
 pull-requests: write
 id-token: write
- env:
- NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
- NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 steps:
 - name: Checkout
@@ -50,24 +47,6 @@ jobs:
 - name: Install Dependencies
 run: bun install --frozen-lockfile
- - name: Verify npm token
- run: |
- if [ -z "${NPM_TOKEN}" ]; then
- echo "NPM_TOKEN is not configured."
- echo "Add it in GitHub repository settings > Secrets and variables > Actions."
- exit 1
- fi
- if [[ "${NPM_TOKEN}" != npm_* ]]; then
- echo "NPM_TOKEN format looks invalid. It should start with npm_."
- exit 1
- fi
-
- - name: Verify npm auth identity
- run: |
- npm --version
- npm config get registry
- npm whoami
-
 - name: Create release PR or publish
 uses: changesets/action@v1
 with:
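Review bot: In the second release.yml hunk (`@@ -50,24 +47,6 @@`), `uses: changesets/action@v1` stays on a mutable tag while the job's `id-token: write` permission becomes the publishing credential, so any step in the job, including that action and scripts run during `bun install`, can in principle request the OIDC token that npm will accept. Pinning it as `uses: changesets/action@<full-commit-sha> # v1` (placeholder; take the SHA from the release you audited) narrows that. The removed `npm whoami` step was also the only pre-publish check; as far as I know Trusted Publishing needs npm CLI 11.5.1 or later, so a short step that fails when `npm --version` is older would keep a fail-fast guard. The step that actually runs the publish is outside this hunk.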
@@ -77,5 +56,3 @@ jobs:
 commit: "chore(release): version packages"
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
- NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 7a2a676..ffcee42 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -69,9 +69,10 @@ Release is automated through GitHub Actions.
 ## NPM Publish Notes
-- Use repository secret `NPM_TOKEN`.
-- Token must support publish and bypass 2FA for automation.
-- Release workflow verifies `npm whoami` before publish.
+- Publish uses npm Trusted Publishing (OIDC) from GitHub Actions.
+- Keep `id-token: write` permission in `/Users/mounikathota/brand-shell/.github/workflows/release.yml`.
+- Configure Trusted Publisher in npm package settings for this repository/workflow.
+- Do not store long-lived `NPM_TOKEN` once Trusted Publishing is active.
 ## Pull Request Checklist
diff --git a/README.md b/README.md
index aee890e..05b59a0 100644
--- a/README.md
+++ b/README.md
@@ -86,4 +86,4 @@ import schema from "brand-shell/schema";
 SemVer is managed with Changesets.
-See [CONTRIBUTING.md](CONTRIBUTING.md) for development, commit policy, and release flow.
+See [CONTRIBUTING.md](https://github.com/venwork-dev/brand-shell/blob/main/CONTRIBUTING.md) for development, commit policy, and release flow.
diff --git a/package.json b/package.json
index d19db18..b14c4eb 100644
--- a/package.json
+++ b/package.json
@@ -2,6 +2,14 @@
 "name": "brand-shell",
 "version": "0.4.0",
 "description": "Reusable Header and Footer components with typed details and theme. Premium default UX, works in React, Vite, Next.js.",
+ "homepage": "https://github.com/venwork-dev/brand-shell#readme",
+ "repository": {
+ "type": "git",
+ "url": "git+https://github.com/venwork-dev/brand-shell.git"
+ },
+ "bugs": {
+ "url": "https://github.com/venwork-dev/brand-shell/issues"
+ },
 "type": "module",
 "main": "./dist/index.mjs",
 "module": "./dist/index.mjs",
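Review bot: The second added bullet in the CONTRIBUTING.md hunk points at `/Users/mounikathota/brand-shell/.github/workflows/release.yml`, an absolute path from one contributor's machine that exposes a local username and resolves for nobody else; the repo-relative `.github/workflows/release.yml` is what readers need. The last bullet would also be stronger as an action item, for example `- Revoke the old automation token on npm and delete the NPM_TOKEN repository secret once Trusted Publishing is active.` Dropping the env entries in release.yml stops the job from reading the secret, but the token presumably stays valid until it is revoked.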