Chore/add npm metadata

.changeset/cute-states-accept.md

@@ -0,0 +1,5 @@
+---
+"brand-shell": minor
+---
+
+Switch npm release workflow to Trusted Publishing (OIDC) by removing token-based npm auth from GitHub Actions release job.

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,35 @@
+---
+name: Bug report
+about: Report a bug in brand-shell
+title: "[bug]: "
+labels: ["bug"]
+---
+
+## Summary
+
+Briefly describe the problem.
+
+## Steps to reproduce
+
+1.
+2.
+3.
+
+## Expected behavior
+
+What should happen?
+
+## Actual behavior
+
+What happened instead?
+
+## Environment
+
+- `brand-shell` version:
+- Framework/runtime:
+- Browser (if relevant):
+- OS:
+
+## Additional context
+
+Add any logs, screenshots, links, or sample payloads here.

.github/workflows/release.yml

@@ -26,9 +26,6 @@ jobs:
       contents: write
       pull-requests: write
       id-token: write
-    env:
-      NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-      NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
     steps:
       - name: Checkout
@@ -50,24 +47,6 @@ jobs:
       - name: Install Dependencies
         run: bun install --frozen-lockfile
 
-      - name: Verify npm token
-        run: |
-          if [ -z "${NPM_TOKEN}" ]; then
-            echo "NPM_TOKEN is not configured."
-            echo "Add it in GitHub repository settings > Secrets and variables > Actions."
-            exit 1
-          fi
-          if [[ "${NPM_TOKEN}" != npm_* ]]; then
-            echo "NPM_TOKEN format looks invalid. It should start with npm_."
-            exit 1
-          fi
-
-      - name: Verify npm auth identity
-        run: |
-          npm --version
-          npm config get registry
-          npm whoami
-
       - name: Create release PR or publish
         uses: changesets/action@v1
         with:
@@ -77,5 +56,3 @@ jobs:
           commit: "chore(release): version packages"
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

CONTRIBUTING.md

@@ -69,9 +69,10 @@ Release is automated through GitHub Actions.
 
 ## NPM Publish Notes
 
-- Use repository secret `NPM_TOKEN`.
-- Token must support publish and bypass 2FA for automation.
-- Release workflow verifies `npm whoami` before publish.
+- Publish uses npm Trusted Publishing (OIDC) from GitHub Actions.
+- Keep `id-token: write` permission in `/Users/mounikathota/brand-shell/.github/workflows/release.yml`.
+- Configure Trusted Publisher in npm package settings for this repository/workflow.
+- Do not store long-lived `NPM_TOKEN` once Trusted Publishing is active.
 
 ## Pull Request Checklist
 

README.md

@@ -86,4 +86,4 @@ import schema from "brand-shell/schema";
 
 SemVer is managed with Changesets.
 
-See [CONTRIBUTING.md](CONTRIBUTING.md) for development, commit policy, and release flow.
+See [CONTRIBUTING.md](https://github.com/venwork-dev/brand-shell/blob/main/CONTRIBUTING.md) for development, commit policy, and release flow.

package.json

@@ -2,6 +2,14 @@
   "name": "brand-shell",
   "version": "0.4.0",
   "description": "Reusable Header and Footer components with typed details and theme. Premium default UX, works in React, Vite, Next.js.",
+  "homepage": "https://github.com/venwork-dev/brand-shell#readme",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/venwork-dev/brand-shell.git"
+  },
+  "bugs": {
+    "url": "https://github.com/venwork-dev/brand-shell/issues"
+  },
   "type": "module",
   "main": "./dist/index.mjs",
   "module": "./dist/index.mjs",