ci: adopt Changesets for versioning and publishing#855
Replace the bespoke package.json-diff publish flow with Changesets so releases produce a CHANGELOG.md, git tags, and GitHub Releases.

- Add @changesets/cli + @changesets/changelog-github and changeset, changeset:version, and release scripts
- Add .changeset config (changelog-github, public access, main base)
- Replace publish.yml with release.yml using changesets/action, keeping npm OIDC trusted publishing and the Slack notification
- Document the changeset and release flow in CONTRIBUTING.md

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
| - name: Checkout repository | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| with: | ||
| # Changesets needs full history (and credentials) to push the version branch and tags. | ||
| fetch-depth: 0 |
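Review bot: the comment on the fetch-depth line says the step also needs credentials, but nothing in the step configures them; the push of the version branch and tags works only because `persist-credentials` defaults to true in actions/checkout, which leaves the GITHUB_TOKEN in the local git config. Set `persist-credentials: true` explicitly next to `fetch-depth: 0` so the dependency is documented and a later hardening pass that disables credential persistence does not silently break releases.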
Codecov Report: ✅ All modified and coverable lines are covered by tests.

@@            Coverage Diff             @@
##             main     #855      +/-   ##
==========================================
- Coverage   84.99%   84.99%   -0.01%
==========================================
  Files         179      179
  Lines       16404    16407       +3
  Branches     1482     1483       +1
==========================================
+ Hits        13943    13945       +2
- Misses       2451     2452       +1
  Partials       10       10
Cursor Bugbot has reviewed your changes using default effort and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 105d54d.
| version: node --run changeset:version | ||
| publish: node --run release | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
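Review bot: passing only `secrets.GITHUB_TOKEN` here is consistent with npm OIDC trusted publishing (no NPM_TOKEN secret), but a "Version Packages" PR that changesets/action opens with the default GITHUB_TOKEN does not trigger other workflows, so that PR will show no CI status checks; if main requires checks before merge, supply a GitHub App or PAT token for the version step, or document that the version PR is merged without them. Also, `node --run changeset:version` and `node --run release` need Node 22 or later, so the setup-node step (not shown in this snippet) must pin at least that.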
Publish verification checks removed
Medium Severity
Replacing publish.yml drops the pre-publish checks that required a GPG-verified commit and a merge-queue committer before any npm publish. The new Release job runs changesets/action (including node --run release) on every push to main with no equivalent authenticity gate on the publish path.
- Add a concurrency group (cancel-in-progress: false) so overlapping pushes to main can't race the version PR push or the publish step
- Guard the job with github.repository so forks don't attempt to publish

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>


closes #791 - and a Slack thread
What

Replaces the bespoke package.json-diff publish flow with Changesets, so releases now produce a CHANGELOG.md, git tags, and GitHub Releases — none of which the previous process generated.

How it works now

- Add a changeset (node --run changeset) declaring the bump type + summary.
- On push to main, changesets/action opens a "Version Packages" PR that bumps the version and writes CHANGELOG.md.
- Merging that PR publishes to npm, pushes a v<x.y.z> git tag, and cuts a GitHub Release.

Changes

- package.json — add @changesets/cli + @changesets/changelog-github; add changeset, changeset:version, release scripts.
- .changeset/ — config (changelog-github, access: public, baseBranch: main), README, and one bootstrap changeset.
- .github/workflows/release.yml (new, replaces publish.yml) — changesets/action@v1.9.0 pinned by SHA; keeps harden-runner, npm OIDC, and the Slack notify. Permissions bumped to contents: write + pull-requests: write.
- CONTRIBUTING.md — "Adding a Changeset" and "Releasing" sections.

The npm trusted-publisher config currently points at publish.yml. Since the workflow was renamed to release.yml, update the trusted publisher's workflow filename in the npm package settings, or the OIDC publish will fail.

Note

release.yml uses egress-policy: audit (not block) on harden-runner — the publish step legitimately reaches many endpoints (npm registry, sigstore provenance, GitHub API, git push, Slack) and a wrong block allowlist would hard-fail releases. The old publish job had no harden-runner at all, so this is still a net gain; it can be tightened to block once a real run reveals the exact endpoint list.

Verification

- changeset status validates config + sees the bootstrap changeset.
- changeset version produced 1.4.1 + a clean CHANGELOG.md (reverted).
- lint + format:check pass.

🤖 Generated with Claude Code
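As an added example (not the PR's actual release.yml), a release workflow assembled from the settings this PR describes: the concurrency group and github.repository guard from the follow-up commit, harden-runner in audit mode, npm OIDC via id-token: write, and a commit-signature gate standing in for the pre-publish check Bugbot flagged as lost. The repository slug, the action SHAs, Node 22 and a runner npm new enough for trusted publishing are assumptions; the Slack notification step is left out.

```yaml
# Added example, not the PR's actual release.yml. Assumptions: the repo slug,
# the action SHAs (placeholders), Node 22 for `node --run`; Slack step omitted.
name: Release

on:
  push:
    branches: [main]
# Serialise release runs; never cancel a publish that is already in flight.
concurrency:
  group: release
  cancel-in-progress: false

permissions:
  contents: write       # push version branch, tags, GitHub Releases
  pull-requests: write  # open/update the "Version Packages" PR
  id-token: write       # npm OIDC trusted publishing, no NPM_TOKEN secret

jobs:
  release:
    # Forks must not open version PRs or attempt to publish.
    if: github.repository == 'OWNER/REPO'   # placeholder slug
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@SHA_PLACEHOLDER
        with:
          egress-policy: audit   # tighten to block once a real run lists endpoints
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0   # full history so changesets can push branch and tags
      - uses: actions/setup-node@SHA_PLACEHOLDER
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm ci

      # Authenticity gate the old publish.yml had and the new one lost: refuse to
      # release unless GitHub reports the head commit's signature as verified.
      - env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          ok=$(gh api "repos/${GITHUB_REPOSITORY}/commits/${GITHUB_SHA}" \
                --jq '.commit.verification.verified')
          [ "$ok" = "true" ] || { echo "::error::unverified commit ${GITHUB_SHA}"; exit 1; }

      - uses: changesets/action@SHA_PLACEHOLDER   # v1.9.0
        with:
          version: node --run changeset:version
          publish: node --run release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

The signature gate uses GitHub's own verification result, so it needs no signing keys on the runner; merge commits created through the GitHub UI or merge queue are signed by GitHub and pass, while an unsigned direct push to main stops before anything is published.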