Problem
PUBLISHING.md documents a 7-step manual process: checkout, review git log, update History.md, bump version in package.json, commit, create GitHub release, run npm publish. Risk of:
- Human error in version bumps.
- Inconsistent or forgotten changelog entries.
- Forgotten git tags.
- Unsigned or unprovenanced releases.
Why it matters
Automated releases reduce both release friction and release risk. OSSF Scorecard (#9) rewards reproducible, signed releases.
Proposed approach
Choose one of:
- Option A (recommended): Release Please (
googleapis/release-please-action). Enforces conventional commits; opens a "release PR" that when merged, publishes to npm, tags, and creates a GitHub Release. Auto-generates changelog.
- Option B: Changesets (
changesets/action). Authors add changeset files per PR; merge consolidates and releases.
Either way:
- npm publish uses existing OIDC trusted publishing (already configured) for provenance.
- Rename
History.md → CHANGELOG.md to match tooling expectations.
Acceptance criteria
- Merging a release PR produces: git tag, GitHub Release with notes, npm publish with provenance.
- Manual
PUBLISHING.md is obsoleted (or becomes a short emergency fallback).
Problem
PUBLISHING.mddocuments a 7-step manual process: checkout, review git log, updateHistory.md, bump version inpackage.json, commit, create GitHub release, runnpm publish. Risk of:Why it matters
Automated releases reduce both release friction and release risk. OSSF Scorecard (#9) rewards reproducible, signed releases.
Proposed approach
Choose one of:
googleapis/release-please-action). Enforces conventional commits; opens a "release PR" that when merged, publishes to npm, tags, and creates a GitHub Release. Auto-generates changelog.changesets/action). Authors add changeset files per PR; merge consolidates and releases.Either way:
History.md→CHANGELOG.mdto match tooling expectations.Acceptance criteria
PUBLISHING.mdis obsoleted (or becomes a short emergency fallback).