From 462771797b26ee95f4a52eb3462140c8dd865fb0 Mon Sep 17 00:00:00 2001
From: Haseeb Ahmad
Date: Wed, 17 Jun 2026 11:23:14 +0200
Subject: [PATCH 1/4] CLOUDPLAT-3217: add OIDC npm publish workflow and contributing guide
---
 .github/workflows/npm-release.yml | 10 ++++++++++
 CONTRIBUTING.md | 22 ++++++++++++++++++++++
 package.json | 3 +++
 3 files changed, 35 insertions(+)
 create mode 100644 .github/workflows/npm-release.yml
 create mode 100644 CONTRIBUTING.md
diff --git a/.github/workflows/npm-release.yml b/.github/workflows/npm-release.yml
new file mode 100644
index 00000000..2c65013a
--- /dev/null
+++ b/.github/workflows/npm-release.yml
@@ -0,0 +1,10 @@
+name: NPM release
+
+on:
+ workflow_dispatch:
+
+jobs:
+ npm-release:
+ uses: mapbox/gha-public/.github/workflows/workflow-npm-oidc-publish.yml@main
+ with:
+ create-github-release: true
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
new file mode 100644
index 00000000..cff85202
--- /dev/null
+++ b/CONTRIBUTING.md
@@ -0,0 +1,22 @@
+# Contributing to cloudfriend
+
+## Development
+
+```bash
+npm ci
+npm test
+```
+
+## Releasing a new version
+
+Releases are published to npm via GitHub Actions
+
+### Steps
+
+1. **Bump the version** in `package.json` (follow [semver](https://semver.org))
+2. **Update `CHANGELOG.md`** with a summary of what changed
+3. **Open a PR**, get it reviewed and merged to `master`
+4. **Trigger the release** from the [Actions tab](../../actions/workflows/npm-release.yml):
+ - Select **NPM release** → **Run workflow** → run from `master`
+
+The workflow will publish to npm, and create a GitHub release with auto-generated notes.
diff --git a/package.json b/package.json
index 32798cbd..3120d76a 100644
--- a/package.json
+++ b/package.json
@@ -29,6 +29,9 @@
 ],
 "author": "Mapbox",
 "license": "ISC",
+ "publishConfig": {
+ "access": "public"
+ },
 "bugs": {
 "url": "https://github.com/mapbox/cloudfriend/issues"
 },
From 98e7898bbe6b309879f6a9a0884326d796a80c5e Mon Sep 17 00:00:00 2001
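Review bot: The `uses:` line in `.github/workflows/npm-release.yml` references the reusable publish workflow by the mutable ref `@main`, so any later change on that branch of `mapbox/gha-public` runs in this repository's release job without a review here. Pin the call to a full commit SHA and keep the human-readable version in a trailing comment, e.g. `uses: mapbox/gha-public/.github/workflows/workflow-npm-oidc-publish.yml@<full-commit-sha> # <tag-or-date>`, and update it deliberately. The same line is carried unchanged as context through patch 3/4, where the job gains `id-token: write` and `contents: write`, which makes the unpinned ref more consequential.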
From: Haseeb Ahmad
Date: Wed, 17 Jun 2026 11:25:48 +0200
Subject: [PATCH 2/4] CLOUDPLAT-3217: bump version to 9.4.2
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package.json b/package.json
index 3120d76a..74c765bf 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@mapbox/cloudfriend",
- "version": "9.4.1",
+ "version": "9.4.2",
 "description": "Helper functions for assembling CloudFormation templates in JavaScript",
 "main": "index.js",
 "engines": {
From 41f6b918ced86286e4f2348ab1b25c5c930cb870 Mon Sep 17 00:00:00 2001
From: Haseeb Ahmad
Date: Wed, 17 Jun 2026 11:28:19 +0200
Subject: [PATCH 3/4] CLOUDPLAT-3217: add permissions block to npm-release workflow
---
 .github/workflows/npm-release.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/npm-release.yml b/.github/workflows/npm-release.yml
index 2c65013a..5bd342e6 100644
--- a/.github/workflows/npm-release.yml
+++ b/.github/workflows/npm-release.yml
@@ -6,5 +6,8 @@ on:
 jobs:
 npm-release:
 uses: mapbox/gha-public/.github/workflows/workflow-npm-oidc-publish.yml@main
+ permissions:
+ id-token: write
+ contents: write
 with:
 create-github-release: true
From a668cc5aca1c8cd1bd0d10253beda21799c423ca Mon Sep 17 00:00:00 2001
From: Haseeb Ahmad
Date: Wed, 17 Jun 2026 14:00:07 +0200
Subject: [PATCH 4/4] CLOUDPLAT-3217: note that only maintainers with write access can trigger releases
---
 CONTRIBUTING.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index cff85202..91ef1da9 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
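Review bot: Nothing in the `npm-release` job ties the release to a reviewed ref: `workflow_dispatch` can be started from any branch, and the added `id-token: write` / `contents: write` grants apply whichever ref is selected, so the "run from `master`" step in CONTRIBUTING.md is a convention rather than a control. Adding `if: github.ref == 'refs/heads/master'` to the job would enforce it in the caller; whether the called workflow already checks the ref is not visible in this patch. A short comment above `permissions:` stating why each scope is needed, for example `# id-token: OIDC token for npm publish; contents: create the GitHub release` (purpose inferred from the workflow name and the `create-github-release` input), would help later reviewers keep the grant minimal.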
@@ -20,3 +20,5 @@ Releases are published to npm via GitHub Actions
 - Select **NPM release** → **Run workflow** → run from `master`

 The workflow will publish to npm, and create a GitHub release with auto-generated notes.
+
+> **Note:** Only Mapbox maintainers with write access to this repository can trigger the release workflow. External contributors can open and contribute to PRs, but releases are always cut by the owning team.