ci: add release-please for automated releases#64
Conversation
Add release-please to automate versioning, changelog generation, and npm publishing on merge to main. Mirrors the setup in authkit-nextjs.
Greptile Summary
This PR introduces release-please automation to handle versioning, changelog generation, and npm publishing on merge to
Confidence Score: 5/5
Safe to merge — only P2 style findings remain, no correctness or security blockers. All findings are P2: a leftover job ID (
| Filename | Overview |
|---|---|
| .github/workflows/release-please.yml | New workflow orchestrating release-please and npm publish; actions not pinned to SHA (supply-chain risk) |
| .github/workflows/release.yml | Updated to workflow_call trigger; job ID is still test instead of publish, pre-release distinction removed (intentional) |
| release-please-config.json | Standard release-please config for a Node package at the repo root; no issues |
| .release-please-manifest.json | Seeds the initial version at 0.5.0 for release-please tracking; no issues |
Sequence Diagram
```mermaid
sequenceDiagram
    participant Dev as Developer
    participant GH as GitHub (main)
    participant RP as release-please-action
    participant Bot as SDK Bot App
    participant NPM as npm Registry
    Dev->>GH: Push conventional commit to main
    GH->>Bot: Generate GitHub App token
    Bot-->>GH: App token
    GH->>RP: Run release-please-action
    RP-->>GH: Create/update Release PR (version bump + CHANGELOG)
    Dev->>GH: Merge Release PR
    GH->>RP: release_created = true
    GH->>GH: Trigger release.yml (workflow_call)
    GH->>NPM: pnpm publish --tag latest --provenance
```
Reviews (2): Last reviewed commit: "Update .github/workflows/release-please...."
| publish: | ||
| needs: release-please | ||
| if: ${{ needs.release-please.outputs.release_created == 'true' }} | ||
| uses: ./.github/workflows/release.yml |
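Review bot: The `publish` job shown here declares no `permissions:` block, yet the called release.yml publishes with `pnpm publish --provenance`, which needs an OIDC token (`id-token: write`) for npm trusted publishing. A reusable workflow invoked via `uses:` cannot be granted more than the calling job holds, so if the repository's default GITHUB_TOKEN permissions are read-only the provenance step will fail at publish time rather than at review time. Suggest adding to this job:
`permissions:`
`  id-token: write`
`  contents: read`
and keeping the workflow-level default minimal so only this job carries the token-minting right.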
No secrets: inherit for reusable workflow call
When release.yml is invoked via workflow_call, secrets from the caller are not automatically forwarded unless secrets: inherit is specified. If release.yml ever needs a secret (e.g. a fallback NODE_AUTH_TOKEN), it would silently receive an empty value. Since the current setup relies purely on OIDC this is likely fine, but adding secrets: inherit here is a low-cost safety net.
| uses: ./.github/workflows/release.yml | |
| uses: ./.github/workflows/release.yml | |
| secrets: inherit |
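Review bot: `secrets: inherit` forwards every repository, environment and organization secret the caller can see into release.yml, not just the one it might someday need, so it widens the blast radius of any compromised or malicious step in the called workflow. If a fallback token such as NODE_AUTH_TOKEN is ever required, the least-privilege form is to declare it under `on.workflow_call.secrets` in release.yml and pass exactly that one secret under `secrets:` here; with the current OIDC-only publish, omitting the block altogether (as the author decided below) is the tightest option.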
Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!
I think it's fine; we're not using secrets here/anymore.
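The thread above turns on two properties of `workflow_call`: a called workflow only receives the secrets the caller explicitly passes (or everything, with `secrets: inherit`), and it can never hold more GITHUB_TOKEN permissions than the calling job. The following is an added example, not the PR's own release-please.yml or release.yml, showing a caller/callee pair that grants `id-token: write` only to the publish job and passes a single named secret instead of inheriting all of them. The action commit SHAs are placeholders to be replaced with audited pins; `NPM_TOKEN` and the `pnpm build` step are assumptions, and the `SDK_BOT_APP_ID` / `SDK_BOT_PRIVATE_KEY` names come from the PR's prerequisites.

```yaml
# --- .github/workflows/release-please.yml (caller) ---------------------------
# Added example, not the PR's file. <pinned-sha> placeholders stand for the
# full commit SHA of the tag named in the trailing comment.
name: release-please
on:
  push:
    branches: [main]

permissions: {}   # default to nothing; each job requests only what it needs

jobs:
  release-please:
    runs-on: ubuntu-latest
    permissions:
      contents: write        # create the tag and GitHub release
      pull-requests: write   # open/update the Release PR
    outputs:
      release_created: ${{ steps.release.outputs.release_created }}
    steps:
      # GitHub App token so the Release PR's own workflows are triggered
      # (events created with GITHUB_TOKEN do not start new workflow runs).
      - uses: actions/create-github-app-token@<pinned-sha> # v1
        id: app-token
        with:
          app-id: ${{ vars.SDK_BOT_APP_ID }}
          private-key: ${{ secrets.SDK_BOT_PRIVATE_KEY }}
      - uses: googleapis/release-please-action@<pinned-sha> # v4
        id: release
        with:
          token: ${{ steps.app-token.outputs.token }}

  publish:
    needs: release-please
    if: ${{ needs.release-please.outputs.release_created == 'true' }}
    # The callee cannot exceed these, so the OIDC right used by
    # `pnpm publish --provenance` must be granted on the calling job.
    permissions:
      id-token: write
      contents: read
    uses: ./.github/workflows/release.yml
    # Pass exactly the secret the callee declares; no `secrets: inherit`.
    # Drop this block entirely when publishing is OIDC-only.
    secrets:
      NPM_TOKEN: ${{ secrets.NPM_TOKEN }}   # assumed optional fallback

---
# --- .github/workflows/release.yml (callee) ----------------------------------
name: release
on:
  workflow_call:
    secrets:
      NPM_TOKEN:
        required: false   # OIDC trusted publishing is the primary path

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # must be <= what the caller granted
      contents: read
    steps:
      - uses: actions/checkout@<pinned-sha> # v4
      - uses: pnpm/action-setup@<pinned-sha> # v4
      - uses: actions/setup-node@<pinned-sha> # v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      - run: pnpm install --frozen-lockfile
      - run: pnpm build   # assumed build script
      # --no-git-checks: actions/checkout leaves a detached HEAD, which pnpm's
      # branch check would otherwise reject.
      - run: pnpm publish --tag latest --provenance --no-git-checks
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # empty when not passed
```

The split matters for review: the caller file is the single place where token-minting rights and secret exposure are decided, so a reviewer can confirm from that job alone that only `publish` can request an OIDC token and that no unrelated repository secret reaches the reusable workflow.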
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
Summary
- release-please-config.json and .release-please-manifest.json (seeded at v0.5.0)
- release.yml to use workflow_call trigger (invoked by release-please) instead of release: [published]
How it works
- main trigger release-please
- release.yml to build and publish to npm via OIDC trusted publishing
Prerequisites
- SDK_BOT_APP_ID (var) and SDK_BOT_PRIVATE_KEY (secret) configured on the repo