Setup Release Workflow
Set up draft-release and publish-release GitHub Actions workflows in the current repository using yukukotani/github-actions composite actions.
Prerequisites
Verify the following before proceeding:
- package.json exists at the repository root
- The repository is hosted on GitHub
Workflow
1. Inspect the repository
Read package.json and check for:
- scripts.build and scripts.test (determine build/test commands)
- engines.node (determine Node.js version constraint)
- Lockfile: bun.lock -> bun, package-lock.json -> npm
- Whether the package is scoped (@scope/name) or unscoped
Also detect the default branch name (main or master) via git.
2. Ensure repository field in package.json
npm provenance verification requires package.json to have a repository field whose URL matches the GitHub repository. Inspect package.json and fix if needed:
- If repository is missing or empty, add it.
- If repository.url does not match https://github.com/<owner>/<repo>, update it.
The expected format:
{
  "repository": {
    "type": "git",
    "url": "https://github.com/<owner>/<repo>"
  }
}
The shorthand form "repository": "github:<owner>/<repo>" also works.
3. Create workflow files
Generate two files under .github/workflows/. Use the templates in references/workflow-templates.md as the base, adjusting parameters based on what was found in step 1:
- draft-release.yml -- No parameters need adjustment; use the template as-is.
- publish-release.yml -- Adjust the following based on repository inspection:
  - package-manager: bun (if bun.lock exists) or npm
  - build-command: value of scripts.build prefixed with the package manager run command, or '' if absent
  - test-command: value of scripts.test prefixed with the package manager run command, or '' if absent
  - npm-token line: include npm-token: ${{ secrets.NPM_TOKEN }} unless the user says npm publish is not needed
  - skip-npm-publish: set to 'true' if the user says npm publish is not needed
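As an added example (not part of these instructions and not code from yukukotani/github-actions), the following Python script applies the rules of steps 1 to 3 to a constructed package.json: it checks the repository field against the GitHub owner/repo (accepting the object form and the github: shorthand) and derives the publish-release.yml parameters. It assumes that "prefixed with the package manager run command" means a script named build is invoked as npm run build or bun run build.

```python
import json

# Constructed sample package.json used for the walkthrough (not a real project).
SAMPLE_PACKAGE_JSON = """{
  "name": "@acme/widget",
  "scripts": {"build": "tsc -p .", "test": "vitest run"},
  "engines": {"node": ">=22.14.0"},
  "repository": "github:acme/widget"
}"""

def load_package(text):
    """Parse package.json text into a dict."""
    return json.loads(text)

def repository_matches(pkg, owner, repo):
    """Step 2: the repository field must point at the GitHub repository,
    either as an object with the https URL or as the github: shorthand."""
    field = pkg.get("repository")
    if isinstance(field, dict):
        url = field.get("url", "")
    elif isinstance(field, str):
        url = field
    else:
        return False
    accepted = {f"https://github.com/{owner}/{repo}", f"github:{owner}/{repo}"}
    return url.strip() in accepted

def publish_release_params(pkg, lockfiles, skip_npm_publish=False):
    """Steps 1 and 3: derive publish-release.yml parameters from package.json
    and the set of lockfile names present at the repository root."""
    pm = "bun" if "bun.lock" in lockfiles else "npm"
    scripts = pkg.get("scripts") or {}
    # Scripts are invoked by name, so "npm run build" runs whatever scripts.build holds.
    build = f"{pm} run build" if scripts.get("build") else ""
    test = f"{pm} run test" if scripts.get("test") else ""
    name = pkg.get("name", "")
    params = {
        "package-manager": pm,
        "build-command": build,
        "test-command": test,
        "scoped": name.startswith("@") and "/" in name,
        "node": (pkg.get("engines") or {}).get("node"),
    }
    if skip_npm_publish:
        params["skip-npm-publish"] = "true"
    else:
        params["npm-token"] = "${{ secrets.NPM_TOKEN }}"
    return params

if __name__ == "__main__":
    pkg = load_package(SAMPLE_PACKAGE_JSON)
    print("repository ok:", repository_matches(pkg, "acme", "widget"))
    print(publish_release_params(pkg, {"bun.lock"}))
```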
4. Post-setup checklist
After creating the files, present the following checklist to the user. These are manual steps the user must complete themselves.
GitHub repository settings (https://github.com/<owner>/<repo>/settings/actions):
- Under Workflow permissions, select Read and write permissions
- Check Allow GitHub Actions to create and approve pull requests
npm Trusted Publishing (if publishing to npm):
- Go to https://www.npmjs.com/package/<package-name>/access (or Package Settings -> Trusted Publisher)
- Select GitHub Actions as the publisher
- Fill in:
  - Organization or user: the GitHub owner (user or org)
  - Repository: the repository name
  - Workflow filename: publish-release.yml (filename only, with extension)
  - Environment name: leave blank unless using GitHub Environments
- Click Set up connection
- Recommended: under Publishing access, select Require two-factor authentication and disallow tokens for maximum security
- Revoke any old NPM_TOKEN secrets from the repository once trusted publishing is confirmed working
Notes on Trusted Publishing:
- Requires npm CLI >= 11.5.1 / Node.js >= 22.14.0 (the workflow handles this via npm install -g npm@latest)
- Workflow filename configured on npmjs.com must exactly match the file created (case-sensitive, .yml extension)
- Only works with GitHub-hosted runners (not self-hosted)
- Provenance is auto-generated; no --provenance flag needed when using trusted publishing
- Private repositories will not get provenance attestations even with trusted publishing