feat: enable auto-publishing on NPM after a GitHub release

[phoenix-ru]

🔗 Linked issue

❓ Type of change

• 📖 Documentation (updates to the documentation, readme or JSdoc annotations)
• 🐞 Bug fix (a non-breaking change that fixes an issue)
• 👌 Enhancement (improving an existing functionality like performance)
• ✨ New feature (a non-breaking change that adds functionality)
• 🧹 Chore (updates to the build process or auxiliary tools and libraries)
• ⚠️ Breaking change (fix or feature that would cause existing functionality to change)

📚 Description

This creates a workflow which would automatically publish the package on NPM when a GitHub (pre-)release has been published.

The full process of releasing would include:

• pnpm version [patch|minor]
• git push --follow-tags
• Create the GitHub release and publish it;
• The new workflow will automatically build the package and publish it on NPM with provenance enabled.

📝 Checklist

• I have linked an issue or discussion.
• I have added tests (if possible).
• I have updated the documentation accordingly.

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/@sidebase/nuxt-auth@1051

commit: 1fcd911

[BracketJohn]

note: I don't thibnk that semver required the v, so its not really a good check for sem-ver-ness, right?

instead, can we use a mechanism like CODEOWNERS to restrict who can do releases, and then trust them to do it right?

source: https://semver.org/

[phoenix-ru]

The npm version command produces a tag in the format of vX.Y.Z and I want to rely on the standard practices.

instead, can we use a mechanism like CODEOWNERS to restrict who can do releases, and then trust them to do it right?

I believe that the default release rights already prohibit non-owners from creating releases

[BracketJohn]

fine for me to rely on the current auth-approach then.

The npm version command produces a tag in the format of vX.Y.Z and I want to rely on the standard practices.

I think we should either be relying on the gh-tagname OR on the package.json name + version. In the current logic you take the tag from github and the name from the package.json:

          TAG="${{ github.event.release.tag_name }}"
          NAME=$(node -p "require('./package.json').name")

[phoenix-ru]

Please note that NAME is only a debug variable, we might as well not use it at all. There is also a CI step that checks that the tag and the package json version match each other so that we prevent situations like manual tags created without bumping the package json version (or release being created too late/too early).

In this sense, we are solely relying on Git tags (because they serve as "code snapshots"), while only verifying package.json for correctness.

[BracketJohn]

can you make the code a bit clearer/more easy to follow, so that people can better understand this when reading it? (:

[BracketJohn]

can we specify the exact version of pnpm we want to use, to ensure consistent/stable builds?

[phoenix-ru]

PNPM is already using a correct version, see: https://github.com/sidebase/nuxt-auth/actions/runs/17260489231/job/48980590409

Another piece of evidence:

• before: we had version 9.6.0, it was correctly installed
• after: I bumped to 10.15.0, it was also correctly picked up

This means that the presence of packageManager field inside package.json is beneficial for both Corepack flow (keep the version consistent across contributors) and CI (use single source of truth) 🚀

I checked the action source and it is in fact true that the action reads the version (also documented): https://github.com/pnpm/action-setup/blob/f2b2b233b538f500472c7274c7012f57857d8ce0/src/install-pnpm/run.ts#L54-L56

[BracketJohn]

LGTM

[BracketJohn]

Carrying over approval after successful dry-run.

After merging this I suggest to create a proper 1.0.2 release to see the whole thing in action (: