feat: enable auto-publishing on NPM after a GitHub release

.github/workflows/ci.yaml

@@ -7,15 +7,15 @@ on:
     branches: [main]
 
 env:
-  NODE_VER: 22.11
+  NODE_VER: 22.18
   CI: true
 
 jobs:
   test-module:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - uses: pnpm/action-setup@v4
         name: Install pnpm
@@ -26,7 +26,7 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version: ${{ env.NODE_VER }}
-          cache: "pnpm"
+          cache: 'pnpm'
 
       - name: Install deps and prepare types
         run: pnpm i && pnpm dev:prepare
@@ -37,7 +37,7 @@ jobs:
       # Check linting and typing
       - run: pnpm lint
       - run: pnpm typecheck
-      
+
       # Run unit tests
       - run: pnpm test:unit
 
@@ -48,7 +48,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - uses: pnpm/action-setup@v4
         name: Install pnpm
@@ -74,7 +74,7 @@ jobs:
         working-directory: ./playground-local
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - uses: pnpm/action-setup@v4
         name: Install pnpm
@@ -110,7 +110,7 @@ jobs:
       run:
         working-directory: ./playground-authjs
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - uses: pnpm/action-setup@v4
         name: Install pnpm

.github/workflows/release.yml

@@ -0,0 +1,78 @@
+name: Release on NPM
+
+on:
+  release:
+    types: [published] # runs when a GitHub Release is published
+
+permissions:
+  contents: read
+  id-token: write # required for npm provenance
+
+env:
+  NODE_VER: 22.18
+  CI: true
+
+jobs:
+  publish:
+    name: Publish package from release tag
+    # Run only when tag is in the format `vX.Y.Z` produced by `npm version`
+    if: startsWith(github.event.release.tag_name, 'v')
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out the tag referenced by this release
+        uses: actions/checkout@v5
+        with:
+          ref: ${{ github.event.release.tag_name }}
+          fetch-depth: 0
+
+      - name: Install pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          run_install: false
+
+      - name: Setup Node.js and pnpm
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODE_VER }}
+          cache: 'pnpm'
+          # This is required for `setup-node` to generate the registry URL into .npmrc
+          # See https://github.com/actions/setup-node/blob/5e2628c959b9ade56971c0afcebbe5332d44b398/action.yml#L17-L18
+          registry-url: 'https://registry.npmjs.org/'
+
+      - name: Verify tag matches package.json version
+        run: |
+          TAG="${{ github.event.release.tag_name }}"
+          PKG_VERSION=$(node -p "require('./package.json').version")
+          if [ "v$PKG_VERSION" != "$TAG" ]; then
+            echo "::error ::Tag ($TAG) does not match package.json version (v$PKG_VERSION)"
+            exit 1
+          fi
+
+      - name: Install deps
+        run: |
+          pnpm --version
+          pnpm install --frozen-lockfile
+          pnpm dev:prepare
+
+      # Note: no build step because npm publish would run `prepack` script which builds the module
+
+      - name: Publish to npm with provenance
+        env:
+          # Environment variable used by `setup-node` action
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: |
+          TAG="${{ github.event.release.tag_name }}"
+
+          # Stable release (vX.Y.Z)
+          if echo "$TAG" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'; then
+            npm publish --provenance --access public
+
+          # Pre-release (vX.Y.Z-*)
+          elif echo "$TAG" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+-'; then
+            npm publish --provenance --access public --tag next
+
+          else
+            echo "Not a valid release tag ($TAG), skipping publish."
+          fi
+

package.json

@@ -64,5 +64,5 @@
     "vitest": "^3.2.4",
     "vue-tsc": "^2.2.12"
   },
-  "packageManager": "pnpm@9.6.0+sha512.38dc6fba8dba35b39340b9700112c2fe1e12f10b17134715a4aa98ccf7bb035e76fd981cf0bb384dfa98f8d6af5481c2bef2f4266a24bfa20c34eb7147ce0b5e"
+  "packageManager": "pnpm@10.15.0+sha512.486ebc259d3e999a4e8691ce03b5cac4a71cbeca39372a9b762cb500cfdf0873e2cb16abe3d951b1ee2cf012503f027b98b6584e4df22524e0c7450d9ec7aa7b"
 }