ci: Add github action for trusted publishing (#1)

Author: AbhiPrasad

.github/workflows/publish-package.yaml

@@ -0,0 +1,117 @@
+name: Publish package
+
+on:
+  workflow_dispatch:
+    inputs:
+      branch:
+        description: Branch to release from
+        required: true
+        default: main
+        type: string
+
+concurrency:
+  group: publish-package-${{ github.event.inputs.branch || 'main' }}
+  cancel-in-progress: false
+
+jobs:
+  publish:
+    runs-on: ubuntu-24.04
+    timeout-minutes: 20
+    permissions:
+      contents: write
+      id-token: write
+
+    steps:
+      - name: Check out source
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.inputs.branch }}
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          registry-url: https://registry.npmjs.org
+
+      - name: Set up Bun
+        uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: latest
+
+      - name: Determine release metadata
+        id: metadata
+        run: |
+          set -euo pipefail
+
+          VERSION=$(node -p "require('./package.json').version")
+          PACKAGE_NAME=$(node -p "require('./package.json').name")
+          TAG="v${VERSION}"
+
+          if git ls-remote --exit-code --tags origin "refs/tags/${TAG}" >/dev/null 2>&1; then
+            echo "Tag ${TAG} already exists on origin" >&2
+            exit 1
+          fi
+
+          if npm view "${PACKAGE_NAME}@${VERSION}" version --registry=https://registry.npmjs.org >/dev/null 2>&1; then
+            echo "${PACKAGE_NAME}@${VERSION} is already published on npm" >&2
+            exit 1
+          fi
+
+          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
+          echo "package_name=${PACKAGE_NAME}" >> "$GITHUB_OUTPUT"
+          echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
+          echo "commit_sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
+
+      - name: Install dependencies
+        run: bun install --frozen-lockfile
+
+      - name: Validate package
+        run: |
+          set -euo pipefail
+          bun run check
+          bun run typecheck
+          bun run test
+          bun run build
+          npm pack --dry-run
+
+      - name: Publish to npm with provenance
+        run: npm publish --provenance --access public
+
+      - name: Create and push git tag
+        env:
+          TAG: ${{ steps.metadata.outputs.tag }}
+          COMMIT_SHA: ${{ steps.metadata.outputs.commit_sha }}
+        run: |
+          set -euo pipefail
+
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git tag "${TAG}" "${COMMIT_SHA}"
+          git push origin "${TAG}"
+
+      - name: Create GitHub release
+        env:
+          GH_TOKEN: ${{ github.token }}
+          TAG: ${{ steps.metadata.outputs.tag }}
+          PACKAGE_NAME: ${{ steps.metadata.outputs.package_name }}
+        run: |
+          set -euo pipefail
+          gh release create "${TAG}" \
+            --title "${PACKAGE_NAME} ${TAG}" \
+            --generate-notes
+
+      - name: Summarize release
+        env:
+          PACKAGE_NAME: ${{ steps.metadata.outputs.package_name }}
+          VERSION: ${{ steps.metadata.outputs.version }}
+          TAG: ${{ steps.metadata.outputs.tag }}
+        run: |
+          {
+            echo "## Package published"
+            echo
+            echo "- Package: \`${PACKAGE_NAME}\`"
+            echo "- Version: \`${VERSION}\`"
+            echo "- Git tag: \`${TAG}\`"
+            echo "- npm provenance: enabled"
+          } >> "$GITHUB_STEP_SUMMARY"

README.md

@@ -110,3 +110,13 @@ Session (task span)
 │   └── ...
 └── metrics: total_turns, total_tool_calls
 ```
+
+## Releasing
+
+This package is published from GitHub Actions via `.github/workflows/publish-package.yaml` using npm trusted publishing with OIDC and npm provenance (`npm publish --provenance`).
+
+To cut a release:
+
+1. Bump `package.json` to the version you want to ship.
+2. Run the **Publish package** workflow from the branch you want to release.
+3. The workflow validates the package, publishes to npm, pushes the matching `v<version>` git tag, and creates a GitHub release.

docs/PUBLISHING.md

@@ -0,0 +1,116 @@
+# Publishing
+
+This package is published to npm from GitHub Actions using **npm trusted publishing** with **GitHub OIDC** and **provenance attestations**.
+
+Workflow file:
+
+- `.github/workflows/publish-package.yaml`
+
+## Why this setup
+
+This avoids storing a long-lived `NPM_TOKEN` in GitHub secrets.
+
+Instead:
+
+- GitHub Actions requests a short-lived OIDC identity token
+- npm verifies that token against the configured trusted publisher
+- `npm publish --provenance` attaches a provenance attestation for the published package
+
+The workflow has these permissions:
+
+- `contents: write` - to create and push the git tag
+- `id-token: write` - required for npm trusted publishing via OIDC
+
+## One-time npm setup
+
+In npm, configure **trusted publishing** for this package:
+
+- **Package:** `@braintrust/trace-opencode`
+- **Repository:** `braintrustdata/braintrust-opencode-plugin`
+- **Workflow:** `publish-package.yaml`
+
+This workflow no longer requires a GitHub Actions environment.
+
+## Release flow
+
+Releases are started manually from GitHub Actions using the **Publish package** workflow.
+
+### 1. Bump the version
+
+Update the version in `package.json` to the version you want to publish.
+
+### 2. Run the workflow
+
+From the GitHub Actions UI:
+
+- choose **Publish package**
+- choose the branch to publish from (default: `main`)
+- run the workflow
+
+## What the workflow does
+
+The workflow performs these steps:
+
+1. Checks out the selected branch
+2. Sets up Node.js and Bun
+3. Reads `name` and `version` from `package.json`
+4. Verifies that:
+   - git tag `v<version>` does not already exist on `origin`
+   - `@braintrust/trace-opencode@<version>` is not already published on npm
+5. Installs dependencies with `bun install --frozen-lockfile`
+6. Validates the package by running:
+   - `bun run check`
+   - `bun run typecheck`
+   - `bun run test`
+   - `bun run build`
+   - `npm pack --dry-run`
+7. Publishes to npm with:
+
+   ```bash
+   npm publish --provenance --access public
+   ```
+
+8. Creates and pushes the matching git tag:
+
+   ```text
+   v<version>
+   ```
+
+9. Creates a GitHub release for that tag
+
+## Notes
+
+- The package is public, so `package.json` includes:
+
+  ```json
+  {
+    "publishConfig": {
+      "access": "public"
+    }
+  }
+  ```
+
+- The publish step relies on npm trusted publishing. No `NPM_TOKEN` secret should be needed.
+- If the publish succeeds, npm should show provenance information for the release.
+
+## Failure modes
+
+The workflow will fail early if:
+
+- the git tag for that version already exists
+- that exact version is already published on npm
+- lint, typecheck, tests, build, or `npm pack --dry-run` fails
+- npm trusted publishing is not configured correctly for the package/repo/workflow
+
+## Troubleshooting
+
+If npm rejects the publish, verify:
+
+1. trusted publishing is enabled for `@braintrust/trace-opencode`
+2. the repository matches exactly:
+   - `braintrustdata/braintrust-opencode-plugin`
+3. the workflow filename matches exactly:
+   - `publish-package.yaml`
+4. the GitHub Actions job has `id-token: write`
+
+If needed, update the trusted publishing settings in npm and rerun the workflow.

package.json

@@ -34,6 +34,9 @@
     "type": "git",
     "url": "https://github.com/braintrustdata/braintrust-opencode-plugin"
   },
+  "publishConfig": {
+    "access": "public"
+  },
   "files": [
     "dist",
     "README.md"