v0.5.0 prep

.changeset/README.md

@@ -0,0 +1,16 @@
+# Changesets
+
+Add a changeset for every user-facing package change:
+
+```sh
+pnpm changeset
+```
+
+Use the summary as adopter-facing release notes. The release workflow turns
+merged changesets into package changelogs, npm publishes, Git tags, and GitHub
+Releases.
+
+The JavaScript packages are currently linked so `@seamless-auth/core` and
+official adapters move together while the API is pre-1.0. After the v1 contract
+is stable, remove packages from the linked group when they can safely version
+independently.

.changeset/config.json

@@ -0,0 +1,15 @@
+{
+  "$schema": "https://unpkg.com/@changesets/config@3.1.1/schema.json",
+  "changelog": "@changesets/cli/changelog",
+  "commit": false,
+  "fixed": [],
+  "linked": [["@seamless-auth/core", "@seamless-auth/express"]],
+  "access": "public",
+  "baseBranch": "main",
+  "updateInternalDependencies": "patch",
+  "snapshot": {
+    "useCalculatedVersion": true,
+    "prereleaseTemplate": "{tag}.{datetime}"
+  },
+  "ignore": []
+}

.changeset/workspace-release-management.md

@@ -0,0 +1,8 @@
+---
+"@seamless-auth/core": patch
+"@seamless-auth/express": patch
+---
+
+Move package development and release management to a pnpm workspace backed by
+Changesets. The Express adapter now resolves core through a local workspace link
+in development while publishing a normal semver dependency for adopters.

.github/workflows/ci.yml

@@ -18,22 +18,17 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - uses: actions/setup-node@v4
+      - uses: pnpm/action-setup@v4
         with:
-          node-version: 20
-
-      - name: Install Core dependencies
-        working-directory: packages/core
-        run: npm ci
+          version: 10.33.0
 
-      - name: Install Express dependencies
-        working-directory: packages/express
-        run: npm ci
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 24
+          cache: pnpm
 
-      - name: Test Core
-        working-directory: packages/core
-        run: npm test
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
 
-      - name: Test Express
-        working-directory: packages/express
-        run: npm test
+      - name: Test workspace
+        run: pnpm test

.github/workflows/prerelease.yml

@@ -0,0 +1,74 @@
+name: Prerelease
+
+on:
+  push:
+    branches:
+      - dev
+      - "release/**"
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: npm dist-tag to publish
+        required: true
+        default: alpha
+        type: choice
+        options:
+          - alpha
+          - beta
+          - rc
+
+jobs:
+  prerelease:
+    name: Publish Prerelease Snapshot
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      id-token: write
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: pnpm/action-setup@v4
+        with:
+          version: 10.33.0
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 24
+          cache: pnpm
+          registry-url: https://registry.npmjs.org/
+
+      - name: Determine release channel
+        id: channel
+        run: |
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            TAG="${{ inputs.tag }}"
+          elif [ "${{ github.ref_name }}" = "dev" ]; then
+            TAG="beta"
+          else
+            TAG="rc"
+          fi
+
+          echo "tag=$TAG" >> "$GITHUB_OUTPUT"
+
+      - name: Check release intent
+        id: changesets
+        run: |
+          node -e "const fs = require('fs'); const hasChangesets = fs.readdirSync('.changeset').some((name) => name.endsWith('.md') && name !== 'README.md'); fs.appendFileSync(process.env.GITHUB_OUTPUT, 'has_changesets=' + hasChangesets + '\n');"
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Test workspace
+        run: pnpm test
+
+      - name: Publish snapshot packages
+        if: steps.changesets.outputs.has_changesets == 'true'
+        run: pnpm release:${{ steps.channel.outputs.tag }}
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_CONFIG_PROVENANCE: true

.github/workflows/release.yml

@@ -1,93 +1,50 @@
 name: Release
 
 on:
-  release:
-    types:
-      - published
+  push:
+    branches:
+      - main
+  workflow_dispatch:
 
 jobs:
-  publish:
-    name: Publish Package
+  release:
+    name: Version or Publish Stable Packages
     runs-on: ubuntu-latest
 
     permissions:
-      contents: read
+      contents: write
+      pull-requests: write
       id-token: write
 
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
+      - uses: pnpm/action-setup@v4
+        with:
+          version: 10.33.0
+
       - uses: actions/setup-node@v4
         with:
           node-version: 24
+          cache: pnpm
           registry-url: https://registry.npmjs.org/
 
-      - name: Determine package and version
-        id: meta
-        run: |
-          TAG="${{ github.event.release.tag_name }}"
-
-          if [[ "$TAG" == core-v* ]]; then
-            PACKAGE="core"
-            VERSION="${TAG#core-v}"
-          elif [[ "$TAG" == express-v* ]]; then
-            PACKAGE="express"
-            VERSION="${TAG#express-v}"
-          else
-            echo "Invalid tag format"
-            exit 1
-          fi
-
-          echo "package=$PACKAGE" >> $GITHUB_OUTPUT
-          echo "version=$VERSION" >> $GITHUB_OUTPUT
-
-          echo "Publishing $PACKAGE version $VERSION"
-
-      - name: Validate package.json version matches tag
-        working-directory: packages/${{ steps.meta.outputs.package }}
-        run: |
-          PACKAGE_VERSION=$(node -p "require('./package.json').version")
-          if [ "$PACKAGE_VERSION" != "${{ steps.meta.outputs.version }}" ]; then
-            echo "Version mismatch!"
-            echo "Tag version: ${{ steps.meta.outputs.version }}"
-            echo "package.json version: $PACKAGE_VERSION"
-            exit 1
-          fi
-
-      - name: Validate express core dependency
-        if: steps.meta.outputs.package == 'express'
-        working-directory: packages/express
-        run: |
-          CORE_RANGE=$(node -p "require('./package.json').dependencies['@seamless-auth/core']")
-          CORE_VERSION=$(node -p "require('../core/package.json').version")
-          EXPECTED="^${CORE_VERSION}"
-
-          if [ "$CORE_RANGE" != "$EXPECTED" ]; then
-            echo "Express must depend on @seamless-auth/core ${EXPECTED}, found ${CORE_RANGE}"
-            exit 1
-          fi
-
       - name: Install dependencies
-        run: |
-          if [ "${{ steps.meta.outputs.package }}" = "express" ]; then
-            npm --prefix packages/core ci
-            npm --prefix packages/express ci
-          else
-            npm --prefix packages/core ci
-          fi
+        run: pnpm install --frozen-lockfile
 
-      - name: Test package
-        run: |
-          if [ "${{ steps.meta.outputs.package }}" = "express" ]; then
-            npm --prefix packages/express test
-          else
-            npm --prefix packages/core test
-          fi
+      - name: Test workspace
+        run: pnpm test
 
-      - name: Publish to npm
-        working-directory: packages/${{ steps.meta.outputs.package }}
-        run: npm publish --access public --provenance
+      - name: Version or publish packages
+        uses: changesets/action@v1
+        with:
+          version: pnpm version-packages
+          publish: pnpm release:stable
+          createGithubReleases: true
         env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_CONFIG_PROVENANCE: true

.gitignore

@@ -1 +1,5 @@
 .DS_Store
+node_modules/
+**/node_modules/
+**/dist/
+.pnpm-store/