ci: adopt Changesets for versioning and publishing by bmuenzenmeyer · Pull Request #855 · nodejs/doc-kit

bmuenzenmeyer · 2026-06-27T03:50:14Z

closes #791 - and a Slack thread

What

Replaces the bespoke package.json-diff publish flow with Changesets, so releases now produce a CHANGELOG.md, git tags, and GitHub Releases — none of which the previous process generated.

How it works now

Contributors add a changeset per PR (node --run changeset) declaring the bump type + summary.
When changesets land on main, changesets/action opens a "Version Packages" PR that bumps the version and writes CHANGELOG.md.
Merging that PR publishes to npm (via the existing npm OIDC trusted publishing — no token), creates the v<x.y.z> git tag, and cuts a GitHub Release.

Changes

package.json — add @changesets/cli + @changesets/changelog-github; add changeset, changeset:version, release scripts.
.changeset/ — config (changelog-github, access: public, baseBranch: main), README, and one bootstrap changeset.
.github/workflows/release.yml (new, replaces publish.yml) — changesets/action@v1.9.0 pinned by SHA; keeps harden-runner, npm OIDC, and the Slack notify. Permissions bumped to contents: write + pull-requests: write.
CONTRIBUTING.md — "Adding a Changeset" and "Releasing" sections.

⚠️ Action required before first publish

The npm trusted-publisher config currently points at publish.yml. Since the workflow was renamed to release.yml, update the trusted publisher's workflow filename in the npm package settings, or the OIDC publish will fail.

Note

release.yml uses egress-policy: audit (not block) on harden-runner — the publish step legitimately reaches many endpoints (npm registry, sigstore provenance, GitHub API, git push, Slack) and a wrong block allowlist would hard-fail releases. The old publish job had no harden-runner at all, so this is still a net gain; it can be tightened to block once a real run reveals the exact endpoint list.

Verification

changeset status validates config + sees the bootstrap changeset.
A throwaway changeset version produced 1.4.1 + a clean CHANGELOG.md (reverted).
lint + format:check pass.

🤖 Generated with Claude Code

Replace the bespoke package.json-diff publish flow with Changesets so releases produce a CHANGELOG.md, git tags, and GitHub Releases. - Add @changesets/cli + @changesets/changelog-github and changeset, changeset:version, and release scripts - Add .changeset config (changelog-github, public access, main base) - Replace publish.yml with release.yml using changesets/action, keeping npm OIDC trusted publishing and the Slack notification - Document the changeset and release flow in CONTRIBUTING.md Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

cursor · 2026-06-27T03:50:20Z

PR Summary

Medium Risk
Changes how npm packages ship and requires updating npm trusted-publisher workflow name; misconfiguration could block releases until OIDC settings match release.yml.

Overview
Replaces the old publish.yml flow (publish when package.json version changes on main) with Changesets for versioning, changelog, tags, and GitHub Releases.

Adds .changeset/ config (GitHub changelog for nodejs/doc-kit, public access, main base branch) plus a bootstrap patch changeset. package.json gains @changesets/cli / @changesets/changelog-github and scripts changeset, changeset:version, and release (changeset publish).

New .github/workflows/release.yml runs changesets/action on every push to main: pending changesets open/update a Version Packages PR; after that merges, it publishes via npm OIDC, tags, and creates a GitHub Release. Keeps Slack notify on publish; adds harden-runner with audit egress (broader than the removed publish job’s blocked list). Job permissions include contents: write and pull-requests: write.

CONTRIBUTING.md documents contributor changesets and the maintainer release path (no manual version bumps).

Before the first publish: npm trusted publishing must reference release.yml instead of publish.yml.

^{Reviewed by Cursor Bugbot for commit 105d54d. Bugbot is set up for automated code reviews on this repo. Configure here.}

vercel · 2026-06-27T03:50:20Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
api-docs-tooling	Ready	Preview	Jun 28, 2026 3:36am

+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          # Changesets needs full history (and credentials) to push the version branch and tags.
+          fetch-depth: 0


codecov · 2026-06-27T03:50:44Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 84.99%. Comparing base (8851110) to head (56b213d).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #855      +/-   ##
==========================================
- Coverage   84.99%   84.99%   -0.01%     
==========================================
  Files         179      179              
  Lines       16404    16407       +3     
  Branches     1482     1483       +1     
==========================================
+ Hits        13943    13945       +2     
- Misses       2451     2452       +1     
  Partials       10       10

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

cursor

Cursor Bugbot has reviewed your changes using default effort and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 105d54d. Configure here.}

cursor · 2026-06-27T03:51:46Z

+          version: node --run changeset:version
+          publish: node --run release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}


Publish verification checks removed

Medium Severity

Replacing publish.yml drops the pre-publish checks that required a GPG-verified commit and a merge-queue committer before any npm publish. The new Release job runs changesets/action (including node --run release) on every push to main with no equivalent authenticity gate on the publish path.

^{Reviewed by Cursor Bugbot for commit 105d54d. Configure here.}

github-actions · 2026-06-28T03:25:19Z

`orama-db` Generator

File	Base	Head	Diff
`orama-db.json`	8.89 MB	8.89 MB	-1.07 KB (-0.01%)

`web` Generator

File	Base	Head	Diff
`all.html`	19.84 MB	19.92 MB	+78.06 KB (+0.38%)
`quic.html`	727.57 KB	739.09 KB	+11.52 KB (+1.58%)
`webcrypto.html`	550.02 KB	557.04 KB	+7.02 KB (+1.28%)
`http.html`	754.18 KB	759.35 KB	+5.17 KB (+0.69%)
`process.html`	686.65 KB	691.28 KB	+4.63 KB (+0.67%)
`fs.html`	1.47 MB	1.47 MB	+4.53 KB (+0.30%)
`http2.html`	778.85 KB	782.94 KB	+4.09 KB (+0.53%)
`perf_hooks.html`	382.28 KB	385.99 KB	+3.71 KB (+0.97%)
`net.html`	410.25 KB	413.22 KB	+2.97 KB (+0.72%)
`webstreams.html`	358.15 KB	360.72 KB	+2.57 KB (+0.72%)
`stream.html`	859.48 KB	861.93 KB	+2.46 KB (+0.29%)
`crypto.html`	1.10 MB	1.10 MB	+2.38 KB (+0.21%)
`dtls.html`	147.17 KB	149.41 KB	+2.24 KB (+1.52%)
`buffer.html`	906.26 KB	907.87 KB	+1.61 KB (+0.18%)
`events.html`	454.72 KB	456.33 KB	+1.61 KB (+0.35%)
`os.html`	144.97 KB	146.36 KB	+1.39 KB (+0.96%)
`url.html`	347.95 KB	349.27 KB	+1.31 KB (+0.38%)
`worker_threads.html`	372.76 KB	374.02 KB	+1.26 KB (+0.34%)
`modules.html`	180.75 KB	181.93 KB	+1.17 KB (+0.65%)
`v8.html`	342.05 KB	343.18 KB	+1.13 KB (+0.33%)
`vm.html`	370.59 KB	371.66 KB	+1.06 KB (+0.29%)
`util.html`	695.74 KB	696.78 KB	+1.04 KB (+0.15%)
`test.html`	806.86 KB	807.82 KB	+989.00 B (+0.12%)
`globals.html`	230.41 KB	231.37 KB	+983.00 B (+0.42%)
`errors.html`	483.59 KB	484.55 KB	+981.00 B (+0.20%)
`tls.html`	378.46 KB	379.35 KB	+910.00 B (+0.23%)
`child_process.html`	379.65 KB	380.48 KB	+851.00 B (+0.22%)
`sqlite.html`	288.59 KB	289.40 KB	+835.00 B (+0.28%)
`timers.html`	133.51 KB	134.19 KB	+693.00 B (+0.51%)
`cluster.html`	196.55 KB	197.16 KB	+616.00 B (+0.31%)
`dgram.html`	208.10 KB	208.63 KB	+543.00 B (+0.25%)
`readline.html`	252.26 KB	252.79 KB	+543.00 B (+0.21%)
`async_context.html`	187.70 KB	188.09 KB	+397.00 B (+0.21%)
`async_hooks.html`	160.13 KB	160.52 KB	+397.00 B (+0.24%)
`inspector.html`	171.82 KB	172.21 KB	+397.00 B (+0.23%)
`styles.css`	141.34 KB	141.69 KB	+359.00 B (+0.25%)
`module.html`	328.52 KB	328.84 KB	+332.00 B (+0.10%)
`esm.html`	157.92 KB	158.24 KB	+324.00 B (+0.20%)
`https.html`	150.40 KB	150.72 KB	+324.00 B (+0.21%)
`packages.html`	178.11 KB	178.43 KB	+324.00 B (+0.18%)
`path.html`	139.50 KB	139.74 KB	+251.00 B (+0.18%)
`diagnostics_channel.html`	304.54 KB	304.72 KB	+188.00 B (+0.06%)
`tracing.html`	84.59 KB	84.77 KB	+178.00 B (+0.21%)
`domain.html`	105.45 KB	105.55 KB	+109.00 B (+0.10%)
`single-executable-applications.html`	107.37 KB	107.48 KB	+107.00 B (+0.10%)
`dns.html`	297.83 KB	297.93 KB	+105.00 B (+0.03%)
`addons.html`	275.26 KB	275.22 KB	-41.00 B (-0.01%)
`assert.html`	329.45 KB	329.41 KB	-41.00 B (-0.01%)
`cli.html`	519.20 KB	519.16 KB	-41.00 B (-0.01%)
`console.html`	144.61 KB	144.57 KB	-41.00 B (-0.03%)
`debugger.html`	96.46 KB	96.42 KB	-41.00 B (-0.04%)
`deprecations.html`	513.59 KB	513.55 KB	-41.00 B (-0.01%)
`documentation.html`	38.47 KB	38.43 KB	-41.00 B (-0.10%)
`embedding.html`	59.86 KB	59.82 KB	-41.00 B (-0.07%)
`environment_variables.html`	44.47 KB	44.43 KB	-41.00 B (-0.09%)
`index.html`	40.93 KB	40.89 KB	-41.00 B (-0.10%)
`intl.html`	58.57 KB	58.53 KB	-41.00 B (-0.07%)
`n-api.html`	812.43 KB	812.39 KB	-41.00 B (-0.00%)
`permissions.html`	63.28 KB	63.24 KB	-41.00 B (-0.06%)
`querystring.html`	64.17 KB	64.13 KB	-41.00 B (-0.06%)
`report.html`	176.35 KB	176.31 KB	-41.00 B (-0.02%)
`string_decoder.html`	55.79 KB	55.75 KB	-41.00 B (-0.07%)
`synopsis.html`	43.10 KB	43.06 KB	-41.00 B (-0.09%)
`typescript.html`	53.90 KB	53.86 KB	-41.00 B (-0.07%)
`vfs.html`	81.64 KB	81.60 KB	-41.00 B (-0.05%)
`stream_iter.html`	367.10 KB	367.13 KB	+34.00 B (+0.01%)
`404.html`	30.41 KB	30.38 KB	-32.00 B (-0.10%)
`ffi.html`	132.13 KB	132.16 KB	+32.00 B (+0.02%)
`punycode.html`	63.58 KB	63.61 KB	+32.00 B (+0.05%)
`repl.html`	183.69 KB	183.72 KB	+32.00 B (+0.02%)
`tty.html`	95.61 KB	95.64 KB	+32.00 B (+0.03%)
`wasi.html`	69.72 KB	69.75 KB	+32.00 B (+0.04%)
`zlib.html`	345.26 KB	345.29 KB	+32.00 B (+0.01%)

- Add a concurrency group (cancel-in-progress: false) so overlapping pushes to main can't race the version PR push or the publish step - Guard the job with github.repository so forks don't attempt to publish Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

bmuenzenmeyer requested a review from a team as a code owner June 27, 2026 03:50

github-advanced-security AI found potential problems Jun 27, 2026

View reviewed changes

vercel Bot deployed to Preview June 27, 2026 03:51 View deployment

cursor Bot reviewed Jun 27, 2026

View reviewed changes

bmuenzenmeyer marked this pull request as draft June 27, 2026 03:51

use correct hash/version

5a429a1

github-advanced-security AI found potential problems Jun 27, 2026

View reviewed changes

Comment thread .github/workflows/release.yml Fixed

vercel Bot deployed to Preview June 27, 2026 13:15 View deployment

fix lockfile

a893e1a

vercel Bot deployed to Preview June 28, 2026 03:17 View deployment

regenerate lockfile

32994ae

vercel Bot deployed to Preview June 28, 2026 03:23 View deployment

fix sha/tag ref

e7553c0

vercel Bot deployed to Preview June 28, 2026 03:29 View deployment

vercel Bot deployed to Preview June 28, 2026 03:36 View deployment

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

ci: adopt Changesets for versioning and publishing#855

ci: adopt Changesets for versioning and publishing#855
bmuenzenmeyer wants to merge 6 commits into
mainfrom
changesets

bmuenzenmeyer commented Jun 27, 2026 •

edited

Loading

Uh oh!

cursor Bot commented Jun 27, 2026 •

edited

Loading

Uh oh!

vercel Bot commented Jun 27, 2026 •

edited

Loading

Uh oh!

Uh oh!

codecov Bot commented Jun 27, 2026 •

edited

Loading

Uh oh!

cursor Bot left a comment

Uh oh!

cursor Bot Jun 27, 2026

Uh oh!

Uh oh!

github-actions Bot commented Jun 28, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Uh oh!

Conversation

bmuenzenmeyer commented Jun 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

What

How it works now

Changes

⚠️ Action required before first publish

Note

Verification

Uh oh!

cursor Bot commented Jun 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

PR Summary

Uh oh!

vercel Bot commented Jun 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

codecov Bot commented Jun 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

cursor Bot left a comment

Choose a reason for hiding this comment

Uh oh!

cursor Bot Jun 27, 2026

Choose a reason for hiding this comment

Publish verification checks removed

Uh oh!

Uh oh!

github-actions Bot commented Jun 28, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

orama-db Generator

web Generator

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

bmuenzenmeyer commented Jun 27, 2026 •

edited

Loading

cursor Bot commented Jun 27, 2026 •

edited

Loading

vercel Bot commented Jun 27, 2026 •

edited

Loading

codecov Bot commented Jun 27, 2026 •

edited

Loading

github-actions Bot commented Jun 28, 2026 •

edited

Loading

`orama-db` Generator

`web` Generator