-
Notifications
You must be signed in to change notification settings - Fork 0
Releasing
🔄 Auto-generated mirror. Canonical source:
contributing/releasing.md. Edit there — changes here are overwritten by CI.
Display Case publishes to the public npm registry (Bun has no registry of its
own — bun install and bun publish both speak to npm). Releases are automated
with Changesets: no manual version
bumps and no manual npm publish. main is the release branch.
The version is decoupled from commit messages — it comes from the changeset
file(s) a PR includes. Commit/merge style therefore has no effect on the release
(main is squash-only).
-
In your PR, add a changeset declaring the release impact:
bun run changeset # interactive: pick patch / minor / major + write a descriptionThis writes a file like
.changeset/cool-otters-sing.md:--- "@awarebydefault/display-case": minor --- Add a `--static` flag to `display-case publish` for a server-less export.
Level When Example patchbug fix / internal change, no API change 0.1.0→0.1.1minorbackward-compatible new capability 0.1.0→0.2.0majorbreaking change to the public API or CLI 0.1.0→1.0.0For a change that should not release (docs, CI, tests, refactors), add an empty changeset instead — it satisfies the PR check without bumping anything:
bun run changeset --empty
(The
display-case-changesetskill can write the right changeset from your branch's diff.) -
A PR check enforces it. The
Changeset presentCI job fails any PR that adds no.changeset/*.md, so release impact is always declared (use an empty changeset to opt out of a release). -
On merge to
main,.github/workflows/release.ymlruns the browser-free gate (lint+typecheck+check+test), then — only if the merged changes carried any changesets — runschangeset version(bumpspackage.json, prependsCHANGELOG.md, deletes the consumed changesets), commits that back tomainaschore(release): version packages [skip ci], andchangeset publishes to npm. A push carrying no changesets is a clean no-op. Multiple changesets in one release collapse to the highest level, and each description becomes its own changelog line.
The version commit is tagged [skip ci] so it doesn't retrigger the workflow.
The version commit + git tags push directly to main, which the Protect main ruleset gates behind a PR. The release job therefore pushes as the
awarebydefault-release GitHub App — the ruleset's sole bypass actor — via a
short-lived token minted with actions/create-github-app-token. The built-in
GITHUB_TOKEN can't be a ruleset bypass actor, which is why the App exists.
Setup (one-time, already done): the App has Contents: Read & write, is
installed on this repo only, and its RELEASE_APP_ID + RELEASE_APP_PRIVATE_KEY
are repo secrets. The update-baselines workflow uses the same App for the same
reason.
Display Case is Bun-native at runtime, not just at install time — the CLI,
the dev/prod server, and the checks call Bun.serve / Bun.build / Bun.file
directly. Transpiling to JS would not make it Node-runnable (those globals are
still required), so we ship the src/**/*.ts sources verbatim and Bun runs them.
The package declares "engines": { "bun": ">=1.2.0" }, and the CLI exits early
with a friendly message if launched under Node (src/cli.ts). The files
allowlist in package.json controls the published tarball; verify it with
npm pack --dry-run (or bun pm pack --dry-run).
The package publishes with npm trusted publishing —
GitHub Actions authenticates to npm over OIDC, so no long-lived publish token
lives in the repo. The release job runs on Node 24 with npm ≥ 11.5.1 (both
required for trusted publishing); changeset publish shells out to that npm
for the registry handshake.
npm can only configure a trusted publisher on a package that already exists, so the rollout is two phases.
- Mint an npm Automation token (Automation/Granular tokens bypass any
2FA-on-publish requirement) scoped to
@awarebydefaultwith publish rights. - Add it as the
NPM_TOKENrepo secret. When set, the release job writes a one-line~/.npmrcfrom it; when unset, the publish uses OIDC. - Land a release-worthy change on
main; the publish falls back toNPM_TOKENand creates@awarebydefault/display-case.
- On npmjs.com → the package → Settings → Trusted Publisher, add a GitHub
Actions publisher:
-
Organization or user:
AwareByDefault -
Repository:
display-case -
Workflow filename:
release.yml(filename only, not the path) -
Allowed actions:
npm publish
-
Organization or user:
-
Delete the
NPM_TOKENsecret. With it gone the job writes no.npmrcandnpm publishuses OIDC tokenlessly. Confirm the run log shows the OIDC exchange succeeded.
The Node/npm step in release.yml is the only non-Bun part of the pipeline — it
exists solely to provide the npm CLI changeset publish calls. Two upstream
Bun changes must both land before the job could be fully bun-native:
-
Provenance: oven-sh/bun#30522
adds
bun publish --provenance. Open. - Tokenless OIDC auth: oven-sh/bun#24855 adds trusted publishing. Open.
#30522 alone closes only the provenance gap, not authentication.
-
Scoped, public package —
@awarebydefault/display-case. Scoped packages default to private, sopublishConfig.access = public(set inpackage.json) is required. The CLI command is stilldisplay-case. -
Provenance —
publishConfig.provenance = trueplus the workflow'sid-token: writepermission emit provenance attestations on publish.
bun run changeset:status # what would the pending changesets release?If a release run fails after changeset publish succeeds but before the
push lands, npm has the new version while main lacks the bump. Re-run the
workflow (workflow_dispatch): changeset publish skips versions already on the
registry, the changesets are still on main, so the version + push are recreated
idempotently.
Auto-generated mirror of the Display Case docs. Edit the repo, not the wiki.
Product documentation
- AI Agents
- CLI
- Configuration
- Documentation Panel
- Examples
- Hierarchy
- Quick Start
- Style Engines
- Testing
- Theming
- Tweaks
- Writing Cases
- Writing Placard Docs
Contributing (engineering)