
Publish npm packages on release via OIDC trusted publishing #1365

Merged
joshunrau merged 4 commits into DouglasNeuroInformatics:main from joshunrau:release-changes on Jun 2, 2026

Conversation

joshunrau (Collaborator) commented Jun 2, 2026

Summary

Extends the release workflow to publish our public npm packages — @opendatacapture/runtime-v1,
@opendatacapture/instrument-bundler, @opendatacapture/serve-instrument, and
@opendatacapture/instrument-guidelines — automatically whenever a release is due, instead of
publishing them by hand. Which packages get published is driven by a publishConfig marker in each
package.json (added on main in 0e1e5bb), so there's no hardcoded list to maintain. Authentication
uses npm OIDC trusted publishing — no long-lived NPM_TOKEN.

Also, going forward all versions will be synced.

Changes

  • scripts/list-publishable.sh (new): single source of truth for "what publishes on release."
    Enumerates workspace packages via pnpm ls -r and jq-filters to the non-private ones that declare
    publishConfig, emitting name<TAB>version<TAB>path.
  • scripts/increment-version.sh: replaced the hardcoded package array with the root package.json plus
    whatever list-publishable.sh discovers, so version bumps stay in sync with the publish set
    automatically.
  • .github/workflows/release.yaml: new publish-npm job, gated on the existing should_release output
    and needs: [build, configure]. It builds each publishable package's dependency closure (turbo
    filters; packages without a build script are skipped) and publishes each via pnpm --filter
    publish, skipping versions already on npm so re-runs are idempotent. The release job now also needs:
    publish-npm.
  • OIDC trusted publishing: the publish-npm job has permissions: { contents: read, id-token: write }
    and no NPM_TOKEN — pnpm authenticates through OIDC and emits provenance automatically.
  • package.json: bumped packageManager pnpm@10.7.0 → 10.34.1. OIDC trusted publishing requires pnpm ≥
    10.13 (which also fixed the setup-node _authToken placeholder → 404 issue); latest 10.x avoids the
    open pnpm 11 OIDC bug.

Prerequisites / notes

  • Trusted publishers for all four packages are registered on npmjs.com against this repo + workflow
    filename release.yaml. ✅ (done)
  • The NPM_TOKEN repo secret can be deleted once the first OIDC publish succeeds.
  • packageManager bump is repo-wide; the v9 lockfile format is unchanged across 10.7→10.34, so
    --frozen-lockfile installs are expected to keep working.

Verification

  • scripts/list-publishable.sh outputs exactly the four packages.
  • increment-version.sh array resolves to root + the four packages.
  • pnpm publish --dry-run confirmed public access from publishConfig and workspace:* deps resolving to
    concrete versions.
  • release.yaml parses; publish-npm is correctly gated on should_release and ordered before release.

Summary by CodeRabbit

  • Chores
    • Version bumped to 1.16.4 across all publishable packages.
    • Updated package manager to PNPM 10.34.1.
    • Enhanced release automation to automatically publish packages to npm with idempotency checks, ensuring packages are only published when new versions are available.
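A model of the two decisions the PR describes (which workspace packages publish, and skipping versions already on npm so re-runs are idempotent), written here as an added Python example rather than the repository's own Bash/jq script; the `pnpm ls -r --json` field names (name, version, path, private) are an assumption, and the manifests and registry state are constructed sample data.

```python
import json
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for `pnpm ls -r --json` output (assumed shape: name, version, path, private).
PNPM_LS_JSON = json.dumps([
    {"name": "@opendatacapture/runtime-v1", "version": "1.16.4", "path": "/repo/runtime/v1", "private": False},
    {"name": "@opendatacapture/instrument-bundler", "version": "1.16.4",
     "path": "/repo/packages/instrument-bundler", "private": False},
    {"name": "@opendatacapture/web", "version": "1.16.4", "path": "/repo/apps/web", "private": True},
    {"name": "@opendatacapture/internal-utils", "version": "1.16.4",
     "path": "/repo/packages/internal-utils", "private": False},
])

# Constructed package.json manifests keyed by package path; only the first two carry the
# publishConfig marker that opts a package into publishing.
MANIFESTS: Dict[str, dict] = {
    "/repo/runtime/v1": {"publishConfig": {"access": "public"}},
    "/repo/packages/instrument-bundler": {"publishConfig": {"access": "public"}},
    "/repo/apps/web": {"private": True},
    "/repo/packages/internal-utils": {},  # public package, but no publishConfig: stays unpublished
}

def list_publishable(ls_json: str, read_manifest: Callable[[str], dict]) -> List[Tuple[str, str, str]]:
    """Same filter as list-publishable.sh: non-private workspace packages that declare
    publishConfig, returned as (name, version, path-to-package.json) tuples."""
    result = []
    for pkg in json.loads(ls_json):
        if pkg.get("private"):
            continue
        manifest = read_manifest(pkg["path"])
        if manifest.get("private") or "publishConfig" not in manifest:
            continue
        result.append((pkg["name"], pkg["version"], pkg["path"] + "/package.json"))
    return result

def publish_plan(publishable, registry_versions: Dict[str, set]) -> List[Tuple[str, str, str]]:
    """Idempotent publish decision: a version already on the registry is skipped, so a
    re-run of the release job never tries (and fails) to republish it."""
    plan = []
    for name, version, _ in publishable:
        action = "skip" if version in registry_versions.get(name, set()) else "publish"
        plan.append((name, version, action))
    return plan

if __name__ == "__main__":
    # Constructed registry state: runtime-v1 1.16.4 was already published by an earlier, partial run.
    registry = {"@opendatacapture/runtime-v1": {"1.16.3", "1.16.4"},
                "@opendatacapture/instrument-bundler": {"1.16.3"}}
    for entry in publish_plan(list_publishable(PNPM_LS_JSON, MANIFESTS.__getitem__), registry):
        print("\t".join(entry))
```

In the real job the registry lookup would come from npm and the manifests from disk; the filter and skip logic are what make a second run of the workflow a no-op for packages that already landed.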

@joshunrau joshunrau merged commit fc7904a into DouglasNeuroInformatics:main Jun 2, 2026
1 of 2 checks passed
coderabbitai Bot (Contributor) commented Jun 2, 2026

Caution: Review failed. The pull request is closed.

📥 Commits

Reviewing files that changed from the base of the PR and between 7b0000a and e3bc448.

📒 Files selected for processing (8)
  • .github/workflows/release.yaml
  • package.json
  • packages/instrument-bundler/package.json
  • packages/instrument-guidelines/package.json
  • packages/serve-instrument/package.json
  • runtime/v1/package.json
  • scripts/increment-version.sh
  • scripts/list-publishable.sh

Walkthrough

This PR introduces automated npm publishing to the release workflow, adds infrastructure for discovering publishable packages, refactors version increment tooling to use dynamic discovery, and synchronizes all package versions to 1.16.4 alongside a pnpm upgrade to 10.34.1.

Changes

NPM Publishing Automation and Version Alignment

  • Publishable package discovery utility (scripts/list-publishable.sh): New Bash utility that discovers workspace packages via pnpm, filters for non-private packages with publishConfig, and outputs tab-separated name, version, and package.json path for each publishable package.
  • Dynamic version increment refactoring (scripts/increment-version.sh): Refactored to dynamically discover target packages via the new list-publishable utility instead of using a hardcoded array. Version update loop and logging now align with dynamic package discovery.
  • NPM publishing workflow job (.github/workflows/release.yaml): Adds new publish-npm job (gated by should_release) that builds and publishes publishable packages to npm using npm trusted publishing (id-token). Skips already-published versions for idempotency. Updates release job to wait for publish-npm completion.
  • Coordinated package version updates (package.json, packages/instrument-bundler/package.json, packages/instrument-guidelines/package.json, packages/serve-instrument/package.json, runtime/v1/package.json): Synchronizes versions across root and all publishable packages to 1.16.4. Root package.json also updates pnpm from 10.7.0 to 10.34.1.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes
