Add GitHub Actions workflow to publish npm package on GitHub release

[Copilot]

Automates npm publishing when a GitHub Release is published, eliminating manual npm publish steps.

Changes

• .github/workflows/npm-publish.yml — new workflow triggered on release: published with two jobs:
  • verify (runs first):
    • Runs npm pack to build the tarball
    • Checks that all required source files are present in the package (index.js, EventStore.js, Storage.js, Partition.js, Index.js, metadataUtil.js)
    • Checks that sensitive/unwanted files are absent (.env, node_modules/, /data/)
    • Installs the tarball into the bench/ subproject and runs npm run bench as a smoke test — any runtime failure blocks publishing
  • publish (only runs if verify succeeds):
    • Sets up Node.js 22.x with registry-url: https://registry.npmjs.org
    • Runs npm publish --provenance --access public authenticated via NPM_TOKEN secret
    • Uses id-token: write permission for provenance attestation; all other permissions are minimally scoped
• package.json — added missing src/metadataUtil.js to the files array (it was excluded from the tarball but is required at runtime by ReadableStorage.js)
• .gitignore — added *.tgz to prevent locally-created pack tarballs from being accidentally committed

Required setup

Add an npm access token as a repository secret named NPM_TOKEN (Settings → Secrets and variables → Actions → New repository secret).

[albe]

@copilot add a pre release step that creates a npm pack bundle and verifies it contains all necessary files, but no files that shouldn't be there like a .env, data files or node_modules/* .
Then install the package to a small test project, which could be the benchmark subprojects and try running it. If the package is missing crutial files, includes sensitive files or the test project run fails, then don't publish to npm.

[Copilot]

@copilot add a pre release step that creates a npm pack bundle and verifies it contains all necessary files, but no files that shouldn't be there like a .env, data files or node_modules/* .
Then inst...

Done in commit 73c54f4. Here's what was added:

verify job (runs before publish, which now has needs: verify):

1. Pack — npm pack builds the tarball.
2. Verify pack contents — checks that key required files are present (index.js, EventStore.js, Storage.js, Partition.js, Index.js, metadataUtil.js) and that forbidden patterns are absent (.env, node_modules/, /data/). Any violation exits with an error, blocking the publish.
3. Smoke test — installs the tarball into the bench/ subproject via npm install --no-save <tarball> and runs the full npm run bench suite (all four bench scripts). If any benchmark fails, the publish is blocked.

Running the smoke test locally also uncovered a real bug: src/metadataUtil.js was imported by ReadableStorage.js but missing from the files array in package.json, so it was silently excluded from the tarball and caused a runtime crash. That's fixed in the same commit.

[coveralls]

coverage: 98.054%. remained the same
when pulling 73c54f4 on copilot/add-npm-release-workflow
into 211af1e on main.