danger · orta · Feb 21, 2026 · Feb 21, 2026 · Feb 21, 2026 · Feb 21, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,38 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: corepack enable
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: yarn
+      - run: yarn install --immutable
+      - run: yarn typecheck
+      - run: yarn test
+      - run: yarn build
+
+  danger:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+    steps:
+      - uses: actions/checkout@v4
+      - run: corepack enable
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: yarn
+      - run: yarn install --immutable
+      - run: yarn build
+      - run: node dist/cli/danger.js ci
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -0,0 +1,49 @@
+name: Publish
+
+on:
+  push:
+    tags:
+      - "v*"
+
+permissions:
+  contents: write
+  id-token: write
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: corepack enable
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: yarn
+          registry-url: https://registry.npmjs.org
+
+      - run: yarn install --immutable
+      - run: yarn typecheck
+      - run: yarn test
+      - run: yarn build
+
+      - name: Extract changelog for this version
+        id: changelog
+        run: |
+          VERSION="${GITHUB_REF_NAME#v}"
+          NOTES=$(awk "/^## ${VERSION}$/,/^## /" CHANGELOG.md | sed '1d;$d' | sed '/^$/N;/^\n$/d')
+          if [ -z "$NOTES" ]; then
+            NOTES="Release ${VERSION}"
+          fi
+          echo "notes<<EOF" >> "$GITHUB_OUTPUT"
+          echo "$NOTES" >> "$GITHUB_OUTPUT"
+          echo "EOF" >> "$GITHUB_OUTPUT"
+
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v2
+        with:
+          body: ${{ steps.changelog.outputs.notes }}
+
+      - name: Publish to npm
+        run: yarn npm publish --access public
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/.gitignore b/.gitignore
@@ -1,2 +1,5 @@
 node_modules
 dist
+.yarn/*
+!.yarn/patches
+!.yarn/plugins
diff --git a/README.md b/README.md
@@ -1,3 +1,19 @@
 # risk
 
-An experiment in a smaller Danger JS runtime with a more narrow scope: GitHub, ESM, TS+JS only, Node 22+
+An experiment in a smaller Danger JS runtime with a more narrow scope: GitHub, ESM, TS+JS only, Node 22+
+
+Aims to have as few dependencies as possible. Currently that is 3.
+
+## Installation
+
+```sh
+yarn add risk
+```
+
+## Usage
+
+```sh
+yarn danger ci
+```
+
+Will evaluate an existing `dangerfile.ts`, `dangerfile.js` etc
diff --git a/dangerfile.ts b/dangerfile.ts
@@ -0,0 +1,3 @@
+import { danger, message } from "risk"
+
+message(`Hey there! Everything is working. This PR has ${danger.github.pr.changed_files} changed file(s).`)
diff --git a/package.json b/package.json
@@ -33,6 +33,7 @@
   "files": [
     "dist"
   ],
+  "packageManager": "yarn@4.12.0",
   "engines": {
     "node": ">=22.6.0"
   },

diff --git a/scripts/release.ts b/scripts/release.ts
@@ -4,16 +4,15 @@
  * Release script for risk.
  *
  * Usage:
- *   node --experimental-strip-types scripts/release.ts <patch|minor|major>
+ *   yarn release <patch|minor|major>
  *
  * What it does:
- *   1. Checks for clean working tree
+ *   1. Checks for clean working tree on main
  *   2. Runs tests and typecheck
  *   3. Bumps version in package.json
- *   4. Extracts release notes from CHANGELOG.md
- *   5. Commits, tags, and pushes
- *   6. Creates a GitHub release with the changelog entry
- *   7. Publishes to npm
+ *   4. Commits, tags, and pushes
+ *
+ * The publish.yml workflow handles the rest (GitHub release + npm publish).
  */
 
 import { execSync } from "node:child_process"
@@ -38,7 +37,7 @@ function die(msg: string): never {
 
 const bump = process.argv[2] as "patch" | "minor" | "major" | undefined
 if (!bump || !["patch", "minor", "major"].includes(bump)) {
-  console.log("Usage: scripts/release.ts <patch|minor|major>")
+  console.log("Usage: yarn release <patch|minor|major>")
   process.exit(1)
 }
 
@@ -55,10 +54,10 @@ if (branch !== "main") {
 }
 
 console.log("Running tests...")
-run("npm test", { stdio: "inherit" })
+run("yarn test", { stdio: "inherit" })
 
 console.log("Running typecheck...")
-run("npm run typecheck", { stdio: "inherit" })
+run("yarn typecheck", { stdio: "inherit" })
 
 // --- Bump version ---
 
@@ -76,24 +75,6 @@ pkg.version = newVersion
 writeFileSync(pkgPath, JSON.stringify(pkg, null, 2) + "\n")
 console.log(`\nVersion: ${oldVersion} -> ${newVersion}`)
 
-// --- Extract changelog entry ---
-
-const changelogPath = resolve(root, "CHANGELOG.md")
-const changelog = readFileSync(changelogPath, "utf-8")
-
-// Find the section for the new version, fall back to the first section
-const sections = changelog.split(/^## /m).filter(Boolean)
-const currentSection = sections.find(s => s.startsWith(newVersion)) ?? sections[0]
-const releaseNotes = currentSection
-  ? currentSection.replace(/^\S+\s*\n/, "").trim() // Remove the version heading line
-  : `Release ${newVersion}`
-
-if (!currentSection?.startsWith(newVersion)) {
-  console.log(`Warning: No CHANGELOG entry found for ${newVersion}, using first entry.`)
-}
-
-console.log(`\nRelease notes:\n${releaseNotes}\n`)
-
 // --- Commit, tag, push ---
 
 const tag = `v${newVersion}`
@@ -103,17 +84,4 @@ run(`git commit -m "Release ${tag}"`)
 run(`git tag -a ${tag} -m "Release ${tag}"`)
 run(`git push origin main --follow-tags`)
 
-console.log(`Pushed ${tag} to origin.`)
-
-// --- GitHub release ---
-
-console.log("Creating GitHub release...")
-const releaseBody = `## ${newVersion}\n\n${releaseNotes}`
-run(`gh release create ${tag} --title "${tag}" --notes ${JSON.stringify(releaseBody)}`)
-console.log(`GitHub release created: https://github.com/danger/risk/releases/tag/${tag}`)
-
-// --- npm publish ---
-
-console.log("Publishing to npm...")
-run("npm publish", { stdio: "inherit" })
-console.log(`\nPublished risk@${newVersion} to npm.`)
+console.log(`\nPushed ${tag} to origin. The publish workflow will handle the rest.`)
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		import { danger, message } from "risk"

		message(`Hey there! Everything is working. This PR has ${danger.github.pr.changed_files} changed file(s).`)