
ci: add release workflow #387

Merged: danielroe merged 1 commit into main from ci/release on Feb 7, 2026

Conversation

@danielroe (Member)

🔗 Linked issue

❓ Type of change

  • 📖 Documentation (updates to the documentation or readme)
  • 🐞 Bug fix (a non-breaking change that fixes an issue)
  • 👌 Enhancement (improving an existing functionality)
  • ✨ New feature (a non-breaking change that adds functionality)
  • 🧹 Chore (updates to the build process or auxiliary tools and libraries)
  • ⚠️ Breaking change (fix or feature that would cause existing functionality to change)

📚 Description

@coderabbitai (Bot) commented Feb 7, 2026

📝 Walkthrough

A new GitHub Actions workflow file has been introduced at .github/workflows/release.yml that automates release publishing. The workflow triggers on tag pushes matching the v* pattern and defines a release job that runs on ubuntu-latest with a 20-minute timeout. The job includes sequential steps for checking out code, enabling Corepack, setting up Node.js with the latest version, installing dependencies via pnpm, running a build preparation script, executing the build, and publishing to the registry using pnpm publish with the --no-git-checks flag. Concurrency grouping and explicit action versions are configured.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)
  • Description check: ❓ Inconclusive. The description is a template with no substantive content about the changes; however, the title and code summary clearly indicate this adds a release workflow, making the PR's intent identifiable despite the empty description. Resolution: Consider adding details about why the release workflow is needed, what it does, and any deployment or publishing changes it enables.

✅ Passed checks (2 passed)
  • Title check: ✅ Passed. The title 'ci: add release workflow' clearly and concisely describes the main change—addition of a release workflow in the GitHub Actions CI configuration.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Fix all issues with AI agents
In @.github/workflows/release.yml:
- Around line 16-18: The workflow currently grants the id-token: write
permission but never uses npm provenance; either remove the id-token permission
from the permissions block or enable provenance by adding the --provenance flag
to the publish step (the pnpm publish invocation). Locate the permissions
entries (id-token: write) and the publish command (pnpm publish) and implement
one of the two fixes: delete the id-token: write line to drop unnecessary
privilege, or update the pnpm publish command to include --provenance so the
granted id-token is actually used.
- Around line 39-40: The Release job's publish step (step name "📦 Release",
command "pnpm publish --no-git-checks") will fail because npm authentication
isn't configured; update the workflow to configure registry auth by modifying
the actions/setup-node step (the setup-node action) to include a registry-url
for your npm registry and ensure the publish step uses a token (set
NODE_AUTH_TOKEN or NPM_TOKEN as a secret) in its env so pnpm can authenticate
when running pnpm publish.
🧹 Nitpick comments (2)
.github/workflows/release.yml (2)

28-28: node-version: latest is non-deterministic.

Using latest means this workflow will automatically pick up new major Node.js versions on release day, which could introduce breaking changes at the worst possible time. Consider pinning to an LTS major version.

🔧 Proposed fix
       - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
         with:
-          node-version: latest
+          node-version: "22"
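Review bot: pinning to "22" removes the surprise-major risk the comment describes but not patch-level drift, since setup-node still resolves a bare major to the newest 22.x available at run time; if package.json declares an engines.node range (not shown in this PR), the pin should sit inside it. Keeping the value quoted is right: an unquoted 22 is parsed by YAML as an integer, and the string form also reads unambiguously next to values like 22.x.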

30-31: Consider --frozen-lockfile for reproducible CI installs.

In a release workflow, using pnpm install --frozen-lockfile ensures the published artifact is built from exactly what's in the lockfile, preventing accidental dependency drift.

🔧 Proposed fix
       - name: 📦 Install dependencies
-        run: pnpm install
+        run: pnpm install --frozen-lockfile
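Review bot: --frozen-lockfile is the right setting for a publish job, and it only does its job if pnpm-lock.yaml is committed and in sync with package.json, otherwise this step now fails the release run (which is the desired outcome, not a regression to paper over). pnpm already enables frozen-lockfile when it detects a CI environment, so the explicit flag mainly documents the intent and keeps the behaviour if that auto-detection ever changes.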

Comment on lines +16 to +18 of .github/workflows/release.yml:
    permissions:
      contents: write
      id-token: write

⚠️ Potential issue | 🟡 Minor

id-token: write granted but --provenance not used.

The id-token: write permission is typically requested to enable npm provenance. If that's the intent, --provenance needs to be passed to pnpm publish. If provenance is not intended, this permission should be removed to follow the principle of least privilege.

🔧 Option A: Enable provenance
       - name: 📦 Release
-        run: pnpm publish --no-git-checks
+        run: pnpm publish --no-git-checks --provenance
🔧 Option B: Remove unnecessary permission
     permissions:
       contents: write
-      id-token: write
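Review bot: Option A is only useful if the publish step is also authenticated; the comment on lines 39-40 shows no registry-url and no NODE_AUTH_TOKEN yet, so --provenance should land together with that fix rather than on its own. Whichever option is chosen, the contents: write grant on line 17 is broader than the steps listed in the walkthrough need: checkout, corepack, setup-node, install, build and publish create no GitHub release and push no commit, so contents: read is sufficient for the checkout and the job-level block could read just that plus id-token: write (Option A) or contents: read alone (Option B).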
📝 Committable suggestion


Suggested change (before → after):
    permissions:
      contents: write
      id-token: write
  →
    permissions:
      contents: write

Comment on lines +39 to +40 of .github/workflows/release.yml:
    - name: 📦 Release
      run: pnpm publish --no-git-checks

⚠️ Potential issue | 🔴 Critical

pnpm publish will fail — no npm authentication is configured.

The publish step has no NODE_AUTH_TOKEN (or NPM_TOKEN) environment variable, and actions/setup-node is not configured with a registry-url. Without both of these, the publish command will fail with an authentication error.

🔧 Proposed fix: configure registry auth

First, add registry-url to the setup-node step:

       - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
         with:
           node-version: latest
+          registry-url: "https://registry.npmjs.org"

Then, add the token to the publish step:

       - name: 📦 Release
         run: pnpm publish --no-git-checks
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
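Review bot: the two halves of this fix are not independent: registry-url is what makes setup-node write an .npmrc that reads NODE_AUTH_TOKEN, so adding only the env block leaves pnpm publish failing exactly as before. The secret name NPM_TOKEN is assumed to already exist in the repository settings; the earlier comment also mentions NPM_TOKEN as an alternative variable name, and only NODE_AUTH_TOKEN is what the setup-node .npmrc reads, so the env key must stay NODE_AUTH_TOKEN even if the secret is named differently. Because this job also holds id-token: write, it is worth confirming the stored token is a granular automation token scoped to this package rather than a broad user token.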
📝 Committable suggestion


Suggested change (before → after):
    - name: 📦 Release
      run: pnpm publish --no-git-checks
  →
    - name: 📦 Release
      run: pnpm publish --no-git-checks
      env:
        NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
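As an added, editor-written example (not the project's actual file and not one of CodeRabbit's suggestions), this is what .github/workflows/release.yml looks like with all four review points applied at once: a pinned Node major, --frozen-lockfile, registry-url plus NODE_AUTH_TOKEN for authentication, --provenance so the id-token: write grant is actually consumed, and contents reduced to read because no step creates a release or a commit. The trigger, timeout, concurrency grouping, step names, setup-node SHA and NPM_TOKEN secret name are the ones the page quotes; the actions/checkout SHA and the build-preparation script name are placeholders, since neither appears on the page.

```yaml
# Added example, not the repository's own workflow. Placeholders are marked.
name: release

on:
  push:
    tags:
      - "v*"

# One release run per ref at a time; never cancel a publish that is already in flight.
concurrency:
  group: release-${{ github.ref }}
  cancel-in-progress: false

# Start from no permissions; the job below declares the full grant explicitly.
permissions: {}

jobs:
  release:
    runs-on: ubuntu-latest
    timeout-minutes: 20
    permissions:
      contents: read      # checkout only; no GitHub release or commit is produced
      id-token: write     # consumed by `pnpm publish --provenance`
    steps:
      - uses: actions/checkout@<full-commit-sha> # vN  (placeholder: pin to a full SHA, as setup-node is below)

      - run: corepack enable   # pnpm version comes from the "packageManager" field in package.json

      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
        with:
          node-version: "22"                          # LTS major, quoted so YAML keeps it a string
          registry-url: "https://registry.npmjs.org"  # makes setup-node write an .npmrc that reads NODE_AUTH_TOKEN

      - name: 📦 Install dependencies
        run: pnpm install --frozen-lockfile   # fail the release if lockfile and manifest disagree

      - name: 🛠 Build
        run: |
          pnpm run build:prepare   # placeholder for the repo's build-preparation script
          pnpm build

      - name: 📦 Release
        run: pnpm publish --no-git-checks --provenance
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # granular automation token stored as a repository secret
```

With permissions set to {} at the top level, the job's own block is the complete grant, so a reviewer can see at a glance that the only write the run holds is the OIDC token used for provenance.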

@danielroe danielroe enabled auto-merge February 7, 2026 15:12
@danielroe danielroe added this pull request to the merge queue Feb 7, 2026
Merged via the queue into main with commit e7a9fa8 Feb 7, 2026
5 checks passed
@danielroe danielroe deleted the ci/release branch February 7, 2026 15:17