
setup: npm publish (changesets + release workflow) #8

Open
amotarao wants to merge 6 commits into main from setup/npm-publish

Conversation

@amotarao (Member) commented Mar 3, 2026

closes #5

Changes

  • Install @changesets/cli / @changesets/config
  • Add version / release scripts
  • Configure .changeset/config.json (access: public)
  • Add a Release workflow (using changesets/action)
  • Document the release procedure in the README

Notes

npm publish additionally requires an NPM_TOKEN secret to be configured.

Summary by CodeRabbit

  • New Features

    • Introduced a release-management system and implemented an automated release workflow. Changes are tracked, and version bumps and publishing now happen automatically.
  • Documentation

    • Added detailed documentation of the release procedure.

amotarao and others added 5 commits March 2, 2026 20:24
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@coderabbitai bot commented Mar 3, 2026

Walkthrough

Introduces the Changesets tool and sets up a release workflow to npm. Adds a configuration file, a GitHub Actions workflow, npm scripts and documentation to implement an automated package-publishing process.

Changes

Cohort / File(s): Summary

  • Changesets configuration (.changeset/README.md, .changeset/config.json): Adds the Changesets configuration file and documentation. Sets the cache location, disables commits, sets access to public and sets the base branch to main.
  • Release automation (.github/workflows/release.yml): Adds a GitHub Actions workflow that triggers on pushes to the main branch and runs changesets/action to publish the package via npm. Configures Node.js 24, pnpm caching and token authentication.
  • Package manifest update (package.json): Adds `changeset version` and `changeset publish` scripts. Adds @changesets/cli and @changesets/config to devDependencies.
  • Documentation (README.md): Adds a release-procedure section describing the workflow steps from creating a changeset to merging the Version Packages PR.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

A celebratory poem from the rabbit

🐰 With Changesets flowing smoothly, the road to release automation
GitHub Actions dances and sends versions off to npm
Config files in order, documentation shining
The package grows, the workflow is complete ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name / Status / Explanation
Description Check ✅ Passed: Check skipped - CodeRabbit's high-level summary is enabled.
Title check ✅ Passed: The PR title clearly describes the main change, the introduction of changesets and a release workflow, and fully matches what was implemented.
Linked Issues check ✅ Passed: The PR satisfies the requirements of issue #5; changesets configuration, npm publish support and release-workflow automation are all implemented.
Out of Scope Changes check ✅ Passed: All changes fall within the scope of linked issue #5 (npm publish and release workflow setup); no out-of-scope changes were found.
Docstring Coverage ✅ Passed: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



@coderabbitai bot left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
package.json (1)

4-4: ⚠️ Potential issue | 🔴 Critical

`private: true` blocks the public release

Line 4 conflicts with the purpose of this PR, "npm publish setup". If this package is the one to be published, change `private` to `false` (as long as it stays `private`, it will not be published).

🔧 Suggested fix
-  "private": true,
+  "private": false,
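Review bot: flipping `private` to `false` at line 4 is equivalent to deleting the key; either way, because `.changeset/config.json` sets `access: public`, the next `changeset publish` will push this package to the public registry, so confirm the package name is the intended one and run `npm publish --dry-run` on the built tree first to see exactly which files would ship.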
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@package.json` at line 4, The package.json has "private": true which prevents
npm publish; to allow public release change the "private" field value to false
(or remove the "private" property entirely) so the package can be published;
locate the "private" key in package.json and update it accordingly and ensure
any CI/publish scripts expect a non-private package.
🧹 Nitpick comments (2)
README.md (1)

41-45: Aligning the secrets-setup path with the current UI would be helpful

To reduce confusion during first-time setup, we recommend changing `Settings → Secrets` to `Settings → Secrets and variables → Actions`.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@README.md` around lines 41 - 45, Update the README guidance that currently
says "Settings → Secrets" to the current UI path "Settings → Secrets and
variables → Actions" so users can find where to add the `NPM_TOKEN` secret;
specifically, change the header/inline text where "Settings → Secrets" appears
and keep the rest of the table (Secret 名 / `NPM_TOKEN`) untouched so the table
under the new UI path remains correct and clear for first-time setup.
.github/workflows/release.yml (1)

19-21: Recommend pinning GitHub Actions to commit SHAs

Currently, all GitHub Actions are referenced by version tags such as `@v4` and `@v1`. A future tag update could introduce unexpected changes. To ensure reproducibility and reduce supply-chain risk, we recommend pinning to 40-character commit SHAs:

  • Line 19: actions/checkout@v4
  • Line 20: pnpm/action-setup@v4
  • Line 21: actions/setup-node@v4
  • Line 27: changesets/action@v1
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml around lines 19 - 21, Replace the three action
version tags and the changesets action tag in the workflow with their
40-character commit SHAs to pin exact commits: update the uses entries for
actions/checkout, pnpm/action-setup, actions/setup-node, and changesets/action
in release.yml so they use the full commit SHA instead of `@v4` or `@v1`; locate the
uses lines mentioning those repository names and substitute the tag with the
corresponding commit SHA obtained from each action's GitHub repo to ensure
reproducible runs.

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3b4dc88 and 3542c1c.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (5)
  • .changeset/README.md
  • .changeset/config.json
  • .github/workflows/release.yml
  • README.md
  • package.json

Comment on lines +14 to +17
permissions:
contents: write
pull-requests: write
id-token: write
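Review bot: `id-token: write` on lines 14-17 is only needed when a step mints an OIDC token, for example `npm publish --provenance` or npm trusted publishing; since this workflow authenticates with `NODE_AUTH_TOKEN` from the `NPM_TOKEN` secret, either drop the permission, or move to OIDC-based publishing and keep it with a comment naming the step that consumes it. `contents: write` and `pull-requests: write` are what changesets/action needs to push and open the Version Packages PR, so those stay.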

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Search for OIDC/provenance usage patterns
rg -n 'id-token|ACTIONS_ID_TOKEN|provenance|sigstore|cosign' .github/workflows/release.yml README.md package.json .changeset/config.json 2>/dev/null || echo "No matches found"

Repository: plainbrew/next-utils

Length of output: 118


🏁 Script executed:

#!/bin/bash
# Check the full release.yml to understand the workflow context
head -100 .github/workflows/release.yml

Repository: plainbrew/next-utils

Length of output: 799


🏁 Script executed:

#!/bin/bash
# Search for any usage of id-token in the entire workflows directory
rg -n 'id-token' .github/workflows/ 2>/dev/null || echo "No id-token usage found"

Repository: plainbrew/next-utils

Length of output: 118


🏁 Script executed:

#!/bin/bash
# Check if there are any npm publish or package registry operations that might need id-token
rg -n 'npm publish|registry|provenance' .github/workflows/release.yml 2>/dev/null || echo "No npm publish found"

Repository: plainbrew/next-utils

Length of output: 117


Remove `id-token: write`, as it is not used

This workflow authenticates to the npm registry with the NODE_AUTH_TOKEN environment variable and does not use an OIDC token. There is no provenance signing or other OIDC-based operation either, so this permission is unnecessary. Remove it in accordance with the principle of least privilege.

Example fix
     permissions:
       contents: write
       pull-requests: write
-      id-token: write
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml around lines 14 - 17, Remove the unused OIDC
permission by deleting the "id-token: write" entry from the workflow permissions
block (the permissions: contents/pull-requests entries should remain); also scan
the steps referenced by the workflow to confirm no actions rely on OIDC (no
usages of GITHUB_OIDC_TOKEN or provenance signatures) before committing the
change to ensure no breakage.

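An added example, not code from this PR or from the plainbrew/next-utils project: a POSIX shell audit that applies the three findings of the review above (`"private": true` in package.json, actions pinned to mutable tags instead of commit SHAs, and an `id-token: write` permission no step uses) to a repository checkout. The file layout it assumes (package.json at the root, .github/workflows/release.yml), the sample package.json and release.yml it writes, the script name and the all-zero placeholder SHA are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of this PR or the project): audit a repository's npm
# release setup for the three findings raised in review: "private": true in
# package.json, GitHub Actions pinned to mutable tags instead of commit SHAs,
# and an id-token: write permission that no step actually uses.
# Assumed layout: package.json at the repo root and the workflow under
# .github/workflows/release.yml (assumptions for this example, not the PR's files).
set -u

# Returns 0 when package.json allows publishing, 1 when it carries "private": true
# (npm publish fails with EPRIVATE and changeset publish skips private packages).
check_publishable() {
  pkg="$1"
  if grep -Eq '"private"[[:space:]]*:[[:space:]]*true' "$pkg"; then
    echo "FAIL: $pkg has \"private\": true; it will not be published" >&2
    return 1
  fi
  return 0
}

# Prints every `uses:` line whose ref is not a 40-character hex commit SHA
# (a trailing "# v4" comment after the SHA is allowed). Returns 1 if any are found.
find_unpinned_actions() {
  wf="$1"
  unpinned=$(grep -En '^[[:space:]-]*uses:[[:space:]]*[^@[:space:]]+@' "$wf" \
    | grep -Ev '@[0-9a-f]{40}([[:space:]]|$)' || true)
  if [ -n "$unpinned" ]; then
    printf '%s\n' "$unpinned"
    return 1
  fi
  return 0
}

# Returns 1 when the workflow grants id-token: write but nothing in it refers to
# OIDC-based publishing (provenance, trusted publishing, sigstore/cosign, ...).
# The keyword list is a heuristic; a reviewer still confirms the finding by hand.
check_id_token_scope() {
  wf="$1"
  if grep -Eq '^[[:space:]]*id-token:[[:space:]]*write' "$wf" \
     && ! grep -Eiq 'provenance|sigstore|cosign|ACTIONS_ID_TOKEN|trusted' "$wf"; then
    echo "FAIL: $wf grants id-token: write but no step uses OIDC" >&2
    return 1
  fi
  return 0
}

# Runs all three checks against a checkout; the return value is the failure count.
audit_release_setup() {
  dir="$1"
  failures=0
  check_publishable "$dir/package.json" || failures=$((failures + 1))
  find_unpinned_actions "$dir/.github/workflows/release.yml" || failures=$((failures + 1))
  check_id_token_scope "$dir/.github/workflows/release.yml" || failures=$((failures + 1))
  return "$failures"
}

# Constructed sample inputs (not the PR's real files) that reproduce all three
# findings; the all-zero SHA on setup-node is a placeholder, not a real commit.
write_samples() {
  dir="$1"
  mkdir -p "$dir/.github/workflows"
  cat > "$dir/package.json" <<'EOF'
{
  "name": "@example/next-utils",
  "version": "0.1.0",
  "private": true,
  "scripts": { "version": "changeset version", "release": "changeset publish" }
}
EOF
  cat > "$dir/.github/workflows/release.yml" <<'EOF'
name: Release
on:
  push:
    branches: [main]
permissions:
  contents: write
  pull-requests: write
  id-token: write
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
      - uses: actions/setup-node@0000000000000000000000000000000000000000 # v4 placeholder
      - uses: changesets/action@v1
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
EOF
}

# Usage (script name assumed): sh audit-release.sh --audit /path/to/checkout
# The exit status is the number of failed checks, so it can gate a CI job.
if [ "${1:-}" = "--audit" ]; then
  audit_release_setup "${2:-.}"
fi
```

Run against the sample files the script can write for itself, the audit reports all three problems and exits with status 3; after `private` is flipped to `false` and the three tag references are replaced with commit SHAs, only the `id-token` check remains, which is the one that needs a human decision (drop the permission or switch to OIDC publishing).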

Development

Successfully merging this pull request may close these issues.

npm publish setup (release workflow)

1 participant