Release process
Release process
Stable publishing is intentionally HITL and runs only from
.github/workflows/release.yml on a stable v* tag contained in main.
Prepare
- Add a Changeset for every public behavior or contract change.
- Run
pnpm version:packages, review the fixed-group versions/changelogs, and updaterelease/manifest.jsonplus the release notes. - Run
pnpm release:gate,pnpm release:pack, and the full CI matrix. - Obtain architecture, security/privacy, compatibility, and launch review.
- Merge the release PR. Create the stable tag only after all required checks
and the protected
npmenvironment are ready.
Publish
The workflow verifies tag ancestry and exact fixed-group versions, installs
from the lockfile without a dependency cache, runs every quality/conformance,
browser, native, PTY, documentation, package, and clean-room gate, then packs
both public packages with SHA-256 checksums. The protected publish job uses a
GitHub-hosted runner with id-token: write and npm provenance.
The 0.1.0 bootstrap used a short-lived token because the package names did
not yet exist. That credential has been removed. Both public packages now trust
AgentsKit-io/agentskit-chat, workflow release.yml, environment npm; npm 11
uses GitHub OIDC and every publish requests public access and provenance. A
GitHub release is made public only after both npm publishes succeed.
See npm's official guidance for trusted publishing, provenance, and scoped public packages.
Verify
Confirm both npm pages show the version in release/manifest.json and provenance, install the package graph
from npm in a clean directory, run npm audit signatures, verify GitHub assets
against SHA256SUMS, and smoke the Docs, Registry, and Playbook hosts. Record
links and results on issue #30 before closing the milestone.