ci: use OIDC trusted publishing with auto version bump

DhruvBhatia0 · claude · DhruvBhatia0 · commit b835e488d4ee · 2026-03-16T14:37:06.000-07:00
Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -3,6 +3,17 @@ name: Release
 on:
   push:
     branches: [main]
+  workflow_dispatch:
+    inputs:
+      version_bump:
+        description: 'Version bump type'
+        required: true
+        default: 'patch'
+        type: choice
+        options:
+          - patch
+          - minor
+          - major
 
 jobs:
   publish:
@@ -14,6 +25,9 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.GITHUB_TOKEN }}
 
       - uses: oven-sh/setup-bun@v2
         with:
@@ -24,6 +38,10 @@ jobs:
           node-version: '20'
           registry-url: 'https://registry.npmjs.org'
 
+      # npm 11.5.1+ required for Trusted Publishing
+      - name: Update npm to latest
+        run: npm install -g npm@latest
+
       - name: Install dependencies
         run: bun install
 
@@ -36,37 +54,36 @@ jobs:
       - name: Build
         run: bun run build
 
-      - name: Check if version changed
+      - name: Bump version
         id: version
         run: |
-          LOCAL=$(node -p "require('./package.json').version")
-          REMOTE=$(npm view @morphllm/opencode-morph-plugin version 2>/dev/null || echo "0.0.0")
-          echo "local=$LOCAL" >> "$GITHUB_OUTPUT"
-          echo "remote=$REMOTE" >> "$GITHUB_OUTPUT"
-          if [ "$LOCAL" != "$REMOTE" ]; then
-            echo "changed=true" >> "$GITHUB_OUTPUT"
-          else
-            echo "changed=false" >> "$GITHUB_OUTPUT"
-          fi
+          git config --global user.name "github-actions[bot]"
+          git config --global user.email "github-actions[bot]@users.noreply.github.com"
+
+          git pull --rebase origin main
 
+          BUMP_TYPE="${{ github.event.inputs.version_bump || 'patch' }}"
+          npm version $BUMP_TYPE --no-git-tag-version
+          NEW_VERSION=$(node -p "require('./package.json').version")
+          echo "new_version=$NEW_VERSION" >> $GITHUB_OUTPUT
+
+          git add package.json
+          git commit -m "chore: bump to $NEW_VERSION [skip ci]"
+          git tag -f "v$NEW_VERSION"
+          git push origin main --tags --force
+
+      # Trusted Publishing: No NODE_AUTH_TOKEN needed!
+      # npm CLI auto-detects OIDC and handles auth via id-token permission
       - name: Publish to npm
-        if: steps.version.outputs.changed == 'true'
         run: npm publish --access public
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
       - name: Create GitHub Release
-        if: steps.version.outputs.changed == 'true'
         run: |
-          VERSION="v${{ steps.version.outputs.local }}"
-          NOTES=$(awk "/^## \[${VERSION#v}\]/{flag=1; next} /^## \[/{flag=0} flag" CHANGELOG.md)
-          NOTES_FILE="${RUNNER_TEMP}/release-notes.md"
-          echo "$NOTES" > "$NOTES_FILE"
-
+          VERSION="v${{ steps.version.outputs.new_version }}"
           if gh release view "$VERSION" >/dev/null 2>&1; then
-            gh release edit "$VERSION" --title "$VERSION" --notes-file "$NOTES_FILE"
+            gh release edit "$VERSION" --title "$VERSION" --notes "Published @morphllm/opencode-morph-plugin@${{ steps.version.outputs.new_version }}"
           else
-            gh release create "$VERSION" --title "$VERSION" --notes-file "$NOTES_FILE"
+            gh release create "$VERSION" --title "$VERSION" --notes "Published @morphllm/opencode-morph-plugin@${{ steps.version.outputs.new_version }}"
           fi
         env:
           GH_TOKEN: ${{ github.token }}
