| name | deployment-runbook |
|---|---|
| description | Deployment and release runbook for this repository using PR-first flow, Release Please, and npm trusted publishing. |
This runbook covers ongoing release operations for this repository:

- PR-first integration to `main`
- Automated release PRs via Release Please
- GitHub Release validation/package workflow
- npm publish via GitHub trusted publishing (OIDC)
- Clean local branch with intended release commits
- Local checks passing (`npm run check`)
- npm package name ownership for `proton-pass-community-mcp` (before first publish)
- Gate 1: explicit maintainer confirmation is required before any `git push` (including tags/branches/workflow changes).
- Gate 2: explicit maintainer confirmation is required before changing publish automation/auth settings.
Use this only when bootstrapping a new remote:

- Set the new remote URL as `origin`.
- Push initial branch(es) and establish `main`.
- Verify `main` is the default branch in GitHub.
- Enable GitHub Actions for the repository.
- Set workflow permissions to allow write access.
- Allow workflows to create pull requests when required by your org policy.
- Create a protected GitHub environment named `npm-publish`.
- Add workflow file `.github/workflows/publish-npm.yml` to `main`.
Configure trusted publishing on npm for this package:

- Open npm package settings for `proton-pass-community-mcp`.
- Under Trusted publishing, choose GitHub Actions.
- Configure:
  - GitHub owner/user: `hesreallyhim`
  - Repository: `proton-pass-community-mcp`
  - Workflow filename: `publish-npm.yml`
  - Environment name: `npm-publish`
- Save settings.
- Merge release-ready commits into `main` via PR (PR-first; no direct push to `main` in the default flow).
- Wait for CI workflow (`.github/workflows/ci.yml`) on `main` to pass.
- Wait for Release Please workflow (`.github/workflows/release-please.yml`) to open a release PR.
- Review the Release Please PR:
  - expected semver bump for current scope
  - changelog content matches intended scope
  - package metadata changes are correct
- Merge the Release Please PR.
- Wait for publish workflow (`.github/workflows/publish-npm.yml`) on `release.published`.
- Verify outputs:
  - expected git tag for the released version
  - GitHub Release created
  - `CHANGELOG.md` and version bump committed to `main`
  - npm package tarball asset (`.tgz`) uploaded to the GitHub Release
  - checksum file (`.sha256`) uploaded to the GitHub Release
  - workflow logs indicate `npm publish` succeeded
After first successful trusted publish:

- In npm package settings, set publishing access to `Require two-factor authentication and disallow tokens`.
- Revoke obsolete npm automation tokens.
- Keep publish execution gated behind maintainer release process controls.
- `CHANGELOG.md` is managed by Release Please. Do not maintain it manually.
- If Release Please proposes an unexpected version, do not merge; fix config first.
- Historical release-specific guidance for the initial release is archived at `docs/archived/DEPLOYMENT_0.1.md`.
- To force a specific release version, add a commit body footer with `Release-As: X.Y.Z` (case insensitive) on a commit merged to `main`.
- The publish workflow validates Node/npm minimums for trusted publishing (`Node >= 22.14.0`, `npm >= 11.5.1`).

Example:

```
chore: release 0.2.0

Release-As: 0.2.0
```
- No release PR appears:
  - confirm `release-please.yml` exists on `main`
  - confirm Actions permissions allow write
- Release PR version is wrong:
  - inspect commit history and release-please config
  - correct configuration, then rerun workflow
- CI failing on PR or `main`:
  - fix failures on branch/PR
  - re-run checks before merging
- Publish workflow ran but package not on npm:
  - confirm npm trusted publisher points at `publish-npm.yml`
  - confirm trusted publisher environment claim matches workflow (`npm-publish`)
  - confirm release was not marked prerelease
- npm publish authentication failed:
  - verify workflow permissions include `id-token: write`
  - verify run is on GitHub-hosted runner and public repo
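As an added illustration (not the repository's actual `publish-npm.yml`), a workflow shaped to satisfy the release flow above and the troubleshooting items just listed: the `release.published` trigger, the prerelease guard, `id-token: write`, the `npm-publish` environment, the Node/npm minimums, and the `.tgz`/`.sha256` assets attached to the GitHub Release. The action versions, the `npm run check` step and the `node -e` version check are assumptions, not something the runbook specifies.

```yaml
name: publish-npm
# Trusted publishing: no NPM_TOKEN secret; npm verifies the GitHub OIDC token instead.
on:
  release:
    types: [published]   # the release.published event the runbook waits for

permissions:
  contents: write   # needed to attach the .tgz/.sha256 assets to the Release
  id-token: write   # needed to mint the OIDC token npm trusted publishing checks

jobs:
  publish:
    if: ${{ !github.event.release.prerelease }}   # prereleases are not published
    runs-on: ubuntu-latest                          # must be a GitHub-hosted runner
    environment: npm-publish                        # must match the npm trusted publisher config
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '22'
          registry-url: 'https://registry.npmjs.org'
      - name: Upgrade npm (trusted publishing needs npm >= 11.5.1)
        run: npm install -g npm@latest
      - name: Validate Node/npm minimums (assumed check, not the repository's own)
        run: |
          node -e '
            const ge = (v, min) => { const a = v.split(".").map(Number), b = min.split(".").map(Number);
              for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] > b[i]; return true; };
            const npmv = require("child_process").execSync("npm --version").toString().trim();
            if (!ge(process.versions.node, "22.14.0")) { console.error("Node >= 22.14.0 required"); process.exit(1); }
            if (!ge(npmv, "11.5.1")) { console.error("npm >= 11.5.1 required, got " + npmv); process.exit(1); }
          '
      - run: npm ci
      - run: npm run check   # assumed: the same local gate the runbook lists as a prerequisite
      - name: Build tarball and checksum
        run: |
          npm pack
          TARBALL="$(ls -1 *.tgz | head -n 1)"
          sha256sum "$TARBALL" > "$TARBALL.sha256"
          echo "TARBALL=$TARBALL" >> "$GITHUB_ENV"
      - name: Attach assets to the GitHub Release
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh release upload "${{ github.event.release.tag_name }}" "$TARBALL" "$TARBALL.sha256"
      - name: Publish via trusted publishing
        run: npm publish
```

If the publish step fails with an authentication error, the first things to compare against this shape are the `permissions` block, the `environment` name and whether the job ran on a GitHub-hosted runner, which is exactly the troubleshooting order above.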