@conduction/docusaurus-preset 0.1.0 → 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/README.md +16 -12
  2. package/package.json +1 -1
package/README.md CHANGED
@@ -139,32 +139,36 @@ This is how product sites such as `mydash.conduction.nl/docs/...` adopt the bran
139
139
 
140
140
  ## Releasing
141
141
 
142
- Releases are tag-triggered. Pushing a tag `vX.Y.Z` runs [.github/workflows/publish-packages.yml](../.github/workflows/publish-packages.yml), which publishes `@conduction/docusaurus-preset` to npm under the `@conduction` scope. The diagram primitives ship inside the same tarball under `src/diagrams/`, so there is exactly one npm release per tag.
142
+ Releases auto-publish on push to `main`. The [.github/workflows/publish-packages.yml](../.github/workflows/publish-packages.yml) workflow compares the version in this `package.json` against what's on `registry.npmjs.org`. Bump the version, push, the workflow publishes. No bump means no publish the workflow exits cleanly. Tag pushes (`v*`) and manual `workflow_dispatch` runs (with an optional dry-run flag) are accepted for explicit republishes and emergency holds.
143
143
 
144
- **One-time setup** (per repo, since Conduction keeps secrets repo-local):
144
+ The diagram primitives ship inside the same tarball under `src/diagrams/`, so there is exactly one npm release per push.
145
145
 
146
- 1. Sign in to npm with an account that's a member of the `@conduction` org and has publish rights on the scope. (`npm login` from the CLI, or via [npmjs.com](https://www.npmjs.com/login).)
147
- 2. Create an automation token under your *user* settings (npm tokens are user-level, not org-level): npmjs.com → avatar dropdown → "Access Tokens" → "Generate New Token" → **Automation**. Copy the value.
148
- 3. Add it as a repo secret: <https://github.com/ConductionNL/design-system/settings/secrets/actions> → "New repository secret" → name `NPM_TOKEN`, paste the token.
149
- 4. (Optional) Verify the workflow with a dry run: Actions → "Publish packages" → Run workflow → leave "dry_run" checked. Watch for `+ @conduction/docusaurus-preset@…` in the logs without an actual upload.
146
+ **One-time setup**: configure the npm Trusted Publisher (OIDC) link.
150
147
 
151
- The token publishes **on behalf of the user account**, not the org, so anyone with the right org-level permission can generate the token. Rotate by replacing the secret; no need to redeploy or amend the workflow.
148
+ 1. Open the package settings on npm: <https://www.npmjs.com/package/@conduction/docusaurus-preset/access>. Scroll to "Trusted Publisher" and click "Set up connection".
149
+ 2. Fill in:
150
+ - Publisher: GitHub Actions
151
+ - Organization or user: `ConductionNL`
152
+ - Repository: `design-system`
153
+ - Workflow filename: `publish-packages.yml`
154
+ - Environment name: leave empty (or set to a GitHub Environment if you later want a manual approval gate)
155
+ 3. Click "Set up connection".
156
+
157
+ That's it. There is no token to generate, no secret to install, no expiry to track. The workflow's `permissions: id-token: write` lets the runner request a short-lived OIDC token; npm validates the `{repo, workflow}` claim against the trust config and issues a one-shot publish credential. Each release is also signed with a [provenance attestation](https://docs.npmjs.com/generating-provenance-statements) so consumers can verify the build came from this exact workflow run.
152
158
 
153
159
  **Per release:**
154
160
 
155
161
  ```bash
156
162
  # Bump the preset version. The diagrams source ships inside the preset,
157
- # so there is one version to bump and one tag to push.
163
+ # so there is one version to bump.
158
164
  $EDITOR docusaurus-preset/package.json # "version": "0.2.0"
159
165
 
160
166
  git add docusaurus-preset/package.json
161
167
  git commit -m "Bump @conduction/docusaurus-preset to 0.2.0"
162
- git tag v0.2.0
163
- git push origin main
164
- git push origin v0.2.0 # this triggers the publish workflow
168
+ git push origin main # the workflow detects the bump and publishes
165
169
  ```
166
170
 
167
- The workflow runs `npm publish --workspace @conduction/docusaurus-preset --access public`. Watch the run on the Actions tab. If it fails, fix the issue, bump the patch (`0.2.1`), re-tag — npm rejects re-publishing the same version.
171
+ The workflow runs `npm publish --workspace @conduction/docusaurus-preset --access public`. Watch the run on the Actions tab. If it fails, fix the issue, bump the patch (`0.2.1`), push again — npm rejects re-publishing the same version, so a single failed run can't block a corrected re-bump.
168
172
 
169
173
  ## License
170
174
 
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@conduction/docusaurus-preset",
3
- "version": "0.1.0",
3
+ "version": "0.1.1",
4
4
  "description": "Conduction brand preset for Docusaurus 3. Tokens, theme, navbar, footer, i18n config for nl/en/de/fr, and the React component library that powers conduction.nl and the Conduction product sites.",
5
5
  "main": "src/index.js",
6
6
  "exports": {