projen 0.81.17__py3-none-any.whl → 0.98.25__py3-none-any.whl

projen/release/__init__.py

@@ -11,7 +11,22 @@ import jsii
 import publication
 import typing_extensions
 
-from typeguard import check_type
+import typeguard
+from importlib.metadata import version as _metadata_package_version
+TYPEGUARD_MAJOR_VERSION = int(_metadata_package_version('typeguard').split('.')[0])
+
+def check_type(argname: str, value: object, expected_type: typing.Any) -> typing.Any:
+    if TYPEGUARD_MAJOR_VERSION <= 2:
+        return typeguard.check_type(argname=argname, value=value, expected_type=expected_type) # type:ignore
+    else:
+        if isinstance(value, jsii._reference_map.InterfaceDynamicProxy): # pyright: ignore [reportAttributeAccessIssue]
+           pass
+        else:
+            if TYPEGUARD_MAJOR_VERSION == 3:
+                typeguard.config.collection_check_strategy = typeguard.CollectionCheckStrategy.ALL_ITEMS # type:ignore
+                typeguard.check_type(value=value, expected_type=expected_type) # type:ignore
+            else:
+                typeguard.check_type(value=value, expected_type=expected_type, collection_check_strategy=typeguard.CollectionCheckStrategy.ALL_ITEMS) # type:ignore
 
 from .._jsii import *
 
@@ -36,6 +51,7 @@ from ..github.workflows import (
     jsii_struct_bases=[],
     name_mapping={
         "major_version": "majorVersion",
+        "environment": "environment",
         "min_major_version": "minMajorVersion",
         "minor_version": "minorVersion",
         "npm_dist_tag": "npmDistTag",
@@ -49,6 +65,7 @@ class BranchOptions:
         self,
         *,
         major_version: jsii.Number,
+        environment: typing.Optional[builtins.str] = None,
         min_major_version: typing.Optional[jsii.Number] = None,
         minor_version: typing.Optional[jsii.Number] = None,
         npm_dist_tag: typing.Optional[builtins.str] = None,
@@ -59,6 +76,7 @@ class BranchOptions:
         '''(experimental) Options for a release branch.
 
         :param major_version: (experimental) The major versions released from this branch.
+        :param environment: (experimental) The GitHub Actions environment used for the release. This can be used to add an explicit approval step to the release or limit who can initiate a release through environment protection rules. When multiple artifacts are released, the environment can be overwritten on a per artifact basis. Default: - no environment used, unless set at the artifact level
         :param min_major_version: (experimental) The minimum major version to release.
         :param minor_version: (experimental) The minor versions released from this branch.
         :param npm_dist_tag: (experimental) The npm distribution tag to use for this branch. Default: "latest"
@@ -71,6 +89,7 @@ class BranchOptions:
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__6f62eb98000deee3820f046309b2262c5063c0cb9581232fd1a44731f86986d7)
             check_type(argname="argument major_version", value=major_version, expected_type=type_hints["major_version"])
+            check_type(argname="argument environment", value=environment, expected_type=type_hints["environment"])
             check_type(argname="argument min_major_version", value=min_major_version, expected_type=type_hints["min_major_version"])
             check_type(argname="argument minor_version", value=minor_version, expected_type=type_hints["minor_version"])
             check_type(argname="argument npm_dist_tag", value=npm_dist_tag, expected_type=type_hints["npm_dist_tag"])
@@ -80,6 +99,8 @@ class BranchOptions:
         self._values: typing.Dict[builtins.str, typing.Any] = {
             "major_version": major_version,
         }
+        if environment is not None:
+            self._values["environment"] = environment
         if min_major_version is not None:
             self._values["min_major_version"] = min_major_version
         if minor_version is not None:
@@ -103,6 +124,23 @@ class BranchOptions:
         assert result is not None, "Required property 'major_version' is missing"
         return typing.cast(jsii.Number, result)
 
+    @builtins.property
+    def environment(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The GitHub Actions environment used for the release.
+
+        This can be used to add an explicit approval step to the release
+        or limit who can initiate a release through environment protection rules.
+
+        When multiple artifacts are released, the environment can be overwritten
+        on a per artifact basis.
+
+        :default: - no environment used, unless set at the artifact level
+
+        :stability: experimental
+        '''
+        result = self._values.get("environment")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def min_major_version(self) -> typing.Optional[jsii.Number]:
         '''(experimental) The minimum major version to release.
@@ -325,6 +363,7 @@ class CodeArtifactOptions:
     jsii_type="projen.release.CommonPublishOptions",
     jsii_struct_bases=[],
     name_mapping={
+        "github_environment": "githubEnvironment",
         "post_publish_steps": "postPublishSteps",
         "pre_publish_steps": "prePublishSteps",
         "publish_tools": "publishTools",
@@ -334,14 +373,16 @@ class CommonPublishOptions:
     def __init__(
         self,
         *,
+        github_environment: typing.Optional[builtins.str] = None,
         post_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         pre_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         publish_tools: typing.Optional[typing.Union[_Tools_75b93a2a, typing.Dict[builtins.str, typing.Any]]] = None,
     ) -> None:
         '''(experimental) Common publishing options.
 
+        :param github_environment: (experimental) The GitHub Actions environment used for publishing. This can be used to add an explicit approval step to the release or limit who can initiate a release through environment protection rules. Set this to overwrite a package level publishing environment just for this artifact. Default: - no environment used, unless set at the package level
         :param post_publish_steps: (experimental) Steps to execute after executing the publishing command. These can be used to add/update the release artifacts ot any other tasks needed. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPostPublishingSteps``.
-        :param pre_publish_steps: (experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if neede. These steps are executed after ``dist/`` has been populated with the build output. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPrePublishingSteps``.
+        :param pre_publish_steps: (experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if needed. These steps are executed after ``dist/`` has been populated with the build output. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPrePublishingSteps``.
         :param publish_tools: (experimental) Additional tools to install in the publishing job. Default: - no additional tools are installed
 
         :stability: experimental
@@ -350,10 +391,13 @@ class CommonPublishOptions:
             publish_tools = _Tools_75b93a2a(**publish_tools)
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__9603f09b67279d5ef3dc921367168d873983210161b1d6382c369d0b9ec13b0a)
+            check_type(argname="argument github_environment", value=github_environment, expected_type=type_hints["github_environment"])
             check_type(argname="argument post_publish_steps", value=post_publish_steps, expected_type=type_hints["post_publish_steps"])
             check_type(argname="argument pre_publish_steps", value=pre_publish_steps, expected_type=type_hints["pre_publish_steps"])
             check_type(argname="argument publish_tools", value=publish_tools, expected_type=type_hints["publish_tools"])
         self._values: typing.Dict[builtins.str, typing.Any] = {}
+        if github_environment is not None:
+            self._values["github_environment"] = github_environment
         if post_publish_steps is not None:
             self._values["post_publish_steps"] = post_publish_steps
         if pre_publish_steps is not None:
@@ -361,6 +405,22 @@ class CommonPublishOptions:
         if publish_tools is not None:
             self._values["publish_tools"] = publish_tools
 
+    @builtins.property
+    def github_environment(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The GitHub Actions environment used for publishing.
+
+        This can be used to add an explicit approval step to the release
+        or limit who can initiate a release through environment protection rules.
+
+        Set this to overwrite a package level publishing environment just for this artifact.
+
+        :default: - no environment used, unless set at the package level
+
+        :stability: experimental
+        '''
+        result = self._values.get("github_environment")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def post_publish_steps(self) -> typing.Optional[typing.List[_JobStep_c3287c05]]:
         '''(experimental) Steps to execute after executing the publishing command.
@@ -377,7 +437,7 @@ class CommonPublishOptions:
 
     @builtins.property
     def pre_publish_steps(self) -> typing.Optional[typing.List[_JobStep_c3287c05]]:
-        '''(experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if neede.
+        '''(experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if needed.
 
         These steps are executed after ``dist/`` has been populated with the build
         output.
@@ -460,6 +520,7 @@ class ContinuousReleaseOptions:
     jsii_type="projen.release.GitHubReleasesPublishOptions",
     jsii_struct_bases=[CommonPublishOptions],
     name_mapping={
+        "github_environment": "githubEnvironment",
         "post_publish_steps": "postPublishSteps",
         "pre_publish_steps": "prePublishSteps",
         "publish_tools": "publishTools",
@@ -472,6 +533,7 @@ class GitHubReleasesPublishOptions(CommonPublishOptions):
     def __init__(
         self,
         *,
+        github_environment: typing.Optional[builtins.str] = None,
         post_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         pre_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         publish_tools: typing.Optional[typing.Union[_Tools_75b93a2a, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -481,8 +543,9 @@ class GitHubReleasesPublishOptions(CommonPublishOptions):
     ) -> None:
         '''(experimental) Publishing options for GitHub releases.
 
+        :param github_environment: (experimental) The GitHub Actions environment used for publishing. This can be used to add an explicit approval step to the release or limit who can initiate a release through environment protection rules. Set this to overwrite a package level publishing environment just for this artifact. Default: - no environment used, unless set at the package level
         :param post_publish_steps: (experimental) Steps to execute after executing the publishing command. These can be used to add/update the release artifacts ot any other tasks needed. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPostPublishingSteps``.
-        :param pre_publish_steps: (experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if neede. These steps are executed after ``dist/`` has been populated with the build output. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPrePublishingSteps``.
+        :param pre_publish_steps: (experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if needed. These steps are executed after ``dist/`` has been populated with the build output. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPrePublishingSteps``.
         :param publish_tools: (experimental) Additional tools to install in the publishing job. Default: - no additional tools are installed
         :param changelog_file: (experimental) The location of an .md file (relative to ``dist/``) that includes the changelog for the release.
         :param release_tag_file: (experimental) The location of a text file (relative to ``dist/``) that contains the release tag.
@@ -494,6 +557,7 @@ class GitHubReleasesPublishOptions(CommonPublishOptions):
             publish_tools = _Tools_75b93a2a(**publish_tools)
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__c7008ba35b00dedc375d87db7a317e8f077475b6a4e334303337c92bb77171fb)
+            check_type(argname="argument github_environment", value=github_environment, expected_type=type_hints["github_environment"])
             check_type(argname="argument post_publish_steps", value=post_publish_steps, expected_type=type_hints["post_publish_steps"])
             check_type(argname="argument pre_publish_steps", value=pre_publish_steps, expected_type=type_hints["pre_publish_steps"])
             check_type(argname="argument publish_tools", value=publish_tools, expected_type=type_hints["publish_tools"])
@@ -505,6 +569,8 @@ class GitHubReleasesPublishOptions(CommonPublishOptions):
             "release_tag_file": release_tag_file,
             "version_file": version_file,
         }
+        if github_environment is not None:
+            self._values["github_environment"] = github_environment
         if post_publish_steps is not None:
             self._values["post_publish_steps"] = post_publish_steps
         if pre_publish_steps is not None:
@@ -512,6 +578,22 @@ class GitHubReleasesPublishOptions(CommonPublishOptions):
         if publish_tools is not None:
             self._values["publish_tools"] = publish_tools
 
+    @builtins.property
+    def github_environment(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The GitHub Actions environment used for publishing.
+
+        This can be used to add an explicit approval step to the release
+        or limit who can initiate a release through environment protection rules.
+
+        Set this to overwrite a package level publishing environment just for this artifact.
+
+        :default: - no environment used, unless set at the package level
+
+        :stability: experimental
+        '''
+        result = self._values.get("github_environment")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def post_publish_steps(self) -> typing.Optional[typing.List[_JobStep_c3287c05]]:
         '''(experimental) Steps to execute after executing the publishing command.
@@ -528,7 +610,7 @@ class GitHubReleasesPublishOptions(CommonPublishOptions):
 
     @builtins.property
     def pre_publish_steps(self) -> typing.Optional[typing.List[_JobStep_c3287c05]]:
-        '''(experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if neede.
+        '''(experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if needed.
 
         These steps are executed after ``dist/`` has been populated with the build
         output.
@@ -748,13 +830,13 @@ class GitPublishOptions:
     jsii_type="projen.release.GoPublishOptions",
     jsii_struct_bases=[CommonPublishOptions],
     name_mapping={
+        "github_environment": "githubEnvironment",
         "post_publish_steps": "postPublishSteps",
         "pre_publish_steps": "prePublishSteps",
         "publish_tools": "publishTools",
         "git_branch": "gitBranch",
         "git_commit_message": "gitCommitMessage",
         "github_deploy_key_secret": "githubDeployKeySecret",
-        "github_repo": "githubRepo",
         "github_token_secret": "githubTokenSecret",
         "github_use_ssh": "githubUseSsh",
         "git_user_email": "gitUserEmail",
@@ -765,13 +847,13 @@ class GoPublishOptions(CommonPublishOptions):
     def __init__(
         self,
         *,
+        github_environment: typing.Optional[builtins.str] = None,
         post_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         pre_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         publish_tools: typing.Optional[typing.Union[_Tools_75b93a2a, typing.Dict[builtins.str, typing.Any]]] = None,
         git_branch: typing.Optional[builtins.str] = None,
         git_commit_message: typing.Optional[builtins.str] = None,
         github_deploy_key_secret: typing.Optional[builtins.str] = None,
-        github_repo: typing.Optional[builtins.str] = None,
         github_token_secret: typing.Optional[builtins.str] = None,
         github_use_ssh: typing.Optional[builtins.bool] = None,
         git_user_email: typing.Optional[builtins.str] = None,
@@ -779,17 +861,17 @@ class GoPublishOptions(CommonPublishOptions):
     ) -> None:
         '''(experimental) Options for Go releases.
 
+        :param github_environment: (experimental) The GitHub Actions environment used for publishing. This can be used to add an explicit approval step to the release or limit who can initiate a release through environment protection rules. Set this to overwrite a package level publishing environment just for this artifact. Default: - no environment used, unless set at the package level
         :param post_publish_steps: (experimental) Steps to execute after executing the publishing command. These can be used to add/update the release artifacts ot any other tasks needed. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPostPublishingSteps``.
-        :param pre_publish_steps: (experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if neede. These steps are executed after ``dist/`` has been populated with the build output. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPrePublishingSteps``.
+        :param pre_publish_steps: (experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if needed. These steps are executed after ``dist/`` has been populated with the build output. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPrePublishingSteps``.
         :param publish_tools: (experimental) Additional tools to install in the publishing job. Default: - no additional tools are installed
         :param git_branch: (experimental) Branch to push to. Default: "main"
         :param git_commit_message: (experimental) The commit message. Default: "chore(release): $VERSION"
         :param github_deploy_key_secret: (experimental) The name of the secret that includes a GitHub deploy key used to push to the GitHub repository. Ignored if ``githubUseSsh`` is ``false``. Default: "GO_GITHUB_DEPLOY_KEY"
-        :param github_repo: (experimental) GitHub repository to push to. Default: - derived from ``moduleName``
         :param github_token_secret: (experimental) The name of the secret that includes a personal GitHub access token used to push to the GitHub repository. Ignored if ``githubUseSsh`` is ``true``. Default: "GO_GITHUB_TOKEN"
         :param github_use_ssh: (experimental) Use SSH to push to GitHub instead of a personal accses token. Default: false
-        :param git_user_email: (experimental) The email to use in the release git commit. Default: "github-actions@github.com"
-        :param git_user_name: (experimental) The user name to use for the release git commit. Default: "github-actions"
+        :param git_user_email: (experimental) The email to use in the release git commit. Default: - default GitHub Actions user email
+        :param git_user_name: (experimental) The user name to use for the release git commit. Default: - default GitHub Actions user name
 
         :stability: experimental
         '''
@@ -797,18 +879,20 @@ class GoPublishOptions(CommonPublishOptions):
             publish_tools = _Tools_75b93a2a(**publish_tools)
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__81a5b8a4f17bcea99089b42477d5b778fd3a9066d3d1126736ccf21a9c44bfbc)
+            check_type(argname="argument github_environment", value=github_environment, expected_type=type_hints["github_environment"])
             check_type(argname="argument post_publish_steps", value=post_publish_steps, expected_type=type_hints["post_publish_steps"])
             check_type(argname="argument pre_publish_steps", value=pre_publish_steps, expected_type=type_hints["pre_publish_steps"])
             check_type(argname="argument publish_tools", value=publish_tools, expected_type=type_hints["publish_tools"])
             check_type(argname="argument git_branch", value=git_branch, expected_type=type_hints["git_branch"])
             check_type(argname="argument git_commit_message", value=git_commit_message, expected_type=type_hints["git_commit_message"])
             check_type(argname="argument github_deploy_key_secret", value=github_deploy_key_secret, expected_type=type_hints["github_deploy_key_secret"])
-            check_type(argname="argument github_repo", value=github_repo, expected_type=type_hints["github_repo"])
             check_type(argname="argument github_token_secret", value=github_token_secret, expected_type=type_hints["github_token_secret"])
             check_type(argname="argument github_use_ssh", value=github_use_ssh, expected_type=type_hints["github_use_ssh"])
             check_type(argname="argument git_user_email", value=git_user_email, expected_type=type_hints["git_user_email"])
             check_type(argname="argument git_user_name", value=git_user_name, expected_type=type_hints["git_user_name"])
         self._values: typing.Dict[builtins.str, typing.Any] = {}
+        if github_environment is not None:
+            self._values["github_environment"] = github_environment
         if post_publish_steps is not None:
             self._values["post_publish_steps"] = post_publish_steps
         if pre_publish_steps is not None:
@@ -821,8 +905,6 @@ class GoPublishOptions(CommonPublishOptions):
             self._values["git_commit_message"] = git_commit_message
         if github_deploy_key_secret is not None:
             self._values["github_deploy_key_secret"] = github_deploy_key_secret
-        if github_repo is not None:
-            self._values["github_repo"] = github_repo
         if github_token_secret is not None:
             self._values["github_token_secret"] = github_token_secret
         if github_use_ssh is not None:
@@ -832,6 +914,22 @@ class GoPublishOptions(CommonPublishOptions):
         if git_user_name is not None:
             self._values["git_user_name"] = git_user_name
 
+    @builtins.property
+    def github_environment(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The GitHub Actions environment used for publishing.
+
+        This can be used to add an explicit approval step to the release
+        or limit who can initiate a release through environment protection rules.
+
+        Set this to overwrite a package level publishing environment just for this artifact.
+
+        :default: - no environment used, unless set at the package level
+
+        :stability: experimental
+        '''
+        result = self._values.get("github_environment")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def post_publish_steps(self) -> typing.Optional[typing.List[_JobStep_c3287c05]]:
         '''(experimental) Steps to execute after executing the publishing command.
@@ -848,7 +946,7 @@ class GoPublishOptions(CommonPublishOptions):
 
     @builtins.property
     def pre_publish_steps(self) -> typing.Optional[typing.List[_JobStep_c3287c05]]:
-        '''(experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if neede.
+        '''(experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if needed.
 
         These steps are executed after ``dist/`` has been populated with the build
         output.
@@ -906,17 +1004,6 @@ class GoPublishOptions(CommonPublishOptions):
         result = self._values.get("github_deploy_key_secret")
         return typing.cast(typing.Optional[builtins.str], result)
 
-    @builtins.property
-    def github_repo(self) -> typing.Optional[builtins.str]:
-        '''(experimental) GitHub repository to push to.
-
-        :default: - derived from ``moduleName``
-
-        :stability: experimental
-        '''
-        result = self._values.get("github_repo")
-        return typing.cast(typing.Optional[builtins.str], result)
-
     @builtins.property
     def github_token_secret(self) -> typing.Optional[builtins.str]:
         '''(experimental) The name of the secret that includes a personal GitHub access token used to push to the GitHub repository.
@@ -945,7 +1032,7 @@ class GoPublishOptions(CommonPublishOptions):
     def git_user_email(self) -> typing.Optional[builtins.str]:
         '''(experimental) The email to use in the release git commit.
 
-        :default: "github-actions@github.com"
+        :default: - default GitHub Actions user email
 
         :stability: experimental
         '''
@@ -956,7 +1043,7 @@ class GoPublishOptions(CommonPublishOptions):
     def git_user_name(self) -> typing.Optional[builtins.str]:
         '''(experimental) The user name to use for the release git commit.
 
-        :default: "github-actions"
+        :default: - default GitHub Actions user name
 
         :stability: experimental
         '''
@@ -979,13 +1066,13 @@ class GoPublishOptions(CommonPublishOptions):
     jsii_type="projen.release.JsiiReleaseGo",
     jsii_struct_bases=[GoPublishOptions],
     name_mapping={
+        "github_environment": "githubEnvironment",
         "post_publish_steps": "postPublishSteps",
         "pre_publish_steps": "prePublishSteps",
         "publish_tools": "publishTools",
         "git_branch": "gitBranch",
         "git_commit_message": "gitCommitMessage",
         "github_deploy_key_secret": "githubDeployKeySecret",
-        "github_repo": "githubRepo",
         "github_token_secret": "githubTokenSecret",
         "github_use_ssh": "githubUseSsh",
         "git_user_email": "gitUserEmail",
@@ -996,30 +1083,30 @@ class JsiiReleaseGo(GoPublishOptions):
     def __init__(
         self,
         *,
+        github_environment: typing.Optional[builtins.str] = None,
         post_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         pre_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         publish_tools: typing.Optional[typing.Union[_Tools_75b93a2a, typing.Dict[builtins.str, typing.Any]]] = None,
         git_branch: typing.Optional[builtins.str] = None,
         git_commit_message: typing.Optional[builtins.str] = None,
         github_deploy_key_secret: typing.Optional[builtins.str] = None,
-        github_repo: typing.Optional[builtins.str] = None,
         github_token_secret: typing.Optional[builtins.str] = None,
         github_use_ssh: typing.Optional[builtins.bool] = None,
         git_user_email: typing.Optional[builtins.str] = None,
         git_user_name: typing.Optional[builtins.str] = None,
     ) -> None:
         '''
+        :param github_environment: (experimental) The GitHub Actions environment used for publishing. This can be used to add an explicit approval step to the release or limit who can initiate a release through environment protection rules. Set this to overwrite a package level publishing environment just for this artifact. Default: - no environment used, unless set at the package level
         :param post_publish_steps: (experimental) Steps to execute after executing the publishing command. These can be used to add/update the release artifacts ot any other tasks needed. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPostPublishingSteps``.
-        :param pre_publish_steps: (experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if neede. These steps are executed after ``dist/`` has been populated with the build output. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPrePublishingSteps``.
+        :param pre_publish_steps: (experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if needed. These steps are executed after ``dist/`` has been populated with the build output. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPrePublishingSteps``.
         :param publish_tools: (experimental) Additional tools to install in the publishing job. Default: - no additional tools are installed
         :param git_branch: (experimental) Branch to push to. Default: "main"
         :param git_commit_message: (experimental) The commit message. Default: "chore(release): $VERSION"
         :param github_deploy_key_secret: (experimental) The name of the secret that includes a GitHub deploy key used to push to the GitHub repository. Ignored if ``githubUseSsh`` is ``false``. Default: "GO_GITHUB_DEPLOY_KEY"
-        :param github_repo: (experimental) GitHub repository to push to. Default: - derived from ``moduleName``
         :param github_token_secret: (experimental) The name of the secret that includes a personal GitHub access token used to push to the GitHub repository. Ignored if ``githubUseSsh`` is ``true``. Default: "GO_GITHUB_TOKEN"
         :param github_use_ssh: (experimental) Use SSH to push to GitHub instead of a personal accses token. Default: false
-        :param git_user_email: (experimental) The email to use in the release git commit. Default: "github-actions@github.com"
-        :param git_user_name: (experimental) The user name to use for the release git commit. Default: "github-actions"
+        :param git_user_email: (experimental) The email to use in the release git commit. Default: - default GitHub Actions user email
+        :param git_user_name: (experimental) The user name to use for the release git commit. Default: - default GitHub Actions user name
 
         :deprecated: Use ``GoPublishOptions`` instead.
 
@@ -1029,18 +1116,20 @@ class JsiiReleaseGo(GoPublishOptions):
             publish_tools = _Tools_75b93a2a(**publish_tools)
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__44bae65cd3313afa37ada6dbaab99141ff7744458e985bc9c53faa021220e167)
+            check_type(argname="argument github_environment", value=github_environment, expected_type=type_hints["github_environment"])
             check_type(argname="argument post_publish_steps", value=post_publish_steps, expected_type=type_hints["post_publish_steps"])
             check_type(argname="argument pre_publish_steps", value=pre_publish_steps, expected_type=type_hints["pre_publish_steps"])
             check_type(argname="argument publish_tools", value=publish_tools, expected_type=type_hints["publish_tools"])
             check_type(argname="argument git_branch", value=git_branch, expected_type=type_hints["git_branch"])
             check_type(argname="argument git_commit_message", value=git_commit_message, expected_type=type_hints["git_commit_message"])
             check_type(argname="argument github_deploy_key_secret", value=github_deploy_key_secret, expected_type=type_hints["github_deploy_key_secret"])
-            check_type(argname="argument github_repo", value=github_repo, expected_type=type_hints["github_repo"])
             check_type(argname="argument github_token_secret", value=github_token_secret, expected_type=type_hints["github_token_secret"])
             check_type(argname="argument github_use_ssh", value=github_use_ssh, expected_type=type_hints["github_use_ssh"])
             check_type(argname="argument git_user_email", value=git_user_email, expected_type=type_hints["git_user_email"])
             check_type(argname="argument git_user_name", value=git_user_name, expected_type=type_hints["git_user_name"])
         self._values: typing.Dict[builtins.str, typing.Any] = {}
+        if github_environment is not None:
+            self._values["github_environment"] = github_environment
         if post_publish_steps is not None:
             self._values["post_publish_steps"] = post_publish_steps
         if pre_publish_steps is not None:
@@ -1053,8 +1142,6 @@ class JsiiReleaseGo(GoPublishOptions):
             self._values["git_commit_message"] = git_commit_message
         if github_deploy_key_secret is not None:
             self._values["github_deploy_key_secret"] = github_deploy_key_secret
-        if github_repo is not None:
-            self._values["github_repo"] = github_repo
         if github_token_secret is not None:
             self._values["github_token_secret"] = github_token_secret
         if github_use_ssh is not None:
@@ -1064,6 +1151,22 @@ class JsiiReleaseGo(GoPublishOptions):
         if git_user_name is not None:
             self._values["git_user_name"] = git_user_name
 
+    @builtins.property
+    def github_environment(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The GitHub Actions environment used for publishing.
+
+        This can be used to add an explicit approval step to the release
+        or limit who can initiate a release through environment protection rules.
+
+        Set this to overwrite a package level publishing environment just for this artifact.
+
+        :default: - no environment used, unless set at the package level
+
+        :stability: experimental
+        '''
+        result = self._values.get("github_environment")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def post_publish_steps(self) -> typing.Optional[typing.List[_JobStep_c3287c05]]:
         '''(experimental) Steps to execute after executing the publishing command.
@@ -1080,7 +1183,7 @@ class JsiiReleaseGo(GoPublishOptions):
 
     @builtins.property
     def pre_publish_steps(self) -> typing.Optional[typing.List[_JobStep_c3287c05]]:
-        '''(experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if neede.
+        '''(experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if needed.
 
         These steps are executed after ``dist/`` has been populated with the build
         output.
@@ -1138,17 +1241,6 @@ class JsiiReleaseGo(GoPublishOptions):
         result = self._values.get("github_deploy_key_secret")
         return typing.cast(typing.Optional[builtins.str], result)
 
-    @builtins.property
-    def github_repo(self) -> typing.Optional[builtins.str]:
-        '''(experimental) GitHub repository to push to.
-
-        :default: - derived from ``moduleName``
-
-        :stability: experimental
-        '''
-        result = self._values.get("github_repo")
-        return typing.cast(typing.Optional[builtins.str], result)
-
     @builtins.property
     def github_token_secret(self) -> typing.Optional[builtins.str]:
         '''(experimental) The name of the secret that includes a personal GitHub access token used to push to the GitHub repository.
@@ -1177,7 +1269,7 @@ class JsiiReleaseGo(GoPublishOptions):
     def git_user_email(self) -> typing.Optional[builtins.str]:
         '''(experimental) The email to use in the release git commit.
 
-        :default: "github-actions@github.com"
+        :default: - default GitHub Actions user email
 
         :stability: experimental
         '''
@@ -1188,7 +1280,7 @@ class JsiiReleaseGo(GoPublishOptions):
     def git_user_name(self) -> typing.Optional[builtins.str]:
         '''(experimental) The user name to use for the release git commit.
 
-        :default: "github-actions"
+        :default: - default GitHub Actions user name
 
         :stability: experimental
         '''
@@ -1295,6 +1387,7 @@ class ManualReleaseOptions:
     jsii_type="projen.release.MavenPublishOptions",
     jsii_struct_bases=[CommonPublishOptions],
     name_mapping={
+        "github_environment": "githubEnvironment",
         "post_publish_steps": "postPublishSteps",
         "pre_publish_steps": "prePublishSteps",
         "publish_tools": "publishTools",
@@ -1312,6 +1405,7 @@ class MavenPublishOptions(CommonPublishOptions):
     def __init__(
         self,
         *,
+        github_environment: typing.Optional[builtins.str] = None,
         post_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         pre_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         publish_tools: typing.Optional[typing.Union[_Tools_75b93a2a, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -1326,15 +1420,16 @@ class MavenPublishOptions(CommonPublishOptions):
     ) -> None:
         '''(experimental) Options for Maven releases.
 
+        :param github_environment: (experimental) The GitHub Actions environment used for publishing. This can be used to add an explicit approval step to the release or limit who can initiate a release through environment protection rules. Set this to overwrite a package level publishing environment just for this artifact. Default: - no environment used, unless set at the package level
         :param post_publish_steps: (experimental) Steps to execute after executing the publishing command. These can be used to add/update the release artifacts ot any other tasks needed. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPostPublishingSteps``.
-        :param pre_publish_steps: (experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if neede. These steps are executed after ``dist/`` has been populated with the build output. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPrePublishingSteps``.
+        :param pre_publish_steps: (experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if needed. These steps are executed after ``dist/`` has been populated with the build output. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPrePublishingSteps``.
         :param publish_tools: (experimental) Additional tools to install in the publishing job. Default: - no additional tools are installed
-        :param maven_endpoint: (experimental) URL of Nexus repository. if not set, defaults to https://oss.sonatype.org Default: "https://oss.sonatype.org"
+        :param maven_endpoint: (experimental) URL of Nexus repository. if not set, defaults to https://oss.sonatype.org Default: - "https://oss.sonatype.org" or none when publishing to Maven Central
         :param maven_gpg_private_key_passphrase: (experimental) GitHub secret name which contains the GPG private key or file that includes it. This is used to sign your Maven packages. See instructions. Default: "MAVEN_GPG_PRIVATE_KEY_PASSPHRASE" or not set when using GitHub Packages
         :param maven_gpg_private_key_secret: (experimental) GitHub secret name which contains the GPG private key or file that includes it. This is used to sign your Maven packages. See instructions. Default: "MAVEN_GPG_PRIVATE_KEY" or not set when using GitHub Packages
         :param maven_password: (experimental) GitHub secret name which contains the Password for maven repository. For Maven Central, you will need to Create JIRA account and then request a new project (see links). Default: "MAVEN_PASSWORD" or "GITHUB_TOKEN" when using GitHub Packages
         :param maven_repository_url: (experimental) Deployment repository when not deploying to Maven Central. Default: - not set
-        :param maven_server_id: (experimental) Used in maven settings for credential lookup (e.g. use github when publishing to GitHub). Default: "ossrh" (Maven Central) or "github" when using GitHub Packages
+        :param maven_server_id: (experimental) Used in maven settings for credential lookup (e.g. use github when publishing to GitHub). Set to ``central-ossrh`` to publish to Maven Central. Default: "central-ossrh" (Maven Central) or "github" when using GitHub Packages
         :param maven_staging_profile_id: (experimental) GitHub secret name which contains the Maven Central (sonatype) staging profile ID (e.g. 68a05363083174). Staging profile ID can be found in the URL of the "Releases" staging profile under "Staging Profiles" in https://oss.sonatype.org (e.g. https://oss.sonatype.org/#stagingProfiles;11a33451234521). Default: "MAVEN_STAGING_PROFILE_ID" or not set when using GitHub Packages
         :param maven_username: (experimental) GitHub secret name which contains the Username for maven repository. For Maven Central, you will need to Create JIRA account and then request a new project (see links). Default: "MAVEN_USERNAME" or the GitHub Actor when using GitHub Packages
 
@@ -1344,6 +1439,7 @@ class MavenPublishOptions(CommonPublishOptions):
             publish_tools = _Tools_75b93a2a(**publish_tools)
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__da2d55bfa47dd9e6869b7f55b573dea54539ab2e9b833766e4140d6d4c4c3d7e)
+            check_type(argname="argument github_environment", value=github_environment, expected_type=type_hints["github_environment"])
             check_type(argname="argument post_publish_steps", value=post_publish_steps, expected_type=type_hints["post_publish_steps"])
             check_type(argname="argument pre_publish_steps", value=pre_publish_steps, expected_type=type_hints["pre_publish_steps"])
             check_type(argname="argument publish_tools", value=publish_tools, expected_type=type_hints["publish_tools"])
@@ -1356,6 +1452,8 @@ class MavenPublishOptions(CommonPublishOptions):
             check_type(argname="argument maven_staging_profile_id", value=maven_staging_profile_id, expected_type=type_hints["maven_staging_profile_id"])
             check_type(argname="argument maven_username", value=maven_username, expected_type=type_hints["maven_username"])
         self._values: typing.Dict[builtins.str, typing.Any] = {}
+        if github_environment is not None:
+            self._values["github_environment"] = github_environment
         if post_publish_steps is not None:
             self._values["post_publish_steps"] = post_publish_steps
         if pre_publish_steps is not None:
@@ -1379,6 +1477,22 @@ class MavenPublishOptions(CommonPublishOptions):
         if maven_username is not None:
             self._values["maven_username"] = maven_username
 
+    @builtins.property
+    def github_environment(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The GitHub Actions environment used for publishing.
+
+        This can be used to add an explicit approval step to the release
+        or limit who can initiate a release through environment protection rules.
+
+        Set this to overwrite a package level publishing environment just for this artifact.
+
+        :default: - no environment used, unless set at the package level
+
+        :stability: experimental
+        '''
+        result = self._values.get("github_environment")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def post_publish_steps(self) -> typing.Optional[typing.List[_JobStep_c3287c05]]:
         '''(experimental) Steps to execute after executing the publishing command.
@@ -1395,7 +1509,7 @@ class MavenPublishOptions(CommonPublishOptions):
 
     @builtins.property
     def pre_publish_steps(self) -> typing.Optional[typing.List[_JobStep_c3287c05]]:
-        '''(experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if neede.
+        '''(experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if needed.
 
         These steps are executed after ``dist/`` has been populated with the build
         output.
@@ -1424,7 +1538,7 @@ class MavenPublishOptions(CommonPublishOptions):
 
         if not set, defaults to https://oss.sonatype.org
 
-        :default: "https://oss.sonatype.org"
+        :default: - "https://oss.sonatype.org" or none when publishing to Maven Central
 
         :stability: experimental
         '''
@@ -1490,7 +1604,9 @@ class MavenPublishOptions(CommonPublishOptions):
     def maven_server_id(self) -> typing.Optional[builtins.str]:
         '''(experimental) Used in maven settings for credential lookup (e.g. use github when publishing to GitHub).
 
-        :default: "ossrh" (Maven Central) or "github" when using GitHub Packages
+        Set to ``central-ossrh`` to publish to Maven Central.
+
+        :default: "central-ossrh" (Maven Central) or "github" when using GitHub Packages
 
         :stability: experimental
         '''
@@ -1539,6 +1655,7 @@ class MavenPublishOptions(CommonPublishOptions):
     jsii_type="projen.release.NpmPublishOptions",
     jsii_struct_bases=[CommonPublishOptions],
     name_mapping={
+        "github_environment": "githubEnvironment",
         "post_publish_steps": "postPublishSteps",
         "pre_publish_steps": "prePublishSteps",
         "publish_tools": "publishTools",
@@ -1547,12 +1664,14 @@ class MavenPublishOptions(CommonPublishOptions):
         "npm_provenance": "npmProvenance",
         "npm_token_secret": "npmTokenSecret",
         "registry": "registry",
+        "trusted_publishing": "trustedPublishing",
     },
 )
 class NpmPublishOptions(CommonPublishOptions):
     def __init__(
         self,
         *,
+        github_environment: typing.Optional[builtins.str] = None,
         post_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         pre_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         publish_tools: typing.Optional[typing.Union[_Tools_75b93a2a, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -1561,17 +1680,20 @@ class NpmPublishOptions(CommonPublishOptions):
         npm_provenance: typing.Optional[builtins.bool] = None,
         npm_token_secret: typing.Optional[builtins.str] = None,
         registry: typing.Optional[builtins.str] = None,
+        trusted_publishing: typing.Optional[builtins.bool] = None,
     ) -> None:
         '''(experimental) Options for npm release.
 
+        :param github_environment: (experimental) The GitHub Actions environment used for publishing. This can be used to add an explicit approval step to the release or limit who can initiate a release through environment protection rules. Set this to overwrite a package level publishing environment just for this artifact. Default: - no environment used, unless set at the package level
         :param post_publish_steps: (experimental) Steps to execute after executing the publishing command. These can be used to add/update the release artifacts ot any other tasks needed. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPostPublishingSteps``.
-        :param pre_publish_steps: (experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if neede. These steps are executed after ``dist/`` has been populated with the build output. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPrePublishingSteps``.
+        :param pre_publish_steps: (experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if needed. These steps are executed after ``dist/`` has been populated with the build output. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPrePublishingSteps``.
         :param publish_tools: (experimental) Additional tools to install in the publishing job. Default: - no additional tools are installed
-        :param code_artifact_options: (experimental) Options for publishing npm package to AWS CodeArtifact. Default: - undefined
+        :param code_artifact_options: (experimental) Options for publishing npm package to AWS CodeArtifact. Default: - package is not published to
         :param dist_tag: (deprecated) Tags can be used to provide an alias instead of version numbers. For example, a project might choose to have multiple streams of development and use a different tag for each stream, e.g., stable, beta, dev, canary. By default, the ``latest`` tag is used by npm to identify the current version of a package, and ``npm install <pkg>`` (without any ``@<version>`` or ``@<tag>`` specifier) installs the latest tag. Typically, projects only use the ``latest`` tag for stable release versions, and use other tags for unstable versions such as prereleases. The ``next`` tag is used by some projects to identify the upcoming version. Default: "latest"
-        :param npm_provenance: (experimental) Should provenance statements be generated when package is published. Note that this component is using ``publib`` to publish packages, which is using npm internally and supports provenance statements independently of the package manager used. Default: - undefined
-        :param npm_token_secret: (experimental) GitHub secret which contains the NPM token to use when publishing packages. Default: - "NPM_TOKEN" or "GITHUB_TOKEN" if ``registry`` is set to ``npm.pkg.github.com``.
+        :param npm_provenance: (experimental) Should provenance statements be generated when package is published. Note that this component is using ``publib`` to publish packages, which is using npm internally and supports provenance statements independently of the package manager used. Only works in supported CI/CD environments. Default: - enabled for for public packages using trusted publishing, disabled otherwise
+        :param npm_token_secret: (experimental) GitHub secret which contains the NPM token to use for publishing packages. Default: - "NPM_TOKEN" or "GITHUB_TOKEN" if ``registry`` is set to ``npm.pkg.github.com``.
         :param registry: (experimental) The domain name of the npm package registry. To publish to GitHub Packages, set this value to ``"npm.pkg.github.com"``. In this if ``npmTokenSecret`` is not specified, it will default to ``GITHUB_TOKEN`` which means that you will be able to publish to the repository's package store. In this case, make sure ``repositoryUrl`` is correctly defined. Default: "registry.npmjs.org"
+        :param trusted_publishing: (experimental) Use trusted publishing for publishing to npmjs.com Needs to be pre-configured on npm.js to work. Requires npm CLI version 11.5.1 or later, this is NOT ensured automatically. When used, ``npmTokenSecret`` will be ignored. Default: - false
 
         :stability: experimental
         '''
@@ -1581,6 +1703,7 @@ class NpmPublishOptions(CommonPublishOptions):
             code_artifact_options = CodeArtifactOptions(**code_artifact_options)
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__458289050585e6e895f9ee709ee4e102166b0f71e3c8b2a0617efa2d24e990fb)
+            check_type(argname="argument github_environment", value=github_environment, expected_type=type_hints["github_environment"])
             check_type(argname="argument post_publish_steps", value=post_publish_steps, expected_type=type_hints["post_publish_steps"])
             check_type(argname="argument pre_publish_steps", value=pre_publish_steps, expected_type=type_hints["pre_publish_steps"])
             check_type(argname="argument publish_tools", value=publish_tools, expected_type=type_hints["publish_tools"])
@@ -1589,7 +1712,10 @@ class NpmPublishOptions(CommonPublishOptions):
             check_type(argname="argument npm_provenance", value=npm_provenance, expected_type=type_hints["npm_provenance"])
             check_type(argname="argument npm_token_secret", value=npm_token_secret, expected_type=type_hints["npm_token_secret"])
             check_type(argname="argument registry", value=registry, expected_type=type_hints["registry"])
+            check_type(argname="argument trusted_publishing", value=trusted_publishing, expected_type=type_hints["trusted_publishing"])
         self._values: typing.Dict[builtins.str, typing.Any] = {}
+        if github_environment is not None:
+            self._values["github_environment"] = github_environment
         if post_publish_steps is not None:
             self._values["post_publish_steps"] = post_publish_steps
         if pre_publish_steps is not None:
@@ -1606,6 +1732,24 @@ class NpmPublishOptions(CommonPublishOptions):
             self._values["npm_token_secret"] = npm_token_secret
         if registry is not None:
             self._values["registry"] = registry
+        if trusted_publishing is not None:
+            self._values["trusted_publishing"] = trusted_publishing
+
+    @builtins.property
+    def github_environment(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The GitHub Actions environment used for publishing.
+
+        This can be used to add an explicit approval step to the release
+        or limit who can initiate a release through environment protection rules.
+
+        Set this to overwrite a package level publishing environment just for this artifact.
+
+        :default: - no environment used, unless set at the package level
+
+        :stability: experimental
+        '''
+        result = self._values.get("github_environment")
+        return typing.cast(typing.Optional[builtins.str], result)
 
     @builtins.property
     def post_publish_steps(self) -> typing.Optional[typing.List[_JobStep_c3287c05]]:
@@ -1623,7 +1767,7 @@ class NpmPublishOptions(CommonPublishOptions):
 
     @builtins.property
     def pre_publish_steps(self) -> typing.Optional[typing.List[_JobStep_c3287c05]]:
-        '''(experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if neede.
+        '''(experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if needed.
 
         These steps are executed after ``dist/`` has been populated with the build
         output.
@@ -1650,7 +1794,7 @@ class NpmPublishOptions(CommonPublishOptions):
     def code_artifact_options(self) -> typing.Optional[CodeArtifactOptions]:
         '''(experimental) Options for publishing npm package to AWS CodeArtifact.
 
-        :default: - undefined
+        :default: - package is not published to
 
         :stability: experimental
         '''
@@ -1688,7 +1832,9 @@ class NpmPublishOptions(CommonPublishOptions):
         Note that this component is using ``publib`` to publish packages,
         which is using npm internally and supports provenance statements independently of the package manager used.
 
-        :default: - undefined
+        Only works in supported CI/CD environments.
+
+        :default: - enabled for for public packages using trusted publishing, disabled otherwise
 
         :see: https://docs.npmjs.com/generating-provenance-statements
         :stability: experimental
@@ -1698,7 +1844,7 @@ class NpmPublishOptions(CommonPublishOptions):
 
     @builtins.property
     def npm_token_secret(self) -> typing.Optional[builtins.str]:
-        '''(experimental) GitHub secret which contains the NPM token to use when publishing packages.
+        '''(experimental) GitHub secret which contains the NPM token to use for publishing packages.
 
         :default: - "NPM_TOKEN" or "GITHUB_TOKEN" if ``registry`` is set to ``npm.pkg.github.com``.
 
@@ -1728,6 +1874,21 @@ class NpmPublishOptions(CommonPublishOptions):
         result = self._values.get("registry")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def trusted_publishing(self) -> typing.Optional[builtins.bool]:
+        '''(experimental) Use trusted publishing for publishing to npmjs.com Needs to be pre-configured on npm.js to work.
+
+        Requires npm CLI version 11.5.1 or later, this is NOT ensured automatically.
+        When used, ``npmTokenSecret`` will be ignored.
+
+        :default: - false
+
+        :see: https://docs.npmjs.com/trusted-publishers
+        :stability: experimental
+        '''
+        result = self._values.get("trusted_publishing")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     def __eq__(self, rhs: typing.Any) -> builtins.bool:
         return isinstance(rhs, self.__class__) and rhs._values == self._values
 
@@ -1744,30 +1905,39 @@ class NpmPublishOptions(CommonPublishOptions):
     jsii_type="projen.release.NugetPublishOptions",
     jsii_struct_bases=[CommonPublishOptions],
     name_mapping={
+        "github_environment": "githubEnvironment",
         "post_publish_steps": "postPublishSteps",
         "pre_publish_steps": "prePublishSteps",
         "publish_tools": "publishTools",
         "nuget_api_key_secret": "nugetApiKeySecret",
         "nuget_server": "nugetServer",
+        "nuget_username_secret": "nugetUsernameSecret",
+        "trusted_publishing": "trustedPublishing",
     },
 )
 class NugetPublishOptions(CommonPublishOptions):
     def __init__(
         self,
         *,
+        github_environment: typing.Optional[builtins.str] = None,
         post_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         pre_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         publish_tools: typing.Optional[typing.Union[_Tools_75b93a2a, typing.Dict[builtins.str, typing.Any]]] = None,
         nuget_api_key_secret: typing.Optional[builtins.str] = None,
         nuget_server: typing.Optional[builtins.str] = None,
+        nuget_username_secret: typing.Optional[builtins.str] = None,
+        trusted_publishing: typing.Optional[builtins.bool] = None,
     ) -> None:
         '''(experimental) Options for NuGet releases.
 
+        :param github_environment: (experimental) The GitHub Actions environment used for publishing. This can be used to add an explicit approval step to the release or limit who can initiate a release through environment protection rules. Set this to overwrite a package level publishing environment just for this artifact. Default: - no environment used, unless set at the package level
         :param post_publish_steps: (experimental) Steps to execute after executing the publishing command. These can be used to add/update the release artifacts ot any other tasks needed. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPostPublishingSteps``.
-        :param pre_publish_steps: (experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if neede. These steps are executed after ``dist/`` has been populated with the build output. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPrePublishingSteps``.
+        :param pre_publish_steps: (experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if needed. These steps are executed after ``dist/`` has been populated with the build output. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPrePublishingSteps``.
         :param publish_tools: (experimental) Additional tools to install in the publishing job. Default: - no additional tools are installed
         :param nuget_api_key_secret: (experimental) GitHub secret which contains the API key for NuGet. Default: "NUGET_API_KEY"
         :param nuget_server: (experimental) NuGet Server URL (defaults to nuget.org).
+        :param nuget_username_secret: (experimental) The NuGet.org username (profile name, not email address) for trusted publisher authentication. Required when using trusted publishing. Default: "NUGET_USERNAME"
+        :param trusted_publishing: (experimental) Use NuGet trusted publishing instead of API keys. Needs to be setup in NuGet.org.
 
         :stability: experimental
         '''
@@ -1775,12 +1945,17 @@ class NugetPublishOptions(CommonPublishOptions):
             publish_tools = _Tools_75b93a2a(**publish_tools)
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__584d4125e43e970396e9062b357de30ef32a6d1b30bd3a0f00fc7db041ea0bec)
+            check_type(argname="argument github_environment", value=github_environment, expected_type=type_hints["github_environment"])
             check_type(argname="argument post_publish_steps", value=post_publish_steps, expected_type=type_hints["post_publish_steps"])
             check_type(argname="argument pre_publish_steps", value=pre_publish_steps, expected_type=type_hints["pre_publish_steps"])
             check_type(argname="argument publish_tools", value=publish_tools, expected_type=type_hints["publish_tools"])
             check_type(argname="argument nuget_api_key_secret", value=nuget_api_key_secret, expected_type=type_hints["nuget_api_key_secret"])
             check_type(argname="argument nuget_server", value=nuget_server, expected_type=type_hints["nuget_server"])
+            check_type(argname="argument nuget_username_secret", value=nuget_username_secret, expected_type=type_hints["nuget_username_secret"])
+            check_type(argname="argument trusted_publishing", value=trusted_publishing, expected_type=type_hints["trusted_publishing"])
         self._values: typing.Dict[builtins.str, typing.Any] = {}
+        if github_environment is not None:
+            self._values["github_environment"] = github_environment
         if post_publish_steps is not None:
             self._values["post_publish_steps"] = post_publish_steps
         if pre_publish_steps is not None:
@@ -1791,6 +1966,26 @@ class NugetPublishOptions(CommonPublishOptions):
             self._values["nuget_api_key_secret"] = nuget_api_key_secret
         if nuget_server is not None:
             self._values["nuget_server"] = nuget_server
+        if nuget_username_secret is not None:
+            self._values["nuget_username_secret"] = nuget_username_secret
+        if trusted_publishing is not None:
+            self._values["trusted_publishing"] = trusted_publishing
+
+    @builtins.property
+    def github_environment(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The GitHub Actions environment used for publishing.
+
+        This can be used to add an explicit approval step to the release
+        or limit who can initiate a release through environment protection rules.
+
+        Set this to overwrite a package level publishing environment just for this artifact.
+
+        :default: - no environment used, unless set at the package level
+
+        :stability: experimental
+        '''
+        result = self._values.get("github_environment")
+        return typing.cast(typing.Optional[builtins.str], result)
 
     @builtins.property
     def post_publish_steps(self) -> typing.Optional[typing.List[_JobStep_c3287c05]]:
@@ -1808,7 +2003,7 @@ class NugetPublishOptions(CommonPublishOptions):
 
     @builtins.property
     def pre_publish_steps(self) -> typing.Optional[typing.List[_JobStep_c3287c05]]:
-        '''(experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if neede.
+        '''(experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if needed.
 
         These steps are executed after ``dist/`` has been populated with the build
         output.
@@ -1851,6 +2046,31 @@ class NugetPublishOptions(CommonPublishOptions):
         result = self._values.get("nuget_server")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def nuget_username_secret(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The NuGet.org username (profile name, not email address) for trusted publisher authentication.
+
+        Required when using trusted publishing.
+
+        :default: "NUGET_USERNAME"
+
+        :stability: experimental
+        '''
+        result = self._values.get("nuget_username_secret")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def trusted_publishing(self) -> typing.Optional[builtins.bool]:
+        '''(experimental) Use NuGet trusted publishing instead of API keys.
+
+        Needs to be setup in NuGet.org.
+
+        :see: https://learn.microsoft.com/en-us/nuget/nuget-org/trusted-publishing
+        :stability: experimental
+        '''
+        result = self._values.get("trusted_publishing")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     def __eq__(self, rhs: typing.Any) -> builtins.bool:
         return isinstance(rhs, self.__class__) and rhs._values == self._values
 
@@ -1905,7 +2125,7 @@ class Publisher(
         :param publib_version: (experimental) Version requirement for ``publib``. Default: "latest"
         :param publish_tasks: (experimental) Define publishing tasks that can be executed manually as well as workflows. Normally, publishing only happens within automated workflows. Enable this in order to create a publishing task for each publishing activity. Default: false
         :param workflow_container_image: (experimental) Container image to use for GitHub workflows. Default: - default image
-        :param workflow_node_version: (experimental) Node version to setup in GitHub workflows if any node-based CLI utilities are needed. For example ``publib``, the CLI projen uses to publish releases, is an npm library. Default: 18.x
+        :param workflow_node_version: (experimental) Node version to setup in GitHub workflows if any node-based CLI utilities are needed. For example ``publib``, the CLI projen uses to publish releases, is an npm library. Default: lts/*
         :param workflow_runs_on: (experimental) Github Runner selection labels. Default: ["ubuntu-latest"]
         :param workflow_runs_on_group: (experimental) Github Runner Group selection options.
 
@@ -2000,6 +2220,7 @@ class Publisher(
         changelog_file: builtins.str,
         release_tag_file: builtins.str,
         version_file: builtins.str,
+        github_environment: typing.Optional[builtins.str] = None,
         post_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         pre_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         publish_tools: typing.Optional[typing.Union[_Tools_75b93a2a, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -2009,8 +2230,9 @@ class Publisher(
         :param changelog_file: (experimental) The location of an .md file (relative to ``dist/``) that includes the changelog for the release.
         :param release_tag_file: (experimental) The location of a text file (relative to ``dist/``) that contains the release tag.
         :param version_file: (experimental) The location of a text file (relative to ``dist/``) that contains the version number.
+        :param github_environment: (experimental) The GitHub Actions environment used for publishing. This can be used to add an explicit approval step to the release or limit who can initiate a release through environment protection rules. Set this to overwrite a package level publishing environment just for this artifact. Default: - no environment used, unless set at the package level
         :param post_publish_steps: (experimental) Steps to execute after executing the publishing command. These can be used to add/update the release artifacts ot any other tasks needed. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPostPublishingSteps``.
-        :param pre_publish_steps: (experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if neede. These steps are executed after ``dist/`` has been populated with the build output. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPrePublishingSteps``.
+        :param pre_publish_steps: (experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if needed. These steps are executed after ``dist/`` has been populated with the build output. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPrePublishingSteps``.
         :param publish_tools: (experimental) Additional tools to install in the publishing job. Default: - no additional tools are installed
 
         :stability: experimental
@@ -2019,6 +2241,7 @@ class Publisher(
             changelog_file=changelog_file,
             release_tag_file=release_tag_file,
             version_file=version_file,
+            github_environment=github_environment,
             post_publish_steps=post_publish_steps,
             pre_publish_steps=pre_publish_steps,
             publish_tools=publish_tools,
@@ -2033,11 +2256,11 @@ class Publisher(
         git_branch: typing.Optional[builtins.str] = None,
         git_commit_message: typing.Optional[builtins.str] = None,
         github_deploy_key_secret: typing.Optional[builtins.str] = None,
-        github_repo: typing.Optional[builtins.str] = None,
         github_token_secret: typing.Optional[builtins.str] = None,
         github_use_ssh: typing.Optional[builtins.bool] = None,
         git_user_email: typing.Optional[builtins.str] = None,
         git_user_name: typing.Optional[builtins.str] = None,
+        github_environment: typing.Optional[builtins.str] = None,
         post_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         pre_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         publish_tools: typing.Optional[typing.Union[_Tools_75b93a2a, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -2047,13 +2270,13 @@ class Publisher(
         :param git_branch: (experimental) Branch to push to. Default: "main"
         :param git_commit_message: (experimental) The commit message. Default: "chore(release): $VERSION"
         :param github_deploy_key_secret: (experimental) The name of the secret that includes a GitHub deploy key used to push to the GitHub repository. Ignored if ``githubUseSsh`` is ``false``. Default: "GO_GITHUB_DEPLOY_KEY"
-        :param github_repo: (experimental) GitHub repository to push to. Default: - derived from ``moduleName``
         :param github_token_secret: (experimental) The name of the secret that includes a personal GitHub access token used to push to the GitHub repository. Ignored if ``githubUseSsh`` is ``true``. Default: "GO_GITHUB_TOKEN"
         :param github_use_ssh: (experimental) Use SSH to push to GitHub instead of a personal accses token. Default: false
-        :param git_user_email: (experimental) The email to use in the release git commit. Default: "github-actions@github.com"
-        :param git_user_name: (experimental) The user name to use for the release git commit. Default: "github-actions"
+        :param git_user_email: (experimental) The email to use in the release git commit. Default: - default GitHub Actions user email
+        :param git_user_name: (experimental) The user name to use for the release git commit. Default: - default GitHub Actions user name
+        :param github_environment: (experimental) The GitHub Actions environment used for publishing. This can be used to add an explicit approval step to the release or limit who can initiate a release through environment protection rules. Set this to overwrite a package level publishing environment just for this artifact. Default: - no environment used, unless set at the package level
         :param post_publish_steps: (experimental) Steps to execute after executing the publishing command. These can be used to add/update the release artifacts ot any other tasks needed. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPostPublishingSteps``.
-        :param pre_publish_steps: (experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if neede. These steps are executed after ``dist/`` has been populated with the build output. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPrePublishingSteps``.
+        :param pre_publish_steps: (experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if needed. These steps are executed after ``dist/`` has been populated with the build output. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPrePublishingSteps``.
         :param publish_tools: (experimental) Additional tools to install in the publishing job. Default: - no additional tools are installed
 
         :stability: experimental
@@ -2062,11 +2285,11 @@ class Publisher(
             git_branch=git_branch,
             git_commit_message=git_commit_message,
             github_deploy_key_secret=github_deploy_key_secret,
-            github_repo=github_repo,
             github_token_secret=github_token_secret,
             github_use_ssh=github_use_ssh,
             git_user_email=git_user_email,
             git_user_name=git_user_name,
+            github_environment=github_environment,
             post_publish_steps=post_publish_steps,
             pre_publish_steps=pre_publish_steps,
             publish_tools=publish_tools,
@@ -2086,22 +2309,24 @@ class Publisher(
         maven_server_id: typing.Optional[builtins.str] = None,
         maven_staging_profile_id: typing.Optional[builtins.str] = None,
         maven_username: typing.Optional[builtins.str] = None,
+        github_environment: typing.Optional[builtins.str] = None,
         post_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         pre_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         publish_tools: typing.Optional[typing.Union[_Tools_75b93a2a, typing.Dict[builtins.str, typing.Any]]] = None,
     ) -> None:
         '''(experimental) Publishes artifacts from ``java/**`` to Maven.
 
-        :param maven_endpoint: (experimental) URL of Nexus repository. if not set, defaults to https://oss.sonatype.org Default: "https://oss.sonatype.org"
+        :param maven_endpoint: (experimental) URL of Nexus repository. if not set, defaults to https://oss.sonatype.org Default: - "https://oss.sonatype.org" or none when publishing to Maven Central
         :param maven_gpg_private_key_passphrase: (experimental) GitHub secret name which contains the GPG private key or file that includes it. This is used to sign your Maven packages. See instructions. Default: "MAVEN_GPG_PRIVATE_KEY_PASSPHRASE" or not set when using GitHub Packages
         :param maven_gpg_private_key_secret: (experimental) GitHub secret name which contains the GPG private key or file that includes it. This is used to sign your Maven packages. See instructions. Default: "MAVEN_GPG_PRIVATE_KEY" or not set when using GitHub Packages
         :param maven_password: (experimental) GitHub secret name which contains the Password for maven repository. For Maven Central, you will need to Create JIRA account and then request a new project (see links). Default: "MAVEN_PASSWORD" or "GITHUB_TOKEN" when using GitHub Packages
         :param maven_repository_url: (experimental) Deployment repository when not deploying to Maven Central. Default: - not set
-        :param maven_server_id: (experimental) Used in maven settings for credential lookup (e.g. use github when publishing to GitHub). Default: "ossrh" (Maven Central) or "github" when using GitHub Packages
+        :param maven_server_id: (experimental) Used in maven settings for credential lookup (e.g. use github when publishing to GitHub). Set to ``central-ossrh`` to publish to Maven Central. Default: "central-ossrh" (Maven Central) or "github" when using GitHub Packages
         :param maven_staging_profile_id: (experimental) GitHub secret name which contains the Maven Central (sonatype) staging profile ID (e.g. 68a05363083174). Staging profile ID can be found in the URL of the "Releases" staging profile under "Staging Profiles" in https://oss.sonatype.org (e.g. https://oss.sonatype.org/#stagingProfiles;11a33451234521). Default: "MAVEN_STAGING_PROFILE_ID" or not set when using GitHub Packages
         :param maven_username: (experimental) GitHub secret name which contains the Username for maven repository. For Maven Central, you will need to Create JIRA account and then request a new project (see links). Default: "MAVEN_USERNAME" or the GitHub Actor when using GitHub Packages
+        :param github_environment: (experimental) The GitHub Actions environment used for publishing. This can be used to add an explicit approval step to the release or limit who can initiate a release through environment protection rules. Set this to overwrite a package level publishing environment just for this artifact. Default: - no environment used, unless set at the package level
         :param post_publish_steps: (experimental) Steps to execute after executing the publishing command. These can be used to add/update the release artifacts ot any other tasks needed. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPostPublishingSteps``.
-        :param pre_publish_steps: (experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if neede. These steps are executed after ``dist/`` has been populated with the build output. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPrePublishingSteps``.
+        :param pre_publish_steps: (experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if needed. These steps are executed after ``dist/`` has been populated with the build output. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPrePublishingSteps``.
         :param publish_tools: (experimental) Additional tools to install in the publishing job. Default: - no additional tools are installed
 
         :stability: experimental
@@ -2115,6 +2340,7 @@ class Publisher(
             maven_server_id=maven_server_id,
             maven_staging_profile_id=maven_staging_profile_id,
             maven_username=maven_username,
+            github_environment=github_environment,
             post_publish_steps=post_publish_steps,
             pre_publish_steps=pre_publish_steps,
             publish_tools=publish_tools,
@@ -2131,19 +2357,23 @@ class Publisher(
         npm_provenance: typing.Optional[builtins.bool] = None,
         npm_token_secret: typing.Optional[builtins.str] = None,
         registry: typing.Optional[builtins.str] = None,
+        trusted_publishing: typing.Optional[builtins.bool] = None,
+        github_environment: typing.Optional[builtins.str] = None,
         post_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         pre_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         publish_tools: typing.Optional[typing.Union[_Tools_75b93a2a, typing.Dict[builtins.str, typing.Any]]] = None,
     ) -> None:
         '''(experimental) Publishes artifacts from ``js/**`` to npm.
 
-        :param code_artifact_options: (experimental) Options for publishing npm package to AWS CodeArtifact. Default: - undefined
+        :param code_artifact_options: (experimental) Options for publishing npm package to AWS CodeArtifact. Default: - package is not published to
         :param dist_tag: (deprecated) Tags can be used to provide an alias instead of version numbers. For example, a project might choose to have multiple streams of development and use a different tag for each stream, e.g., stable, beta, dev, canary. By default, the ``latest`` tag is used by npm to identify the current version of a package, and ``npm install <pkg>`` (without any ``@<version>`` or ``@<tag>`` specifier) installs the latest tag. Typically, projects only use the ``latest`` tag for stable release versions, and use other tags for unstable versions such as prereleases. The ``next`` tag is used by some projects to identify the upcoming version. Default: "latest"
-        :param npm_provenance: (experimental) Should provenance statements be generated when package is published. Note that this component is using ``publib`` to publish packages, which is using npm internally and supports provenance statements independently of the package manager used. Default: - undefined
-        :param npm_token_secret: (experimental) GitHub secret which contains the NPM token to use when publishing packages. Default: - "NPM_TOKEN" or "GITHUB_TOKEN" if ``registry`` is set to ``npm.pkg.github.com``.
+        :param npm_provenance: (experimental) Should provenance statements be generated when package is published. Note that this component is using ``publib`` to publish packages, which is using npm internally and supports provenance statements independently of the package manager used. Only works in supported CI/CD environments. Default: - enabled for for public packages using trusted publishing, disabled otherwise
+        :param npm_token_secret: (experimental) GitHub secret which contains the NPM token to use for publishing packages. Default: - "NPM_TOKEN" or "GITHUB_TOKEN" if ``registry`` is set to ``npm.pkg.github.com``.
         :param registry: (experimental) The domain name of the npm package registry. To publish to GitHub Packages, set this value to ``"npm.pkg.github.com"``. In this if ``npmTokenSecret`` is not specified, it will default to ``GITHUB_TOKEN`` which means that you will be able to publish to the repository's package store. In this case, make sure ``repositoryUrl`` is correctly defined. Default: "registry.npmjs.org"
+        :param trusted_publishing: (experimental) Use trusted publishing for publishing to npmjs.com Needs to be pre-configured on npm.js to work. Requires npm CLI version 11.5.1 or later, this is NOT ensured automatically. When used, ``npmTokenSecret`` will be ignored. Default: - false
+        :param github_environment: (experimental) The GitHub Actions environment used for publishing. This can be used to add an explicit approval step to the release or limit who can initiate a release through environment protection rules. Set this to overwrite a package level publishing environment just for this artifact. Default: - no environment used, unless set at the package level
         :param post_publish_steps: (experimental) Steps to execute after executing the publishing command. These can be used to add/update the release artifacts ot any other tasks needed. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPostPublishingSteps``.
-        :param pre_publish_steps: (experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if neede. These steps are executed after ``dist/`` has been populated with the build output. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPrePublishingSteps``.
+        :param pre_publish_steps: (experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if needed. These steps are executed after ``dist/`` has been populated with the build output. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPrePublishingSteps``.
         :param publish_tools: (experimental) Additional tools to install in the publishing job. Default: - no additional tools are installed
 
         :stability: experimental
@@ -2154,6 +2384,8 @@ class Publisher(
             npm_provenance=npm_provenance,
             npm_token_secret=npm_token_secret,
             registry=registry,
+            trusted_publishing=trusted_publishing,
+            github_environment=github_environment,
             post_publish_steps=post_publish_steps,
             pre_publish_steps=pre_publish_steps,
             publish_tools=publish_tools,
@@ -2167,6 +2399,9 @@ class Publisher(
         *,
         nuget_api_key_secret: typing.Optional[builtins.str] = None,
         nuget_server: typing.Optional[builtins.str] = None,
+        nuget_username_secret: typing.Optional[builtins.str] = None,
+        trusted_publishing: typing.Optional[builtins.bool] = None,
+        github_environment: typing.Optional[builtins.str] = None,
         post_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         pre_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         publish_tools: typing.Optional[typing.Union[_Tools_75b93a2a, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -2175,8 +2410,11 @@ class Publisher(
 
         :param nuget_api_key_secret: (experimental) GitHub secret which contains the API key for NuGet. Default: "NUGET_API_KEY"
         :param nuget_server: (experimental) NuGet Server URL (defaults to nuget.org).
+        :param nuget_username_secret: (experimental) The NuGet.org username (profile name, not email address) for trusted publisher authentication. Required when using trusted publishing. Default: "NUGET_USERNAME"
+        :param trusted_publishing: (experimental) Use NuGet trusted publishing instead of API keys. Needs to be setup in NuGet.org.
+        :param github_environment: (experimental) The GitHub Actions environment used for publishing. This can be used to add an explicit approval step to the release or limit who can initiate a release through environment protection rules. Set this to overwrite a package level publishing environment just for this artifact. Default: - no environment used, unless set at the package level
         :param post_publish_steps: (experimental) Steps to execute after executing the publishing command. These can be used to add/update the release artifacts ot any other tasks needed. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPostPublishingSteps``.
-        :param pre_publish_steps: (experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if neede. These steps are executed after ``dist/`` has been populated with the build output. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPrePublishingSteps``.
+        :param pre_publish_steps: (experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if needed. These steps are executed after ``dist/`` has been populated with the build output. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPrePublishingSteps``.
         :param publish_tools: (experimental) Additional tools to install in the publishing job. Default: - no additional tools are installed
 
         :stability: experimental
@@ -2184,6 +2422,9 @@ class Publisher(
         options = NugetPublishOptions(
             nuget_api_key_secret=nuget_api_key_secret,
             nuget_server=nuget_server,
+            nuget_username_secret=nuget_username_secret,
+            trusted_publishing=trusted_publishing,
+            github_environment=github_environment,
             post_publish_steps=post_publish_steps,
             pre_publish_steps=pre_publish_steps,
             publish_tools=publish_tools,
@@ -2195,31 +2436,40 @@ class Publisher(
     def publish_to_py_pi(
         self,
         *,
+        attestations: typing.Optional[builtins.bool] = None,
         code_artifact_options: typing.Optional[typing.Union[CodeArtifactOptions, typing.Dict[builtins.str, typing.Any]]] = None,
+        trusted_publishing: typing.Optional[builtins.bool] = None,
         twine_password_secret: typing.Optional[builtins.str] = None,
         twine_registry_url: typing.Optional[builtins.str] = None,
         twine_username_secret: typing.Optional[builtins.str] = None,
+        github_environment: typing.Optional[builtins.str] = None,
         post_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         pre_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         publish_tools: typing.Optional[typing.Union[_Tools_75b93a2a, typing.Dict[builtins.str, typing.Any]]] = None,
     ) -> None:
         '''(experimental) Publishes wheel artifacts from ``python`` to PyPI.
 
+        :param attestations: (experimental) Generate and publish cryptographic attestations for files uploaded to PyPI. Attestations provide package provenance and integrity an can be viewed on PyPI. They are only available when using a Trusted Publisher for publishing. Default: - enabled when using trusted publishing, otherwise not applicable
         :param code_artifact_options: (experimental) Options for publishing to AWS CodeArtifact. Default: - undefined
+        :param trusted_publishing: (experimental) Use PyPI trusted publishing instead of tokens or username & password. Needs to be setup in PyPI.
         :param twine_password_secret: (experimental) The GitHub secret which contains PyPI password. Default: "TWINE_PASSWORD"
         :param twine_registry_url: (experimental) The registry url to use when releasing packages. Default: - twine default
         :param twine_username_secret: (experimental) The GitHub secret which contains PyPI user name. Default: "TWINE_USERNAME"
+        :param github_environment: (experimental) The GitHub Actions environment used for publishing. This can be used to add an explicit approval step to the release or limit who can initiate a release through environment protection rules. Set this to overwrite a package level publishing environment just for this artifact. Default: - no environment used, unless set at the package level
         :param post_publish_steps: (experimental) Steps to execute after executing the publishing command. These can be used to add/update the release artifacts ot any other tasks needed. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPostPublishingSteps``.
-        :param pre_publish_steps: (experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if neede. These steps are executed after ``dist/`` has been populated with the build output. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPrePublishingSteps``.
+        :param pre_publish_steps: (experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if needed. These steps are executed after ``dist/`` has been populated with the build output. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPrePublishingSteps``.
         :param publish_tools: (experimental) Additional tools to install in the publishing job. Default: - no additional tools are installed
 
         :stability: experimental
         '''
         options = PyPiPublishOptions(
+            attestations=attestations,
             code_artifact_options=code_artifact_options,
+            trusted_publishing=trusted_publishing,
             twine_password_secret=twine_password_secret,
             twine_registry_url=twine_registry_url,
             twine_username_secret=twine_username_secret,
+            github_environment=github_environment,
             post_publish_steps=post_publish_steps,
             pre_publish_steps=pre_publish_steps,
             publish_tools=publish_tools,
@@ -2327,7 +2577,7 @@ class PublisherOptions:
         :param publib_version: (experimental) Version requirement for ``publib``. Default: "latest"
         :param publish_tasks: (experimental) Define publishing tasks that can be executed manually as well as workflows. Normally, publishing only happens within automated workflows. Enable this in order to create a publishing task for each publishing activity. Default: false
         :param workflow_container_image: (experimental) Container image to use for GitHub workflows. Default: - default image
-        :param workflow_node_version: (experimental) Node version to setup in GitHub workflows if any node-based CLI utilities are needed. For example ``publib``, the CLI projen uses to publish releases, is an npm library. Default: 18.x
+        :param workflow_node_version: (experimental) Node version to setup in GitHub workflows if any node-based CLI utilities are needed. For example ``publib``, the CLI projen uses to publish releases, is an npm library. Default: lts/*
         :param workflow_runs_on: (experimental) Github Runner selection labels. Default: ["ubuntu-latest"]
         :param workflow_runs_on_group: (experimental) Github Runner Group selection options.
 
@@ -2503,7 +2753,7 @@ class PublisherOptions:
         For example ``publib``, the CLI projen uses to publish releases,
         is an npm library.
 
-        :default: 18.x
+        :default: lts/*
 
         :stability: experimental
         '''
@@ -2550,10 +2800,13 @@ class PublisherOptions:
     jsii_type="projen.release.PyPiPublishOptions",
     jsii_struct_bases=[CommonPublishOptions],
     name_mapping={
+        "github_environment": "githubEnvironment",
         "post_publish_steps": "postPublishSteps",
         "pre_publish_steps": "prePublishSteps",
         "publish_tools": "publishTools",
+        "attestations": "attestations",
         "code_artifact_options": "codeArtifactOptions",
+        "trusted_publishing": "trustedPublishing",
         "twine_password_secret": "twinePasswordSecret",
         "twine_registry_url": "twineRegistryUrl",
         "twine_username_secret": "twineUsernameSecret",
@@ -2563,20 +2816,26 @@ class PyPiPublishOptions(CommonPublishOptions):
     def __init__(
         self,
         *,
+        github_environment: typing.Optional[builtins.str] = None,
         post_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         pre_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         publish_tools: typing.Optional[typing.Union[_Tools_75b93a2a, typing.Dict[builtins.str, typing.Any]]] = None,
+        attestations: typing.Optional[builtins.bool] = None,
         code_artifact_options: typing.Optional[typing.Union[CodeArtifactOptions, typing.Dict[builtins.str, typing.Any]]] = None,
+        trusted_publishing: typing.Optional[builtins.bool] = None,
         twine_password_secret: typing.Optional[builtins.str] = None,
         twine_registry_url: typing.Optional[builtins.str] = None,
         twine_username_secret: typing.Optional[builtins.str] = None,
     ) -> None:
         '''(experimental) Options for PyPI release.
 
+        :param github_environment: (experimental) The GitHub Actions environment used for publishing. This can be used to add an explicit approval step to the release or limit who can initiate a release through environment protection rules. Set this to overwrite a package level publishing environment just for this artifact. Default: - no environment used, unless set at the package level
         :param post_publish_steps: (experimental) Steps to execute after executing the publishing command. These can be used to add/update the release artifacts ot any other tasks needed. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPostPublishingSteps``.
-        :param pre_publish_steps: (experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if neede. These steps are executed after ``dist/`` has been populated with the build output. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPrePublishingSteps``.
+        :param pre_publish_steps: (experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if needed. These steps are executed after ``dist/`` has been populated with the build output. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPrePublishingSteps``.
         :param publish_tools: (experimental) Additional tools to install in the publishing job. Default: - no additional tools are installed
+        :param attestations: (experimental) Generate and publish cryptographic attestations for files uploaded to PyPI. Attestations provide package provenance and integrity an can be viewed on PyPI. They are only available when using a Trusted Publisher for publishing. Default: - enabled when using trusted publishing, otherwise not applicable
         :param code_artifact_options: (experimental) Options for publishing to AWS CodeArtifact. Default: - undefined
+        :param trusted_publishing: (experimental) Use PyPI trusted publishing instead of tokens or username & password. Needs to be setup in PyPI.
         :param twine_password_secret: (experimental) The GitHub secret which contains PyPI password. Default: "TWINE_PASSWORD"
         :param twine_registry_url: (experimental) The registry url to use when releasing packages. Default: - twine default
         :param twine_username_secret: (experimental) The GitHub secret which contains PyPI user name. Default: "TWINE_USERNAME"
@@ -2589,22 +2848,31 @@ class PyPiPublishOptions(CommonPublishOptions):
             code_artifact_options = CodeArtifactOptions(**code_artifact_options)
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__f90cd44def59be822b686bcd759d7f0a910b9936ca8acc0ef3e69cda5ddc21d2)
+            check_type(argname="argument github_environment", value=github_environment, expected_type=type_hints["github_environment"])
             check_type(argname="argument post_publish_steps", value=post_publish_steps, expected_type=type_hints["post_publish_steps"])
             check_type(argname="argument pre_publish_steps", value=pre_publish_steps, expected_type=type_hints["pre_publish_steps"])
             check_type(argname="argument publish_tools", value=publish_tools, expected_type=type_hints["publish_tools"])
+            check_type(argname="argument attestations", value=attestations, expected_type=type_hints["attestations"])
             check_type(argname="argument code_artifact_options", value=code_artifact_options, expected_type=type_hints["code_artifact_options"])
+            check_type(argname="argument trusted_publishing", value=trusted_publishing, expected_type=type_hints["trusted_publishing"])
             check_type(argname="argument twine_password_secret", value=twine_password_secret, expected_type=type_hints["twine_password_secret"])
             check_type(argname="argument twine_registry_url", value=twine_registry_url, expected_type=type_hints["twine_registry_url"])
             check_type(argname="argument twine_username_secret", value=twine_username_secret, expected_type=type_hints["twine_username_secret"])
         self._values: typing.Dict[builtins.str, typing.Any] = {}
+        if github_environment is not None:
+            self._values["github_environment"] = github_environment
         if post_publish_steps is not None:
             self._values["post_publish_steps"] = post_publish_steps
         if pre_publish_steps is not None:
             self._values["pre_publish_steps"] = pre_publish_steps
         if publish_tools is not None:
             self._values["publish_tools"] = publish_tools
+        if attestations is not None:
+            self._values["attestations"] = attestations
         if code_artifact_options is not None:
             self._values["code_artifact_options"] = code_artifact_options
+        if trusted_publishing is not None:
+            self._values["trusted_publishing"] = trusted_publishing
         if twine_password_secret is not None:
             self._values["twine_password_secret"] = twine_password_secret
         if twine_registry_url is not None:
@@ -2612,6 +2880,22 @@ class PyPiPublishOptions(CommonPublishOptions):
         if twine_username_secret is not None:
             self._values["twine_username_secret"] = twine_username_secret
 
+    @builtins.property
+    def github_environment(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The GitHub Actions environment used for publishing.
+
+        This can be used to add an explicit approval step to the release
+        or limit who can initiate a release through environment protection rules.
+
+        Set this to overwrite a package level publishing environment just for this artifact.
+
+        :default: - no environment used, unless set at the package level
+
+        :stability: experimental
+        '''
+        result = self._values.get("github_environment")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def post_publish_steps(self) -> typing.Optional[typing.List[_JobStep_c3287c05]]:
         '''(experimental) Steps to execute after executing the publishing command.
@@ -2628,7 +2912,7 @@ class PyPiPublishOptions(CommonPublishOptions):
 
     @builtins.property
     def pre_publish_steps(self) -> typing.Optional[typing.List[_JobStep_c3287c05]]:
-        '''(experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if neede.
+        '''(experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if needed.
 
         These steps are executed after ``dist/`` has been populated with the build
         output.
@@ -2651,6 +2935,21 @@ class PyPiPublishOptions(CommonPublishOptions):
         result = self._values.get("publish_tools")
         return typing.cast(typing.Optional[_Tools_75b93a2a], result)
 
+    @builtins.property
+    def attestations(self) -> typing.Optional[builtins.bool]:
+        '''(experimental) Generate and publish cryptographic attestations for files uploaded to PyPI.
+
+        Attestations provide package provenance and integrity an can be viewed on PyPI.
+        They are only available when using a Trusted Publisher for publishing.
+
+        :default: - enabled when using trusted publishing, otherwise not applicable
+
+        :see: https://docs.pypi.org/attestations/producing-attestations/
+        :stability: experimental
+        '''
+        result = self._values.get("attestations")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def code_artifact_options(self) -> typing.Optional[CodeArtifactOptions]:
         '''(experimental) Options for publishing to AWS CodeArtifact.
@@ -2662,6 +2961,18 @@ class PyPiPublishOptions(CommonPublishOptions):
         result = self._values.get("code_artifact_options")
         return typing.cast(typing.Optional[CodeArtifactOptions], result)
 
+    @builtins.property
+    def trusted_publishing(self) -> typing.Optional[builtins.bool]:
+        '''(experimental) Use PyPI trusted publishing instead of tokens or username & password.
+
+        Needs to be setup in PyPI.
+
+        :see: https://docs.pypi.org/trusted-publishers/adding-a-publisher/
+        :stability: experimental
+        '''
+        result = self._values.get("trusted_publishing")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def twine_password_secret(self) -> typing.Optional[builtins.str]:
         '''(experimental) The GitHub secret which contains PyPI password.
@@ -2725,14 +3036,17 @@ class Release(
         *,
         artifacts_directory: builtins.str,
         branch: builtins.str,
-        task: _Task_9fa875b6,
         version_file: builtins.str,
         github_release: typing.Optional[builtins.bool] = None,
+        task: typing.Optional[_Task_9fa875b6] = None,
+        tasks: typing.Optional[typing.Sequence[_Task_9fa875b6]] = None,
         workflow_node_version: typing.Optional[builtins.str] = None,
         workflow_permissions: typing.Optional[typing.Union[_JobPermissions_3b5b53dc, typing.Dict[builtins.str, typing.Any]]] = None,
+        bump_package: typing.Optional[builtins.str] = None,
         jsii_release_version: typing.Optional[builtins.str] = None,
         major_version: typing.Optional[jsii.Number] = None,
         min_major_version: typing.Optional[jsii.Number] = None,
+        next_version_command: typing.Optional[builtins.str] = None,
         npm_dist_tag: typing.Optional[builtins.str] = None,
         post_build_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         prerelease: typing.Optional[builtins.str] = None,
@@ -2740,12 +3054,14 @@ class Release(
         publish_tasks: typing.Optional[builtins.bool] = None,
         releasable_commits: typing.Optional[_ReleasableCommits_d481ce10] = None,
         release_branches: typing.Optional[typing.Mapping[builtins.str, typing.Union[BranchOptions, typing.Dict[builtins.str, typing.Any]]]] = None,
+        release_environment: typing.Optional[builtins.str] = None,
         release_every_commit: typing.Optional[builtins.bool] = None,
         release_failure_issue: typing.Optional[builtins.bool] = None,
         release_failure_issue_label: typing.Optional[builtins.str] = None,
         release_schedule: typing.Optional[builtins.str] = None,
         release_tag_prefix: typing.Optional[builtins.str] = None,
         release_trigger: typing.Optional["ReleaseTrigger"] = None,
+        release_workflow_env: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         release_workflow_name: typing.Optional[builtins.str] = None,
         release_workflow_setup_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         versionrc_options: typing.Optional[typing.Mapping[builtins.str, typing.Any]] = None,
@@ -2757,14 +3073,17 @@ class Release(
         :param scope: should be part of the project the Release belongs to.
         :param artifacts_directory: (experimental) A directory which will contain build artifacts. Default: "dist"
         :param branch: (experimental) The default branch name to release from. Use ``majorVersion`` to restrict this branch to only publish releases with a specific major version. You can add additional branches using ``addBranch()``.
-        :param task: (experimental) The task to execute in order to create the release artifacts. Artifacts are expected to reside under ``artifactsDirectory`` (defaults to ``dist/``) once build is complete.
         :param version_file: (experimental) A name of a .json file to set the ``version`` field in after a bump.
         :param github_release: (experimental) Create a GitHub release for each release. Default: true
-        :param workflow_node_version: (experimental) Node version to setup in GitHub workflows if any node-based CLI utilities are needed. For example ``publib``, the CLI projen uses to publish releases, is an npm library. Default: 18.x
+        :param task: (deprecated) The task to execute in order to create the release artifacts. Artifacts are expected to reside under ``artifactsDirectory`` (defaults to ``dist/``) once build is complete.
+        :param tasks: (experimental) The tasks to execute in order to create the release artifacts. Artifacts are expected to reside under ``artifactsDirectory`` (defaults to ``dist/``) once build is complete.
+        :param workflow_node_version: (experimental) Node version to setup in GitHub workflows if any node-based CLI utilities are needed. For example ``publib``, the CLI projen uses to publish releases, is an npm library. Default: "lts/*""
         :param workflow_permissions: (experimental) Permissions granted to the release workflow job. Default: ``{ contents: JobPermission.WRITE }``
+        :param bump_package: (experimental) The ``commit-and-tag-version`` compatible package used to bump the package version, as a dependency string. This can be any compatible package version, including the deprecated ``standard-version@9``. Default: - A recent version of "commit-and-tag-version"
         :param jsii_release_version: (experimental) Version requirement of ``publib`` which is used to publish modules to npm. Default: "latest"
         :param major_version: (experimental) Major version to release from the default branch. If this is specified, we bump the latest version of this major version line. If not specified, we bump the global latest version. Default: - Major version is not enforced.
         :param min_major_version: (experimental) Minimal Major version to release. This can be useful to set to 1, as breaking changes before the 1.x major release are not incrementing the major version number. Can not be set together with ``majorVersion``. Default: - No minimum version is being enforced
+        :param next_version_command: (experimental) A shell command to control the next version to release. If present, this shell command will be run before the bump is executed, and it determines what version to release. It will be executed in the following environment: - Working directory: the project directory. - ``$VERSION``: the current version. Looks like ``1.2.3``. - ``$LATEST_TAG``: the most recent tag. Looks like ``prefix-v1.2.3``, or may be unset. - ``$SUGGESTED_BUMP``: the suggested bump action based on commits. One of ``major|minor|patch|none``. The command should print one of the following to ``stdout``: - Nothing: the next version number will be determined based on commit history. - ``x.y.z``: the next version number will be ``x.y.z``. - ``major|minor|patch``: the next version number will be the current version number with the indicated component bumped. This setting cannot be specified together with ``minMajorVersion``; the invoked script can be used to achieve the effects of ``minMajorVersion``. Default: - The next version will be determined based on the commit history and project settings.
         :param npm_dist_tag: (experimental) The npmDistTag to use when publishing from the default branch. To set the npm dist-tag for release branches, set the ``npmDistTag`` property for each branch. Default: "latest"
         :param post_build_steps: (experimental) Steps to execute after build as part of the release workflow. Default: []
         :param prerelease: (experimental) Bump versions from the default branch as pre-releases (e.g. "beta", "alpha", "pre"). Default: - normal semantic versions
@@ -2772,15 +3091,17 @@ class Release(
         :param publish_tasks: (experimental) Define publishing tasks that can be executed manually as well as workflows. Normally, publishing only happens within automated workflows. Enable this in order to create a publishing task for each publishing activity. Default: false
         :param releasable_commits: (experimental) Find commits that should be considered releasable Used to decide if a release is required. Default: ReleasableCommits.everyCommit()
         :param release_branches: (experimental) Defines additional release branches. A workflow will be created for each release branch which will publish releases from commits in this branch. Each release branch *must* be assigned a major version number which is used to enforce that versions published from that branch always use that major version. If multiple branches are used, the ``majorVersion`` field must also be provided for the default branch. Default: - no additional branches are used for release. you can use ``addBranch()`` to add additional branches.
+        :param release_environment: (experimental) The GitHub Actions environment used for the release. This can be used to add an explicit approval step to the release or limit who can initiate a release through environment protection rules. When multiple artifacts are released, the environment can be overwritten on a per artifact basis. Default: - no environment used, unless set at the artifact level
         :param release_every_commit: (deprecated) Automatically release new versions every commit to one of branches in ``releaseBranches``. Default: true
         :param release_failure_issue: (experimental) Create a github issue on every failed publishing task. Default: false
         :param release_failure_issue_label: (experimental) The label to apply to issues indicating publish failures. Only applies if ``releaseFailureIssue`` is true. Default: "failed-release"
         :param release_schedule: (deprecated) CRON schedule to trigger new releases. Default: - no scheduled releases
         :param release_tag_prefix: (experimental) Automatically add the given prefix to release tags. Useful if you are releasing on multiple branches with overlapping version numbers. Note: this prefix is used to detect the latest tagged version when bumping, so if you change this on a project with an existing version history, you may need to manually tag your latest release with the new prefix. Default: "v"
         :param release_trigger: (experimental) The release trigger to use. Default: - Continuous releases (``ReleaseTrigger.continuous()``)
+        :param release_workflow_env: (experimental) Build environment variables for release workflows. Default: {}
         :param release_workflow_name: (experimental) The name of the default release workflow. Default: "release"
         :param release_workflow_setup_steps: (experimental) A set of workflow steps to execute in order to setup the workflow container.
-        :param versionrc_options: (experimental) Custom configuration used when creating changelog with standard-version package. Given values either append to default configuration or overwrite values in it. Default: - standard configuration applicable for GitHub repositories
+        :param versionrc_options: (experimental) Custom configuration used when creating changelog with commit-and-tag-version package. Given values either append to default configuration or overwrite values in it. Default: - standard configuration applicable for GitHub repositories
         :param workflow_container_image: (experimental) Container image to use for GitHub workflows. Default: - default image
         :param workflow_runs_on: (experimental) Github Runner selection labels. Default: ["ubuntu-latest"]
         :param workflow_runs_on_group: (experimental) Github Runner Group selection options.
@@ -2793,14 +3114,17 @@ class Release(
         options = ReleaseOptions(
             artifacts_directory=artifacts_directory,
             branch=branch,
-            task=task,
             version_file=version_file,
             github_release=github_release,
+            task=task,
+            tasks=tasks,
             workflow_node_version=workflow_node_version,
             workflow_permissions=workflow_permissions,
+            bump_package=bump_package,
             jsii_release_version=jsii_release_version,
             major_version=major_version,
             min_major_version=min_major_version,
+            next_version_command=next_version_command,
             npm_dist_tag=npm_dist_tag,
             post_build_steps=post_build_steps,
             prerelease=prerelease,
@@ -2808,12 +3132,14 @@ class Release(
             publish_tasks=publish_tasks,
             releasable_commits=releasable_commits,
             release_branches=release_branches,
+            release_environment=release_environment,
             release_every_commit=release_every_commit,
             release_failure_issue=release_failure_issue,
             release_failure_issue_label=release_failure_issue_label,
             release_schedule=release_schedule,
             release_tag_prefix=release_tag_prefix,
             release_trigger=release_trigger,
+            release_workflow_env=release_workflow_env,
             release_workflow_name=release_workflow_name,
             release_workflow_setup_steps=release_workflow_setup_steps,
             versionrc_options=versionrc_options,
@@ -2844,6 +3170,7 @@ class Release(
         branch: builtins.str,
         *,
         major_version: jsii.Number,
+        environment: typing.Optional[builtins.str] = None,
         min_major_version: typing.Optional[jsii.Number] = None,
         minor_version: typing.Optional[jsii.Number] = None,
         npm_dist_tag: typing.Optional[builtins.str] = None,
@@ -2859,6 +3186,7 @@ class Release(
 
         :param branch: The branch to monitor (e.g. ``main``, ``v2.x``).
         :param major_version: (experimental) The major versions released from this branch.
+        :param environment: (experimental) The GitHub Actions environment used for the release. This can be used to add an explicit approval step to the release or limit who can initiate a release through environment protection rules. When multiple artifacts are released, the environment can be overwritten on a per artifact basis. Default: - no environment used, unless set at the artifact level
         :param min_major_version: (experimental) The minimum major version to release.
         :param minor_version: (experimental) The minor versions released from this branch.
         :param npm_dist_tag: (experimental) The npm distribution tag to use for this branch. Default: "latest"
@@ -2873,6 +3201,7 @@ class Release(
             check_type(argname="argument branch", value=branch, expected_type=type_hints["branch"])
         options = BranchOptions(
             major_version=major_version,
+            environment=environment,
             min_major_version=min_major_version,
             minor_version=minor_version,
             npm_dist_tag=npm_dist_tag,
@@ -2947,9 +3276,11 @@ class Release(
     jsii_type="projen.release.ReleaseProjectOptions",
     jsii_struct_bases=[],
     name_mapping={
+        "bump_package": "bumpPackage",
         "jsii_release_version": "jsiiReleaseVersion",
         "major_version": "majorVersion",
         "min_major_version": "minMajorVersion",
+        "next_version_command": "nextVersionCommand",
         "npm_dist_tag": "npmDistTag",
         "post_build_steps": "postBuildSteps",
         "prerelease": "prerelease",
@@ -2957,12 +3288,14 @@ class Release(
         "publish_tasks": "publishTasks",
         "releasable_commits": "releasableCommits",
         "release_branches": "releaseBranches",
+        "release_environment": "releaseEnvironment",
         "release_every_commit": "releaseEveryCommit",
         "release_failure_issue": "releaseFailureIssue",
         "release_failure_issue_label": "releaseFailureIssueLabel",
         "release_schedule": "releaseSchedule",
         "release_tag_prefix": "releaseTagPrefix",
         "release_trigger": "releaseTrigger",
+        "release_workflow_env": "releaseWorkflowEnv",
         "release_workflow_name": "releaseWorkflowName",
         "release_workflow_setup_steps": "releaseWorkflowSetupSteps",
         "versionrc_options": "versionrcOptions",
@@ -2975,9 +3308,11 @@ class ReleaseProjectOptions:
     def __init__(
         self,
         *,
+        bump_package: typing.Optional[builtins.str] = None,
         jsii_release_version: typing.Optional[builtins.str] = None,
         major_version: typing.Optional[jsii.Number] = None,
         min_major_version: typing.Optional[jsii.Number] = None,
+        next_version_command: typing.Optional[builtins.str] = None,
         npm_dist_tag: typing.Optional[builtins.str] = None,
         post_build_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         prerelease: typing.Optional[builtins.str] = None,
@@ -2985,12 +3320,14 @@ class ReleaseProjectOptions:
         publish_tasks: typing.Optional[builtins.bool] = None,
         releasable_commits: typing.Optional[_ReleasableCommits_d481ce10] = None,
         release_branches: typing.Optional[typing.Mapping[builtins.str, typing.Union[BranchOptions, typing.Dict[builtins.str, typing.Any]]]] = None,
+        release_environment: typing.Optional[builtins.str] = None,
         release_every_commit: typing.Optional[builtins.bool] = None,
         release_failure_issue: typing.Optional[builtins.bool] = None,
         release_failure_issue_label: typing.Optional[builtins.str] = None,
         release_schedule: typing.Optional[builtins.str] = None,
         release_tag_prefix: typing.Optional[builtins.str] = None,
         release_trigger: typing.Optional["ReleaseTrigger"] = None,
+        release_workflow_env: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         release_workflow_name: typing.Optional[builtins.str] = None,
         release_workflow_setup_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         versionrc_options: typing.Optional[typing.Mapping[builtins.str, typing.Any]] = None,
@@ -3000,9 +3337,11 @@ class ReleaseProjectOptions:
     ) -> None:
         '''(experimental) Project options for release.
 
+        :param bump_package: (experimental) The ``commit-and-tag-version`` compatible package used to bump the package version, as a dependency string. This can be any compatible package version, including the deprecated ``standard-version@9``. Default: - A recent version of "commit-and-tag-version"
         :param jsii_release_version: (experimental) Version requirement of ``publib`` which is used to publish modules to npm. Default: "latest"
         :param major_version: (experimental) Major version to release from the default branch. If this is specified, we bump the latest version of this major version line. If not specified, we bump the global latest version. Default: - Major version is not enforced.
         :param min_major_version: (experimental) Minimal Major version to release. This can be useful to set to 1, as breaking changes before the 1.x major release are not incrementing the major version number. Can not be set together with ``majorVersion``. Default: - No minimum version is being enforced
+        :param next_version_command: (experimental) A shell command to control the next version to release. If present, this shell command will be run before the bump is executed, and it determines what version to release. It will be executed in the following environment: - Working directory: the project directory. - ``$VERSION``: the current version. Looks like ``1.2.3``. - ``$LATEST_TAG``: the most recent tag. Looks like ``prefix-v1.2.3``, or may be unset. - ``$SUGGESTED_BUMP``: the suggested bump action based on commits. One of ``major|minor|patch|none``. The command should print one of the following to ``stdout``: - Nothing: the next version number will be determined based on commit history. - ``x.y.z``: the next version number will be ``x.y.z``. - ``major|minor|patch``: the next version number will be the current version number with the indicated component bumped. This setting cannot be specified together with ``minMajorVersion``; the invoked script can be used to achieve the effects of ``minMajorVersion``. Default: - The next version will be determined based on the commit history and project settings.
         :param npm_dist_tag: (experimental) The npmDistTag to use when publishing from the default branch. To set the npm dist-tag for release branches, set the ``npmDistTag`` property for each branch. Default: "latest"
         :param post_build_steps: (experimental) Steps to execute after build as part of the release workflow. Default: []
         :param prerelease: (experimental) Bump versions from the default branch as pre-releases (e.g. "beta", "alpha", "pre"). Default: - normal semantic versions
@@ -3010,15 +3349,17 @@ class ReleaseProjectOptions:
         :param publish_tasks: (experimental) Define publishing tasks that can be executed manually as well as workflows. Normally, publishing only happens within automated workflows. Enable this in order to create a publishing task for each publishing activity. Default: false
         :param releasable_commits: (experimental) Find commits that should be considered releasable Used to decide if a release is required. Default: ReleasableCommits.everyCommit()
         :param release_branches: (experimental) Defines additional release branches. A workflow will be created for each release branch which will publish releases from commits in this branch. Each release branch *must* be assigned a major version number which is used to enforce that versions published from that branch always use that major version. If multiple branches are used, the ``majorVersion`` field must also be provided for the default branch. Default: - no additional branches are used for release. you can use ``addBranch()`` to add additional branches.
+        :param release_environment: (experimental) The GitHub Actions environment used for the release. This can be used to add an explicit approval step to the release or limit who can initiate a release through environment protection rules. When multiple artifacts are released, the environment can be overwritten on a per artifact basis. Default: - no environment used, unless set at the artifact level
         :param release_every_commit: (deprecated) Automatically release new versions every commit to one of branches in ``releaseBranches``. Default: true
         :param release_failure_issue: (experimental) Create a github issue on every failed publishing task. Default: false
         :param release_failure_issue_label: (experimental) The label to apply to issues indicating publish failures. Only applies if ``releaseFailureIssue`` is true. Default: "failed-release"
         :param release_schedule: (deprecated) CRON schedule to trigger new releases. Default: - no scheduled releases
         :param release_tag_prefix: (experimental) Automatically add the given prefix to release tags. Useful if you are releasing on multiple branches with overlapping version numbers. Note: this prefix is used to detect the latest tagged version when bumping, so if you change this on a project with an existing version history, you may need to manually tag your latest release with the new prefix. Default: "v"
         :param release_trigger: (experimental) The release trigger to use. Default: - Continuous releases (``ReleaseTrigger.continuous()``)
+        :param release_workflow_env: (experimental) Build environment variables for release workflows. Default: {}
         :param release_workflow_name: (experimental) The name of the default release workflow. Default: "release"
         :param release_workflow_setup_steps: (experimental) A set of workflow steps to execute in order to setup the workflow container.
-        :param versionrc_options: (experimental) Custom configuration used when creating changelog with standard-version package. Given values either append to default configuration or overwrite values in it. Default: - standard configuration applicable for GitHub repositories
+        :param versionrc_options: (experimental) Custom configuration used when creating changelog with commit-and-tag-version package. Given values either append to default configuration or overwrite values in it. Default: - standard configuration applicable for GitHub repositories
         :param workflow_container_image: (experimental) Container image to use for GitHub workflows. Default: - default image
         :param workflow_runs_on: (experimental) Github Runner selection labels. Default: ["ubuntu-latest"]
         :param workflow_runs_on_group: (experimental) Github Runner Group selection options.
@@ -3029,9 +3370,11 @@ class ReleaseProjectOptions:
             workflow_runs_on_group = _GroupRunnerOptions_148c59c1(**workflow_runs_on_group)
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__cc5e99254de9f29d2ac3b86e193164816e1ed36e491e602128e7d16fb86aa377)
+            check_type(argname="argument bump_package", value=bump_package, expected_type=type_hints["bump_package"])
             check_type(argname="argument jsii_release_version", value=jsii_release_version, expected_type=type_hints["jsii_release_version"])
             check_type(argname="argument major_version", value=major_version, expected_type=type_hints["major_version"])
             check_type(argname="argument min_major_version", value=min_major_version, expected_type=type_hints["min_major_version"])
+            check_type(argname="argument next_version_command", value=next_version_command, expected_type=type_hints["next_version_command"])
             check_type(argname="argument npm_dist_tag", value=npm_dist_tag, expected_type=type_hints["npm_dist_tag"])
             check_type(argname="argument post_build_steps", value=post_build_steps, expected_type=type_hints["post_build_steps"])
             check_type(argname="argument prerelease", value=prerelease, expected_type=type_hints["prerelease"])
@@ -3039,12 +3382,14 @@ class ReleaseProjectOptions:
             check_type(argname="argument publish_tasks", value=publish_tasks, expected_type=type_hints["publish_tasks"])
             check_type(argname="argument releasable_commits", value=releasable_commits, expected_type=type_hints["releasable_commits"])
             check_type(argname="argument release_branches", value=release_branches, expected_type=type_hints["release_branches"])
+            check_type(argname="argument release_environment", value=release_environment, expected_type=type_hints["release_environment"])
             check_type(argname="argument release_every_commit", value=release_every_commit, expected_type=type_hints["release_every_commit"])
             check_type(argname="argument release_failure_issue", value=release_failure_issue, expected_type=type_hints["release_failure_issue"])
             check_type(argname="argument release_failure_issue_label", value=release_failure_issue_label, expected_type=type_hints["release_failure_issue_label"])
             check_type(argname="argument release_schedule", value=release_schedule, expected_type=type_hints["release_schedule"])
             check_type(argname="argument release_tag_prefix", value=release_tag_prefix, expected_type=type_hints["release_tag_prefix"])
             check_type(argname="argument release_trigger", value=release_trigger, expected_type=type_hints["release_trigger"])
+            check_type(argname="argument release_workflow_env", value=release_workflow_env, expected_type=type_hints["release_workflow_env"])
             check_type(argname="argument release_workflow_name", value=release_workflow_name, expected_type=type_hints["release_workflow_name"])
             check_type(argname="argument release_workflow_setup_steps", value=release_workflow_setup_steps, expected_type=type_hints["release_workflow_setup_steps"])
             check_type(argname="argument versionrc_options", value=versionrc_options, expected_type=type_hints["versionrc_options"])
@@ -3052,12 +3397,16 @@ class ReleaseProjectOptions:
             check_type(argname="argument workflow_runs_on", value=workflow_runs_on, expected_type=type_hints["workflow_runs_on"])
             check_type(argname="argument workflow_runs_on_group", value=workflow_runs_on_group, expected_type=type_hints["workflow_runs_on_group"])
         self._values: typing.Dict[builtins.str, typing.Any] = {}
+        if bump_package is not None:
+            self._values["bump_package"] = bump_package
         if jsii_release_version is not None:
             self._values["jsii_release_version"] = jsii_release_version
         if major_version is not None:
             self._values["major_version"] = major_version
         if min_major_version is not None:
             self._values["min_major_version"] = min_major_version
+        if next_version_command is not None:
+            self._values["next_version_command"] = next_version_command
         if npm_dist_tag is not None:
             self._values["npm_dist_tag"] = npm_dist_tag
         if post_build_steps is not None:
@@ -3072,6 +3421,8 @@ class ReleaseProjectOptions:
             self._values["releasable_commits"] = releasable_commits
         if release_branches is not None:
             self._values["release_branches"] = release_branches
+        if release_environment is not None:
+            self._values["release_environment"] = release_environment
         if release_every_commit is not None:
             self._values["release_every_commit"] = release_every_commit
         if release_failure_issue is not None:
@@ -3084,6 +3435,8 @@ class ReleaseProjectOptions:
             self._values["release_tag_prefix"] = release_tag_prefix
         if release_trigger is not None:
             self._values["release_trigger"] = release_trigger
+        if release_workflow_env is not None:
+            self._values["release_workflow_env"] = release_workflow_env
         if release_workflow_name is not None:
             self._values["release_workflow_name"] = release_workflow_name
         if release_workflow_setup_steps is not None:
@@ -3097,6 +3450,19 @@ class ReleaseProjectOptions:
         if workflow_runs_on_group is not None:
             self._values["workflow_runs_on_group"] = workflow_runs_on_group
 
+    @builtins.property
+    def bump_package(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The ``commit-and-tag-version`` compatible package used to bump the package version, as a dependency string.
+
+        This can be any compatible package version, including the deprecated ``standard-version@9``.
+
+        :default: - A recent version of "commit-and-tag-version"
+
+        :stability: experimental
+        '''
+        result = self._values.get("bump_package")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def jsii_release_version(self) -> typing.Optional[builtins.str]:
         '''(experimental) Version requirement of ``publib`` which is used to publish modules to npm.
@@ -3138,6 +3504,36 @@ class ReleaseProjectOptions:
         result = self._values.get("min_major_version")
         return typing.cast(typing.Optional[jsii.Number], result)
 
+    @builtins.property
+    def next_version_command(self) -> typing.Optional[builtins.str]:
+        '''(experimental) A shell command to control the next version to release.
+
+        If present, this shell command will be run before the bump is executed, and
+        it determines what version to release. It will be executed in the following
+        environment:
+
+        - Working directory: the project directory.
+        - ``$VERSION``: the current version. Looks like ``1.2.3``.
+        - ``$LATEST_TAG``: the most recent tag. Looks like ``prefix-v1.2.3``, or may be unset.
+        - ``$SUGGESTED_BUMP``: the suggested bump action based on commits. One of ``major|minor|patch|none``.
+
+        The command should print one of the following to ``stdout``:
+
+        - Nothing: the next version number will be determined based on commit history.
+        - ``x.y.z``: the next version number will be ``x.y.z``.
+        - ``major|minor|patch``: the next version number will be the current version number
+          with the indicated component bumped.
+
+        This setting cannot be specified together with ``minMajorVersion``; the invoked
+        script can be used to achieve the effects of ``minMajorVersion``.
+
+        :default: - The next version will be determined based on the commit history and project settings.
+
+        :stability: experimental
+        '''
+        result = self._values.get("next_version_command")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def npm_dist_tag(self) -> typing.Optional[builtins.str]:
         '''(experimental) The npmDistTag to use when publishing from the default branch.
@@ -3233,6 +3629,23 @@ class ReleaseProjectOptions:
         result = self._values.get("release_branches")
         return typing.cast(typing.Optional[typing.Mapping[builtins.str, BranchOptions]], result)
 
+    @builtins.property
+    def release_environment(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The GitHub Actions environment used for the release.
+
+        This can be used to add an explicit approval step to the release
+        or limit who can initiate a release through environment protection rules.
+
+        When multiple artifacts are released, the environment can be overwritten
+        on a per artifact basis.
+
+        :default: - no environment used, unless set at the artifact level
+
+        :stability: experimental
+        '''
+        result = self._values.get("release_environment")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def release_every_commit(self) -> typing.Optional[builtins.bool]:
         '''(deprecated) Automatically release new versions every commit to one of branches in ``releaseBranches``.
@@ -3310,6 +3723,19 @@ class ReleaseProjectOptions:
         result = self._values.get("release_trigger")
         return typing.cast(typing.Optional["ReleaseTrigger"], result)
 
+    @builtins.property
+    def release_workflow_env(
+        self,
+    ) -> typing.Optional[typing.Mapping[builtins.str, builtins.str]]:
+        '''(experimental) Build environment variables for release workflows.
+
+        :default: {}
+
+        :stability: experimental
+        '''
+        result = self._values.get("release_workflow_env")
+        return typing.cast(typing.Optional[typing.Mapping[builtins.str, builtins.str]], result)
+
     @builtins.property
     def release_workflow_name(self) -> typing.Optional[builtins.str]:
         '''(experimental) The name of the default release workflow.
@@ -3336,7 +3762,7 @@ class ReleaseProjectOptions:
     def versionrc_options(
         self,
     ) -> typing.Optional[typing.Mapping[builtins.str, typing.Any]]:
-        '''(experimental) Custom configuration used when creating changelog with standard-version package.
+        '''(experimental) Custom configuration used when creating changelog with commit-and-tag-version package.
 
         Given values either append to default configuration or overwrite values in it.
 
@@ -3477,6 +3903,15 @@ class ReleaseTrigger(
 
         return typing.cast("ReleaseTrigger", jsii.sinvoke(cls, "scheduled", [options]))
 
+    @jsii.member(jsii_name="workflowDispatch")
+    @builtins.classmethod
+    def workflow_dispatch(cls) -> "ReleaseTrigger":
+        '''(experimental) The release can only be triggered using the GitHub UI.
+
+        :stability: experimental
+        '''
+        return typing.cast("ReleaseTrigger", jsii.sinvoke(cls, "workflowDispatch", []))
+
     @builtins.property
     @jsii.member(jsii_name="isContinuous")
     def is_continuous(self) -> builtins.bool:
@@ -3489,7 +3924,9 @@ class ReleaseTrigger(
     @builtins.property
     @jsii.member(jsii_name="isManual")
     def is_manual(self) -> builtins.bool:
-        '''(experimental) Whether or not this is a manual release trigger.
+        '''(experimental) Whether or not this is a release trigger with a manual task run in a working copy.
+
+        If the ``ReleaseTrigger`` is a GitHub-only manual task, this will return ``false``.
 
         :stability: experimental
         '''
@@ -3591,6 +4028,7 @@ class ScheduledReleaseOptions:
     jsii_type="projen.release.JsiiReleaseMaven",
     jsii_struct_bases=[MavenPublishOptions],
     name_mapping={
+        "github_environment": "githubEnvironment",
         "post_publish_steps": "postPublishSteps",
         "pre_publish_steps": "prePublishSteps",
         "publish_tools": "publishTools",
@@ -3608,6 +4046,7 @@ class JsiiReleaseMaven(MavenPublishOptions):
     def __init__(
         self,
         *,
+        github_environment: typing.Optional[builtins.str] = None,
         post_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         pre_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         publish_tools: typing.Optional[typing.Union[_Tools_75b93a2a, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -3621,15 +4060,16 @@ class JsiiReleaseMaven(MavenPublishOptions):
         maven_username: typing.Optional[builtins.str] = None,
     ) -> None:
         '''
+        :param github_environment: (experimental) The GitHub Actions environment used for publishing. This can be used to add an explicit approval step to the release or limit who can initiate a release through environment protection rules. Set this to overwrite a package level publishing environment just for this artifact. Default: - no environment used, unless set at the package level
         :param post_publish_steps: (experimental) Steps to execute after executing the publishing command. These can be used to add/update the release artifacts ot any other tasks needed. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPostPublishingSteps``.
-        :param pre_publish_steps: (experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if neede. These steps are executed after ``dist/`` has been populated with the build output. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPrePublishingSteps``.
+        :param pre_publish_steps: (experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if needed. These steps are executed after ``dist/`` has been populated with the build output. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPrePublishingSteps``.
         :param publish_tools: (experimental) Additional tools to install in the publishing job. Default: - no additional tools are installed
-        :param maven_endpoint: (experimental) URL of Nexus repository. if not set, defaults to https://oss.sonatype.org Default: "https://oss.sonatype.org"
+        :param maven_endpoint: (experimental) URL of Nexus repository. if not set, defaults to https://oss.sonatype.org Default: - "https://oss.sonatype.org" or none when publishing to Maven Central
         :param maven_gpg_private_key_passphrase: (experimental) GitHub secret name which contains the GPG private key or file that includes it. This is used to sign your Maven packages. See instructions. Default: "MAVEN_GPG_PRIVATE_KEY_PASSPHRASE" or not set when using GitHub Packages
         :param maven_gpg_private_key_secret: (experimental) GitHub secret name which contains the GPG private key or file that includes it. This is used to sign your Maven packages. See instructions. Default: "MAVEN_GPG_PRIVATE_KEY" or not set when using GitHub Packages
         :param maven_password: (experimental) GitHub secret name which contains the Password for maven repository. For Maven Central, you will need to Create JIRA account and then request a new project (see links). Default: "MAVEN_PASSWORD" or "GITHUB_TOKEN" when using GitHub Packages
         :param maven_repository_url: (experimental) Deployment repository when not deploying to Maven Central. Default: - not set
-        :param maven_server_id: (experimental) Used in maven settings for credential lookup (e.g. use github when publishing to GitHub). Default: "ossrh" (Maven Central) or "github" when using GitHub Packages
+        :param maven_server_id: (experimental) Used in maven settings for credential lookup (e.g. use github when publishing to GitHub). Set to ``central-ossrh`` to publish to Maven Central. Default: "central-ossrh" (Maven Central) or "github" when using GitHub Packages
         :param maven_staging_profile_id: (experimental) GitHub secret name which contains the Maven Central (sonatype) staging profile ID (e.g. 68a05363083174). Staging profile ID can be found in the URL of the "Releases" staging profile under "Staging Profiles" in https://oss.sonatype.org (e.g. https://oss.sonatype.org/#stagingProfiles;11a33451234521). Default: "MAVEN_STAGING_PROFILE_ID" or not set when using GitHub Packages
         :param maven_username: (experimental) GitHub secret name which contains the Username for maven repository. For Maven Central, you will need to Create JIRA account and then request a new project (see links). Default: "MAVEN_USERNAME" or the GitHub Actor when using GitHub Packages
 
@@ -3641,6 +4081,7 @@ class JsiiReleaseMaven(MavenPublishOptions):
             publish_tools = _Tools_75b93a2a(**publish_tools)
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__370b478ebba8352e12c41a67b57d5954055dba8a6ceae59144e72607fdc6df41)
+            check_type(argname="argument github_environment", value=github_environment, expected_type=type_hints["github_environment"])
             check_type(argname="argument post_publish_steps", value=post_publish_steps, expected_type=type_hints["post_publish_steps"])
             check_type(argname="argument pre_publish_steps", value=pre_publish_steps, expected_type=type_hints["pre_publish_steps"])
             check_type(argname="argument publish_tools", value=publish_tools, expected_type=type_hints["publish_tools"])
@@ -3653,6 +4094,8 @@ class JsiiReleaseMaven(MavenPublishOptions):
             check_type(argname="argument maven_staging_profile_id", value=maven_staging_profile_id, expected_type=type_hints["maven_staging_profile_id"])
             check_type(argname="argument maven_username", value=maven_username, expected_type=type_hints["maven_username"])
         self._values: typing.Dict[builtins.str, typing.Any] = {}
+        if github_environment is not None:
+            self._values["github_environment"] = github_environment
         if post_publish_steps is not None:
             self._values["post_publish_steps"] = post_publish_steps
         if pre_publish_steps is not None:
@@ -3676,6 +4119,22 @@ class JsiiReleaseMaven(MavenPublishOptions):
         if maven_username is not None:
             self._values["maven_username"] = maven_username
 
+    @builtins.property
+    def github_environment(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The GitHub Actions environment used for publishing.
+
+        This can be used to add an explicit approval step to the release
+        or limit who can initiate a release through environment protection rules.
+
+        Set this to overwrite a package level publishing environment just for this artifact.
+
+        :default: - no environment used, unless set at the package level
+
+        :stability: experimental
+        '''
+        result = self._values.get("github_environment")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def post_publish_steps(self) -> typing.Optional[typing.List[_JobStep_c3287c05]]:
         '''(experimental) Steps to execute after executing the publishing command.
@@ -3692,7 +4151,7 @@ class JsiiReleaseMaven(MavenPublishOptions):
 
     @builtins.property
     def pre_publish_steps(self) -> typing.Optional[typing.List[_JobStep_c3287c05]]:
-        '''(experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if neede.
+        '''(experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if needed.
 
         These steps are executed after ``dist/`` has been populated with the build
         output.
@@ -3721,7 +4180,7 @@ class JsiiReleaseMaven(MavenPublishOptions):
 
         if not set, defaults to https://oss.sonatype.org
 
-        :default: "https://oss.sonatype.org"
+        :default: - "https://oss.sonatype.org" or none when publishing to Maven Central
 
         :stability: experimental
         '''
@@ -3787,7 +4246,9 @@ class JsiiReleaseMaven(MavenPublishOptions):
     def maven_server_id(self) -> typing.Optional[builtins.str]:
         '''(experimental) Used in maven settings for credential lookup (e.g. use github when publishing to GitHub).
 
-        :default: "ossrh" (Maven Central) or "github" when using GitHub Packages
+        Set to ``central-ossrh`` to publish to Maven Central.
+
+        :default: "central-ossrh" (Maven Central) or "github" when using GitHub Packages
 
         :stability: experimental
         '''
@@ -3836,6 +4297,7 @@ class JsiiReleaseMaven(MavenPublishOptions):
     jsii_type="projen.release.JsiiReleaseNpm",
     jsii_struct_bases=[NpmPublishOptions],
     name_mapping={
+        "github_environment": "githubEnvironment",
         "post_publish_steps": "postPublishSteps",
         "pre_publish_steps": "prePublishSteps",
         "publish_tools": "publishTools",
@@ -3844,12 +4306,14 @@ class JsiiReleaseMaven(MavenPublishOptions):
         "npm_provenance": "npmProvenance",
         "npm_token_secret": "npmTokenSecret",
         "registry": "registry",
+        "trusted_publishing": "trustedPublishing",
     },
 )
 class JsiiReleaseNpm(NpmPublishOptions):
     def __init__(
         self,
         *,
+        github_environment: typing.Optional[builtins.str] = None,
         post_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         pre_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         publish_tools: typing.Optional[typing.Union[_Tools_75b93a2a, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -3858,16 +4322,19 @@ class JsiiReleaseNpm(NpmPublishOptions):
         npm_provenance: typing.Optional[builtins.bool] = None,
         npm_token_secret: typing.Optional[builtins.str] = None,
         registry: typing.Optional[builtins.str] = None,
+        trusted_publishing: typing.Optional[builtins.bool] = None,
     ) -> None:
         '''
+        :param github_environment: (experimental) The GitHub Actions environment used for publishing. This can be used to add an explicit approval step to the release or limit who can initiate a release through environment protection rules. Set this to overwrite a package level publishing environment just for this artifact. Default: - no environment used, unless set at the package level
         :param post_publish_steps: (experimental) Steps to execute after executing the publishing command. These can be used to add/update the release artifacts ot any other tasks needed. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPostPublishingSteps``.
-        :param pre_publish_steps: (experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if neede. These steps are executed after ``dist/`` has been populated with the build output. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPrePublishingSteps``.
+        :param pre_publish_steps: (experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if needed. These steps are executed after ``dist/`` has been populated with the build output. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPrePublishingSteps``.
         :param publish_tools: (experimental) Additional tools to install in the publishing job. Default: - no additional tools are installed
-        :param code_artifact_options: (experimental) Options for publishing npm package to AWS CodeArtifact. Default: - undefined
+        :param code_artifact_options: (experimental) Options for publishing npm package to AWS CodeArtifact. Default: - package is not published to
         :param dist_tag: (deprecated) Tags can be used to provide an alias instead of version numbers. For example, a project might choose to have multiple streams of development and use a different tag for each stream, e.g., stable, beta, dev, canary. By default, the ``latest`` tag is used by npm to identify the current version of a package, and ``npm install <pkg>`` (without any ``@<version>`` or ``@<tag>`` specifier) installs the latest tag. Typically, projects only use the ``latest`` tag for stable release versions, and use other tags for unstable versions such as prereleases. The ``next`` tag is used by some projects to identify the upcoming version. Default: "latest"
-        :param npm_provenance: (experimental) Should provenance statements be generated when package is published. Note that this component is using ``publib`` to publish packages, which is using npm internally and supports provenance statements independently of the package manager used. Default: - undefined
-        :param npm_token_secret: (experimental) GitHub secret which contains the NPM token to use when publishing packages. Default: - "NPM_TOKEN" or "GITHUB_TOKEN" if ``registry`` is set to ``npm.pkg.github.com``.
+        :param npm_provenance: (experimental) Should provenance statements be generated when package is published. Note that this component is using ``publib`` to publish packages, which is using npm internally and supports provenance statements independently of the package manager used. Only works in supported CI/CD environments. Default: - enabled for for public packages using trusted publishing, disabled otherwise
+        :param npm_token_secret: (experimental) GitHub secret which contains the NPM token to use for publishing packages. Default: - "NPM_TOKEN" or "GITHUB_TOKEN" if ``registry`` is set to ``npm.pkg.github.com``.
         :param registry: (experimental) The domain name of the npm package registry. To publish to GitHub Packages, set this value to ``"npm.pkg.github.com"``. In this if ``npmTokenSecret`` is not specified, it will default to ``GITHUB_TOKEN`` which means that you will be able to publish to the repository's package store. In this case, make sure ``repositoryUrl`` is correctly defined. Default: "registry.npmjs.org"
+        :param trusted_publishing: (experimental) Use trusted publishing for publishing to npmjs.com Needs to be pre-configured on npm.js to work. Requires npm CLI version 11.5.1 or later, this is NOT ensured automatically. When used, ``npmTokenSecret`` will be ignored. Default: - false
 
         :deprecated: Use ``NpmPublishOptions`` instead.
 
@@ -3879,6 +4346,7 @@ class JsiiReleaseNpm(NpmPublishOptions):
             code_artifact_options = CodeArtifactOptions(**code_artifact_options)
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__a34680d3cf9e2cc6374987796717402a524a0bb377e9172f0707da67450b3239)
+            check_type(argname="argument github_environment", value=github_environment, expected_type=type_hints["github_environment"])
             check_type(argname="argument post_publish_steps", value=post_publish_steps, expected_type=type_hints["post_publish_steps"])
             check_type(argname="argument pre_publish_steps", value=pre_publish_steps, expected_type=type_hints["pre_publish_steps"])
             check_type(argname="argument publish_tools", value=publish_tools, expected_type=type_hints["publish_tools"])
@@ -3887,7 +4355,10 @@ class JsiiReleaseNpm(NpmPublishOptions):
             check_type(argname="argument npm_provenance", value=npm_provenance, expected_type=type_hints["npm_provenance"])
             check_type(argname="argument npm_token_secret", value=npm_token_secret, expected_type=type_hints["npm_token_secret"])
             check_type(argname="argument registry", value=registry, expected_type=type_hints["registry"])
+            check_type(argname="argument trusted_publishing", value=trusted_publishing, expected_type=type_hints["trusted_publishing"])
         self._values: typing.Dict[builtins.str, typing.Any] = {}
+        if github_environment is not None:
+            self._values["github_environment"] = github_environment
         if post_publish_steps is not None:
             self._values["post_publish_steps"] = post_publish_steps
         if pre_publish_steps is not None:
@@ -3904,6 +4375,24 @@ class JsiiReleaseNpm(NpmPublishOptions):
             self._values["npm_token_secret"] = npm_token_secret
         if registry is not None:
             self._values["registry"] = registry
+        if trusted_publishing is not None:
+            self._values["trusted_publishing"] = trusted_publishing
+
+    @builtins.property
+    def github_environment(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The GitHub Actions environment used for publishing.
+
+        This can be used to add an explicit approval step to the release
+        or limit who can initiate a release through environment protection rules.
+
+        Set this to overwrite a package level publishing environment just for this artifact.
+
+        :default: - no environment used, unless set at the package level
+
+        :stability: experimental
+        '''
+        result = self._values.get("github_environment")
+        return typing.cast(typing.Optional[builtins.str], result)
 
     @builtins.property
     def post_publish_steps(self) -> typing.Optional[typing.List[_JobStep_c3287c05]]:
@@ -3921,7 +4410,7 @@ class JsiiReleaseNpm(NpmPublishOptions):
 
     @builtins.property
     def pre_publish_steps(self) -> typing.Optional[typing.List[_JobStep_c3287c05]]:
-        '''(experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if neede.
+        '''(experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if needed.
 
         These steps are executed after ``dist/`` has been populated with the build
         output.
@@ -3948,7 +4437,7 @@ class JsiiReleaseNpm(NpmPublishOptions):
     def code_artifact_options(self) -> typing.Optional[CodeArtifactOptions]:
         '''(experimental) Options for publishing npm package to AWS CodeArtifact.
 
-        :default: - undefined
+        :default: - package is not published to
 
         :stability: experimental
         '''
@@ -3986,7 +4475,9 @@ class JsiiReleaseNpm(NpmPublishOptions):
         Note that this component is using ``publib`` to publish packages,
         which is using npm internally and supports provenance statements independently of the package manager used.
 
-        :default: - undefined
+        Only works in supported CI/CD environments.
+
+        :default: - enabled for for public packages using trusted publishing, disabled otherwise
 
         :see: https://docs.npmjs.com/generating-provenance-statements
         :stability: experimental
@@ -3996,7 +4487,7 @@ class JsiiReleaseNpm(NpmPublishOptions):
 
     @builtins.property
     def npm_token_secret(self) -> typing.Optional[builtins.str]:
-        '''(experimental) GitHub secret which contains the NPM token to use when publishing packages.
+        '''(experimental) GitHub secret which contains the NPM token to use for publishing packages.
 
         :default: - "NPM_TOKEN" or "GITHUB_TOKEN" if ``registry`` is set to ``npm.pkg.github.com``.
 
@@ -4026,6 +4517,21 @@ class JsiiReleaseNpm(NpmPublishOptions):
         result = self._values.get("registry")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def trusted_publishing(self) -> typing.Optional[builtins.bool]:
+        '''(experimental) Use trusted publishing for publishing to npmjs.com Needs to be pre-configured on npm.js to work.
+
+        Requires npm CLI version 11.5.1 or later, this is NOT ensured automatically.
+        When used, ``npmTokenSecret`` will be ignored.
+
+        :default: - false
+
+        :see: https://docs.npmjs.com/trusted-publishers
+        :stability: experimental
+        '''
+        result = self._values.get("trusted_publishing")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     def __eq__(self, rhs: typing.Any) -> builtins.bool:
         return isinstance(rhs, self.__class__) and rhs._values == self._values
 
@@ -4042,29 +4548,38 @@ class JsiiReleaseNpm(NpmPublishOptions):
     jsii_type="projen.release.JsiiReleaseNuget",
     jsii_struct_bases=[NugetPublishOptions],
     name_mapping={
+        "github_environment": "githubEnvironment",
         "post_publish_steps": "postPublishSteps",
         "pre_publish_steps": "prePublishSteps",
         "publish_tools": "publishTools",
         "nuget_api_key_secret": "nugetApiKeySecret",
         "nuget_server": "nugetServer",
+        "nuget_username_secret": "nugetUsernameSecret",
+        "trusted_publishing": "trustedPublishing",
     },
 )
 class JsiiReleaseNuget(NugetPublishOptions):
     def __init__(
         self,
         *,
+        github_environment: typing.Optional[builtins.str] = None,
         post_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         pre_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         publish_tools: typing.Optional[typing.Union[_Tools_75b93a2a, typing.Dict[builtins.str, typing.Any]]] = None,
         nuget_api_key_secret: typing.Optional[builtins.str] = None,
         nuget_server: typing.Optional[builtins.str] = None,
+        nuget_username_secret: typing.Optional[builtins.str] = None,
+        trusted_publishing: typing.Optional[builtins.bool] = None,
     ) -> None:
         '''
+        :param github_environment: (experimental) The GitHub Actions environment used for publishing. This can be used to add an explicit approval step to the release or limit who can initiate a release through environment protection rules. Set this to overwrite a package level publishing environment just for this artifact. Default: - no environment used, unless set at the package level
         :param post_publish_steps: (experimental) Steps to execute after executing the publishing command. These can be used to add/update the release artifacts ot any other tasks needed. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPostPublishingSteps``.
-        :param pre_publish_steps: (experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if neede. These steps are executed after ``dist/`` has been populated with the build output. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPrePublishingSteps``.
+        :param pre_publish_steps: (experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if needed. These steps are executed after ``dist/`` has been populated with the build output. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPrePublishingSteps``.
         :param publish_tools: (experimental) Additional tools to install in the publishing job. Default: - no additional tools are installed
         :param nuget_api_key_secret: (experimental) GitHub secret which contains the API key for NuGet. Default: "NUGET_API_KEY"
         :param nuget_server: (experimental) NuGet Server URL (defaults to nuget.org).
+        :param nuget_username_secret: (experimental) The NuGet.org username (profile name, not email address) for trusted publisher authentication. Required when using trusted publishing. Default: "NUGET_USERNAME"
+        :param trusted_publishing: (experimental) Use NuGet trusted publishing instead of API keys. Needs to be setup in NuGet.org.
 
         :deprecated: Use ``NugetPublishOptions`` instead.
 
@@ -4074,12 +4589,17 @@ class JsiiReleaseNuget(NugetPublishOptions):
             publish_tools = _Tools_75b93a2a(**publish_tools)
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__14abe6d299c2354a8f22a08788f088aafaa8acf2b85b20f297416346274a9b96)
+            check_type(argname="argument github_environment", value=github_environment, expected_type=type_hints["github_environment"])
             check_type(argname="argument post_publish_steps", value=post_publish_steps, expected_type=type_hints["post_publish_steps"])
             check_type(argname="argument pre_publish_steps", value=pre_publish_steps, expected_type=type_hints["pre_publish_steps"])
             check_type(argname="argument publish_tools", value=publish_tools, expected_type=type_hints["publish_tools"])
             check_type(argname="argument nuget_api_key_secret", value=nuget_api_key_secret, expected_type=type_hints["nuget_api_key_secret"])
             check_type(argname="argument nuget_server", value=nuget_server, expected_type=type_hints["nuget_server"])
+            check_type(argname="argument nuget_username_secret", value=nuget_username_secret, expected_type=type_hints["nuget_username_secret"])
+            check_type(argname="argument trusted_publishing", value=trusted_publishing, expected_type=type_hints["trusted_publishing"])
         self._values: typing.Dict[builtins.str, typing.Any] = {}
+        if github_environment is not None:
+            self._values["github_environment"] = github_environment
         if post_publish_steps is not None:
             self._values["post_publish_steps"] = post_publish_steps
         if pre_publish_steps is not None:
@@ -4090,6 +4610,26 @@ class JsiiReleaseNuget(NugetPublishOptions):
             self._values["nuget_api_key_secret"] = nuget_api_key_secret
         if nuget_server is not None:
             self._values["nuget_server"] = nuget_server
+        if nuget_username_secret is not None:
+            self._values["nuget_username_secret"] = nuget_username_secret
+        if trusted_publishing is not None:
+            self._values["trusted_publishing"] = trusted_publishing
+
+    @builtins.property
+    def github_environment(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The GitHub Actions environment used for publishing.
+
+        This can be used to add an explicit approval step to the release
+        or limit who can initiate a release through environment protection rules.
+
+        Set this to overwrite a package level publishing environment just for this artifact.
+
+        :default: - no environment used, unless set at the package level
+
+        :stability: experimental
+        '''
+        result = self._values.get("github_environment")
+        return typing.cast(typing.Optional[builtins.str], result)
 
     @builtins.property
     def post_publish_steps(self) -> typing.Optional[typing.List[_JobStep_c3287c05]]:
@@ -4107,7 +4647,7 @@ class JsiiReleaseNuget(NugetPublishOptions):
 
     @builtins.property
     def pre_publish_steps(self) -> typing.Optional[typing.List[_JobStep_c3287c05]]:
-        '''(experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if neede.
+        '''(experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if needed.
 
         These steps are executed after ``dist/`` has been populated with the build
         output.
@@ -4150,6 +4690,31 @@ class JsiiReleaseNuget(NugetPublishOptions):
         result = self._values.get("nuget_server")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def nuget_username_secret(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The NuGet.org username (profile name, not email address) for trusted publisher authentication.
+
+        Required when using trusted publishing.
+
+        :default: "NUGET_USERNAME"
+
+        :stability: experimental
+        '''
+        result = self._values.get("nuget_username_secret")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def trusted_publishing(self) -> typing.Optional[builtins.bool]:
+        '''(experimental) Use NuGet trusted publishing instead of API keys.
+
+        Needs to be setup in NuGet.org.
+
+        :see: https://learn.microsoft.com/en-us/nuget/nuget-org/trusted-publishing
+        :stability: experimental
+        '''
+        result = self._values.get("trusted_publishing")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     def __eq__(self, rhs: typing.Any) -> builtins.bool:
         return isinstance(rhs, self.__class__) and rhs._values == self._values
 
@@ -4166,10 +4731,13 @@ class JsiiReleaseNuget(NugetPublishOptions):
     jsii_type="projen.release.JsiiReleasePyPi",
     jsii_struct_bases=[PyPiPublishOptions],
     name_mapping={
+        "github_environment": "githubEnvironment",
         "post_publish_steps": "postPublishSteps",
         "pre_publish_steps": "prePublishSteps",
         "publish_tools": "publishTools",
+        "attestations": "attestations",
         "code_artifact_options": "codeArtifactOptions",
+        "trusted_publishing": "trustedPublishing",
         "twine_password_secret": "twinePasswordSecret",
         "twine_registry_url": "twineRegistryUrl",
         "twine_username_secret": "twineUsernameSecret",
@@ -4179,19 +4747,25 @@ class JsiiReleasePyPi(PyPiPublishOptions):
     def __init__(
         self,
         *,
+        github_environment: typing.Optional[builtins.str] = None,
         post_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         pre_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         publish_tools: typing.Optional[typing.Union[_Tools_75b93a2a, typing.Dict[builtins.str, typing.Any]]] = None,
+        attestations: typing.Optional[builtins.bool] = None,
         code_artifact_options: typing.Optional[typing.Union[CodeArtifactOptions, typing.Dict[builtins.str, typing.Any]]] = None,
+        trusted_publishing: typing.Optional[builtins.bool] = None,
         twine_password_secret: typing.Optional[builtins.str] = None,
         twine_registry_url: typing.Optional[builtins.str] = None,
         twine_username_secret: typing.Optional[builtins.str] = None,
     ) -> None:
         '''
+        :param github_environment: (experimental) The GitHub Actions environment used for publishing. This can be used to add an explicit approval step to the release or limit who can initiate a release through environment protection rules. Set this to overwrite a package level publishing environment just for this artifact. Default: - no environment used, unless set at the package level
         :param post_publish_steps: (experimental) Steps to execute after executing the publishing command. These can be used to add/update the release artifacts ot any other tasks needed. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPostPublishingSteps``.
-        :param pre_publish_steps: (experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if neede. These steps are executed after ``dist/`` has been populated with the build output. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPrePublishingSteps``.
+        :param pre_publish_steps: (experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if needed. These steps are executed after ``dist/`` has been populated with the build output. Note that when using this in ``publishToGitHubReleases`` this will override steps added via ``addGitHubPrePublishingSteps``.
         :param publish_tools: (experimental) Additional tools to install in the publishing job. Default: - no additional tools are installed
+        :param attestations: (experimental) Generate and publish cryptographic attestations for files uploaded to PyPI. Attestations provide package provenance and integrity an can be viewed on PyPI. They are only available when using a Trusted Publisher for publishing. Default: - enabled when using trusted publishing, otherwise not applicable
         :param code_artifact_options: (experimental) Options for publishing to AWS CodeArtifact. Default: - undefined
+        :param trusted_publishing: (experimental) Use PyPI trusted publishing instead of tokens or username & password. Needs to be setup in PyPI.
         :param twine_password_secret: (experimental) The GitHub secret which contains PyPI password. Default: "TWINE_PASSWORD"
         :param twine_registry_url: (experimental) The registry url to use when releasing packages. Default: - twine default
         :param twine_username_secret: (experimental) The GitHub secret which contains PyPI user name. Default: "TWINE_USERNAME"
@@ -4206,22 +4780,31 @@ class JsiiReleasePyPi(PyPiPublishOptions):
             code_artifact_options = CodeArtifactOptions(**code_artifact_options)
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__0fa7c01cc40634bf771011bf4e8ddb9e3be28efd1b3f15b5d0768a4e810d37bc)
+            check_type(argname="argument github_environment", value=github_environment, expected_type=type_hints["github_environment"])
             check_type(argname="argument post_publish_steps", value=post_publish_steps, expected_type=type_hints["post_publish_steps"])
             check_type(argname="argument pre_publish_steps", value=pre_publish_steps, expected_type=type_hints["pre_publish_steps"])
             check_type(argname="argument publish_tools", value=publish_tools, expected_type=type_hints["publish_tools"])
+            check_type(argname="argument attestations", value=attestations, expected_type=type_hints["attestations"])
             check_type(argname="argument code_artifact_options", value=code_artifact_options, expected_type=type_hints["code_artifact_options"])
+            check_type(argname="argument trusted_publishing", value=trusted_publishing, expected_type=type_hints["trusted_publishing"])
             check_type(argname="argument twine_password_secret", value=twine_password_secret, expected_type=type_hints["twine_password_secret"])
             check_type(argname="argument twine_registry_url", value=twine_registry_url, expected_type=type_hints["twine_registry_url"])
             check_type(argname="argument twine_username_secret", value=twine_username_secret, expected_type=type_hints["twine_username_secret"])
         self._values: typing.Dict[builtins.str, typing.Any] = {}
+        if github_environment is not None:
+            self._values["github_environment"] = github_environment
         if post_publish_steps is not None:
             self._values["post_publish_steps"] = post_publish_steps
         if pre_publish_steps is not None:
             self._values["pre_publish_steps"] = pre_publish_steps
         if publish_tools is not None:
             self._values["publish_tools"] = publish_tools
+        if attestations is not None:
+            self._values["attestations"] = attestations
         if code_artifact_options is not None:
             self._values["code_artifact_options"] = code_artifact_options
+        if trusted_publishing is not None:
+            self._values["trusted_publishing"] = trusted_publishing
         if twine_password_secret is not None:
             self._values["twine_password_secret"] = twine_password_secret
         if twine_registry_url is not None:
@@ -4229,6 +4812,22 @@ class JsiiReleasePyPi(PyPiPublishOptions):
         if twine_username_secret is not None:
             self._values["twine_username_secret"] = twine_username_secret
 
+    @builtins.property
+    def github_environment(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The GitHub Actions environment used for publishing.
+
+        This can be used to add an explicit approval step to the release
+        or limit who can initiate a release through environment protection rules.
+
+        Set this to overwrite a package level publishing environment just for this artifact.
+
+        :default: - no environment used, unless set at the package level
+
+        :stability: experimental
+        '''
+        result = self._values.get("github_environment")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def post_publish_steps(self) -> typing.Optional[typing.List[_JobStep_c3287c05]]:
         '''(experimental) Steps to execute after executing the publishing command.
@@ -4245,7 +4844,7 @@ class JsiiReleasePyPi(PyPiPublishOptions):
 
     @builtins.property
     def pre_publish_steps(self) -> typing.Optional[typing.List[_JobStep_c3287c05]]:
-        '''(experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if neede.
+        '''(experimental) Steps to execute before executing the publishing command. These can be used to prepare the artifact for publishing if needed.
 
         These steps are executed after ``dist/`` has been populated with the build
         output.
@@ -4268,6 +4867,21 @@ class JsiiReleasePyPi(PyPiPublishOptions):
         result = self._values.get("publish_tools")
         return typing.cast(typing.Optional[_Tools_75b93a2a], result)
 
+    @builtins.property
+    def attestations(self) -> typing.Optional[builtins.bool]:
+        '''(experimental) Generate and publish cryptographic attestations for files uploaded to PyPI.
+
+        Attestations provide package provenance and integrity an can be viewed on PyPI.
+        They are only available when using a Trusted Publisher for publishing.
+
+        :default: - enabled when using trusted publishing, otherwise not applicable
+
+        :see: https://docs.pypi.org/attestations/producing-attestations/
+        :stability: experimental
+        '''
+        result = self._values.get("attestations")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def code_artifact_options(self) -> typing.Optional[CodeArtifactOptions]:
         '''(experimental) Options for publishing to AWS CodeArtifact.
@@ -4279,6 +4893,18 @@ class JsiiReleasePyPi(PyPiPublishOptions):
         result = self._values.get("code_artifact_options")
         return typing.cast(typing.Optional[CodeArtifactOptions], result)
 
+    @builtins.property
+    def trusted_publishing(self) -> typing.Optional[builtins.bool]:
+        '''(experimental) Use PyPI trusted publishing instead of tokens or username & password.
+
+        Needs to be setup in PyPI.
+
+        :see: https://docs.pypi.org/trusted-publishers/adding-a-publisher/
+        :stability: experimental
+        '''
+        result = self._values.get("trusted_publishing")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def twine_password_secret(self) -> typing.Optional[builtins.str]:
         '''(experimental) The GitHub secret which contains PyPI password.
@@ -4328,9 +4954,11 @@ class JsiiReleasePyPi(PyPiPublishOptions):
     jsii_type="projen.release.ReleaseOptions",
     jsii_struct_bases=[ReleaseProjectOptions],
     name_mapping={
+        "bump_package": "bumpPackage",
         "jsii_release_version": "jsiiReleaseVersion",
         "major_version": "majorVersion",
         "min_major_version": "minMajorVersion",
+        "next_version_command": "nextVersionCommand",
         "npm_dist_tag": "npmDistTag",
         "post_build_steps": "postBuildSteps",
         "prerelease": "prerelease",
@@ -4338,12 +4966,14 @@ class JsiiReleasePyPi(PyPiPublishOptions):
         "publish_tasks": "publishTasks",
         "releasable_commits": "releasableCommits",
         "release_branches": "releaseBranches",
+        "release_environment": "releaseEnvironment",
         "release_every_commit": "releaseEveryCommit",
         "release_failure_issue": "releaseFailureIssue",
         "release_failure_issue_label": "releaseFailureIssueLabel",
         "release_schedule": "releaseSchedule",
         "release_tag_prefix": "releaseTagPrefix",
         "release_trigger": "releaseTrigger",
+        "release_workflow_env": "releaseWorkflowEnv",
         "release_workflow_name": "releaseWorkflowName",
         "release_workflow_setup_steps": "releaseWorkflowSetupSteps",
         "versionrc_options": "versionrcOptions",
@@ -4352,9 +4982,10 @@ class JsiiReleasePyPi(PyPiPublishOptions):
         "workflow_runs_on_group": "workflowRunsOnGroup",
         "artifacts_directory": "artifactsDirectory",
         "branch": "branch",
-        "task": "task",
         "version_file": "versionFile",
         "github_release": "githubRelease",
+        "task": "task",
+        "tasks": "tasks",
         "workflow_node_version": "workflowNodeVersion",
         "workflow_permissions": "workflowPermissions",
     },
@@ -4363,9 +4994,11 @@ class ReleaseOptions(ReleaseProjectOptions):
     def __init__(
         self,
         *,
+        bump_package: typing.Optional[builtins.str] = None,
         jsii_release_version: typing.Optional[builtins.str] = None,
         major_version: typing.Optional[jsii.Number] = None,
         min_major_version: typing.Optional[jsii.Number] = None,
+        next_version_command: typing.Optional[builtins.str] = None,
         npm_dist_tag: typing.Optional[builtins.str] = None,
         post_build_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         prerelease: typing.Optional[builtins.str] = None,
@@ -4373,12 +5006,14 @@ class ReleaseOptions(ReleaseProjectOptions):
         publish_tasks: typing.Optional[builtins.bool] = None,
         releasable_commits: typing.Optional[_ReleasableCommits_d481ce10] = None,
         release_branches: typing.Optional[typing.Mapping[builtins.str, typing.Union[BranchOptions, typing.Dict[builtins.str, typing.Any]]]] = None,
+        release_environment: typing.Optional[builtins.str] = None,
         release_every_commit: typing.Optional[builtins.bool] = None,
         release_failure_issue: typing.Optional[builtins.bool] = None,
         release_failure_issue_label: typing.Optional[builtins.str] = None,
         release_schedule: typing.Optional[builtins.str] = None,
         release_tag_prefix: typing.Optional[builtins.str] = None,
         release_trigger: typing.Optional[ReleaseTrigger] = None,
+        release_workflow_env: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         release_workflow_name: typing.Optional[builtins.str] = None,
         release_workflow_setup_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
         versionrc_options: typing.Optional[typing.Mapping[builtins.str, typing.Any]] = None,
@@ -4387,17 +5022,20 @@ class ReleaseOptions(ReleaseProjectOptions):
         workflow_runs_on_group: typing.Optional[typing.Union[_GroupRunnerOptions_148c59c1, typing.Dict[builtins.str, typing.Any]]] = None,
         artifacts_directory: builtins.str,
         branch: builtins.str,
-        task: _Task_9fa875b6,
         version_file: builtins.str,
         github_release: typing.Optional[builtins.bool] = None,
+        task: typing.Optional[_Task_9fa875b6] = None,
+        tasks: typing.Optional[typing.Sequence[_Task_9fa875b6]] = None,
         workflow_node_version: typing.Optional[builtins.str] = None,
         workflow_permissions: typing.Optional[typing.Union[_JobPermissions_3b5b53dc, typing.Dict[builtins.str, typing.Any]]] = None,
     ) -> None:
         '''(experimental) Options for ``Release``.
 
+        :param bump_package: (experimental) The ``commit-and-tag-version`` compatible package used to bump the package version, as a dependency string. This can be any compatible package version, including the deprecated ``standard-version@9``. Default: - A recent version of "commit-and-tag-version"
         :param jsii_release_version: (experimental) Version requirement of ``publib`` which is used to publish modules to npm. Default: "latest"
         :param major_version: (experimental) Major version to release from the default branch. If this is specified, we bump the latest version of this major version line. If not specified, we bump the global latest version. Default: - Major version is not enforced.
         :param min_major_version: (experimental) Minimal Major version to release. This can be useful to set to 1, as breaking changes before the 1.x major release are not incrementing the major version number. Can not be set together with ``majorVersion``. Default: - No minimum version is being enforced
+        :param next_version_command: (experimental) A shell command to control the next version to release. If present, this shell command will be run before the bump is executed, and it determines what version to release. It will be executed in the following environment: - Working directory: the project directory. - ``$VERSION``: the current version. Looks like ``1.2.3``. - ``$LATEST_TAG``: the most recent tag. Looks like ``prefix-v1.2.3``, or may be unset. - ``$SUGGESTED_BUMP``: the suggested bump action based on commits. One of ``major|minor|patch|none``. The command should print one of the following to ``stdout``: - Nothing: the next version number will be determined based on commit history. - ``x.y.z``: the next version number will be ``x.y.z``. - ``major|minor|patch``: the next version number will be the current version number with the indicated component bumped. This setting cannot be specified together with ``minMajorVersion``; the invoked script can be used to achieve the effects of ``minMajorVersion``. Default: - The next version will be determined based on the commit history and project settings.
         :param npm_dist_tag: (experimental) The npmDistTag to use when publishing from the default branch. To set the npm dist-tag for release branches, set the ``npmDistTag`` property for each branch. Default: "latest"
         :param post_build_steps: (experimental) Steps to execute after build as part of the release workflow. Default: []
         :param prerelease: (experimental) Bump versions from the default branch as pre-releases (e.g. "beta", "alpha", "pre"). Default: - normal semantic versions
@@ -4405,24 +5043,27 @@ class ReleaseOptions(ReleaseProjectOptions):
         :param publish_tasks: (experimental) Define publishing tasks that can be executed manually as well as workflows. Normally, publishing only happens within automated workflows. Enable this in order to create a publishing task for each publishing activity. Default: false
         :param releasable_commits: (experimental) Find commits that should be considered releasable Used to decide if a release is required. Default: ReleasableCommits.everyCommit()
         :param release_branches: (experimental) Defines additional release branches. A workflow will be created for each release branch which will publish releases from commits in this branch. Each release branch *must* be assigned a major version number which is used to enforce that versions published from that branch always use that major version. If multiple branches are used, the ``majorVersion`` field must also be provided for the default branch. Default: - no additional branches are used for release. you can use ``addBranch()`` to add additional branches.
+        :param release_environment: (experimental) The GitHub Actions environment used for the release. This can be used to add an explicit approval step to the release or limit who can initiate a release through environment protection rules. When multiple artifacts are released, the environment can be overwritten on a per artifact basis. Default: - no environment used, unless set at the artifact level
         :param release_every_commit: (deprecated) Automatically release new versions every commit to one of branches in ``releaseBranches``. Default: true
         :param release_failure_issue: (experimental) Create a github issue on every failed publishing task. Default: false
         :param release_failure_issue_label: (experimental) The label to apply to issues indicating publish failures. Only applies if ``releaseFailureIssue`` is true. Default: "failed-release"
         :param release_schedule: (deprecated) CRON schedule to trigger new releases. Default: - no scheduled releases
         :param release_tag_prefix: (experimental) Automatically add the given prefix to release tags. Useful if you are releasing on multiple branches with overlapping version numbers. Note: this prefix is used to detect the latest tagged version when bumping, so if you change this on a project with an existing version history, you may need to manually tag your latest release with the new prefix. Default: "v"
         :param release_trigger: (experimental) The release trigger to use. Default: - Continuous releases (``ReleaseTrigger.continuous()``)
+        :param release_workflow_env: (experimental) Build environment variables for release workflows. Default: {}
         :param release_workflow_name: (experimental) The name of the default release workflow. Default: "release"
         :param release_workflow_setup_steps: (experimental) A set of workflow steps to execute in order to setup the workflow container.
-        :param versionrc_options: (experimental) Custom configuration used when creating changelog with standard-version package. Given values either append to default configuration or overwrite values in it. Default: - standard configuration applicable for GitHub repositories
+        :param versionrc_options: (experimental) Custom configuration used when creating changelog with commit-and-tag-version package. Given values either append to default configuration or overwrite values in it. Default: - standard configuration applicable for GitHub repositories
         :param workflow_container_image: (experimental) Container image to use for GitHub workflows. Default: - default image
         :param workflow_runs_on: (experimental) Github Runner selection labels. Default: ["ubuntu-latest"]
         :param workflow_runs_on_group: (experimental) Github Runner Group selection options.
         :param artifacts_directory: (experimental) A directory which will contain build artifacts. Default: "dist"
         :param branch: (experimental) The default branch name to release from. Use ``majorVersion`` to restrict this branch to only publish releases with a specific major version. You can add additional branches using ``addBranch()``.
-        :param task: (experimental) The task to execute in order to create the release artifacts. Artifacts are expected to reside under ``artifactsDirectory`` (defaults to ``dist/``) once build is complete.
         :param version_file: (experimental) A name of a .json file to set the ``version`` field in after a bump.
         :param github_release: (experimental) Create a GitHub release for each release. Default: true
-        :param workflow_node_version: (experimental) Node version to setup in GitHub workflows if any node-based CLI utilities are needed. For example ``publib``, the CLI projen uses to publish releases, is an npm library. Default: 18.x
+        :param task: (deprecated) The task to execute in order to create the release artifacts. Artifacts are expected to reside under ``artifactsDirectory`` (defaults to ``dist/``) once build is complete.
+        :param tasks: (experimental) The tasks to execute in order to create the release artifacts. Artifacts are expected to reside under ``artifactsDirectory`` (defaults to ``dist/``) once build is complete.
+        :param workflow_node_version: (experimental) Node version to setup in GitHub workflows if any node-based CLI utilities are needed. For example ``publib``, the CLI projen uses to publish releases, is an npm library. Default: "lts/*""
         :param workflow_permissions: (experimental) Permissions granted to the release workflow job. Default: ``{ contents: JobPermission.WRITE }``
 
         :stability: experimental
@@ -4433,9 +5074,11 @@ class ReleaseOptions(ReleaseProjectOptions):
             workflow_permissions = _JobPermissions_3b5b53dc(**workflow_permissions)
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__abcbb9106f2fe858c4efa7a5934906e63b00b56fa33c47c5f910dac2a904f472)
+            check_type(argname="argument bump_package", value=bump_package, expected_type=type_hints["bump_package"])
             check_type(argname="argument jsii_release_version", value=jsii_release_version, expected_type=type_hints["jsii_release_version"])
             check_type(argname="argument major_version", value=major_version, expected_type=type_hints["major_version"])
             check_type(argname="argument min_major_version", value=min_major_version, expected_type=type_hints["min_major_version"])
+            check_type(argname="argument next_version_command", value=next_version_command, expected_type=type_hints["next_version_command"])
             check_type(argname="argument npm_dist_tag", value=npm_dist_tag, expected_type=type_hints["npm_dist_tag"])
             check_type(argname="argument post_build_steps", value=post_build_steps, expected_type=type_hints["post_build_steps"])
             check_type(argname="argument prerelease", value=prerelease, expected_type=type_hints["prerelease"])
@@ -4443,12 +5086,14 @@ class ReleaseOptions(ReleaseProjectOptions):
             check_type(argname="argument publish_tasks", value=publish_tasks, expected_type=type_hints["publish_tasks"])
             check_type(argname="argument releasable_commits", value=releasable_commits, expected_type=type_hints["releasable_commits"])
             check_type(argname="argument release_branches", value=release_branches, expected_type=type_hints["release_branches"])
+            check_type(argname="argument release_environment", value=release_environment, expected_type=type_hints["release_environment"])
             check_type(argname="argument release_every_commit", value=release_every_commit, expected_type=type_hints["release_every_commit"])
             check_type(argname="argument release_failure_issue", value=release_failure_issue, expected_type=type_hints["release_failure_issue"])
             check_type(argname="argument release_failure_issue_label", value=release_failure_issue_label, expected_type=type_hints["release_failure_issue_label"])
             check_type(argname="argument release_schedule", value=release_schedule, expected_type=type_hints["release_schedule"])
             check_type(argname="argument release_tag_prefix", value=release_tag_prefix, expected_type=type_hints["release_tag_prefix"])
             check_type(argname="argument release_trigger", value=release_trigger, expected_type=type_hints["release_trigger"])
+            check_type(argname="argument release_workflow_env", value=release_workflow_env, expected_type=type_hints["release_workflow_env"])
             check_type(argname="argument release_workflow_name", value=release_workflow_name, expected_type=type_hints["release_workflow_name"])
             check_type(argname="argument release_workflow_setup_steps", value=release_workflow_setup_steps, expected_type=type_hints["release_workflow_setup_steps"])
             check_type(argname="argument versionrc_options", value=versionrc_options, expected_type=type_hints["versionrc_options"])
@@ -4457,23 +5102,27 @@ class ReleaseOptions(ReleaseProjectOptions):
             check_type(argname="argument workflow_runs_on_group", value=workflow_runs_on_group, expected_type=type_hints["workflow_runs_on_group"])
             check_type(argname="argument artifacts_directory", value=artifacts_directory, expected_type=type_hints["artifacts_directory"])
             check_type(argname="argument branch", value=branch, expected_type=type_hints["branch"])
-            check_type(argname="argument task", value=task, expected_type=type_hints["task"])
             check_type(argname="argument version_file", value=version_file, expected_type=type_hints["version_file"])
             check_type(argname="argument github_release", value=github_release, expected_type=type_hints["github_release"])
+            check_type(argname="argument task", value=task, expected_type=type_hints["task"])
+            check_type(argname="argument tasks", value=tasks, expected_type=type_hints["tasks"])
             check_type(argname="argument workflow_node_version", value=workflow_node_version, expected_type=type_hints["workflow_node_version"])
             check_type(argname="argument workflow_permissions", value=workflow_permissions, expected_type=type_hints["workflow_permissions"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
             "artifacts_directory": artifacts_directory,
             "branch": branch,
-            "task": task,
             "version_file": version_file,
         }
+        if bump_package is not None:
+            self._values["bump_package"] = bump_package
         if jsii_release_version is not None:
             self._values["jsii_release_version"] = jsii_release_version
         if major_version is not None:
             self._values["major_version"] = major_version
         if min_major_version is not None:
             self._values["min_major_version"] = min_major_version
+        if next_version_command is not None:
+            self._values["next_version_command"] = next_version_command
         if npm_dist_tag is not None:
             self._values["npm_dist_tag"] = npm_dist_tag
         if post_build_steps is not None:
@@ -4488,6 +5137,8 @@ class ReleaseOptions(ReleaseProjectOptions):
             self._values["releasable_commits"] = releasable_commits
         if release_branches is not None:
             self._values["release_branches"] = release_branches
+        if release_environment is not None:
+            self._values["release_environment"] = release_environment
         if release_every_commit is not None:
             self._values["release_every_commit"] = release_every_commit
         if release_failure_issue is not None:
@@ -4500,6 +5151,8 @@ class ReleaseOptions(ReleaseProjectOptions):
             self._values["release_tag_prefix"] = release_tag_prefix
         if release_trigger is not None:
             self._values["release_trigger"] = release_trigger
+        if release_workflow_env is not None:
+            self._values["release_workflow_env"] = release_workflow_env
         if release_workflow_name is not None:
             self._values["release_workflow_name"] = release_workflow_name
         if release_workflow_setup_steps is not None:
@@ -4514,11 +5167,28 @@ class ReleaseOptions(ReleaseProjectOptions):
             self._values["workflow_runs_on_group"] = workflow_runs_on_group
         if github_release is not None:
             self._values["github_release"] = github_release
+        if task is not None:
+            self._values["task"] = task
+        if tasks is not None:
+            self._values["tasks"] = tasks
         if workflow_node_version is not None:
             self._values["workflow_node_version"] = workflow_node_version
         if workflow_permissions is not None:
             self._values["workflow_permissions"] = workflow_permissions
 
+    @builtins.property
+    def bump_package(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The ``commit-and-tag-version`` compatible package used to bump the package version, as a dependency string.
+
+        This can be any compatible package version, including the deprecated ``standard-version@9``.
+
+        :default: - A recent version of "commit-and-tag-version"
+
+        :stability: experimental
+        '''
+        result = self._values.get("bump_package")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def jsii_release_version(self) -> typing.Optional[builtins.str]:
         '''(experimental) Version requirement of ``publib`` which is used to publish modules to npm.
@@ -4560,6 +5230,36 @@ class ReleaseOptions(ReleaseProjectOptions):
         result = self._values.get("min_major_version")
         return typing.cast(typing.Optional[jsii.Number], result)
 
+    @builtins.property
+    def next_version_command(self) -> typing.Optional[builtins.str]:
+        '''(experimental) A shell command to control the next version to release.
+
+        If present, this shell command will be run before the bump is executed, and
+        it determines what version to release. It will be executed in the following
+        environment:
+
+        - Working directory: the project directory.
+        - ``$VERSION``: the current version. Looks like ``1.2.3``.
+        - ``$LATEST_TAG``: the most recent tag. Looks like ``prefix-v1.2.3``, or may be unset.
+        - ``$SUGGESTED_BUMP``: the suggested bump action based on commits. One of ``major|minor|patch|none``.
+
+        The command should print one of the following to ``stdout``:
+
+        - Nothing: the next version number will be determined based on commit history.
+        - ``x.y.z``: the next version number will be ``x.y.z``.
+        - ``major|minor|patch``: the next version number will be the current version number
+          with the indicated component bumped.
+
+        This setting cannot be specified together with ``minMajorVersion``; the invoked
+        script can be used to achieve the effects of ``minMajorVersion``.
+
+        :default: - The next version will be determined based on the commit history and project settings.
+
+        :stability: experimental
+        '''
+        result = self._values.get("next_version_command")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def npm_dist_tag(self) -> typing.Optional[builtins.str]:
         '''(experimental) The npmDistTag to use when publishing from the default branch.
@@ -4655,6 +5355,23 @@ class ReleaseOptions(ReleaseProjectOptions):
         result = self._values.get("release_branches")
         return typing.cast(typing.Optional[typing.Mapping[builtins.str, BranchOptions]], result)
 
+    @builtins.property
+    def release_environment(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The GitHub Actions environment used for the release.
+
+        This can be used to add an explicit approval step to the release
+        or limit who can initiate a release through environment protection rules.
+
+        When multiple artifacts are released, the environment can be overwritten
+        on a per artifact basis.
+
+        :default: - no environment used, unless set at the artifact level
+
+        :stability: experimental
+        '''
+        result = self._values.get("release_environment")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def release_every_commit(self) -> typing.Optional[builtins.bool]:
         '''(deprecated) Automatically release new versions every commit to one of branches in ``releaseBranches``.
@@ -4732,6 +5449,19 @@ class ReleaseOptions(ReleaseProjectOptions):
         result = self._values.get("release_trigger")
         return typing.cast(typing.Optional[ReleaseTrigger], result)
 
+    @builtins.property
+    def release_workflow_env(
+        self,
+    ) -> typing.Optional[typing.Mapping[builtins.str, builtins.str]]:
+        '''(experimental) Build environment variables for release workflows.
+
+        :default: {}
+
+        :stability: experimental
+        '''
+        result = self._values.get("release_workflow_env")
+        return typing.cast(typing.Optional[typing.Mapping[builtins.str, builtins.str]], result)
+
     @builtins.property
     def release_workflow_name(self) -> typing.Optional[builtins.str]:
         '''(experimental) The name of the default release workflow.
@@ -4758,7 +5488,7 @@ class ReleaseOptions(ReleaseProjectOptions):
     def versionrc_options(
         self,
     ) -> typing.Optional[typing.Mapping[builtins.str, typing.Any]]:
-        '''(experimental) Custom configuration used when creating changelog with standard-version package.
+        '''(experimental) Custom configuration used when creating changelog with commit-and-tag-version package.
 
         Given values either append to default configuration or overwrite values in it.
 
@@ -4831,20 +5561,6 @@ class ReleaseOptions(ReleaseProjectOptions):
         assert result is not None, "Required property 'branch' is missing"
         return typing.cast(builtins.str, result)
 
-    @builtins.property
-    def task(self) -> _Task_9fa875b6:
-        '''(experimental) The task to execute in order to create the release artifacts.
-
-        Artifacts are
-        expected to reside under ``artifactsDirectory`` (defaults to ``dist/``) once
-        build is complete.
-
-        :stability: experimental
-        '''
-        result = self._values.get("task")
-        assert result is not None, "Required property 'task' is missing"
-        return typing.cast(_Task_9fa875b6, result)
-
     @builtins.property
     def version_file(self) -> builtins.str:
         '''(experimental) A name of a .json file to set the ``version`` field in after a bump.
@@ -4870,6 +5586,34 @@ class ReleaseOptions(ReleaseProjectOptions):
         result = self._values.get("github_release")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def task(self) -> typing.Optional[_Task_9fa875b6]:
+        '''(deprecated) The task to execute in order to create the release artifacts.
+
+        Artifacts are
+        expected to reside under ``artifactsDirectory`` (defaults to ``dist/``) once
+        build is complete.
+
+        :deprecated: Use ``tasks`` instead
+
+        :stability: deprecated
+        '''
+        result = self._values.get("task")
+        return typing.cast(typing.Optional[_Task_9fa875b6], result)
+
+    @builtins.property
+    def tasks(self) -> typing.Optional[typing.List[_Task_9fa875b6]]:
+        '''(experimental) The tasks to execute in order to create the release artifacts.
+
+        Artifacts are
+        expected to reside under ``artifactsDirectory`` (defaults to ``dist/``) once
+        build is complete.
+
+        :stability: experimental
+        '''
+        result = self._values.get("tasks")
+        return typing.cast(typing.Optional[typing.List[_Task_9fa875b6]], result)
+
     @builtins.property
     def workflow_node_version(self) -> typing.Optional[builtins.str]:
         '''(experimental) Node version to setup in GitHub workflows if any node-based CLI utilities are needed.
@@ -4877,7 +5621,7 @@ class ReleaseOptions(ReleaseProjectOptions):
         For example ``publib``, the CLI projen uses to publish releases,
         is an npm library.
 
-        :default: 18.x
+        :default: "lts/*""
 
         :stability: experimental
         '''
@@ -4940,6 +5684,7 @@ publication.publish()
 def _typecheckingstub__6f62eb98000deee3820f046309b2262c5063c0cb9581232fd1a44731f86986d7(
     *,
     major_version: jsii.Number,
+    environment: typing.Optional[builtins.str] = None,
     min_major_version: typing.Optional[jsii.Number] = None,
     minor_version: typing.Optional[jsii.Number] = None,
     npm_dist_tag: typing.Optional[builtins.str] = None,
@@ -4962,6 +5707,7 @@ def _typecheckingstub__9a328fe64db40633fedae889a7376e6885e1983f57d171d4f4ef85af6
 
 def _typecheckingstub__9603f09b67279d5ef3dc921367168d873983210161b1d6382c369d0b9ec13b0a(
     *,
+    github_environment: typing.Optional[builtins.str] = None,
     post_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     pre_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     publish_tools: typing.Optional[typing.Union[_Tools_75b93a2a, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -4978,6 +5724,7 @@ def _typecheckingstub__95b36779f92c5190c3ac9d8a636a537bfe6ebc844a55942ee5dfc0a96
 
 def _typecheckingstub__c7008ba35b00dedc375d87db7a317e8f077475b6a4e334303337c92bb77171fb(
     *,
+    github_environment: typing.Optional[builtins.str] = None,
     post_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     pre_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     publish_tools: typing.Optional[typing.Union[_Tools_75b93a2a, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -5002,13 +5749,13 @@ def _typecheckingstub__d5537e1435c9eea568279fa140de950e1b7275db307b3741959861863
 
 def _typecheckingstub__81a5b8a4f17bcea99089b42477d5b778fd3a9066d3d1126736ccf21a9c44bfbc(
     *,
+    github_environment: typing.Optional[builtins.str] = None,
     post_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     pre_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     publish_tools: typing.Optional[typing.Union[_Tools_75b93a2a, typing.Dict[builtins.str, typing.Any]]] = None,
     git_branch: typing.Optional[builtins.str] = None,
     git_commit_message: typing.Optional[builtins.str] = None,
     github_deploy_key_secret: typing.Optional[builtins.str] = None,
-    github_repo: typing.Optional[builtins.str] = None,
     github_token_secret: typing.Optional[builtins.str] = None,
     github_use_ssh: typing.Optional[builtins.bool] = None,
     git_user_email: typing.Optional[builtins.str] = None,
@@ -5019,13 +5766,13 @@ def _typecheckingstub__81a5b8a4f17bcea99089b42477d5b778fd3a9066d3d1126736ccf21a9
 
 def _typecheckingstub__44bae65cd3313afa37ada6dbaab99141ff7744458e985bc9c53faa021220e167(
     *,
+    github_environment: typing.Optional[builtins.str] = None,
     post_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     pre_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     publish_tools: typing.Optional[typing.Union[_Tools_75b93a2a, typing.Dict[builtins.str, typing.Any]]] = None,
     git_branch: typing.Optional[builtins.str] = None,
     git_commit_message: typing.Optional[builtins.str] = None,
     github_deploy_key_secret: typing.Optional[builtins.str] = None,
-    github_repo: typing.Optional[builtins.str] = None,
     github_token_secret: typing.Optional[builtins.str] = None,
     github_use_ssh: typing.Optional[builtins.bool] = None,
     git_user_email: typing.Optional[builtins.str] = None,
@@ -5045,6 +5792,7 @@ def _typecheckingstub__2492d83058b766179e85fd785d08928e38b53ce70b0f2dc9a1c5edccb
 
 def _typecheckingstub__da2d55bfa47dd9e6869b7f55b573dea54539ab2e9b833766e4140d6d4c4c3d7e(
     *,
+    github_environment: typing.Optional[builtins.str] = None,
     post_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     pre_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     publish_tools: typing.Optional[typing.Union[_Tools_75b93a2a, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -5062,6 +5810,7 @@ def _typecheckingstub__da2d55bfa47dd9e6869b7f55b573dea54539ab2e9b833766e4140d6d4
 
 def _typecheckingstub__458289050585e6e895f9ee709ee4e102166b0f71e3c8b2a0617efa2d24e990fb(
     *,
+    github_environment: typing.Optional[builtins.str] = None,
     post_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     pre_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     publish_tools: typing.Optional[typing.Union[_Tools_75b93a2a, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -5070,17 +5819,21 @@ def _typecheckingstub__458289050585e6e895f9ee709ee4e102166b0f71e3c8b2a0617efa2d2
     npm_provenance: typing.Optional[builtins.bool] = None,
     npm_token_secret: typing.Optional[builtins.str] = None,
     registry: typing.Optional[builtins.str] = None,
+    trusted_publishing: typing.Optional[builtins.bool] = None,
 ) -> None:
     """Type checking stubs"""
     pass
 
 def _typecheckingstub__584d4125e43e970396e9062b357de30ef32a6d1b30bd3a0f00fc7db041ea0bec(
     *,
+    github_environment: typing.Optional[builtins.str] = None,
     post_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     pre_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     publish_tools: typing.Optional[typing.Union[_Tools_75b93a2a, typing.Dict[builtins.str, typing.Any]]] = None,
     nuget_api_key_secret: typing.Optional[builtins.str] = None,
     nuget_server: typing.Optional[builtins.str] = None,
+    nuget_username_secret: typing.Optional[builtins.str] = None,
+    trusted_publishing: typing.Optional[builtins.bool] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -5138,10 +5891,13 @@ def _typecheckingstub__4e430972b008e5968049196f964ee9dfa036c68b2195f125119bc2629
 
 def _typecheckingstub__f90cd44def59be822b686bcd759d7f0a910b9936ca8acc0ef3e69cda5ddc21d2(
     *,
+    github_environment: typing.Optional[builtins.str] = None,
     post_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     pre_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     publish_tools: typing.Optional[typing.Union[_Tools_75b93a2a, typing.Dict[builtins.str, typing.Any]]] = None,
+    attestations: typing.Optional[builtins.bool] = None,
     code_artifact_options: typing.Optional[typing.Union[CodeArtifactOptions, typing.Dict[builtins.str, typing.Any]]] = None,
+    trusted_publishing: typing.Optional[builtins.bool] = None,
     twine_password_secret: typing.Optional[builtins.str] = None,
     twine_registry_url: typing.Optional[builtins.str] = None,
     twine_username_secret: typing.Optional[builtins.str] = None,
@@ -5154,14 +5910,17 @@ def _typecheckingstub__b447ecb34d36869391ee159467e6c78b74da704722d4c6a517e05bbae
     *,
     artifacts_directory: builtins.str,
     branch: builtins.str,
-    task: _Task_9fa875b6,
     version_file: builtins.str,
     github_release: typing.Optional[builtins.bool] = None,
+    task: typing.Optional[_Task_9fa875b6] = None,
+    tasks: typing.Optional[typing.Sequence[_Task_9fa875b6]] = None,
     workflow_node_version: typing.Optional[builtins.str] = None,
     workflow_permissions: typing.Optional[typing.Union[_JobPermissions_3b5b53dc, typing.Dict[builtins.str, typing.Any]]] = None,
+    bump_package: typing.Optional[builtins.str] = None,
     jsii_release_version: typing.Optional[builtins.str] = None,
     major_version: typing.Optional[jsii.Number] = None,
     min_major_version: typing.Optional[jsii.Number] = None,
+    next_version_command: typing.Optional[builtins.str] = None,
     npm_dist_tag: typing.Optional[builtins.str] = None,
     post_build_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     prerelease: typing.Optional[builtins.str] = None,
@@ -5169,12 +5928,14 @@ def _typecheckingstub__b447ecb34d36869391ee159467e6c78b74da704722d4c6a517e05bbae
     publish_tasks: typing.Optional[builtins.bool] = None,
     releasable_commits: typing.Optional[_ReleasableCommits_d481ce10] = None,
     release_branches: typing.Optional[typing.Mapping[builtins.str, typing.Union[BranchOptions, typing.Dict[builtins.str, typing.Any]]]] = None,
+    release_environment: typing.Optional[builtins.str] = None,
     release_every_commit: typing.Optional[builtins.bool] = None,
     release_failure_issue: typing.Optional[builtins.bool] = None,
     release_failure_issue_label: typing.Optional[builtins.str] = None,
     release_schedule: typing.Optional[builtins.str] = None,
     release_tag_prefix: typing.Optional[builtins.str] = None,
     release_trigger: typing.Optional[ReleaseTrigger] = None,
+    release_workflow_env: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
     release_workflow_name: typing.Optional[builtins.str] = None,
     release_workflow_setup_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     versionrc_options: typing.Optional[typing.Mapping[builtins.str, typing.Any]] = None,
@@ -5195,6 +5956,7 @@ def _typecheckingstub__e0f66d9106b15a88644bb5efb62c4d4d18bb7c7b73bb22b904010a8a6
     branch: builtins.str,
     *,
     major_version: jsii.Number,
+    environment: typing.Optional[builtins.str] = None,
     min_major_version: typing.Optional[jsii.Number] = None,
     minor_version: typing.Optional[jsii.Number] = None,
     npm_dist_tag: typing.Optional[builtins.str] = None,
@@ -5213,9 +5975,11 @@ def _typecheckingstub__e8df2839c98abec4e8a1e84ad0fc953b4051cdf361a30544804281bc9
 
 def _typecheckingstub__cc5e99254de9f29d2ac3b86e193164816e1ed36e491e602128e7d16fb86aa377(
     *,
+    bump_package: typing.Optional[builtins.str] = None,
     jsii_release_version: typing.Optional[builtins.str] = None,
     major_version: typing.Optional[jsii.Number] = None,
     min_major_version: typing.Optional[jsii.Number] = None,
+    next_version_command: typing.Optional[builtins.str] = None,
     npm_dist_tag: typing.Optional[builtins.str] = None,
     post_build_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     prerelease: typing.Optional[builtins.str] = None,
@@ -5223,12 +5987,14 @@ def _typecheckingstub__cc5e99254de9f29d2ac3b86e193164816e1ed36e491e602128e7d16fb
     publish_tasks: typing.Optional[builtins.bool] = None,
     releasable_commits: typing.Optional[_ReleasableCommits_d481ce10] = None,
     release_branches: typing.Optional[typing.Mapping[builtins.str, typing.Union[BranchOptions, typing.Dict[builtins.str, typing.Any]]]] = None,
+    release_environment: typing.Optional[builtins.str] = None,
     release_every_commit: typing.Optional[builtins.bool] = None,
     release_failure_issue: typing.Optional[builtins.bool] = None,
     release_failure_issue_label: typing.Optional[builtins.str] = None,
     release_schedule: typing.Optional[builtins.str] = None,
     release_tag_prefix: typing.Optional[builtins.str] = None,
     release_trigger: typing.Optional[ReleaseTrigger] = None,
+    release_workflow_env: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
     release_workflow_name: typing.Optional[builtins.str] = None,
     release_workflow_setup_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     versionrc_options: typing.Optional[typing.Mapping[builtins.str, typing.Any]] = None,
@@ -5248,6 +6014,7 @@ def _typecheckingstub__629cc7488dbd6e87168962d964694e088625a8e208d09e45c120eac7e
 
 def _typecheckingstub__370b478ebba8352e12c41a67b57d5954055dba8a6ceae59144e72607fdc6df41(
     *,
+    github_environment: typing.Optional[builtins.str] = None,
     post_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     pre_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     publish_tools: typing.Optional[typing.Union[_Tools_75b93a2a, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -5265,6 +6032,7 @@ def _typecheckingstub__370b478ebba8352e12c41a67b57d5954055dba8a6ceae59144e72607f
 
 def _typecheckingstub__a34680d3cf9e2cc6374987796717402a524a0bb377e9172f0707da67450b3239(
     *,
+    github_environment: typing.Optional[builtins.str] = None,
     post_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     pre_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     publish_tools: typing.Optional[typing.Union[_Tools_75b93a2a, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -5273,27 +6041,34 @@ def _typecheckingstub__a34680d3cf9e2cc6374987796717402a524a0bb377e9172f0707da674
     npm_provenance: typing.Optional[builtins.bool] = None,
     npm_token_secret: typing.Optional[builtins.str] = None,
     registry: typing.Optional[builtins.str] = None,
+    trusted_publishing: typing.Optional[builtins.bool] = None,
 ) -> None:
     """Type checking stubs"""
     pass
 
 def _typecheckingstub__14abe6d299c2354a8f22a08788f088aafaa8acf2b85b20f297416346274a9b96(
     *,
+    github_environment: typing.Optional[builtins.str] = None,
     post_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     pre_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     publish_tools: typing.Optional[typing.Union[_Tools_75b93a2a, typing.Dict[builtins.str, typing.Any]]] = None,
     nuget_api_key_secret: typing.Optional[builtins.str] = None,
     nuget_server: typing.Optional[builtins.str] = None,
+    nuget_username_secret: typing.Optional[builtins.str] = None,
+    trusted_publishing: typing.Optional[builtins.bool] = None,
 ) -> None:
     """Type checking stubs"""
     pass
 
 def _typecheckingstub__0fa7c01cc40634bf771011bf4e8ddb9e3be28efd1b3f15b5d0768a4e810d37bc(
     *,
+    github_environment: typing.Optional[builtins.str] = None,
     post_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     pre_publish_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     publish_tools: typing.Optional[typing.Union[_Tools_75b93a2a, typing.Dict[builtins.str, typing.Any]]] = None,
+    attestations: typing.Optional[builtins.bool] = None,
     code_artifact_options: typing.Optional[typing.Union[CodeArtifactOptions, typing.Dict[builtins.str, typing.Any]]] = None,
+    trusted_publishing: typing.Optional[builtins.bool] = None,
     twine_password_secret: typing.Optional[builtins.str] = None,
     twine_registry_url: typing.Optional[builtins.str] = None,
     twine_username_secret: typing.Optional[builtins.str] = None,
@@ -5303,9 +6078,11 @@ def _typecheckingstub__0fa7c01cc40634bf771011bf4e8ddb9e3be28efd1b3f15b5d0768a4e8
 
 def _typecheckingstub__abcbb9106f2fe858c4efa7a5934906e63b00b56fa33c47c5f910dac2a904f472(
     *,
+    bump_package: typing.Optional[builtins.str] = None,
     jsii_release_version: typing.Optional[builtins.str] = None,
     major_version: typing.Optional[jsii.Number] = None,
     min_major_version: typing.Optional[jsii.Number] = None,
+    next_version_command: typing.Optional[builtins.str] = None,
     npm_dist_tag: typing.Optional[builtins.str] = None,
     post_build_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     prerelease: typing.Optional[builtins.str] = None,
@@ -5313,12 +6090,14 @@ def _typecheckingstub__abcbb9106f2fe858c4efa7a5934906e63b00b56fa33c47c5f910dac2a
     publish_tasks: typing.Optional[builtins.bool] = None,
     releasable_commits: typing.Optional[_ReleasableCommits_d481ce10] = None,
     release_branches: typing.Optional[typing.Mapping[builtins.str, typing.Union[BranchOptions, typing.Dict[builtins.str, typing.Any]]]] = None,
+    release_environment: typing.Optional[builtins.str] = None,
     release_every_commit: typing.Optional[builtins.bool] = None,
     release_failure_issue: typing.Optional[builtins.bool] = None,
     release_failure_issue_label: typing.Optional[builtins.str] = None,
     release_schedule: typing.Optional[builtins.str] = None,
     release_tag_prefix: typing.Optional[builtins.str] = None,
     release_trigger: typing.Optional[ReleaseTrigger] = None,
+    release_workflow_env: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
     release_workflow_name: typing.Optional[builtins.str] = None,
     release_workflow_setup_steps: typing.Optional[typing.Sequence[typing.Union[_JobStep_c3287c05, typing.Dict[builtins.str, typing.Any]]]] = None,
     versionrc_options: typing.Optional[typing.Mapping[builtins.str, typing.Any]] = None,
@@ -5327,9 +6106,10 @@ def _typecheckingstub__abcbb9106f2fe858c4efa7a5934906e63b00b56fa33c47c5f910dac2a
     workflow_runs_on_group: typing.Optional[typing.Union[_GroupRunnerOptions_148c59c1, typing.Dict[builtins.str, typing.Any]]] = None,
     artifacts_directory: builtins.str,
     branch: builtins.str,
-    task: _Task_9fa875b6,
     version_file: builtins.str,
     github_release: typing.Optional[builtins.bool] = None,
+    task: typing.Optional[_Task_9fa875b6] = None,
+    tasks: typing.Optional[typing.Sequence[_Task_9fa875b6]] = None,
     workflow_node_version: typing.Optional[builtins.str] = None,
     workflow_permissions: typing.Optional[typing.Union[_JobPermissions_3b5b53dc, typing.Dict[builtins.str, typing.Any]]] = None,
 ) -> None: