From 30a8bddc0db4708656a7eb241dae7beb03351738 Mon Sep 17 00:00:00 2001 From: Braxton Ward Date: Wed, 11 Feb 2026 11:03:19 -0900 Subject: [PATCH] chore: update to publish on github release with npm trusted publishing --- .github/workflows/deploy.yml | 48 ----------------------------------- .github/workflows/publish.yml | 28 ++++++++++++++++++++ docs/RELEASE.md | 35 +++++++++++++++++++++++++ 3 files changed, 63 insertions(+), 48 deletions(-) delete mode 100644 .github/workflows/deploy.yml create mode 100644 .github/workflows/publish.yml create mode 100644 docs/RELEASE.md diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml deleted file mode 100644 index 2c86491..0000000 --- a/.github/workflows/deploy.yml +++ /dev/null @@ -1,48 +0,0 @@ -name: publish - -on: - push: - branches: master - paths: package.json - workflow_dispatch: - -jobs: - npm: - runs-on: ubuntu-latest - permissions: - contents: read - packages: write - steps: - - uses: actions/checkout@v4 - - name: node - uses: actions/setup-node@v3 - with: - node-version-file: '.nvmrc' - registry-url: 'https://registry.npmjs.org' - cache: npm - - - name: Install Dependencies - run: npm ci - - name: Publish - run: npm publish --access public - env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_AUTH_TOKEN }} - tag: - needs: npm - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v4 - - name: node - uses: actions/setup-node@v3 - - name: tag - uses: actions/github-script@v6 - with: - script: | - const { version } = require('./package.json') - github.rest.git.createRef({ - owner: context.repo.owner, - repo: context.repo.repo, - ref: `refs/tags/${version}`, - sha: context.sha - }) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml new file mode 100644 index 0000000..6aeda22 --- /dev/null +++ b/.github/workflows/publish.yml 
@@ -0,0 +1,28 @@
+name: publish
+
+on:
+ release:
+ types: [published]
+
+jobs:
+ npm:
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ contents: read
+ packages: write
+ steps:
+ - uses: actions/checkout@v4
+ - name: node
+ uses: actions/setup-node@v3
+ with:
+ node-version-file: ".nvmrc"
+ registry-url: "https://registry.npmjs.org"
+ cache: npm
+
+ - name: Set version from release tag
+ run: npm version "${GITHUB_REF_NAME#v}" --no-git-tag-version
+ - name: Install Dependencies
+ run: npm ci
+ - name: Publish
+ run: npm publish --access public
diff --git a/docs/RELEASE.md b/docs/RELEASE.md
new file mode 100644
index 0000000..00b18ad
--- /dev/null
+++ b/docs/RELEASE.md
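Review bot: The `uses:` lines in the npm job reference mutable tags (`actions/checkout@v4`, `actions/setup-node@v3`), and because this job holds `id-token: write` and is the registered trusted publisher, a retargeted or compromised tag would be able to publish the package under this repository's identity; pin each action to a full commit SHA with the version kept in a trailing comment, and move off `setup-node@v3`, which runs on a deprecated Node action runtime. `packages: write` grants GitHub Packages write access that nothing in this workflow uses (it publishes to registry.npmjs.org), so drop it and leave the job at `id-token: write` plus `contents: read`. Because any published release now produces an npm publish, consider binding the job to a GitHub environment (`environment: npm-publish` — placeholder name) with required reviewers and registering that environment name in the npm trusted-publisher settings, so a token is only minted for approved runs. Trusted publishing also depends on a sufficiently recent npm CLI (11.5.1 or later, as far as I recall from npm's docs); if the Node version in `.nvmrc` bundles an older npm, the `npm publish` step fails for lack of credentials, so either assert the npm version or upgrade it in an earlier step. The old workflow's `NPM_AUTH_TOKEN` secret is no longer referenced anywhere and should be revoked on npm and removed from the repository secrets.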
@@ -0,0 +1,35 @@
+# Release Process
+
+## Overview
+
+Publishing a new version of `@atomicfi/transact-javascript` to npm is driven entirely by GitHub Releases. No manual version bumps or npm commands are needed.
+
+## How to Release
+
+1. **Create a GitHub Release** in the [atomicfi/atomic-transact-javascript](https://github.com/atomicfi/atomic-transact-javascript) repository.
+2. **Set the tag** to the desired version (e.g., `3.0.11` or `v3.0.11`). A leading `v` prefix is automatically stripped.
+3. **Publish the release.** This triggers the `publish` workflow.
+
+## What Happens
+
+When a release is published, the [publish workflow](../.github/workflows/publish.yml) runs the following steps:
+
+1. **Set version** - `npm version` updates `package.json` to match the release tag.
+2. **Install dependencies** - `npm ci` installs dependencies from the lockfile.
+3. **Publish to npm** - `npm publish` publishes the package. Before publishing, the `prepublishOnly` script automatically:
+ - Runs `scripts/update-version.js` to replace the `__VERSION__` placeholder in `index.js` with the release version.
+ - Runs `tsc` to generate TypeScript declaration files.
+
+## npm Trusted Publishing
+
+This repository uses [npm trusted publishing](https://docs.npmjs.com/generating-provenance-statements) (also known as provenance-based publishing) to authenticate with npm. Instead of storing a long-lived npm access token, the workflow uses GitHub Actions' OIDC `id-token: write` permission to request a short-lived token directly from npm. This means:
+
+- No manual npm token rotation is required.
+- Published packages include provenance statements linking them back to this repository and the specific workflow run.
+- Only this repository's GitHub Actions workflows can publish to the `@atomicfi/transact-javascript` package.
+
+## Notes
+
+- The release tag is the single source of truth for the published version.
+- There is no need to manually update the version in `package.json` or `index.js`.
+- The workflow only triggers on the `release: published` event.