From 8f88a7ea2bcd2f0f5c4d90687232d199cf256a63 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mateusz=20Burzy=C5=84ski?= <mateuszburzynski@gmail.com>
Date: Mon, 23 Feb 2026 15:15:06 +0100
Subject: [PATCH 1/2] Prepare workflows for trusted publishing

---
 .github/actions/ci-setup/action.yml     | 13 ++++++---
 .github/workflows/changeset-release.yml | 26 ------------------
 .github/workflows/publish.yml           | 36 +++++++++++++++++++++++++
 3 files changed, 46 insertions(+), 29 deletions(-)
 delete mode 100644 .github/workflows/changeset-release.yml
 create mode 100644 .github/workflows/publish.yml

diff --git a/.github/actions/ci-setup/action.yml b/.github/actions/ci-setup/action.yml
index 4bb3a7e..fd57a7b 100644
--- a/.github/actions/ci-setup/action.yml
+++ b/.github/actions/ci-setup/action.yml
@@ -1,12 +1,19 @@
 name: Setup CI
 
+inputs:
+  node-version:
+    description: "Node.js version"
+    required: false
+    default: 22
+
 runs:
   using: composite
   steps:
-    - name: Setup Node.js
-      uses: actions/setup-node@v4
+    - name: Setup Node.js ${{ inputs.node-version }}
+      uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
       with:
-        node-version-file: ".node-version"
+        node-version: ${{ inputs.node-version }}
+        cache: yarn
 
     - name: Install dependencies
       shell: bash
diff --git a/.github/workflows/changeset-release.yml b/.github/workflows/changeset-release.yml
deleted file mode 100644
index e33534f..0000000
--- a/.github/workflows/changeset-release.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-name: Release
-
-on:
-  push:
-    branches:
-      - main
-
-jobs:
-  release:
-    name: Release
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-      - uses: ./.github/actions/ci-setup
-
-      - run: git branch -a
-
-      - name: "Create Pull Request or Publish to npm"
-        uses: changesets/action@v1
-        with:
-          publish: yarn release
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 0000000..a1ac17b
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,36 @@
+name: Publish
+
+on:
+  push:
+    branches:
+      - main
+
+concurrency: ${{ github.workflow }}-${{ github.ref }}
+
+permissions: {} # each job should define its own permission explicitly
+
+jobs:
+  publish:
+    name: Publish
+    if: github.repository == 'Thinkmill/manypkg'
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    permissions:
+      contents: write # to create release (changesets/action)
+      issues: write # to post issue comments (changesets/action)
+      pull-requests: write # to create pull request (changesets/action)
+      id-token: write # to use OpenID Connect token for trusted publishing (changesets/action)
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: ./.github/actions/ci-setup
+        with:
+          node-version: 24
+
+      - run: git branch -a
+
+      - name: "Create Pull Request or Publish to npm"
+        uses: changesets/action@v1
+        with:
+          publish: yarn release

From 1b4c1aac1b218b44f646266c10f038006b2987fb Mon Sep 17 00:00:00 2001
From: Emma Hamilton <git@emmas.town>
Date: Tue, 31 Mar 2026 09:56:53 +1000
Subject: [PATCH 2/2] Update publish workflow

---
 .github/workflows/publish.yml    | 48 ++++++++++++++++++++++++--------
 .github/workflows/release-pr.yml | 29 +++++++++++++++++++
 package.json                     |  2 +-
 3 files changed, 66 insertions(+), 13 deletions(-)
 create mode 100644 .github/workflows/release-pr.yml

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index a1ac17b..61ab36e 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -1,11 +1,17 @@
 name: Publish
 
 on:
-  push:
-    branches:
-      - main
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "The npm tag to publish to"
+        required: true
+        type: choice
+        options:
+          - latest
+          - test
 
-concurrency: ${{ github.workflow }}-${{ github.ref }}
+concurrency: publish
 
 permissions: {} # each job should define its own permission explicitly
 
@@ -15,10 +21,9 @@ jobs:
     if: github.repository == 'Thinkmill/manypkg'
     runs-on: ubuntu-latest
     timeout-minutes: 20
+    environment: Release
     permissions:
-      contents: write # to create release (changesets/action)
-      issues: write # to post issue comments (changesets/action)
-      pull-requests: write # to create pull request (changesets/action)
+      contents: write # to push tags
       id-token: write # to use OpenID Connect token for trusted publishing (changesets/action)
     steps:
       - uses: actions/checkout@v4
@@ -28,9 +33,28 @@ jobs:
         with:
           node-version: 24
 
-      - run: git branch -a
+      - run: yarn build
 
-      - name: "Create Pull Request or Publish to npm"
-        uses: changesets/action@v1
-        with:
-          publish: yarn release
+      - name: git config
+        run: |
+          git config --global user.name 'GitHub Actions'
+          git config --global user.email 'github-actions[bot]@users.noreply.github.com'
+
+      - name: version packages
+        if: inputs.tag != 'latest'
+        run: |
+          yarn changeset version --snapshot ${{ inputs.tag }}
+          git commit -a -m 'test'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: npm publish, git tag
+        run: yarn changeset publish --tag ${{ inputs.tag }}
+
+      # reset, then we have a tagged dangling commit
+      - name: git push
+        if: inputs.tag != 'latest'
+        run: |
+          git reset HEAD~1 --hard
+
+      - run: git push origin --tags
diff --git a/.github/workflows/release-pr.yml b/.github/workflows/release-pr.yml
new file mode 100644
index 0000000..b6b59bc
--- /dev/null
+++ b/.github/workflows/release-pr.yml
@@ -0,0 +1,29 @@
+name: Create Release PR
+
+on:
+  push:
+    branches:
+      - main
+
+concurrency: ${{ github.workflow }}-${{ github.ref }}
+
+jobs:
+  create-release-pr:
+    name: Create Release PR
+    if: github.repository == 'Thinkmill/manypkg'
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    permissions:
+      contents: write # to push for release PR (changesets/action)
+      issues: write # to post issue comments (changesets/action)
+      pull-requests: write # to create pull request (changesets/action)
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: ./.github/actions/ci-setup
+        with:
+          node-version: 24
+
+      - name: "Create Pull Request"
+        uses: changesets/action@v1
diff --git a/package.json b/package.json
index e6903c6..b2c2670 100644
--- a/package.json
+++ b/package.json
@@ -7,11 +7,11 @@
     "packages/*"
   ],
   "scripts": {
+    "build": "preconstruct build",
     "format": "prettier --write .",
     "format:check": "prettier --check .",
     "postinstall": "preconstruct dev && NODE_OPTIONS=--experimental-strip-types packages/cli/bin.js check",
     "knip": "knip",
-    "release": "preconstruct build && changeset publish",
     "test": "vitest"
   },
   "devDependencies": {