From 4bafdb978199f3ffbe67841d4a9447a9c99a4682 Mon Sep 17 00:00:00 2001
From: Matt Kane <mkane@cloudflare.com>
Date: Wed, 1 Apr 2026 12:01:32 +0100
Subject: [PATCH] Add publish CI with OIDC trusted publishing and changesets

---
 .changeset/config.json            |  1 +
 .github/workflows/release.yml     | 52 +++++++++++++++++++++++++++++++
 .npmrc                            |  1 +
 docs/package.json                 |  1 +
 packages/marketplace/package.json |  1 +
 5 files changed, 56 insertions(+)
 create mode 100644 .github/workflows/release.yml

diff --git a/.changeset/config.json b/.changeset/config.json
index 958dae2..e3a4633 100644
--- a/.changeset/config.json
+++ b/.changeset/config.json
@@ -12,5 +12,6 @@
 	"access": "public",
 	"baseBranch": "main",
 	"updateInternalDependencies": "patch",
+	"bumpVersionsWithWorkspaceProtocolOnly": true,
 	"ignore": ["@demo/*"]
 }
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..30264e0
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,52 @@
+name: Release
+
+on:
+  push:
+    branches:
+      - main
+
+concurrency: ${{ github.workflow }}-${{ github.ref }}
+
+jobs:
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
+      pull-requests: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: lts/*
+          cache: pnpm
+          registry-url: https://registry.npmjs.org
+
+      - name: Install dependencies
+        run: pnpm install
+
+      - name: Build packages
+        run: pnpm build
+
+      - name: Update npm
+        run: npm install -g npm@latest
+
+      - name: Create Release Pull Request or Publish
+        id: changesets
+        uses: changesets/action@v1
+        with:
+          version: pnpm changeset version
+          publish: pnpm changeset publish
+          commit: "ci: release"
+          title: "ci: release"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.npmrc b/.npmrc
index 6c59086..84923f7 100644
--- a/.npmrc
+++ b/.npmrc
@@ -1 +1,2 @@
 enable-pre-post-scripts=true
+provenance=true
diff --git a/docs/package.json b/docs/package.json
index 28e620f..57628c8 100644
--- a/docs/package.json
+++ b/docs/package.json
@@ -1,5 +1,6 @@
 {
   "name": "docs",
+  "private": true,
   "type": "module",
   "version": "0.0.1",
   "scripts": {
diff --git a/packages/marketplace/package.json b/packages/marketplace/package.json
index 4c4347f..f649ddc 100644
--- a/packages/marketplace/package.json
+++ b/packages/marketplace/package.json
@@ -1,6 +1,7 @@
 {
   "name": "@emdash-cms/marketplace",
   "version": "0.0.1",
+  "private": true,
   "description": "Plugin marketplace Worker for EmDash CMS",
   "type": "module",
   "main": "src/index.ts",