@andrew-fleming andrew-fleming commented Dec 12, 2025

Fixes #6. Supersedes #19.

Summary by CodeRabbit

  • Documentation

    • Added release process documentation describing how to initiate releases, select version bump types (patch/minor/major), and manage the automated workflow from testing through npm publishing.
  • Chores

    • Implemented automated release workflow for consistent package deployment.
    • Made CLI and simulator packages publicly available on npm.


@andrew-fleming andrew-fleming requested review from a team as code owners December 12, 2025 02:34

coderabbitai bot commented Dec 12, 2025

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

Introduces an automated release workflow for two npm packages (compact-tools-cli and compact-tools-simulator) with semantic version bumping, testing, and publishing to npm. Package visibility is updated by removing private flags, enabling public distribution. Release documentation guides maintainers through the manual workflow-dispatch trigger and automated steps.

Changes

| Cohort / File(s) | Change Summary |
|---|---|
| Release Automation Infrastructure: .github/workflows/release.yml | New GitHub Actions workflow implementing package-agnostic release orchestration: handles workflow_dispatch inputs for package selection and SemVer bump type, executes environment setup, testing, building, version bumping via yarn, git tagging, and npm publishing with token authentication |
| Release Documentation: RELEASING.md | New documentation detailing manual release process: navigating GitHub Actions UI, selecting package and bump type, awaiting maintainer approval, and post-publish GitHub release creation from generated tags |
| Package Visibility Updates: packages/cli/package.json, packages/simulator/package.json | Removed "private": true field from both packages to enable public npm distribution |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Areas requiring extra attention:

  • Release workflow security: Verify NPM_TOKEN is properly masked and not logged in workflow outputs
  • Package directory resolution logic: Confirm conditional package path mapping correctly resolves for both packages
  • Version management flow: Validate yarn version command execution, version capture, and tag creation sequence
  • Git operations: Ensure commit message formatting, tag naming conventions, and potential error handling for existing tags/branches

Poem

📦 A workflow born, in YAML's embrace,
Two packages ready to find their place,
With buttons to click and versions to bump,
Automation's leap over the maintenance hump,
Hop-hop to npm, our packages go free! 🐰

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)
| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Title check | ❓ Inconclusive | The title 'Add release' is vague and generic. While it relates to the changeset, it lacks specificity about what release functionality is being added. | Consider using a more descriptive title such as 'Add GitHub Actions release workflow for npm packages' to better clarify the scope of changes. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Linked Issues check | ✅ Passed | The pull request successfully implements the core requirement from issue #6 by adding a complete GitHub Actions release workflow that automates packaging and publishing for two packages (compact-tools-cli and compact-tools-simulator) to npm. |
| Out of Scope Changes check | ✅ Passed | All changes are directly related to the release workflow objective: the GitHub Actions workflow automates releases, the RELEASING.md documents the process, and package.json modifications remove 'private' flags to enable npm publishing. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
RELEASING.md (1)

7-8: Use hyphens for compound adjectives.

Compound adjectives modifying nouns should be hyphenated. Apply this diff:

-   - **Patch** - Backward compatible bug fixes.
+   - **Patch** - Backward-compatible bug fixes.
-   - **Minor** - New functionality in a backward compatible way.
+   - **Minor** - New functionality in a backward-compatible way.
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ed4131c and 23e2608.

📒 Files selected for processing (4)
  • .github/workflows/release.yml (1 hunks)
  • RELEASING.md (1 hunks)
  • packages/cli/package.json (0 hunks)
  • packages/simulator/package.json (0 hunks)
💤 Files with no reviewable changes (2)
  • packages/simulator/package.json
  • packages/cli/package.json
🧰 Additional context used
🪛 LanguageTool
RELEASING.md

[uncategorized] ~7-~7: If this is a compound adjective that modifies the following noun, use a hyphen.
Context: ...(https://semver.org/): - Patch - Backward compatible bug fixes. - Minor - New functio...

(EN_COMPOUND_ADJECTIVE_INTERNAL)


[grammar] ~8-~8: Use a hyphen to join words.
Context: ...inor** - New functionality in a backward compatible way. - Major - Breakin...

(QB_NEW_EN_HYPHEN)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: semgrep-cloud-platform/scan
🔇 Additional comments (5)
.github/workflows/release.yml (5)

63-73: Verify yarn version command syntax.

The command at line 67 uses a positional argument, but yarn version expects a named flag. Verify that the correct syntax is used:

-          yarn version ${{ inputs.version_bump }}
+          yarn version --${{ inputs.version_bump }}
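Review bot: The `+` line's `--${{ inputs.version_bump }}` form is Yarn classic syntax; this review reports Yarn 4.10.3 further down, and there the bump strategy is a positional argument (`yarn version patch`), so the `-` line is the one that matches the toolchain in use. On either line, consider passing the input through a step-level `env:` variable and quoting it in the script rather than expanding `${{ inputs.version_bump }}` directly into the shell command.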

This would produce yarn version --patch, yarn version --minor, or yarn version --major depending on the input.


78-83: Confirm git-auto-commit-action pushes tags.

The git-auto-commit-action is configured to commit and tag the version bump. Verify that the action also pushes the tag to the remote repository, as the workflow doesn't explicitly call git push after tagging.


60-61: Build artifacts must be committed or available for publishing.

The build step (line 60-61) compiles the package, but the subsequent commit (line 78-83) only includes package.json. Verify that the compiled artifacts (dist, lib, or equivalent) are either:

  1. Generated at build time and included in the npm package via the files field in package.json, or
  2. Committed to the repository

Without this, publishing may fail or distribute incomplete artifacts.


37-91: LGTM! Workflow structure is sound.

The overall workflow design is well-structured:

  • Environment approval gate (compact-npm-prod) provides security oversight for releases
  • Action versions are pinned to commit hashes (good supply-chain security practice)
  • Comprehensive steps: test → build → version → verify → tag → publish
  • NPM_TOKEN is correctly isolated in the publish step using env
  • The package directory mapping correctly handles multiple packages from a monorepo
  • Dry-run pack verification catches issues before publishing

Once the yarn version syntax is confirmed, this should provide a reliable release pipeline.


85-91: All npm publish configuration is correct.

The --provenance flag is fully supported in Yarn 4.10.3 (which exceeds the required Yarn v4.9.0+), and the flag works correctly in GitHub Actions contexts. The compact-npm-prod environment is properly configured with approval requirements, and the NPM_TOKEN secret is correctly passed to the publish step.

Contributor Author

@andrew-fleming andrew-fleming left a comment

The changes look good @emnul! Just left a question

Comment on lines 9 to 10
permissions: read-all

Contributor Author

Does this need to be read-all? read is more restrictive unless I'm missing something

Contributor

You're totally right. I misunderstood what read-all does
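The checks discussed in this review (actions pinned to commit hashes, `NPM_TOKEN` confined to the publish step, and the `read-all` question in the thread above) can be run mechanically before a workflow is merged. The following is an added example, not code from this PR or from CodeRabbit: a line-based audit over a constructed workflow, since the PR's `release.yml` is not shown on this page. `audit_workflow`, the rule names and the sample file are assumptions made for illustration.

```python
import re

# Constructed sample, not the PR's release.yml (which this page does not show).
SAMPLE = """\
name: release
on: workflow_dispatch
permissions: read-all
jobs:
  publish:
    runs-on: ubuntu-latest
    environment: compact-npm-prod
    env:
      NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - run: yarn npm publish --provenance
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

PINNED = re.compile(r"@[0-9a-f]{40}$")  # reference ends in a full commit SHA
USES = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
BROAD = re.compile(r"^\s*permissions:\s*(read-all|write-all)$")

def audit_workflow(text):
    """Return (line_no, rule, detail) findings; assumes steps are indented under `steps:`."""
    findings, steps_indent = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split(" #", 1)[0].rstrip()  # drop trailing YAML comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if steps_indent is not None and indent <= steps_indent:
            steps_indent = None  # a key at job depth or above ends the steps list
        if line.strip() == "steps:":
            steps_indent = indent
        if (m := USES.match(line)):
            ref = m.group(1).strip("'\"")
            if not ref.startswith(("./", "docker://")) and not PINNED.search(ref):
                findings.append((no, "unpinned-action", ref))
        if (m := BROAD.match(line)):
            findings.append((no, "broad-permissions", m.group(1)))
        if "secrets." in line and steps_indent is None:
            findings.append((no, "secret-outside-step", line.strip()))
    return findings

if __name__ == "__main__":
    print(*audit_workflow(SAMPLE), sep="\n")
```

On the constructed sample it reports the workflow-wide `read-all` grant, the job-level copy of `NPM_TOKEN`, and the tag-pinned checkout action, while the step-level secret and the SHA-pinned action pass.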

@@ -1,6 +1,5 @@
{
"name": "@openzeppelin/compact-tools-cli",
"private": true,
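Review bot: With `"private": true` dropped from `@openzeppelin/compact-tools-cli`, the visible part of this manifest no longer says how the package is meant to be published. Consider adding a `publishConfig` block with an explicit `access` value and a `files` allow-list alongside this removal, so the scoped package's visibility and tarball contents are decided in package.json rather than by publish-time defaults.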
Member

Not sure if we should still remove this. Because I think the name of the package will be a bit misleading, I was thinking to leave this private and if we are we follow the proposal I had regarding compact-tools, wdyt?

Contributor

@emnul emnul Dec 16, 2025

Let's discuss this in a separate PR / Issue to avoid blocking it.

@@ -1,6 +1,5 @@
{
"name": "@openzeppelin/compact-tools-simulator",
"private": true,
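Review bot: Removing `"private": true` on this line makes `@openzeppelin/compact-tools-simulator` the name the first publish will claim, and a published npm package cannot be renamed, only deprecated in favour of a new one. If the name is still open, keep the `private` flag on this package until it is settled, or leave it out of the packages the release workflow can select.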
Member

The same here, but more specifically for those packages I think it's better to remove the -tools- word from the name to be @openzeppelin/compact-simulator, wdyt?

Contributor

@son-oz son-oz left a comment

Not sure if there's anything else that needs to be added function-wise but LGTM.

@emnul emnul merged commit 1301ca6 into main Dec 16, 2025
10 checks passed
@emnul emnul deleted the add-release branch December 16, 2025 20:46
@emnul emnul mentioned this pull request Dec 19, 2025
Development

Successfully merging this pull request may close these issues.

Add release workflow

5 participants