From 9367c4fc71e237641933da883c1f1d479423afc4 Mon Sep 17 00:00:00 2001
From: Anthony Lukach
Date: Mon, 25 May 2026 09:49:25 -0700
Subject: [PATCH 1/2] ci: add Release Please workflow for automated releases

Introduce Release Please to manage version bumps, CHANGELOG generation, git tags, and GitHub releases based on Conventional Commits landing on main. When the Release PR merges, a second job publishes to npm with provenance. Required follow-up before the first Release PR can merge: add an NPM_TOKEN repo secret (granular access token with "Bypass 2FA on publish" enabled, scoped to @developmentseed/stac-react).

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/release.yml | 53 +++++++++++++++++++++++++++++++++++
 .release-please-manifest.json | 3 ++
 release-please-config.json | 25 +++++++++++++++++
 3 files changed, 81 insertions(+)
 create mode 100644 .github/workflows/release.yml
 create mode 100644 .release-please-manifest.json
 create mode 100644 release-please-config.json
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..531cf04
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,53 @@
+name: Release
+
+on:
+ push:
+ branches:
+ - main
+
+permissions:
+ contents: write
+ pull-requests: write
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+
+jobs:
+ release-please:
+ runs-on: ubuntu-latest
+ outputs:
+ release_created: ${{ steps.release.outputs.release_created }}
+ steps:
+ - name: Run release-please
+ id: release
+ uses: googleapis/release-please-action@8b8fd2cc23b2e18957157a9d923d75aa0c6f6ad5 # v4
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ config-file: release-please-config.json
+ manifest-file: .release-please-manifest.json
+
+ publish:
+ needs: release-please
+ if: ${{ needs.release-please.outputs.release_created == 'true' }}
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ id-token: write
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+ - name: Use Node.js
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+ with:
+ node-version-file: '.nvmrc'
+ registry-url: 'https://registry.npmjs.org'
+
+ - name: Install
+ run: corepack enable && yarn install
+
+ - name: Publish to npm
+ run: npm publish --access public --provenance
+ env:
+ NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/.release-please-manifest.json b/.release-please-manifest.json
new file mode 100644
index 0000000..65abc64
--- /dev/null
+++ b/.release-please-manifest.json
@@ -0,0 +1,3 @@
+{
+ ".": "1.0.0-alpha.3"
+}
diff --git a/release-please-config.json b/release-please-config.json
new file mode 100644
index 0000000..0d70e0c
--- /dev/null
+++ b/release-please-config.json
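Review bot: The `publish` job's `run: corepack enable && yarn install` step does not enforce the lockfile, so the dependency tree that `npm publish` packs (and that any prepublish build runs against) can drift from what was reviewed, which undermines the provenance the job is minting; in a publishing job use `yarn install --immutable` (Yarn 2+; `--frozen-lockfile` on Yarn 1 — which one applies depends on the `packageManager` field Corepack reads, not visible here). The `npm publish` step also presumes a lifecycle hook such as `prepack`/`prepublishOnly` builds the package — that hook lives in package.json and is not in this patch, so confirm it exists or add an explicit build step before publishing. The `concurrency` block deliberately omits `cancel-in-progress`, which is right for a release workflow but easy to "fix" later; a one-line comment, `# no cancel-in-progress: an in-flight publish must never be interrupted`, would protect that choice.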
@@ -0,0 +1,25 @@
+{
+ "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json",
+ "packages": {
+ ".": {
+ "release-type": "node",
+ "package-name": "@developmentseed/stac-react",
+ "prerelease": true,
+ "include-component-in-tag": false,
+ "changelog-sections": [
+ { "type": "feat", "section": "Features" },
+ { "type": "fix", "section": "Bug Fixes" },
+ { "type": "perf", "section": "Performance Improvements" },
+ { "type": "revert", "section": "Reverts" },
+ { "type": "refactor", "section": "Code Refactoring" },
+ { "type": "deps", "section": "Dependencies" },
+ { "type": "docs", "section": "Documentation", "hidden": true },
+ { "type": "style", "section": "Styles", "hidden": true },
+ { "type": "chore", "section": "Miscellaneous Chores", "hidden": true },
+ { "type": "test", "section": "Tests", "hidden": true },
+ { "type": "build", "section": "Build System", "hidden": true },
+ { "type": "ci", "section": "Continuous Integration", "hidden": true }
+ ]
+ }
+ }
+}
From e90233a81041f0b2c5f7ffa467174ed7e8fde61b Mon Sep 17 00:00:00 2001
From: Anthony Lukach
Date: Mon, 25 May 2026 09:57:00 -0700
Subject: [PATCH 2/2] ci: use npm trusted publishing instead of NPM_TOKEN

Switch from token-based npm auth to OIDC-based trusted publishing. The publish job exchanges its GitHub OIDC token for short-lived npm credentials, removing the need for a long-lived NPM_TOKEN secret (with 2FA-bypass) and making provenance automatic. Requires npm >= 11.5.1; Node 22 ships with npm 10.x, so add a step to install the latest npm before publishing. Also requires configuring the trusted publisher on npmjs.com to point at this workflow file and repo.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/release.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 531cf04..b8fb6a2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -44,10 +44,11 @@ jobs:
 node-version-file: '.nvmrc'
 registry-url: 'https://registry.npmjs.org'
+ - name: Install latest npm for trusted publishing
+ run: npm install -g npm@latest
+
 - name: Install
 run: corepack enable && yarn install
 - name: Publish to npm
 run: npm publish --access public --provenance
- env:
- NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
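Review bot: `npm install -g npm@latest` pulls an unpinned npm from the registry at publish time, so the very tool that authenticates via OIDC and produces the provenance attestation is whatever `latest` resolves to on the day of the release, while every action in this workflow is pinned to a commit SHA. Pin an explicit, reviewed version and bump it deliberately — the description names 11.5.1 as the minimum, so `run: npm install -g npm@11.5.1` (or a newer version you have vetted) is the smallest change. The `--provenance` flag on the publish line appears redundant now that the description says provenance is automatic under trusted publishing, though it is harmless to keep. A comment on the new step, `# trusted publishing (OIDC): no NODE_AUTH_TOKEN; needs npm >= 11.5.1 and a trusted publisher on npmjs.com pointing at this workflow file`, would stop a future reader from re-introducing a long-lived token. The enclosing `publish` job, including the `id-token: write` grant this relies on, starts outside the hunk.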