
Release engineering: npm publish, provenance, CDN, dry-run, security #42

Description

@jjeff

Scope

Everything required to flip from "alpha tarball" to "published 2.0.0".

Deliverables

  • Decide final package name & npm scope (e.g., `resortable` vs `@jjeff/resortable`); reserve on npm.
  • Set `npmPublish: true` in `.releaserc.json`, store `NPM_TOKEN` secret.
  • Enable npm provenance (`id-token: write` is already in `release.yml`).
  • `semantic-release --dry-run` clean from `main`, `develop`, `alpha`.
  • Confirm UMD reachable via unpkg + jsDelivr after first publish.
  • `npm audit` clean; add dependency-review CI workflow.
  • Verify MIT license headers, add NOTICE crediting upstream Sortable.js.
  • Cut `2.0.0-beta.1` from `develop`, run community feedback cycle.
  • `2.0.0-rc.1` once beta has no blockers, then 2.0.0.
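
An added example, not part of the issue or the project's code: a preflight that checks the publish-related deliverables above against the parsed `package.json`, the parsed `.releaserc.json` and the text of `release.yml`. The function names and all sample inputs are assumptions constructed for illustration.

```javascript
// Added example, not the project's code. Inputs are the parsed package.json,
// the parsed .releaserc.json and the raw text of release.yml.
function npmPluginOptions(releaserc) {
  // A semantic-release plugin entry is either "name" or ["name", { options }].
  for (const entry of releaserc.plugins || []) {
    if (Array.isArray(entry) && entry[0] === '@semantic-release/npm') return entry[1] || {};
  }
  return {};
}

function releasePreflight({ pkg, releaserc, workflowText }) {
  const problems = [];
  // A plugin-level npmPublish takes precedence over a top-level one.
  const npmPublish = npmPluginOptions(releaserc).npmPublish ?? releaserc.npmPublish;
  if (npmPublish !== true) problems.push('npmPublish is not set to true');
  if (pkg.private === true) problems.push('package.json is marked private');
  // npm publishes scoped packages as restricted unless access is set to public.
  if (pkg.name.startsWith('@') && pkg.publishConfig?.access !== 'public') {
    problems.push('scoped package without publishConfig.access = "public"');
  }
  // Provenance needs the OIDC permission and an opt-in (publishConfig or env var).
  if (!/^\s*id-token:\s*write\s*$/m.test(workflowText)) {
    problems.push('workflow lacks "id-token: write"');
  }
  const provenanceOptIn = pkg.publishConfig?.provenance === true ||
    /NPM_CONFIG_PROVENANCE:\s*["']?true\b/.test(workflowText);
  if (!provenanceOptIn) problems.push('provenance is not enabled');
  // The token must come from the secret store, never from a literal in the file.
  if (!/\$\{\{\s*secrets\.NPM_TOKEN\s*\}\}/.test(workflowText)) {
    problems.push('workflow does not read NPM_TOKEN from secrets');
  }
  return problems;
}

// Constructed sample input (not the repository's real files).
const sampleWorkflow = [
  'permissions:',
  '  contents: write',
  '  id-token: write',
  'env:',
  '  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}',
].join('\n');
const sampleAlpha = {
  pkg: { name: '@jjeff/resortable' },
  releaserc: { plugins: [['@semantic-release/npm', { npmPublish: false }]] },
  workflowText: sampleWorkflow,
};
console.log(releasePreflight(sampleAlpha));
```

An empty array means every check passed; the checks are textual, so they complement rather than replace `semantic-release --dry-run`.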


Labels: release-blocker (Blocks v2.0.0 release), release-eng (Release engineering / publishing)
