Merge pull request #173 from lambda-curry/changeset-release/main #172

	name: Release

	on:
	push:
	branches:
	- main

	concurrency: ${{ github.workflow }}-${{ github.ref }}

	permissions:
	id-token: write # Required for OIDC trusted publishing
	contents: read

	jobs:
	release:
	name: Release
	runs-on: ubuntu-latest
	steps:
	- name: Checkout Repo
	uses: actions/checkout@v4

	- name: Setup Node.js
	uses: actions/setup-node@v4
	with:
	node-version: '22'
	registry-url: 'https://registry.npmjs.org'
	# registry-url enables OIDC authentication for npm publish

	- name: Enable Corepack
	run: corepack enable

	- name: Install Correct Yarn Version
	run: corepack prepare yarn@4.9.1 --activate

	- name: Install Dependencies
	run: yarn install --immutable

	- name: Verify npm and OIDC setup
	run: \|
	echo "npm version: $(npm --version)"
	echo "Node version: $(node --version)"
	# Check if we're in a GitHub Actions OIDC environment
	if [ -n "$ACTIONS_ID_TOKEN_REQUEST_URL" ]; then
	echo "✓ OIDC environment detected"
	else
	echo "⚠ OIDC environment not detected"
	fi

	- name: Create Release Pull Request or Publish to npm
	id: changesets
	uses: changesets/action@v1
	with:
	# This expects you to have a script called release which does a build for your packages and calls changeset publish
	publish: yarn release
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	# No NPM_TOKEN needed - using trusted publishing via OIDC
	# The registry-url in setup-node@v4 enables OIDC authentication
	# npm CLI 11.5.1+ automatically detects OIDC and uses it for publish

Provide feedback