From 1d8ff0c222a4fd082c42facc14bee1656b29cfb5 Mon Sep 17 00:00:00 2001
From: Haseeb Ahmad <haseeb.ahmad@mapbox.com>
Date: Wed, 24 Jun 2026 12:22:30 +0200
Subject: [PATCH] CLOUDPLAT-3162: add npm OIDC publish workflow

https://mapbox.atlassian.net/browse/CLOUDPLAT-3162
---
 .github/workflows/npm-release.yml | 15 +++++++++++++++
 CONTRIBUTING.md                   | 18 +++++++++++++++++-
 package.json                      |  5 ++++-
 3 files changed, 36 insertions(+), 2 deletions(-)
 create mode 100644 .github/workflows/npm-release.yml

diff --git a/.github/workflows/npm-release.yml b/.github/workflows/npm-release.yml
new file mode 100644
index 0000000..ba2ea44
--- /dev/null
+++ b/.github/workflows/npm-release.yml
@@ -0,0 +1,15 @@
+name: NPM release
+
+on:
+  workflow_dispatch:
+
+jobs:
+  npm-release:
+    uses: mapbox/gha-public/.github/workflows/workflow-npm-oidc-publish.yml@main
+    permissions:
+      id-token: write
+      contents: write
+    with:
+      create-github-release: true
+      environment: npm-release
+      run-tests: false
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 4ee8951..debc073 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -20,4 +20,20 @@ We also use [`clang-tidy`](https://clang.llvm.org/extra/clang-tidy/) as a C++ li
 
 	make tidy
 
-These commands are set from within [the Makefile](./Makefile).
\ No newline at end of file
+These commands are set from within [the Makefile](./Makefile).
+
+## Releasing a new version
+
+Releases are published to npm via GitHub Actions.
+
+### Steps
+
+1. **Bump the version** in `package.json` (follow [semver](https://semver.org))
+2. **Update `CHANGELOG.md`** with a summary of what changed
+3. **Open a PR**, get it reviewed and merged to `main`
+4. **Trigger the release** from the [Actions tab](../../actions/workflows/npm-release.yml):
+   - Select **NPM release** → **Run workflow** → run from `main`
+
+The workflow will publish to npm and create a GitHub release with auto-generated notes.
+
+> **Note:** Only Mapbox maintainers with write access to this repository can trigger the release workflow. External contributors can open and contribute to PRs, but releases are always cut by the owning team.
diff --git a/package.json b/package.json
index 95d6661..fe1e246 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@mapbox/node-cpp-skel",
-  "version": "0.2.0",
+  "version": "0.2.1",
   "description": "Skeleton for bindings to C++ libraries for Node.js using N-API (node-addon-api)",
   "url": "http://github.com/mapbox/node-cpp-skel",
   "main": "./lib/index.js",
@@ -33,5 +33,8 @@
     "host": "https://mapbox-node-binary.s3.amazonaws.com",
     "remote_path": "./{name}/v{version}/{configuration}/{toolset}/",
     "package_name": "{platform}-{arch}.tar.gz"
+  },
+  "publishConfig": {
+    "access": "public"
   }
 }