📦 Release Process
This document outlines the release process for CSP Kit using Changesets and conventional commits.
Overview
CSP Kit uses:
- Changesets for version management and changelog generation
- Conventional Commits for standardized commit messages
- GitHub Actions for automated CI/CD and releases
- Package-scoped tags (e.g.,
@csp-kit/generator@1.0.0) for better monorepo support
Release Types
1. Regular Release (Automated)
The standard release flow is fully automated:
-
Development Phase
- Developers create feature branches
- Make changes using conventional commits
- Add changesets for their changes
- Submit PRs to
mainbranch
-
Changeset Creation
# Add a changeset for your changes
pnpm changeset
# Select packages affected
# Choose version bump type (patch/minor/major)
# Write a summary of changes -
Automated Release PR
- When changes with changesets are merged to
main - GitHub Actions creates a "Version Packages" PR
- This PR updates versions and changelogs
- Review and merge when ready to release
- When changes with changesets are merged to
-
Automatic Publishing
- Merging the release PR triggers publishing
- Packages are published to npm
- GitHub releases are created automatically
- Package-specific tags are created
2. Manual Package Release
For releasing specific packages manually:
- Go to Actions → Release workflow
- Click "Run workflow"
- Select the package to release (or leave empty for all)
- Click "Run workflow"
3. Emergency Release
For critical fixes:
# Create changeset with patch bump
pnpm changeset
# Select affected packages
# Choose "patch" for version bump
# Add description: "Emergency fix for [issue]"
# Commit and push
git add .
git commit -m "fix: emergency fix for critical issue"
git push
# Fast-track the release PR
Conventional Commits
Commit Format
<type>(<scope>): <subject>
[optional body]
[optional footer(s)]
Types
feat: New feature → Minor version bumpfix: Bug fix → Patch version bumpdocs: Documentation changesstyle: Code style changes (formatting, etc.)refactor: Code refactoringperf: Performance improvementstest: Test additions/changesbuild: Build system changesci: CI/CD changeschore: Other changesrevert: Revert a previous commit
Scopes
Valid scopes (enforced by commitlint):
generator,data,cli,ui(packages)web,docs(apps)deps,release,config,ci,root(other)
Examples
# Feature
git commit -m "feat(generator): add support for new CSP directive"
# Bug fix
git commit -m "fix(data): correct Google Analytics CSP rules"
# Breaking change (triggers major version)
git commit -m "feat(generator)!: change API to use service objects
BREAKING CHANGE: generateCSP now requires service objects instead of strings"
# Using commitizen (interactive)
pnpm commit
Version Management
Package Versioning
- Packages can be versioned independently
- Each package maintains its own version
- Internal dependencies are updated automatically
Version Bump Guidelines
| Change Type | Version Bump | When to Use |
|---|---|---|
| Patch | 1.0.0 → 1.0.1 | Bug fixes, documentation |
| Minor | 1.0.0 → 1.1.0 | New features, non-breaking changes |
| Major | 1.0.0 → 2.0.0 | Breaking changes |
Breaking Changes
Mark breaking changes clearly:
- Use
!after type:feat!:orfix!: - Add
BREAKING CHANGE:in commit body - Document migration path in changeset
Changeset Workflow
Adding a Changeset
# Interactive mode
pnpm changeset
# Follow prompts:
# 1. Select changed packages (space to select, enter to confirm)
# 2. Choose version bump for each package
# 3. Write a summary (this becomes the changelog entry)
Changeset Best Practices
- One changeset per feature/fix
- Clear, user-focused summaries
- Link to issues/PRs: Use
#123format - Group related changes
Example Changeset
---
'@csp-kit/generator': minor
'@csp-kit/data': patch
---
Add support for Cloudflare Turnstile service (#123)
- Added new Cloudflare Turnstile service definition
- Updated generator to handle challenge-response directives
- Fixed typing issue in service configuration
CI/CD Pipeline
Pull Request Checks
- Lint: Code quality checks
- Type Check: TypeScript validation
- Tests: Unit test suite
- Build: Verify build artifacts
- Commit Lint: Validate commit messages
- Format Check: Prettier formatting
Release Pipeline
- Changeset Bot: Comments on PRs about changesets
- Version PR: Auto-created when changesets exist
- Publishing: Triggered by merging version PR
- GitHub Releases: Created with changelogs
- npm Publishing: With provenance disabled
Pre-release Checklist
- All CI checks passing
- Changesets added for all changes
- Documentation updated if needed
- Breaking changes clearly marked
- Migration guide written (if breaking)
- Version PR reviewed
Post-release Steps
- Verify npm packages: Check all packages published correctly
- Verify GitHub releases: Ensure releases created with changelogs
- Update documentation site: If needed
- Announce release: If major version or significant features
Troubleshooting
Failed Publish
- Check npm authentication:
npm whoami - Verify
NPM_TOKENsecret in GitHub - Check for npm registry issues
- Retry with manual workflow
Missing Changesets
# Add changeset after the fact
pnpm changeset
# Commit and push
git add .changeset
git commit -m "chore: add missing changeset"
git push
Version Conflicts
- Pull latest changes:
git pull - Regenerate changesets:
pnpm changeset version - Resolve conflicts in package.json files
- Commit and push
Rollback Procedure
If a release has critical issues:
-
Deprecate on npm (don't unpublish):
npm deprecate @csp-kit/package@version "Critical issue, use previous version" -
Create fix:
- Fix the issue
- Add changeset
- Fast-track release
-
Document issue:
- Create GitHub issue
- Add to release notes
- Notify users if needed
Release Schedule
- Regular releases: As needed when changes accumulate
- Security fixes: Immediate release
- Major versions: Coordinate with documentation updates
Access Requirements
npm Access
- Publish access to
@csp-kitscope - 2FA enabled on npm account
GitHub Access
- Write access to repository
- Access to GitHub Actions secrets