From bb9b9d8444859a6869c1018e0286e014593516b1 Mon Sep 17 00:00:00 2001
From: Haseeb Ahmad <haseeb.ahmad@mapbox.com>
Date: Wed, 24 Jun 2026 11:59:54 +0200
Subject: [PATCH] CLOUDPLAT-3162: add npm OIDC publish workflow

https://mapbox.atlassian.net/browse/CLOUDPLAT-3162
---
 .github/workflows/npm-release.yml | 15 +++++++++++++++
 CONTRIBUTING.md                   | 18 +++++++++++++++++-
 package.json                      |  5 ++++-
 3 files changed, 36 insertions(+), 2 deletions(-)
 create mode 100644 .github/workflows/npm-release.yml

diff --git a/.github/workflows/npm-release.yml b/.github/workflows/npm-release.yml
new file mode 100644
index 0000000..ba2ea44
--- /dev/null
+++ b/.github/workflows/npm-release.yml
@@ -0,0 +1,15 @@
+name: NPM release
+
+on:
+  workflow_dispatch:
+
+jobs:
+  npm-release:
+    uses: mapbox/gha-public/.github/workflows/workflow-npm-oidc-publish.yml@main
+    permissions:
+      id-token: write
+      contents: write
+    with:
+      create-github-release: true
+      environment: npm-release
+      run-tests: false
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 97a91c5..2745def 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -20,4 +20,20 @@ We also use [`clang-tidy`](https://clang.llvm.org/extra/clang-tidy/) as a C++ li
 
 	make tidy
 
-These commands are set from within [the Makefile](./Makefile).
\ No newline at end of file
+These commands are set from within [the Makefile](./Makefile).
+
+## Releasing a new version
+
+Releases are published to npm via GitHub Actions.
+
+### Steps
+
+1. **Bump the version** in `package.json` (follow [semver](https://semver.org))
+2. **Update `CHANGELOG.md`** with a summary of what changed
+3. **Open a PR**, get it reviewed and merged to `master`
+4. **Trigger the release** from the [Actions tab](../../actions/workflows/npm-release.yml):
+   - Select **NPM release** → **Run workflow** → run from `master`
+
+The workflow will publish to npm and create a GitHub release with auto-generated notes.
+
+> **Note:** Only Mapbox maintainers with write access to this repository can trigger the release workflow. External contributors can open and contribute to PRs, but releases are always cut by the owning team.
diff --git a/package.json b/package.json
index 5514615..708c4a6 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@mapbox/vtvalidate",
-  "version": "0.3.1",
+  "version": "0.3.2",
   "description": "Simply checks if a vector tile contains valid/invalid geometries",
   "url": "http://github.com/mapbox/vtvalidate",
   "main": "./lib/index.js",
@@ -38,5 +38,8 @@
     "host": "https://mapbox-node-binary.s3.amazonaws.com",
     "remote_path": "./{name}/v{version}/{configuration}/{toolset}/",
     "package_name": "{platform}-{arch}.tar.gz"
+  },
+  "publishConfig": {
+    "access": "public"
   }
 }