Our review

Automates the end-to-end release process for QraftBox using Taskfile tasks, including GitHub Release and npm publish.

Strengths

Standardizes release execution with a clear contract and verification checklist.
Handles common failure scenarios like auth issues or missing dependencies.
Supports both full release and scoped (GitHub-only or npm-only) operations.
Provides secure npm auth using NPM_TOKEN environment variable.

Limitations

Tightly coupled to the QraftBox repository structure and Taskfile conventions.
Assumes preconditions like clean git state and correct version in package.json.
Relies on external tools (gh, npm, bun) which must be installed and authenticated.

When to use it

When you need to perform a release or publish artifacts for the QraftBox repository after a merge.

When not to use it

When performing ad-hoc testing or debugging where a full release would be premature or risky.

name: release-workflow description: Execute QraftBox release operations end-to-end using Taskfile tasks, including GitHub Release and npm publish. Use when users ask to release, publish a version, or run post-merge release operations. allowed-tools: Bash, Read, Write, Grep, Glob

Release Workflow Skill

This skill standardizes release execution for QraftBox using the repository Taskfile.

When to Apply

Apply this skill when the user asks to:

release a merged version
publish artifacts
publish to npm
run GitHub release operations

Release Contract

In this repository, interpret an unscoped "release" request as:

GitHub Release publish
npm publish

If the user explicitly says GitHub-only or npm-only, run only the requested scope.

Preconditions

Ensure branch is up to date and clean.
Ensure package.json version is the intended release version.
Ensure required auth is valid:
- gh auth status
- npm auth/token for publish (NPM_TOKEN environment variable)
Ensure dependencies are installed: bun install.

npm Auth Standard

Use NPM_TOKEN environment variable for all npm publish flows.

export NPM_TOKEN=xxxx
TMP_NPMRC=$(mktemp)
cat > "$TMP_NPMRC" <<'EOF'
//registry.npmjs.org/:_authToken=${NPM_TOKEN}
EOF
NPM_CONFIG_USERCONFIG="$TMP_NPMRC" <publish command>
rm -f "$TMP_NPMRC"

Do not hardcode tokens in committed files.

Standard Commands

Full Release (GitHub + npm)

task release:github
task release:npm-publish

GitHub Release Only

task release:github

npm Publish Only

task release:npm
cd release/npm
NPM_CONFIG_USERCONFIG="$TMP_NPMRC" bunx npm publish --access public

Verification Checklist

After release commands finish:

Confirm GitHub release URL exists for v{version}.
Confirm tag points to expected commit on origin.
Confirm npm package/version is published.
Confirm working tree remains clean.

For npm verification, prefer direct registry metadata:

curl -s https://registry.npmjs.org/qraftbox/latest

(npm view may temporarily show stale/cached values right after publish.)

Failure Handling

If version/tag mismatch exists, fix package.json version first and commit.
If local environment was scrubbed (git clean -fdX), reinstall deps before release.
If GitHub release already exists, skip recreate and verify uploaded artifacts.
If npm publish fails due to existing version, report clearly and stop retry loops.
If task release:npm-publish fails with "npm": executable file not found, switch to:
- task release:npm
- cd release/npm && bunx npm publish --access public
If npm publish fails with EOTP:
- Use an automation/granular token that supports non-interactive publish, exported as NPM_TOKEN
- Or provide OTP and publish with --otp <code>

QraftBox Release Workflow

Recommended for