If you are moving a single-package TypeScript library off @changesets/cli
and onto forgesworn/anvil, this is the diff. Monorepo users:
anvil is single-package by design. Stay on changesets, or
split your packages into separate repos.
You need:
- A single-package library that already publishes to npm.
- Commit rights to the repo and publish rights to the package on npmjs.com.
Read the README's "Trusted publisher caveat" section first. npm's trusted publisher matches the caller workflow, not the reusable workflow. Get this wrong and you will burn an hour.
Five concrete changes.
Create .github/workflows/release.yml:
name: release
on:
release:
types: [published]
permissions:
contents: write
id-token: write
jobs:
release:
uses: forgesworn/anvil/.github/workflows/release.yml@v0If you want automatic versioning from conventional commits (closest to
the changesets experience), add .github/workflows/auto-release.yml
alongside the release.yml above. You'll also need to add a
workflow_dispatch trigger with a tag input to release.yml:
# Add to .github/workflows/release.yml triggers:
on:
release:
types: [published]
workflow_dispatch:
inputs:
tag:
description: Release tag to publish
type: string
required: true
# And pass tag through in the job:
jobs:
release:
uses: forgesworn/anvil/.github/workflows/release.yml@v0
with:
tag: ${{ inputs.tag || '' }}# .github/workflows/auto-release.yml
name: auto-release
on:
push:
branches: [main]
permissions:
contents: write
actions: write
jobs:
auto-release:
uses: forgesworn/anvil/.github/workflows/auto-release.yml@v0If your CI currently runs changeset publish or uses the
changesets/action GitHub Action, remove that workflow entirely.
git rm -r .changeset/This removes the config file and any pending changeset markdown files.
Remove changesets devDependencies:
"devDependencies": {
- "@changesets/cli": "^2.30.0",
- "@changesets/changelog-github": "^0.5.0",Remove any changeset-related scripts:
"scripts": {
- "changeset": "changeset",
- "release": "changeset publish",
- "version": "changeset version",Make sure publishConfig.provenance is set:
"publishConfig": {
"provenance": true
}Regenerates package-lock.json without the changesets tree.
On npmjs.com, go to your package's Settings -> Trusted Publishers and
add GitHub Actions:
| Field | Value |
|---|---|
| Publisher | GitHub Actions |
| Organization or user | your org or user |
| Repository | your package's repo (not forgesworn/anvil) |
| Workflow filename | release.yml (your caller workflow) |
| Environment | npm-publish |
Create a matching GitHub Environment named npm-publish if you want
required reviewers, prevent self-review, or release-ref restrictions
before npm publish.
- Bump
package.jsonversion. - Add a CHANGELOG entry under a heading containing the version number.
- Commit, push, tag (
git tag v1.2.0 && git push --tags). - Create a GitHub Release pointing at the tag.
- Watch the workflow turn green.
If you set up auto-release.yml, skip steps 1-4: just push conventional
commits to main and the workflow handles the rest.
| Before (changesets) | After (anvil) |
|---|---|
npx changeset to describe changes |
Write CHANGELOG directly (or use auto-release.yml) |
.changeset/*.md files in PRs |
No extra files |
changeset version to bump |
Manual bump (or auto-release.yml) |
changeset publish to release |
GitHub Release triggers pipeline |
| ~300 transitive deps | Zero release-tool deps |
| No OIDC, no provenance | OIDC + SLSA provenance on every publish |
| No supply-chain gates | Secret scan, exports check, reproducible builds |
- Native monorepo support with dependency graph awareness.
- The changeset-per-PR workflow that decouples versioning from commits.
- If you relied on changesets for monorepo inter-package versioning, there is no replacement in anvil today.