Cutting a release

Internal guide for maintainers.

Cadence

Pre-1.0 — minor (0.x) bumps for any user-visible change; patch (0.x.y) for fixes only.

Update CHANGELOG.md — flip [Unreleased] to a dated section, add an empty new [Unreleased], update compare links at the bottom.
Bump version in engine/package.json.
Commit: chore(release): vX.Y.Z.
Tag: git tag vX.Y.Z && git push origin vX.Y.Z.
The push triggers .github/workflows/release.yml. It will:
- Build, typecheck, test, lint.
- npm publish ./engine --provenance --access public using the OIDC trusted-publisher token.
- Create a GitHub Release with auto-generated notes from the matching CHANGELOG section.
- Attach the npm pack tarball.
Verify on npm: npm view fixedcode@X.Y.Z and confirm the provenance attestation.
Smoke test from npm on a clean machine: npm install -g fixedcode && fixedcode --version.

Reserve @fixedcode org and fixedcode package name on npmjs.com.
On npm package settings → Publishing access → "Add a trusted publisher".
Provide:
- Owner: gibbon
- Repository: fixedcode
- Workflow filename: release.yml
- Environment: (none)
The first tag-triggered release will use OIDC; no NPM_TOKEN secret needed.

If trusted publisher isn't an option:

Apply via the GitHub UI:

Require a pull request before merging (1 review; relax to 0 for solo maintainer).
Require status checks: CI / test (20), CI / test (22), CodeQL.
Require branches up-to-date before merging.
Auto-delete head branches after merge.
Allow squash-merge only.

git status clean on master
CI green for the head commit
CHANGELOG.md [Unreleased] summarises every user-visible change
Version bumped in engine/package.json
npm pack --dry-run from engine/ shows only intended files (no src/, no test/, no tsconfig.json)
SECURITY.md lists this version as supported
No critical/high security findings open
npm audit --audit-level=high clean across packages