semrel-extra/zx-semrel

zx-semrel

`zx`-based release script as `semantic-release` alternative (PoC)

Sometimes a bloody enterprise forbids any third-party solutions for sensitive operations (release, deploy, and so on). Good old script copy-paste hurries to the rescue!

By the way, here's an adaptation for monorepos: zx-bulk-release

Requirements

  • macOS / linux
  • Node.js >= 14.13.1
  • git >= 2.0
  • zx >= 1.6.0

Key features

  • Zero dependencies
  • Zero configuration
  • Pretty fast
  • Tiny, less than 140 lines with comments
  • Reliability, safety, simplicity and maintainability (sarcasm)

Functionality

🚀 Usage

  1. Copy
  2. Tweak up, inject tokens, etc
  3. Run
curl https://raw.githubusercontent.com/semrel-extra/zx-semrel/master/release.mjs > ./release.mjs
zx ./release.mjs

or like this if zx is not installed:

# Just replace the GIT_* env values with your own
GIT_COMMITTER_NAME=antongolub GIT_COMMITTER_EMAIL=mailbox@antongolub.ru GITHUB_TOKEN=token npx zx ./release.mjs

or just run it without any edits through npx:

# Cross your fingers for luck
GIT_COMMITTER_NAME=antongolub GIT_COMMITTER_EMAIL=mailbox@antongolub.ru GITHUB_TOKEN=token npx zx-semrel

See also gh-actions usage example

npm publishing: OIDC vs legacy tokens

Since npm revoked classic tokens, the recommended way to publish from CI/CD is OIDC trusted publishing.

OIDC mode (priority) — set NPM_OIDC=true, or omit NPM_TOKEN in a GitHub Actions job that has the id-token: write permission. The npm CLI obtains a short-lived credential automatically, and --provenance is enforced.

Legacy mode — provide NPM_TOKEN (granular access token, 90-day max lifetime). Used as fallback when NPM_OIDC is not set.

Auto-detection: if NPM_OIDC is not set and NPM_TOKEN is absent, OIDC is used automatically when ACTIONS_ID_TOKEN_REQUEST_URL is available (GitHub Actions with id-token: write).

OIDC limitations

  • First publish of a package cannot use OIDC — the initial version must be published with a token or locally, then configure trusted publishing on npmjs.com
  • Each package supports one trusted publisher at a time — configure it per package (and per alias) at npmjs.com → Settings → Trusted publishing
  • The workflow filename in trusted publisher config must match exactly (case-sensitive, .yml vs .yaml)
  • Requires npm >= 11.5.1 and Node.js >= 22.14.0
  • An existing project .npmrc with an _authToken for registry.npmjs.org will override OIDC — remove it to use trusted publishing
  • OIDC applies to npmjs.org only; GitHub Packages still uses GITHUB_TOKEN / GH_TOKEN
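The precedence rules above (NPM_OIDC, then NPM_TOKEN, then auto-detection via ACTIONS_ID_TOKEN_REQUEST_URL) and the .npmrc override caveat are easy to get wrong in a CI job, so here is an added example that encodes them as a pre-publish check. This is not code from zx-semrel or release.mjs; the function names are this example's own, it is plain Node with no zx dependency, and the .npmrc sample in the stand-alone run is constructed (in a zx script you would read the real file with zx's bundled fs).

```javascript
// Added example, not part of zx-semrel: reproduce the README's npm auth
// precedence and flag the .npmrc override that makes npm silently ignore
// trusted publishing. No imports, so it runs as either CommonJS or ESM.
const NPM_REGISTRY_HOST = 'registry.npmjs.org';

// Precedence as documented: explicit NPM_OIDC=true wins; otherwise a present
// NPM_TOKEN selects legacy token mode; otherwise OIDC is auto-detected only
// when the GitHub Actions id-token endpoint is exposed (job has id-token: write).
function selectNpmAuthMode(env) {
  if (env.NPM_OIDC === 'true') return 'oidc';
  if (env.NPM_TOKEN) return 'token';
  if (env.ACTIONS_ID_TOKEN_REQUEST_URL) return 'oidc';
  return 'none';
}

// Minimal .npmrc reader: `key=value` lines, `#` or `;` comments. Returns every
// non-empty `//<host>/:_authToken` entry for the given registry host. npm picks
// up such a line before attempting the OIDC exchange, so its presence in a
// project .npmrc defeats trusted publishing even with id-token: write granted.
function findRegistryAuthTokens(npmrcText, registryHost = NPM_REGISTRY_HOST) {
  const hits = [];
  for (const raw of npmrcText.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (key === `//${registryHost}/:_authToken` && value !== '') hits.push({ key, value });
  }
  return hits;
}

// Arguments for `npm publish`: in OIDC mode provenance is mandatory, so the
// flag is always passed; in token mode it is left to the caller.
function npmPublishArgs(mode) {
  return mode === 'oidc' ? ['publish', '--provenance'] : ['publish'];
}

// Combine the checks into a pre-publish report. A non-empty `problems` list
// means the run would either fail to authenticate or use a credential other
// than the one the operator intended.
function checkPublishSetup(env, npmrcText) {
  const mode = selectNpmAuthMode(env);
  const problems = [];
  if (mode === 'oidc') {
    if (!env.ACTIONS_ID_TOKEN_REQUEST_URL) {
      problems.push('NPM_OIDC=true but ACTIONS_ID_TOKEN_REQUEST_URL is unset; grant id-token: write to the job');
    }
    for (const t of findRegistryAuthTokens(npmrcText)) {
      problems.push(`.npmrc sets ${t.key}; npm will use that token instead of OIDC, remove the line`);
    }
  }
  if (mode === 'none') {
    problems.push('neither NPM_TOKEN nor a GitHub OIDC endpoint is available; npm publish cannot authenticate');
  }
  return { mode, args: npmPublishArgs(mode), problems };
}

// Stand-alone run: report on the real environment (pass your own .npmrc text
// instead of '' to check the override), then show the caveat on a constructed
// CI-like environment with a constructed .npmrc.
function main() {
  console.log('current environment:', checkPublishSetup(process.env, ''));

  const constructedNpmrc = [
    '# constructed sample, not a real token',
    `//${NPM_REGISTRY_HOST}/:_authToken=\${NPM_TOKEN}`,
    'registry=https://registry.npmjs.org/',
  ].join('\n');
  const ciLikeEnv = { NPM_OIDC: 'true', ACTIONS_ID_TOKEN_REQUEST_URL: 'https://example.invalid/token' };
  console.log('constructed CI sample:', checkPublishSetup(ciLikeEnv, constructedNpmrc));
}

main();
```

Run it in the job before `npm publish` and fail the step when `problems` is non-empty; the second report in the stand-alone run shows the case from the last limitation, where NPM_OIDC=true is set correctly but a leftover `_authToken` line would still make npm publish with the static token and without provenance.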

🛠️ Extras

📄 License

MIT

📎 Refs
