|
| 1 | +# Releasing opencode-sdlc-wizard |
| 2 | + |
| 3 | +Repeatable release flow. Each version takes ~2 minutes once you've done it once. |
| 4 | + |
| 5 | +## Cutting a new version |
| 6 | + |
| 7 | +From a clean `main` with all v0.X.Y work merged + green tests: |
| 8 | + |
| 9 | +```bash |
| 10 | +# 1. Bump version (npm rewrites package.json + creates a vX.Y.Z tag) |
| 11 | +npm version <patch|minor|major> |
| 12 | + |
| 13 | +# 2. Push commit + tag together |
| 14 | +AFTERHOURS_SKIP=1 git push origin main --follow-tags |
| 15 | +``` |
| 16 | + |
| 17 | +The push triggers `.github/workflows/release.yml`, which: |
| 18 | + |
| 19 | +1. Verifies tag is on `main` and matches `package.json` version |
| 20 | +2. Runs `npm test` (113/113 must pass) |
| 21 | +3. Calls `npm publish --provenance --access public` using the |
| 22 | + `NPM_TOKEN` repo secret |
| 23 | +4. Creates a GitHub release with auto-generated notes |
| 24 | + |
| 25 | +If the workflow lights green: done. v`X.Y.Z` is on npm + a release exists. |
| 26 | + |
| 27 | +## When the workflow fails the npm publish step |
| 28 | + |
| 29 | +This happens when your npm account has **2FA on writes** (the strictest |
| 30 | +mode), even with an automation token. Symptom: the workflow logs show |
| 31 | +`npm error code E404 - PUT /<package>` after the provenance attestation |
| 32 | +is signed. |
| 33 | + |
| 34 | +Two ways to resolve: |
| 35 | + |
| 36 | +### Option A — manual OTP publish (one extra step per release) |
| 37 | + |
| 38 | +```bash |
| 39 | +# After the workflow fails at npm publish: |
| 40 | +npm publish --access public --otp=<6-digit-code> |
| 41 | + |
| 42 | +# Then create the GitHub release manually: |
| 43 | +gh release create vX.Y.Z --generate-notes -R BaseInfinity/opencode-sdlc-wizard |
| 44 | +``` |
| 45 | + |
| 46 | +### Option B — switch npm 2FA mode to "auth-only" (forever zero-touch) |
| 47 | + |
| 48 | +Visit https://www.npmjs.com/settings/baseinfinity/profile → 2FA section |
| 49 | +→ change from "Auth and writes" to "Auth only". Automation tokens then |
| 50 | +bypass 2FA on publish; the workflow becomes hands-off for every future |
| 51 | +release. (You still need 2FA to log in, mint tokens, change account |
| 52 | +settings — the change only affects publish/unpublish operations.) |
| 53 | + |
| 54 | +**Recommended:** Option B for a wizard with frequent minor releases. |
| 55 | +Option A if you prefer the extra friction as a brake against unintended |
| 56 | +publishes. |
| 57 | + |
| 58 | +## Preflight before any release |
| 59 | + |
| 60 | +```bash |
| 61 | +npm test # 113/113 must pass |
| 62 | +npm pack --dry-run | tail -10 # tarball contents look right |
| 63 | +git diff origin/main..HEAD # what's actually shipping |
| 64 | +``` |
| 65 | + |
| 66 | +## Cross-model review |
| 67 | + |
| 68 | +Standing standard before tagging anything past v0.2.0: a Codex round-N |
| 69 | +recheck against the last release's `.reviews/handoff.json` + |
| 70 | +`.reviews/response.json`. Pattern documented in |
| 71 | +`.reviews/handoff.json:review_instructions`. Skip only if the diff is |
| 72 | +docs-only. |
| 73 | + |
| 74 | +```bash |
| 75 | +codex exec \ |
| 76 | + -c 'model_reasoning_effort="xhigh"' \ |
| 77 | + -s danger-full-access \ |
| 78 | + -o .reviews/latest-review.md \ |
| 79 | + "ROUND-N RECHECK ..." </dev/null |
| 80 | +``` |
| 81 | + |
| 82 | +The `</dev/null` is required — codex hangs on stdin without it (verified |
| 83 | +v0.128.0). |
| 84 | + |
| 85 | +## After the release lands |
| 86 | + |
| 87 | +- Mirror issues in the three sibling repos so their READMEs add OpenCode |
| 88 | + to the ecosystem table: |
| 89 | + ```bash |
| 90 | + for REPO in claude-sdlc-wizard codex-sdlc-wizard claude-gdlc-wizard; do |
| 91 | + gh issue create -R "BaseInfinity/$REPO" \ |
| 92 | + --title "Add opencode-sdlc-wizard to ecosystem table" \ |
| 93 | + --body-file MIRROR_ISSUE_BODY.md |
| 94 | + done |
| 95 | + ``` |
| 96 | +- Update parent `claude-sdlc-wizard`'s ROADMAP #9 with the new tag URL. |
| 97 | +- Bump the npm package readme + GitHub topic tags if positioning changes. |
| 98 | + |
| 99 | +## Capability floor (Phase B reminder) |
| 100 | + |
| 101 | +A failed install or run on a model below the 30B+ code-tuned class |
| 102 | +(Qwen2.5-Coder, DeepSeek-Coder, Sonnet, Opus, GPT-5.x) is a capability |
| 103 | +result, not a release bug. Don't gate releases on small-local-model |
| 104 | +performance. |
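Review bot: Option B (lines 46-56) is the recommended path, but it leaves the `NPM_TOKEN` repo secret as the only thing required to publish, and the text never states that trade-off. Since step 3 of the workflow publishes from CI with that token, document next to the recommendation who can read the secret and how it is scoped and rotated, or make Option A the default and Option B the opt-in. Separately, the review command at line 77 passes `-s danger-full-access` without saying why; the doc should justify that for a recheck whose only stated output is `.reviews/latest-review.md`, or use a narrower sandbox setting. The `AFTERHOURS_SKIP=1` prefix at line 14 is unexplained, and the hardcoded `113/113` at lines 20 and 61 will go stale as tests are added; "all tests must pass" would age better.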