ci: add release workflow via workflow_dispatch

.github/chainguard/self.release.sts.yaml

@@ -0,0 +1,13 @@
+# Docs: https://datadoghq.atlassian.net/wiki/spaces/SECENG/pages/5138645099/User+guide+dd-octo-sts
+issuer: https://token.actions.githubusercontent.com
+
+subject: repo:DataDog/dc-polyfill:ref:refs/heads/main
+
+claim_pattern:
+  event_name: workflow_dispatch
+  job_workflow_ref: DataDog/dc-polyfill/\.github/workflows/release\.yml@refs/heads/main
+  ref: refs/heads/main
+  repository: DataDog/dc-polyfill
+
+permissions:
+  contents: write

.github/workflows/release.yml

@@ -0,0 +1,63 @@
+name: Release
+
+on:
+  workflow_dispatch:
+    inputs:
+      bump:
+        description: Version bump type
+        required: true
+        type: choice
+        options:
+          - patch
+          - minor
+          - major
+
+jobs:
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+    environment:
+      name: npm
+      url: https://www.npmjs.com/package/dc-polyfill
+    permissions:
+      id-token: write
+      contents: write
+    steps:
+      - uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4
+        id: octo-sts
+        with:
+          scope: DataDog/dc-polyfill
+          policy: self.release
+
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+          fetch-depth: 0
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20.x
+          registry-url: https://registry.npmjs.org
+
+      - run: npm install
+
+      - name: Configure git
+        run: |
+          git config user.name 'github-actions[bot]'
+          git config user.email 'github-actions[bot]@users.noreply.github.com'
+
+      - run: npm version ${{ inputs.bump }}
+
+      - run: npm publish --provenance
+
+      - run: |
+          git push \
+            https://x-access-token:${{ steps.octo-sts.outputs.token }}@github.com/${{ github.repository }}.git \
+            main --follow-tags
+
+      - name: Create GitHub release
+        run: |
+          VERSION=$(node -p "require('./package.json').version")
+          gh release create "v${VERSION}" --generate-notes
+        env:
+          GH_TOKEN: ${{ github.token }}

RELEASING.md

@@ -1,38 +1,22 @@
 # Releasing
 
-`dc-polyfill` is published to npm as [`dc-polyfill`](https://www.npmjs.com/package/dc-polyfill). Releases are currently cut manually by a maintainer with publish access to the package on npm.
+`dc-polyfill` is published to npm as [`dc-polyfill`](https://www.npmjs.com/package/dc-polyfill).
 
 ## Prerequisites
 
-- Push access to `main` on this repository.
-- The [`gh`](https://cli.github.com/) CLI, authenticated against `DataDog/dc-polyfill`.
-- Log in to the npm account with publish access to `dc-polyfill`. Check with `npm whoami`; run `npm login` if needed. If you don't have publish access, ask an existing maintainer.
+- Write access to `DataDog/dc-polyfill` on GitHub.
 
 ## Cutting a release
 
-```sh
-# Make sure main is green and up to date.
-git checkout main
-git pull origin main
-
-# Bump the version. Pick patch, minor, or major per semver.
-# This updates package.json, creates a commit (e.g. "0.1.11"),
-# and creates a matching v0.1.11 tag locally.
-npm version patch
-
-# Sanity-check what will be packed before publishing anything public.
-npm publish --dry-run
+1. Go to the [Release workflow](https://github.com/DataDog/dc-polyfill/actions/workflows/release.yml) in GitHub Actions.
+2. Click **Run workflow**.
+3. Select the bump type (`patch`, `minor`, or `major`) and click **Run workflow**.
 
-# Publish to npm. Do this before pushing the tag so a failed publish
-# doesn't leave a release tag in the repo that points at no npm version.
-npm publish
-
-# Push the version-bump commit and the tag.
-git push origin main --follow-tags
-
-# Create the GitHub release with autogenerated notes.
-gh release create "v$(node -p "require('./package.json').version")" --generate-notes
-```
+The workflow will:
+- Bump the version in `package.json` and create a version commit and tag.
+- Publish the package to npm with provenance.
+- Push the commit and tag to `main`.
+- Create a GitHub release with auto-generated notes.
 
 ## Verifying the release
 
@@ -41,5 +25,5 @@ gh release create "v$(node -p "require('./package.json').version")" --generate-n
 npm view dc-polyfill version
 
 # Confirm the GitHub release exists.
-gh release view "v$(node -p "require('./package.json').version")"
+gh release view "v$(npm view dc-polyfill version)"
 ```