From 49c7058f856556e630b148666214cda81e0115f1 Mon Sep 17 00:00:00 2001
From: Haseeb Ahmad <haseeb.ahmad@mapbox.com>
Date: Wed, 24 Jun 2026 12:22:39 +0200
Subject: [PATCH] CLOUDPLAT-3162: add npm OIDC publish workflow

https://mapbox.atlassian.net/browse/CLOUDPLAT-3162
---
 .github/workflows/npm-release.yml | 15 +++++++++++++++
 CONTRIBUTING.md                   | 24 ++++++++++++++++++++++++
 package.json                      |  5 ++++-
 3 files changed, 43 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/npm-release.yml
 create mode 100644 CONTRIBUTING.md

diff --git a/.github/workflows/npm-release.yml b/.github/workflows/npm-release.yml
new file mode 100644
index 0000000..ba2ea44
--- /dev/null
+++ b/.github/workflows/npm-release.yml
@@ -0,0 +1,15 @@
+name: NPM release
+
+on:
+  workflow_dispatch:
+
+jobs:
+  npm-release:
+    uses: mapbox/gha-public/.github/workflows/workflow-npm-oidc-publish.yml@main
+    permissions:
+      id-token: write
+      contents: write
+    with:
+      create-github-release: true
+      environment: npm-release
+      run-tests: false
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
new file mode 100644
index 0000000..5dfcb63
--- /dev/null
+++ b/CONTRIBUTING.md
@@ -0,0 +1,24 @@
+# Contributing to parse-mapbox-token
+
+## Development
+
+```bash
+npm ci
+npm test
+```
+
+## Releasing a new version
+
+Releases are published to npm via GitHub Actions.
+
+### Steps
+
+1. **Bump the version** in `package.json` (follow [semver](https://semver.org))
+2. **Update `CHANGELOG.md`** with a summary of what changed
+3. **Open a PR**, get it reviewed and merged to `master`
+4. **Trigger the release** from the [Actions tab](../../actions/workflows/npm-release.yml):
+   - Select **NPM release** → **Run workflow** → run from `master`
+
+The workflow will publish to npm and create a GitHub release with auto-generated notes.
+
+> **Note:** Only Mapbox maintainers with write access to this repository can trigger the release workflow. External contributors can open and contribute to PRs, but releases are always cut by the owning team.
diff --git a/package.json b/package.json
index 5176b4a..d8bb08c 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@mapbox/parse-mapbox-token",
-  "version": "0.2.0",
+  "version": "0.2.1",
   "description": "Parse a Mapbox API token, in Node or the browser",
   "main": "index.js",
   "scripts": {
@@ -32,5 +32,8 @@
   },
   "dependencies": {
     "base-64": "^0.1.0"
+  },
+  "publishConfig": {
+    "access": "public"
   }
 }