
chore: add npm publish workflow and release script #499

Merged: gre merged 3 commits into master from chore/npm-publish-workflow on May 13, 2026
gre (Owner) commented May 13, 2026

Summary

  • Adds .github/workflows/publish.yml: publishes all 5 packages to npm automatically when a v* tag is pushed, using npm's Trusted Publishers (OIDC) — no secrets needed
  • Adds scripts/release.sh: bumps versions across all packages (including devDependencies), guards against dirty working tree, commits, and creates the git tag

Setup (one-time, already done)

Configure Trusted Publishers on npmjs.com for each of the 5 packages (gl-react, gl-react-dom, gl-react-expo, gl-react-headless, gl-react-native):

  • Owner: gre / Repository: gl-react / Workflow: publish.yml

How to release

git checkout master && git pull
./scripts/release.sh 5.3.0
git push && git push --tags

The workflow triggers on the tag push, builds, and publishes all 5 packages with provenance attestation.

🤖 Generated with Claude Code

- GitHub Actions workflow publishes all packages to npm on `v*` tag push (requires NPM_TOKEN secret)
- scripts/release.sh bumps versions across all packages, commits, and creates the tag

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings May 13, 2026 10:32

Copilot AI left a comment


Pull request overview

Adds automated release tooling for the monorepo: a shell script to bump versions/tag releases, and a GitHub Actions workflow to publish workspace packages to npm on v* tags.

Changes:

  • Added scripts/release.sh to bump versions across the 5 publishable packages, commit, and create a v<version> tag.
  • Added .github/workflows/publish.yml to build and publish the 5 packages to npm when a v* tag is pushed.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File | Description
scripts/release.sh | Automates version bumping + tagging for the 5 publishable packages.
.github/workflows/publish.yml | CI workflow that installs/builds and publishes all packages to npm on tag push.

Comments suppressed due to low confidence (3)

scripts/release.sh:25

  • The release script only updates inter-package version pins in dependencies, but the workspace packages currently pin gl-react in devDependencies (e.g. gl-react-dom/expo/headless/native). After a release bump, these devDependency pins will stay on the old version, which can lead to inconsistent local builds/tests and future diffs. Consider updating the same pins in devDependencies as well (and any other sections you expect to carry a version range, such as optionalDependencies).
    if (d.dependencies) {
      if (d.dependencies['gl-react']) d.dependencies['gl-react'] = '^$VERSION';
      if (d.dependencies['gl-react-expo']) d.dependencies['gl-react-expo'] = '^$VERSION';
    }
    fs.writeFileSync(p, JSON.stringify(d, null, 2) + '\n');

scripts/release.sh:13

  • This script tags and commits without verifying the working tree is clean. If the caller has unrelated local changes, they’ll be included in the release commit/tag unintentionally. Consider adding an early guard (e.g. fail if git diff / git diff --cached is non-empty) before mutating package.json files.

cd $(dirname $0)/..

PACKAGES="packages/gl-react packages/gl-react-dom packages/gl-react-expo packages/gl-react-headless packages/gl-react-native"

scripts/release.sh:11

  • cd $(dirname $0)/.. is unquoted, which can break if the repo path contains spaces or special characters. Quoting $0 and the command substitution (or using a more robust script-dir pattern) would make the script safer to run in more environments.
cd $(dirname $0)/..
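
The pin-update gap raised in the suppressed comment on scripts/release.sh:25, worked through as an added example that is not the project's release script: it goes beyond the quoted snippet by covering all five package names and the three dependency sections the comment names, and it validates the version before anything is rewritten. The function names, the skip for local protocols such as `workspace:`, and the sample manifests are assumptions made for illustration.

```javascript
// Added example, not the project's scripts/release.sh. Function names are hypothetical.
const PACKAGES = ['gl-react', 'gl-react-dom', 'gl-react-expo', 'gl-react-headless', 'gl-react-native'];
// Sections named in the review comment that can carry an inter-package range.
const SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies'];
// MAJOR.MINOR.PATCH with optional prerelease; rejects "v5.3.0", quotes and spaces.
const SEMVER = /^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(-[0-9A-Za-z.-]+)?$/;
// Assumption: local protocols (e.g. Yarn's workspace:) are left for the package manager.
const LOCAL = /^(workspace|file|link|portal):/;

// Returns a bumped copy of one package.json object plus the list of fields changed.
function bumpManifest(manifest, version) {
  if (!SEMVER.test(version)) throw new Error('invalid version: ' + JSON.stringify(version));
  const out = JSON.parse(JSON.stringify(manifest)); // never mutate the input
  const changed = [];
  if (PACKAGES.includes(out.name)) {
    out.version = version;
    changed.push('version');
  }
  for (const section of SECTIONS) {
    for (const name of Object.keys(out[section] || {})) {
      if (!PACKAGES.includes(name) || LOCAL.test(out[section][name])) continue;
      out[section][name] = '^' + version;
      changed.push(section + '.' + name);
    }
  }
  return { manifest: out, changed };
}

// Pre-tag check: lists every inter-package pin that is not ^version.
function stalePins(manifests, version) {
  const stale = [];
  for (const m of manifests) {
    for (const section of SECTIONS) {
      for (const [name, range] of Object.entries(m[section] || {})) {
        if (PACKAGES.includes(name) && !LOCAL.test(range) && range !== '^' + version) {
          stale.push(m.name + ':' + section + '.' + name + '=' + range);
        }
      }
    }
  }
  return stale;
}

// Constructed sample manifests (not copied from the repository).
const SAMPLE = [
  { name: 'gl-react', version: '5.2.0' },
  { name: 'gl-react-dom', version: '5.2.0', devDependencies: { 'gl-react': '^5.2.0' } },
  { name: 'gl-react-native', version: '5.2.0',
    dependencies: { 'gl-react-expo': '^5.2.0' }, devDependencies: { 'gl-react': 'workspace:^' } },
];
```

Running `stalePins` over the bumped manifests before the tag is created turns a missed section into a failed release instead of a published package with an old pin.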


Comment thread scripts/release.sh
Comment on lines +4 to +9
VERSION=$1
if [ -z "$VERSION" ]; then
echo "Usage: $0 <version>"
echo "Example: $0 5.3.0"
exit 1
fi
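
Review bot: VERSION=$1 on the first line of this hunk is only tested for emptiness, so a value such as v5.3.0 or one containing a quote passes the guard and then reaches the '^$VERSION' pin written into package.json and the v<version> tag. Suggest matching it against a strict MAJOR.MINOR.PATCH pattern right after the -z test and exiting with the usage text on mismatch; sending the two usage lines to stderr (>&2) would also keep them out of any captured output.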
Comment on lines +1 to +12
name: Publish to npm

on:
push:
tags:
- 'v*'

jobs:
publish:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
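
Review bot: actions/checkout@v4 on the last line of this hunk is a mutable tag reference; in a job that goes on to publish five packages to npm, pin it to a full commit SHA (with the version in a trailing comment) so a moved tag cannot change what runs before the publish step. The tags filter 'v*' also matches any tag that merely starts with v, so a tighter pattern such as 'v[0-9]+.[0-9]+.[0-9]+' would keep a stray tag from starting a release. No permissions: block appears in these twelve lines; if none follows, declare one at the job level with only what the publish needs.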
greweb and others added 2 commits May 13, 2026 12:40
No NPM_TOKEN secret needed — npm verifies trust via OIDC.
Uses npm publish directly (Yarn 4 doesn't support OIDC) with --provenance.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Also bump gl-react pin in devDependencies (where it actually lives)
- Guard against uncommitted changes before mutating package.json files
- Quote dirname path to handle spaces in repo path

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@gre gre merged commit 76ab30c into master May 13, 2026
3 checks passed