Releasing Fronts
Changesets, local and CI verification, npm trusted publishing bootstrap, prerelease, and stable-release gates.
Fronts publishes four public packages with synchronized versions:
@fronts/core@fronts/mf@fronts/react@fronts/vue3
The repository is currently in Changesets prerelease mode with npm tag next.
Add a change
Every user-visible package change needs a changeset:
pnpm changesetChoose the affected packages and semantic impact. Because the packages are a fixed group, Changesets keeps their public versions synchronized while the protocol is stabilizing.
Local release verification
pnpm install --frozen-lockfile
pnpm check
pnpm test:e2e
pnpm test:e2e:previewpnpm check performs formatting/lint, a topological clean build, tarball consumption checks,
TypeScript checks, all unit/integration tests, and enforced coverage thresholds.
pnpm verify:packages packs each public workspace, rejects missing README/LICENSE/dist or leaked
source/test directories, installs the four tarballs in an isolated temporary consumer, and imports
every public entry through both ESM and CommonJS.
The development-server E2E run catches local composition regressions. The production-preview run performs a fresh build and is the release gate used by CI; it also exercises producer output that is only available after bundling.
Automated flow
Pushes to master run the Changesets action. It either:
- opens/updates a release PR containing version and changelog changes; or
- after that PR is merged, runs
pnpm releaseand publishes pending packages.
The GitHub environment should be configured as an npm trusted publisher for this repository and
the exact release.yml workflow filename. The workflow uses Node 24, upgrades npm to a version
with OIDC support, grants id-token: write, disables the release dependency cache, and requests
npm provenance.
Trusted publishing can only be configured after a package exists. Before the first release:
- confirm the publisher owns the npm
@frontsscope; - enable and test GitHub Private Vulnerability Reporting as required by
SECURITY.md; - add a short-lived granular npm token as the
NPM_TOKENrepository secret; - publish the first prerelease through the protected workflow;
- configure all four packages to trust
unadlib/fronts+release.ymlfornpm publish; - delete the
NPM_TOKENsecret and revoke the bootstrap token.
After bootstrap, the empty token environment values fall through to npm's short-lived OIDC credential. Do not retain a long-lived publish token as a permanent fallback.
Protect master so the Node 22/24 checks and Chromium E2E job are required before merging the
release PR.
Leaving prerelease mode
After the protocol has met the stable compatibility criteria:
pnpm changeset pre exit
pnpm version-packagesReview the resulting stable versions and changelogs in a pull request. Do not publish latest
until compatibility, security, browser, package-consumer, and rollback gates have passed on the final
candidate.
Verification
pnpm checkruns the required non-browser release gate, including isolated packed-package consumption through ESM and CommonJS.pnpm test:e2eandpnpm test:e2e:previewverify development composition and fresh production artifacts.ci.ymlandrelease.ymlare the automation sources of truth.- Support policy and
SECURITY.mdidentify commitments that still require maintainer acceptance or external repository configuration before stable release.
Troubleshooting Fronts Runtime Failures
Phase-oriented diagnosis and recovery for resolution, Module Federation, containers, services, lifecycle, iframe, and cleanup failures.
Contributing to Fronts
Development setup, change boundaries, testing, documentation, Changesets, and review expectations for Fronts contributors.