ci: release in ci when a v3 tag is pushed

.github/workflows/changelog.yml

@@ -1,4 +1,4 @@
-name: Release
+name: changelog
 
 on:
   push:
@@ -15,7 +15,7 @@ concurrency:
   cancel-in-progress: ${{ github.event_name != 'push' }}
 
 jobs:
-  update-changelog:
+  update:
     if: github.repository_owner == 'nuxt' && !contains(github.event.head_commit.message, 'v3.')
     runs-on: ubuntu-latest
 

.github/workflows/release-pr.yml

@@ -1,4 +1,4 @@
-name: release
+name: release-pr
 
 on:
   issue_comment:

.github/workflows/release.yml

@@ -0,0 +1,39 @@
+name: release
+
+on:
+  push:
+    tags:
+      - "v*"
+
+# Remove default permissions of GITHUB_TOKEN for security
+# https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
+permissions: {}
+
+jobs:
+  release:
+    if: github.repository == 'nuxt/nuxt' && startsWith(github.event.head_commit.message, 'v3.')
+    permissions:
+      id-token: write
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          fetch-depth: 0
+      - run: corepack enable
+      - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+        with:
+          node-version: 20
+          cache: "pnpm"
+
+      - name: Install dependencies
+        run: pnpm install
+
+      - name: Build (stub)
+        run: pnpm dev:prepare
+
+      - name: Release
+        run: ./scripts/release.sh
+        env:
+          NODE_AUTH_TOKEN: ${{secrets.RELEASE_NODE_AUTH_TOKEN}}
+          NPM_CONFIG_PROVENANCE: true

scripts/release.sh

@@ -24,6 +24,3 @@ for PKG in packages/* ; do
   pnpm publish --access public --no-git-checks --tag $TAG
   popd > /dev/null
 done
-
-# Restore environment to dev mode
-pnpm dev:prepare