Update docs

ecraig12345 · ecraig12345 · commit 9bd70c964a3d · 2026-04-17T20:05:16.000-07:00
diff --git a/README.md b/README.md
@@ -1,121 +1,3 @@
-# [beachball](https://microsoft.github.io/beachball/)
+# [beachball](https://microsoft.github.io/beachball/) monorepo
 
-the sunniest version bumping tool
-
-## Prerequisites
-
-A git repo with a remote
-
-## Usage
-
-```
-beachball [command] [options]
-```
-
-## Commands
-
-### [change](https://microsoft.github.io/beachball/cli/change.html) (default)
-
-a tool to help create change files in the change/ folder
-
-### [check](https://microsoft.github.io/beachball/cli/check.html)
-
-checks whether a change file is needed for this branch
-
-### [bump](https://microsoft.github.io/beachball/cli/bump.html)
-
-bumps versions as well as generating changelogs
-
-### [publish](https://microsoft.github.io/beachball/cli/publish.html)
-
-bumps, publishes to npm registry, and pushes changelogs back into the target branch
-
-### [sync](https://microsoft.github.io/beachball/cli/sync.html)
-
-synchronizes published versions of packages from a registry, makes local package.json changes to match what is published
-
-### [config](https://microsoft.github.io/beachball/cli/config.html)
-
-inspect the effective beachball configuration for the repo or a specific package
-
-## Options
-
-Some of the most common options are summarized below. **For all options, see the pages for [CLI options](https://microsoft.github.io/beachball/cli/options.html) and [config file options](https://microsoft.github.io/beachball/overview/configuration.html).**
-
-### `--config`, `-c`
-
-Explicit configuration file to use instead of the configuration automatically detected by cosmicconfig.
-
-### `--registry`, `-r` (config: `registry`)
-
-registry, defaults to https://registry.npmjs.org
-
-### `--tag`, `-t` (config: `tag`)
-
-- for the `publish` command: dist-tag for npm publishes
-- for the `sync` command: will use specified tag to set the version
-
-### `--branch`, `-b` (config: `branch`)
-
-target branch from remote (default: as configured in `git config init.defaultBranch`)
-
-### `--message`, `-m`
-
-- for the `publish` command: message for the checkin (default: "applying package updates")
-- for the `change` command: change file comment for all changed packages
-
-### `--type`
-
-for the `change` command: [change type](https://microsoft.github.io/beachball/concepts/change-types.html) for all changed packages
-
-### `--package`
-
-for the `change` command: specific package(s) to create a change file for
-
-### `--no-push` (config: `push`)
-
-skip pushing changes back to git remote origin
-
-### `--no-publish` (config: `publish`)
-
-skip publishing to the npm registry
-
-### `--help`, `-?`, `-h`
-
-show help message
-
-### `--yes`, `-y`
-
-skips the prompts for publish
-
-## Examples
-
-```sh
-# check for change files
-beachball check
-
-# interactively create change files
-beachball change
-
-# non-interactively create change files
-beachball change --type patch --message "awesome changes"
-
-# publish changes
-beachball publish -r http://localhost:4873 -t beta
-```
-
-## Notes
-
-### Overriding concurrency
-
-In large monorepos, the process of fetching versions for sync or before publishing can be time-consuming due to the high number of packages. To optimize performance, you can override the concurrency for fetching from the registry by setting `options.npmReadConcurrency` (default: 5). You can also increase concurrency for hook calls and publish operations via `options.concurrency` (default: 1; respects topological order).
-
-### API surface
-
-Beachball **does not** have a public API beyond the provided [options](https://microsoft.github.io/beachball/overview/configuration.html). Usage of private APIs is not supported and may break at any time.
-
-If you need to customize something beyond what's currently supported in the options, please open a feature request or talk with the maintainers.
-
-### AI integration
-
-Normally, Beachball uses an interactive CLI prompt for generating change files. Since this doesn't work for AI agents, we provide a **change file skill** that guides AI agents through creating properly formatted change files. See the [AI integration](https://microsoft.github.io/beachball/concepts/ai-integration) docs for setup instructions.
+the sunniest version bumping tool - see [`packages/beachball`](./packages/beachball) for details
diff --git a/beachball.config.js b/beachball.config.js
@@ -1,6 +1,7 @@
 // @ts-check
 /** @type {Partial<import('./packages/beachball/src/types/BeachballOptions').RepoOptions>}*/
 const config = {
+  access: 'public',
   branch: 'main',
   commit: false,
   disallowedChangeTypes: ['major'],
diff --git a/docs/cli/publish.md b/docs/cli/publish.md
@@ -12,21 +12,22 @@ Publishing automates all the bumping and synchronizing of package versions in th
 
 [General options](./options) also apply for this command.
 
-| Option                        | Alias | Default                        | Description                                                                      |
-| ----------------------------- | ----- | ------------------------------ | -------------------------------------------------------------------------------- |
-| `--auth-type`                 | `-a`  | `'authtoken'`                  | npm auth type: `'authtoken'` or `'password'`                                     |
-| `--git-tags`, `--no-git-tags` |       | `true` (`--git-tags`)          | whether to create git tags for published package versions                        |
-| `--keep-change-files`         |       |                                | don't delete the change files from disk after bumping                            |
-| `--message`                   | `-m`  | `'applying package updates'`   | custom commit message                                                            |
-| `--prerelease-prefix`         |       |                                | prerelease prefix (e.g. `beta`) for packages that will receive a prerelease bump |
-| `--publish`, `--no-publish`   |       | `true` (`--publish`)           | whether to publish to the npm registry                                           |
-| `--push`, `--no-push`         |       | `true` (`--push`)              | whether to commit changes and push them back to the git remote                   |
-| `--registry`                  | `-r`  | `'https://registry.npmjs.org'` | npm registry for publishing                                                      |
-| `--retries`                   |       | `3`                            | number of retries for a package publish before failing                           |
-| `--tag`                       | `-t`  | `'latest'`                     | dist-tag for npm publishes                                                       |
-| `--token`                     | `-n`  |                                | credential to use with npm commands (type specified by `--auth-type`)            |
-| `--verbose`                   |       | `false`                        | prints additional information to the console                                     |
-| `--yes`                       | `-y`  | if CI detected, `true`         | skips the prompts for publish                                                    |
+<!-- prettier-ignore -->
+| Option | Alias | Default | Description |
+| ------ | ----- | ------- | ----------- |
+| `--auth-type` | `-a` | `'authtoken'` | npm auth type: `'authtoken'` or `'password'` |
+| `--git-tags`, `--no-git-tags` | | `true` (`--git-tags`) | whether to create git tags for published package versions |
+| `--keep-change-files` | | | don't delete the change files from disk after bumping |
+| `--message` | `-m` | `'applying package updates'` | custom commit message |
+| `--prerelease-prefix` | | | prerelease prefix (e.g. `beta`) for packages that will receive a prerelease bump |
+| `--publish`, `--no-publish` | | `true` (`--publish`) | whether to publish to the npm registry |
+| `--push`, `--no-push` | | `true` (`--push`) | whether to commit changes and push them back to the git remote |
+| `--registry` | `-r` | `'https://registry.npmjs.org'` | npm registry for publishing |
+| `--retries` | | `3` | number of retries for a package publish before failing |
+| `--tag` | `-t` | `'latest'` | dist-tag for npm publishes |
+| `--token` | `-n` | | credential to use with npm commands (type is specified by `--auth-type`) - locally, use `npm login` instead, or see [alternatives for CI](../concepts/ci-integration) |
+| `--verbose` | | `false` | prints additional information to the console |
+| `--yes` | `-y` | if CI detected, `true` | skips the prompts for publish |
 
 ### Algorithm
 
diff --git a/docs/concepts/ci-integration.md b/docs/concepts/ci-integration.md
@@ -15,23 +15,25 @@ To automate the bumping of package versions based on change files, you'll need t
 
 ## Authentication
 
-Automated publishing from a GitHub repo to the public npm registry (`registry.npmjs.org`) typically uses personal access tokens for authentication. These tokens are stored as secrets in your CI system. You should ensure that these secrets are only available to release builds.
+Automated publishing from a GitHub repo to the public npm registry (`registry.npmjs.org`) typically uses personal access tokens (and/or trusted publishing) for authentication. These tokens are stored as secrets in your CI system. You should ensure that these secrets are only available to release builds.
 
 For Azure DevOps repos publishing to a private registry, there are other possible approaches (such as using a service account with credentials stored in a key vault) which are not currently covered by these docs.
 
 ### Generating tokens
 
 #### npm token
 
-If publishing to the public npm registry (`registry.npmjs.org`), [create a granular access token](https://docs.npmjs.com/creating-and-viewing-access-tokens#creating-granular-access-tokens-on-the-website) with write access to **only** the relevant package(s) and/or scope(s). Classic automation tokens are not recommended due to their overly broad permissions.
+If publishing to the public npm registry (`registry.npmjs.org`) from a platform that supports [trusted publishing](https://docs.npmjs.com/trusted-publishers), such as GitHub Actions, you should use trusted publishing instead of a token.
 
-#### GitHub token
+Azure DevOps unfortunately doesn't support trusted publishing, so there it's still necessary to [create a granular access token](https://docs.npmjs.com/creating-and-viewing-access-tokens#creating-granular-access-tokens-on-the-website) with write access to **only** the relevant package(s) and/or scope(s).
 
-Since a repo's `main`/`master` branch should be protected, this creates some difficulties for pushing changes back during automated publishing.
+#### GitHub token
 
-The main way to allow `beachball` to push back to a repo with branch protections is by using a [**fine-grained** personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-fine-grained-personal-access-token) with write permissions for **only** the specific repo. (If the repo is in an org that doesn't allow persistent admin access, see [these instructions](https://github.com/microsoft/beachball/issues/1008).)
+Since a repo's `main`/`master` branch should be protected, this creates some difficulties for pushing changes back during automated publishing. There are a few options:
 
-An alternative approach is creating a fine-grained PAT with a "machine user" account. Create a new account with an alternate email or [subaddress](https://en.wikipedia.org/wiki/Email_address#Subaddressing) (`+` address), give it contributor permissions to only this repo, and add it under "Restrict who can push to matching branches" in the branch protection rule.
+- Traditional approach: use a [**fine-grained** personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-fine-grained-personal-access-token) (PAT) with write permissions for **only** the specific repo. (If the repo is in an org that doesn't allow persistent admin access, see [these instructions](https://github.com/microsoft/beachball/issues/1008).)
+  - Variant: create a fine-grained PAT with a "machine user" account. Create a new account with an alternate email or [subaddress](https://en.wikipedia.org/wiki/Email_address#Subaddressing) (`+` address), give it contributor permissions to only this repo, and add it under "Restrict who can push to matching branches" in the branch protection rule.
+- Alternative if publishing via GitHub Actions: use [`actions/create-github-app-token`](https://github.com/actions/create-github-app-token) to generate short-lived tokens. For this purpose, an "app" is essentially just an identity with permissions; you don't need to define any logic or endpoints. Create a GitHub app, install it in your repo, give it permission to bypass policies, and pass its ID and key to the action.
 
 (Note that the [built-in `GITHUB_TOKEN`](https://docs.github.com/en/actions/security-guides/automatic-token-authentication) won't work for publishing because that actor can't be given permission to bypass policies.)
 
@@ -57,7 +59,7 @@ There are a couple of options here:
 
 If you're passing any custom options besides the npm token to `beachball publish`, it's recommended to set them in either the `beachball` config (if they don't interfere with other commands), or a `package.json` script (if specific to `publish`).
 
-For example, the following script could be used for publishing public scoped packages:
+For example, the following script could be used for publishing public scoped packages (`access` is also safe to set in the beachball config):
 
 ```json
 {
@@ -87,7 +89,7 @@ The exact publishing setup will vary depending on your CI setup, but the overall
    git config user.email "someone@example.com"
    ```
 2. Set up git authentication. This could use tokens (covered below), SSH keys, or some other non-interactive method.
-3. Set up npm authentication. This could use tokens passed on the command line (covered below), tokens set in `.npmrc`, or some other method.
+3. Set up npm authentication. This could use [trusted publishing](https://docs.npmjs.com/trusted-publishers), tokens set in `.npmrc`, tokens passed on the command line (covered below), or some other method.
 4. Run `beachball publish`!
 
 ### GitHub repo + GitHub Actions
@@ -98,39 +100,35 @@ This sample assumes the following:
 
 - An environment called `release` (set up [as described above](#storing-tokens)) with the following secrets:
   - `REPO_PAT`: A GitHub fine-grained personal access token with write access ([as described above](#github-token))
-  - `NPM_TOKEN`: An npm token with write access to the package(s) and/or scope(s), such as a [fine-grained token for public npm](#npm-token)
+- [Trusted publishing](https://docs.npmjs.com/trusted-publishers) is enabled for the package(s), linked to this workflow, and given access to the `release` environment.
 - A repo root `package.json` script `release` which runs `beachball publish`
-- The build is running on a Linux/Mac agent. (This could be easily adapted to a Windows agent with different syntax in the commands.)
 
 Note that in GitHub Actions, it's easiest to set up authentication if you set `persist-credentials: false` when checking out code.
 
 ```yml
-# Example trigger configurations (choose one or more, or another setup)
-# on:
-#   # Release on push to main
-#   push:
-#     branches: [main]
-#   # Release daily (see https://crontab-generator.org/ for help with schedules)
-#   schedule:
-#     - cron: '0 8 * * *'
-#   # Release on manual trigger (can be used alone or with other options)
-#   workflow_dispatch:
+# Add trigger configuration of your choice (this one is manual only)
+on:
+  workflow_dispatch:
 
 environment: release
 
 # Variable syntax below assumes Linux/Mac but could be easily adapted to Windows
 runs-on: ubuntu-latest
 
+permissions:
+  # Required for trusted publishing
+  id-token: write
+
 steps:
   - name: Check out code
-    uses: actions/checkout@v3
+    uses: actions/checkout@v6
     with:
       # Prevent the action from storing credentials in a way that's hard to override
       persist-credentials: false
 
   # ... Other steps to prepare for publishing (install, build, test, etc) ...
 
-  # Set the name, email, and URL with PAT
+  # Set the name, email, and URL with PAT (use Windows variable syntax if needed)
   - name: Set git credentials
     run: |
       git config user.name "someone"
@@ -139,11 +137,9 @@ steps:
     env:
       REPO_PAT: ${{ secrets.REPO_PAT }}
 
-  # Pass the token on the command line for publishing
+  # No token needed with trusted publishing
   - name: Publish
-    run: npm run release -- --token "$NPM_TOKEN"
-    env:
-      NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+    run: npm run release
 ```
 
 ### GitHub repo + Azure Pipelines
@@ -156,20 +152,15 @@ This sample assumes the following:
   - `REPO_PAT`: A GitHub fine-grained personal access token with write access ([as described above](#github-token))
   - `NPM_TOKEN`: An npm token with write access to the package(s) and/or scope(s), such as a [fine-grained token for public npm](#npm-token)
 - A repo root `package.json` script `release` which runs `beachball publish`
-- The build is running on a Linux/Mac agent. (This could be easily adapted to a Windows agent with different syntax in the commands.)
+- A `.npmrc` file with the following content (change the registry if needed):
+  ```txt
+  //registry.npmjs.org/:_authToken=${NPM_TOKEN}
+  ```
 
 ```yml
-# Example trigger configurations (choose one or more, or another setup)
-#
-# # Release on push to main
-# trigger: [main]
-#
-# # Release on a schedule
-# # https://docs.microsoft.com/en-us/azure/devops/pipelines/build/triggers?tabs=yaml&view=azure-devops#supported-cron-syntax
-# schedules:
-#   - cron: '0 8 * * *'
-#     branches:
-#       include: [main]
+# Add trigger configuration of your choice (this one is manual only)
+pr: none
+trigger: none
 
 # This group should only be accessible to the release pipeline
 variables:
@@ -182,16 +173,20 @@ pool:
 steps:
   # ... Other steps to set up repo and prepare for publishing (install, build, test, etc) ...
 
-  # Set the name, email, and URL with PAT
+  # Set the name, email, and URL with PAT (use Windows variable syntax if needed)
   - script: |
       git config user.name "someone"
       git config user.email "someone@example.com"
-      git remote set-url origin "https://$(REPO_PAT)@github.com/your-org/your-repo"
+      git remote set-url origin "https://$REPO_PAT@github.com/your-org/your-repo"
     name: Set git credentials
+    env:
+      REPO_PAT: $(REPO_PAT)
 
-  # Pass the token on the command line for publishing
-  - script: npm run release -- --token "$(NPM_TOKEN)"
+  - script: npm run release
     name: Publish
+    # This works because .npmrc references NPM_TOKEN
+    env:
+      NPM_TOKEN: $(NPM_TOKEN)
 ```
 
 ### Azure Repos + Azure Pipelines
diff --git a/docs/overview/configuration.md b/docs/overview/configuration.md
diff --git a/packages/beachball/README.md b/packages/beachball/README.md
