From 6af7abbcb3e95702b66473e8943f982624af83dc Mon Sep 17 00:00:00 2001
From: Nelson Wittwer
Date: Mon, 6 Apr 2026 19:01:31 -0400
Subject: [PATCH 1/2] Add npm publish pipeline for @shopify/shopify-ai-toolkit
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Update package.json: name → @shopify/shopify-ai-toolkit, remove private, add files (skills/ + README.md), repository and homepage fields
- Add publish-npm.yml workflow: triggers on GitHub release published, stamps version from the release tag, publishes with provenance
Requires an NPM_TOKEN secret in repo settings (with publish access to the @shopify org on npm).
Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/publish-npm.yml | 27 +++++++++++++++++++++++++++
 package.json | 16 ++++++++++++----
 2 files changed, 39 insertions(+), 4 deletions(-)
 create mode 100644 .github/workflows/publish-npm.yml
diff --git a/.github/workflows/publish-npm.yml b/.github/workflows/publish-npm.yml
new file mode 100644
index 0000000..90bda73
--- /dev/null
+++ b/.github/workflows/publish-npm.yml
@@ -0,0 +1,27 @@
+name: Publish to npm
+
+on:
+ release:
+ types: [published]
+
+jobs:
+ publish:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ id-token: write
+ steps:
+ - uses: actions/checkout@v4
+
+ - uses: actions/setup-node@v4
+ with:
+ node-version: '20'
+ registry-url: 'https://registry.npmjs.org'
+
+ - name: Set version from release tag
+ run: npm version --no-git-tag-version "${GITHUB_REF_NAME#v}"
+
+ - name: Publish
+ run: npm publish --access public --provenance
+ env:
+ NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/package.json b/package.json
index 810e5a7..be1ad0a 100644
--- a/package.json
+++ b/package.json
@@ -1,9 +1,17 @@
 {
- "name": "shopify-plugin",
+ "name": "@shopify/shopify-ai-toolkit",
 "version": "1.0.0",
- "private": true,
- "description": "AI agent plugin manifests for the Shopify Dev MCP server",
+ "description": "AI agent skills for building Shopify apps — GraphQL, Liquid, Hydrogen, UI Extensions, and more",
 "author": "Shopify",
 "license": "MIT",
- "keywords": ["shopify", "mcp", "graphql", "liquid", "storefront", "admin-api", "plugin"]
+ "keywords": ["shopify", "agent-skills", "graphql", "liquid", "storefront", "admin-api", "hydrogen", "polaris"],
+ "files": [
+ "skills/",
+ "README.md"
+ ],
+ "repository": {
+ "type": "git",
+ "url": "https://github.com/Shopify/shopify-ai-toolkit.git"
+ },
+ "homepage": "https://github.com/Shopify/shopify-ai-toolkit#readme"
 }
From 9e096e7016be444fec50e3014b74c7ba604e14d2 Mon Sep 17 00:00:00 2001
From: Nelson Wittwer
Date: Mon, 6 Apr 2026 19:03:02 -0400
Subject: [PATCH 2/2] Update npm publish workflow to match dev-mcp conventions

- Use shopify-ubuntu-latest runner (handles npm auth internally)
- Pin action SHAs to match dev-mcp security practice
- Use release: created (consistent with dev-mcp)
- Add version verification step (package.json must match release tag)
- Remove explicit NPM_TOKEN secret (not needed with internal runner)
Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/publish-npm.yml | 31 ++++++++++++++++++++-----------
 1 file changed, 20 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/publish-npm.yml b/.github/workflows/publish-npm.yml
index 90bda73..736a4a8 100644
--- a/.github/workflows/publish-npm.yml
+++ b/.github/workflows/publish-npm.yml
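Review bot: In the package.json hunk above (the one that ends at the closing `}` before the second patch's preamble), removing `"private": true` takes away the only guard in the manifest against a publish from a developer machine, and nothing replaces it. The workflow passes `--access public --provenance` on the command line, so those settings apply only when CI runs the publish. Consider adding `"publishConfig": { "access": "public", "provenance": true }` so the manifest itself carries them; a publish outside a supported CI environment should then fail rather than ship an unattested package, which is worth confirming against the npm version in use. The new `files` allowlist ships everything under `skills/`, so an `npm pack --dry-run` before the first release would show exactly what goes out.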
@@ -2,26 +2,35 @@ name: Publish to npm

 on:
 release:
- types: [published]
+ types: [created]
+
+permissions:
+ contents: read
+ id-token: write

 jobs:
 publish:
- runs-on: ubuntu-latest
- permissions:
- contents: read
- id-token: write
+ runs-on: shopify-ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

- - uses: actions/setup-node@v4
+ - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
 with:
 node-version: '20'
 registry-url: 'https://registry.npmjs.org'

- - name: Set version from release tag
- run: npm version --no-git-tag-version "${GITHUB_REF_NAME#v}"
+ - name: Verify version matches release tag
+ run: |
+ PACKAGE_VERSION=$(node -p "require('./package.json').version")
+ TAG_VERSION=${GITHUB_REF#refs/tags/v}
+
+ echo "Package version: $PACKAGE_VERSION"
+ echo "Tag version: $TAG_VERSION"
+
+ if [ "$PACKAGE_VERSION" != "$TAG_VERSION" ]; then
+ echo "Version mismatch: package.json ($PACKAGE_VERSION) != tag ($TAG_VERSION)"
+ exit 1
+ fi

 - name: Publish
 run: npm publish --access public --provenance
- env:
- NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
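Review bot: Moving `permissions:` from the `publish` job to the workflow level makes `id-token: write` the default for every job in this file, including any added later; keeping the block under `publish:` limits OIDC token minting to the one job that signs provenance. Separately, `types: [created]` behaves differently from `published`: per GitHub's documentation `created` is not triggered for draft releases, so a release that is saved as a draft and published later may never start this workflow, which is worth confirming against how releases are cut here. The publish step now relies entirely on credentials supplied by the `shopify-ubuntu-latest` runner, which this diff does not show; if that label maps to a self-hosted runner, check that the registry accepts `--provenance` from it.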