Simplify npm publish workflow #26
Conversation
## Summary

- update the publish workflow to Node.js 24 on macos-15-intel
- pack the npm tarball before publishing and attest that exact artifact with GitHub artifact attestations
- publish to npm with provenance enabled and public scoped package access

## Verification

- ruby YAML parse for publish workflow
- HFS test volume + `ROOT_VOLUME=/Volumes/macos_alias npm test`
- `npm audit --audit-level=moderate`
- `npm ls --omit=dev --all`
- `npm pack --dry-run`
## Summary

- skip npm publishing for GitHub prereleases so prerelease releases cannot publish the default `latest` dist-tag
- check whether the exact package version already exists on npm
- skip pack, attestation, artifact upload, and publish steps when the version is already published so workflow reruns are safe

## Verification

- YAML parse for publish workflow
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 97e47e0ec6
| name: publish to npmjs | ||
| if: github.event.release.prerelease == false | ||
| needs: check | ||
| if: needs.check.outputs.should_publish == 'true' |
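Review bot: replacing `if: github.event.release.prerelease == false` with `if: needs.check.outputs.should_publish == 'true'` moves the whole publish gate into the `check` job's output, so two things need confirming in the workflow: that `should_publish` is set to `false` for prereleases (otherwise the old guard is lost and a prerelease can take the `latest` dist-tag), and that the "version already exists" lookup is repeated in a step directly before `npm publish`, since a job-level `if` is evaluated when the job is scheduled and will be stale by the time the macOS test and audit steps finish. Also note that `needs.*.outputs` values are strings, so the `== 'true'` comparison is correct; a bare `== true` would never match.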
Re-check package availability immediately before publish
Using needs.check.outputs.should_publish as the sole gate means the publish decision is made at workflow start, then reused after a long macOS test/audit job. If two runs for the same release overlap (for example, a manual rerun while the first run is still executing), both can pass the early check, but the later run will still attempt npm publish and fail once the first run has already published that version. Previously, the check happened near the publish step, which greatly reduced this race window and allowed late runs to skip cleanly.
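The shape the review comment above asks for, as an added example and not the project's own workflow: the early `check` job still gates the whole publish job, but the registry lookup is repeated in the step immediately before `npm publish`, so a rerun that overlapped with an earlier run skips instead of failing. Assumptions: the package is published to registry.npmjs.org, the npm token lives in a secret named `NPM_TOKEN`, and the actions are referenced by tag here where the PR pins them to commit SHAs.

```yaml
# Added example (not this repository's workflow). Assumes registry.npmjs.org,
# a secret named NPM_TOKEN, and that `npm view <name>@<version> version` prints
# the version when it is published and nothing (or E404) when it is not.
name: publish

on:
  release:
    types: [published]

permissions:
  contents: read
  id-token: write      # required for npm --provenance (Sigstore OIDC)
  attestations: write  # required for GitHub artifact attestations

jobs:
  check:
    runs-on: ubuntu-latest
    outputs:
      should_publish: ${{ steps.gate.outputs.should_publish }}
    steps:
      - uses: actions/checkout@v4
      - id: gate
        run: |
          # Prereleases never publish: they would otherwise take the `latest` dist-tag.
          if [ "${{ github.event.release.prerelease }}" = "true" ]; then
            echo "should_publish=false" >> "$GITHUB_OUTPUT"; exit 0
          fi
          name=$(node -p "require('./package.json').name")
          version=$(node -p "require('./package.json').version")
          if [ "$(npm view "$name@$version" version 2>/dev/null)" = "$version" ]; then
            echo "should_publish=false" >> "$GITHUB_OUTPUT"   # already on npm
          else
            echo "should_publish=true" >> "$GITHUB_OUTPUT"
          fi

  publish:
    name: publish to npmjs
    needs: check
    if: needs.check.outputs.should_publish == 'true'
    runs-on: macos-15-intel
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 24
          registry-url: https://registry.npmjs.org
      - run: npm ci
      # ... test volume setup, npm test and npm audit as in the PR description ...
      - run: npm pack
      - id: tarball
        run: echo "file=$(ls *.tgz)" >> "$GITHUB_OUTPUT"
      # Attest the exact tarball that will be published, not the working tree.
      - uses: actions/attest-build-provenance@v2
        with:
          subject-path: ${{ steps.tarball.outputs.file }}
      # Re-check right before publishing: the job-level gate above was evaluated
      # before the (slow) test and audit steps ran and may be stale by now.
      - id: recheck
        run: |
          name=$(node -p "require('./package.json').name")
          version=$(node -p "require('./package.json').version")
          if [ "$(npm view "$name@$version" version 2>/dev/null)" = "$version" ]; then
            echo "exists=true" >> "$GITHUB_OUTPUT"
          else
            echo "exists=false" >> "$GITHUB_OUTPUT"
          fi
      - if: steps.recheck.outputs.exists != 'true'
        env:
          TARBALL: ${{ steps.tarball.outputs.file }}
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: npm publish "$TARBALL" --provenance --access public
```

The late `recheck` step narrows the race but cannot close it: two runs can both observe "not published" and one will still lose the `npm publish` call. That remaining failure is the registry refusing to overwrite an existing version, which is the desired outcome; treat it as a benign skip when triaging reruns rather than retrying with a bumped version.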
Closing after force-resetting main back before the npm publish workflow work, per maintainer request.
## Summary

- `tehpsalmist/npm-publish-status-action` pinned to `01cb25946b194a7a5468f22c8e74db04c283f121`.
- `exists == 0`.
- `npm ci`, `npm pack`, GitHub artifact attestation, and `npm publish --provenance`.

## Validation

- `.github/workflows/publish.yml` with Ruby YAML.
- actionlint v1.7.12.
- `git diff --check`.

Leaving this PR open for maintainer review.