ci(release): publish to npm on tag push#118
Merged
stackbilt-admin merged 2 commits into main, Apr 18, 2026
The existing Release workflow only creates a GitHub Release tag — it doesn't publish to npm. v0.11.0 has shipped on GitHub since 2026-04-16 but npm is still at 0.10.0 across all 11 workspace packages because no step invokes `pnpm publish`.

Add a `publish-npm` job parallel to `publish-release`:
- `pnpm -r publish --access public --no-git-checks --provenance`
- version-sync guard (fails if any packages/*/package.json version doesn't match the tag)
- `id-token: write` for npm provenance attestation
- same triggers as publish-release (tag push + workflow_dispatch backfill)

After merge, backfill v0.11.0 via: `gh workflow run release.yml -f tag=v0.11.0`

Requires `NPM_TOKEN` repository secret (granular automation token with publish permission on @stackbilt/*).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
One-line comment documenting that the guard enforces unified workspace versioning. Pre-merge cleanup from CodeBeast review of #118. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
stackbilt-admin pushed a commit that referenced this pull request, Apr 18, 2026

Surface Zod-Core-Out vertical slice (#117):
- analyze() + Zod schemas on @stackbilt/surface
- charter_surface MCP tool in charter serve
- CLI argv routed through SurfaceInputSchema

First release cut through the automated Release workflow (#118) with npm trusted-publisher OIDC auth across all 11 packages. Provenance attestations replace long-lived NPM_TOKEN.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary

- Release workflow has only ever created a GitHub Release tag — npm publishes were done manually from a maintainer workstation and stopped landing after v0.10.0 (2026-04-09). v0.11.0 tagged 2026-04-16 but never made it to npm; all 11 @stackbilt/* packages still show 0.10.0.
- `publish-npm` job running `pnpm -r publish --access public --no-git-checks --provenance` on tag push (and `workflow_dispatch` for backfill). Parallel to the existing `publish-release` job — neither blocks the other on failure.
- packages/*/package.json; fails the workflow before any publish call if any package version ≠ tag. Catches half-bumped release PRs.
- `--provenance` + `id-token: write` permission links each npm tarball to this GHA run via a cryptographic attestation. Reasonable supply-chain hygiene for an OSS governance package.

Prerequisites

- `NPM_TOKEN` repo (or org) secret exists with publish access on @stackbilt/*. Confirmed externally; not set in this PR.

Test plan

- `gh workflow run release.yml -f tag=v0.11.0`.
- `pnpm -r publish` is idempotent on already-published versions, so already-shipped 0.10.0 packages no-op and 0.11.0-tagged packages ship.
- `npm view @stackbilt/cli version` returns `0.11.0` (and same for the other 10 workspace packages).

🤖 Generated with Claude Code