fix(ci): ignore npm scripts when publishing bazel pkg

[Jesssullivan]

Summary:

• stop re-running package lifecycle scripts when publishing the validated Bazel pkg artifact to npm
• apply the same ignore-scripts behavior to the dry-run path
• keep release metadata and artifact validation in the upstream test job, where they already run

Validation:

• pnpm run check:release-metadata
• npx --yes @bazel/bazelisk build //:pkg
• npm publish ./bazel-bin/pkg --access public --dry-run --ignore-scripts

Root cause:
The publish-npm job was publishing ./pkg, whose packaged prepublishOnly script referenced repo files like scripts/check-release-metadata.mjs that are not present inside the stripped Bazel artifact. The workflow had already validated the artifact in test, so rerunning lifecycle scripts during publish was redundant and broke the release lane.

[greptile-apps]

Greptile Summary

This PR adds --ignore-scripts to all npm publish invocations in publish.yml (both the npm and GitHub Packages jobs, and both the real and dry-run paths), preventing the Bazel artifact's prepublishOnly lifecycle script from executing against a stripped artifact that lacks scripts/check-release-metadata.mjs. Validation steps continue to run in the upstream test job, so nothing is lost.

Confidence Score: 5/5

Safe to merge — the fix is minimal, correctly targeted, and no P0/P1 issues found.

All publish commands now carry --ignore-scripts, the condition logic for publish vs dry-run is correctly mutually exclusive across release and workflow_dispatch triggers, and validation remains in the test job. The only finding is a pre-existing P2: the GitHub Packages dry-run skips the package.json name mutation, reducing its fidelity as a pre-flight check.

No files require special attention.

Important Files Changed

Filename	Overview
.github/workflows/publish.yml	Adds --ignore-scripts to all npm publish commands (both npm and GitHub Packages, both real and dry-run paths); validation steps remain in the upstream test job.
.github/workflows/ci.yml	CI workflow unchanged in substance; build job retains release-metadata verification and publint validation on every push/PR.

Sequence Diagram

sequenceDiagram
    participant T as test job (publish.yml)
    participant A as GitHub Artifact Store
    participant N as publish-npm job
    participant G as publish-github job
    participant NPM as registry.npmjs.org
    participant GHP as npm.pkg.github.com

    T->>T: Verify release metadata
    T->>T: npx bazelisk build //:pkg
    T->>T: npm pack --dry-run ./bazel-bin/pkg
    T->>T: tar -czf bazel-pkg.tgz -C bazel-bin pkg
    T->>A: upload-artifact (bazel-pkg)

    A->>N: download-artifact (bazel-pkg)
    N->>N: tar -xzf bazel-pkg.tgz → ./pkg
    N->>N: chmod -R u+w pkg
    N->>NPM: npm publish ./pkg --ignore-scripts [--provenance]

    A->>G: download-artifact (bazel-pkg)
    G->>G: tar -xzf bazel-pkg.tgz → ./pkg
    G->>G: cp -R pkg pkg-github
    G->>G: node -e mutate package.json (name + publishConfig)
    G->>GHP: npm publish ./pkg-github --ignore-scripts

Loading

Comments Outside Diff (1)

1. .github/workflows/publish.yml, line 170-173 (link)

   GitHub Packages dry-run skips package.json mutation

   The actual publish step (line 160–166) mutates pkg-github/package.json to override the package name to @jesssullivan/scheduling-kit and set publishConfig.registry before calling npm publish. The dry-run step at line 171 skips that mutation, so it publishes with whatever name is baked into the Bazel artifact. If the artifact's name, scope, or registry config is wrong for GitHub Packages, the dry-run will still succeed while the real publish would fail.

   Consider moving the mutation into a dedicated step so both paths share it:

   - name: Prepare GitHub Packages publish directory
     run: |
       cp -R pkg pkg-github
       chmod -R u+w pkg-github
       node -e "
         const pkg = require('./pkg-github/package.json');
         pkg.name = '@jesssullivan/scheduling-kit';
         pkg.publishConfig = { registry: 'https://npm.pkg.github.com' };
         require('fs').writeFileSync('./pkg-github/package.json', JSON.stringify(pkg, null, 2) + '\n');
       "
   
   - name: Publish to GitHub Packages
     if: ${{ github.event_name == 'release' || github.event.inputs.dry_run != 'true' }}
     run: npm publish ./pkg-github --ignore-scripts
     env:
       NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   
   - name: Publish dry run
     if: ${{ github.event.inputs.dry_run == 'true' }}
     run: npm publish ./pkg-github --dry-run --ignore-scripts
     env:
       NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

_{Reviews (1): Last reviewed commit: "fix(ci): clean stale bazel publish artif..." | Re-trigger Greptile}