[codex] Harden release publishing by stackbilt-admin · Pull Request #134 · Stackbilt-dev/charter

stackbilt-admin · 2026-04-29T23:02:59Z

Summary

Hardens the Charter release path so workspace protocol dependencies cannot leak into published npm tarballs.

Add a root publish:check script that packs each publishable package and inspects the packed package.json for workspace: dependency specifiers.
Add prepublishOnly guards for packages with workspace deps so direct npm publishes fail before source manifests can leak.
Update the npm release workflow to validate tag format, run packed-manifest verification, pack with pnpm, and publish the generated tarballs with npm provenance.
Document the synchronized package-version invariant and release validation steps in PUBLISHING.md.

Addresses #122
Addresses #123
Addresses #131

pnpm run publish:check
npm run prepublishOnly in packages/cli fails with the intended direct-npm guard
pnpm run prepublishOnly in packages/cli passes
Local release packing exercise produced all 11 expected tarballs

stackbilt-admin · 2026-05-06T08:44:12Z

Superseded by #141 (consolidated branch: codex/consolidate-pre-repo-work). Closing this PR in favor of the combined review.

Harden release publishing

66c0842

stackbilt-admin mentioned this pull request May 6, 2026

[codex] Consolidate pre-repo work #141

Merged

stackbilt-admin closed this May 6, 2026

stackbilt-admin deleted the codex/release-publish-hardening branch May 6, 2026 08:44