
ci: auto-publish dev release to npm on merged PR #76

Merged
ohxyz merged 1 commit into main from ci/dev-publish-on-merge on Jun 17, 2026
@ohxyz ohxyz commented Jun 17, 2026

Collaborator

What

Adds .github/workflows/dev-publish.yml: on every PR merged into main, automatically publish a dev build to npm under the dev dist-tag.

How

  • Trigger: pull_request: closed on main, guarded by if: github.event.pull_request.merged == true (ignores closed-without-merge).
  • Ephemeral version: reads package.json, auto-increments the patch field, appends -dev-<shortsha> → e.g. 0.4.5-dev-9e70cf0. Applied with npm version --no-git-tag-version, so it edits only the runner's copy — no commit, no tag, nothing pushed back to main. This is what avoids any version-bump-PR / re-trigger loop.
  • Publish: pnpm publish --no-git-checks --access public --tag dev via OIDC. Runs unattended (no PUBLISH environment gate, by design). latest is never touched.

Notes

  • Mirrors the existing publish.yml step structure; that manual stable-release workflow is unchanged.
  • Next-patch assumes the next release is a patch; if a release is minor/major, the dev label lags until package.json is bumped on main — expected.
  • Requires npm trusted-publishing (OIDC) to accept this workflow without the PUBLISH environment. If the npm trusted-publisher config is scoped to that environment, it must be widened to cover this workflow.

Adds dev-publish.yml: on every PR merged to main, compute an ephemeral
<next-patch>-dev-<shortsha> version, build, and publish to npm under the
dev dist-tag via OIDC. The version is never written back to the repo
(npm version --no-git-tag-version), so there is no bump commit and no
re-trigger loop. Runs unattended (no PUBLISH environment gate); latest
is never touched.
@ohxyz ohxyz merged commit d6d527b into main Jun 17, 2026
@ohxyz ohxyz deleted the ci/dev-publish-on-merge branch June 17, 2026 01:21
ohxyz added a commit that referenced this pull request Jun 17, 2026
PR #76 shipped dev publishing as a separate workflow file
(dev-publish.yml), but npm trusted publishing (OIDC) allows only one
workflow filename per package — publish.yml already owns that slot. The
separate file's OIDC token exchange 404s, pnpm falls back to no auth,
and the publish fails with E404.

Fold the dev path into publish.yml as a second job, selected by event:
  - workflow_dispatch → stable 'publish' job (PUBLISH env gate, latest)
  - merged PR to main → 'dev-publish' job (unattended, dev dist-tag),
    publishing an ephemeral <next-patch>-dev-<sha> never written back.

Delete the now-redundant dev-publish.yml.

For the dev job's OIDC to work, the npm trusted-publisher's environment
field must be blank so it matches the env-less job; the stable job keeps
its GitHub-side PUBLISH approval gate regardless.
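
The "Ephemeral version" step from the PR description above, as an added example that is not the project's workflow code: a POSIX shell function that derives `<next-patch>-dev-<shortsha>` and rejects any version or SHA it does not expect before the string is handed to `npm version`. The function names, the 7-character short SHA and the strict MAJOR.MINOR.PATCH check are assumptions.

```shell
#!/bin/sh
# Added example, not the project's workflow code.

# is_num FIELD: succeeds for a semver numeric field (digits, no leading zero).
is_num() {
  case "$1" in
    '' | *[!0-9]*) return 1 ;;
    0) return 0 ;;
    0*) return 1 ;;
  esac
  return 0
}

# next_dev_version VERSION SHA
# Prints <next-patch>-dev-<shortsha>; 0.4.4 plus 9e70cf0... gives 0.4.5-dev-9e70cf0.
# The body runs in a subshell, so its variables do not leak into the caller.
next_dev_version() (
  current=$1
  sha=$2
  # Assumption: main carries a plain MAJOR.MINOR.PATCH. Anything else
  # (pre-release suffix, extra fields) is rejected instead of guessed at.
  case "$current" in
    *.*.*) ;;
    *) echo "unexpected version: $current" >&2; exit 1 ;;
  esac
  major=${current%%.*}
  rest=${current#*.}
  minor=${rest%%.*}
  patch=${rest#*.}
  if ! { is_num "$major" && is_num "$minor" && is_num "$patch"; }; then
    echo "unexpected version: $current" >&2
    exit 1
  fi
  # Only lowercase hex of at least 7 characters is accepted as a commit SHA,
  # so nothing else can end up in the string passed to `npm version`.
  case "$sha" in
    '' | *[!0-9a-f]*) echo "unexpected sha: $sha" >&2; exit 1 ;;
  esac
  if [ "${#sha}" -lt 7 ]; then
    echo "sha too short: $sha" >&2
    exit 1
  fi
  echo "$major.$minor.$(($patch + 1))-dev-$(printf '%.7s' "$sha")"
)

# Stand-alone use: sh next-dev-version.sh 0.4.4 "$GITHUB_SHA"
if [ "$#" -eq 2 ]; then
  next_dev_version "$1" "$2"
fi
```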