
ci: consolidate dev publish into publish.yml#77

Merged
ohxyz merged 1 commit into
mainfrom
ci/consolidate-dev-publish
Jun 17, 2026

Conversation

@ohxyz

@ohxyz ohxyz commented Jun 17, 2026

Collaborator

Why

PR #76 shipped dev publishing as a separate workflow file (dev-publish.yml). But npm trusted publishing (OIDC) allows only one workflow filename per package, and publish.yml already owns that slot. The separate file can't authenticate — its OIDC token exchange 404s, pnpm falls back to no auth, and the publish dies with E404 PUT .../bwin. (Confirmed live: the #76 merge ran the job and failed exactly this way.)

What

Fold the dev path into publish.yml as a second job, selected by trigger event:

  • publish, if: github.event_name == 'workflow_dispatch'. The existing manual stable release: PUBLISH env gate, tag + release notes, latest. Unchanged.
  • dev-publish, if: pull_request && merged == true. Unattended on each merged PR to main. Computes an ephemeral <next-patch>-dev-<sha> (e.g. 0.4.5-dev-9e70cf0) via npm version --no-git-tag-version — never written back to the repo — builds, and publishes under the dev dist-tag. No tag, no commit, no re-trigger loop.

Deletes the redundant dev-publish.yml.

npm-side requirement (not code)

For the dev job's OIDC to authenticate, the bwin package's npm Trusted Publisher must have its Environment field blank:

  • npm matches on repo + workflow filename + environment; the dev job runs with no environment.
  • A blank environment matches both jobs. The stable job's GitHub-side environment: PUBLISH approval gate is enforced by GitHub independently, so blanking the npm field does not weaken it.
  • Workflow filename stays publish.yml.

Note

main currently has the broken standalone dev-publish.yml from #76; this PR removes it. Merging this supersedes #76's workflow.
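How the two jobs could sit side by side in a single publish.yml, as an added sketch that is not the project's own workflow file: the trigger events, `if:` conditions, the PUBLISH environment on the stable job and the absence of one on the dev job follow the PR description, while the action versions, the pnpm commands and the two-step `npm version` used to build the ephemeral version are assumptions.

```yaml
# Added sketch of the consolidated publish.yml layout described in the PR.
# Not the project's own file: action versions, pnpm invocations and the
# version-computation step are assumptions.
name: publish

on:
  workflow_dispatch:          # manual stable release
  pull_request:
    types: [closed]           # fires on merge and on close; filtered below
    branches: [main]

jobs:
  publish:
    # Stable path: only a manual dispatch reaches this job.
    if: github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest
    environment: PUBLISH      # GitHub-side approval gate, enforced by GitHub
    permissions:
      contents: write         # tag + release notes
      id-token: write         # OIDC token for npm trusted publishing
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: pnpm install --frozen-lockfile
      - run: pnpm build
      - run: pnpm publish --no-git-checks      # dist-tag defaults to latest

  dev-publish:
    # Dev path: a pull_request 'closed' event that was actually a merge.
    # A PR closed without merging fails the second condition and is skipped.
    if: github.event_name == 'pull_request' && github.event.pull_request.merged == true
    runs-on: ubuntu-latest
    # No `environment:` here. npm's Trusted Publisher entry for the package
    # must therefore have a blank environment so that the same publish.yml
    # filename matches this job as well as the stable one.
    permissions:
      contents: read          # nothing is written back to the repo
      id-token: write         # OIDC token, same workflow filename as above
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: pnpm install --frozen-lockfile
      - name: Compute ephemeral <next-patch>-dev-<sha> version
        run: |
          # Bump package.json to the next patch without a commit or tag,
          # then rewrite it as a prerelease carrying the merge commit's short SHA.
          # The working tree is left dirty on purpose; nothing is pushed.
          next="$(npm version patch --no-git-tag-version)"   # prints e.g. v0.4.5
          sha="$(git rev-parse --short "$GITHUB_SHA")"
          npm version "${next#v}-dev-${sha}" --no-git-tag-version
      - run: pnpm build
      - run: pnpm publish --tag dev --no-git-checks
```

Because the dev job leaves package.json modified, `--no-git-checks` is what keeps pnpm from refusing to publish from a dirty tree; without it the unattended job would fail on every merge. Both jobs request `id-token: write` and nothing else they do not need, so the OIDC exchange works for either job while the dev job cannot write to the repository.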

PR #76 shipped dev publishing as a separate workflow file
(dev-publish.yml), but npm trusted publishing (OIDC) allows only one
workflow filename per package — publish.yml already owns that slot. The
separate file's OIDC token exchange 404s, pnpm falls back to no auth,
and the publish fails with E404.

Fold the dev path into publish.yml as a second job, selected by event:
  - workflow_dispatch → stable 'publish' job (PUBLISH env gate, latest)
  - merged PR to main → 'dev-publish' job (unattended, dev dist-tag),
    publishing an ephemeral <next-patch>-dev-<sha> never written back.

Delete the now-redundant dev-publish.yml.

For the dev job's OIDC to work, the npm trusted-publisher's environment
field must be blank so it matches the env-less job; the stable job keeps
its GitHub-side PUBLISH approval gate regardless.
@ohxyz ohxyz merged commit 5488529 into main Jun 17, 2026
@ohxyz ohxyz deleted the ci/consolidate-dev-publish branch June 17, 2026 01:43
