Merged
17 changes: 13 additions & 4 deletions .github/workflows/release.yml
Expand Up @@ -3,6 +3,11 @@ name: Release
on:
push:
branches: [main]
workflow_dispatch:
inputs:
tag:
description: 'Existing release tag to publish (e.g. v0.1.3). Used when a previous publish failed.'
required: true

permissions:
contents: write
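Review bot: the new `tag` input is declared `required: true` but nothing in this hunk constrains its shape; the description ('Existing release tag to publish (e.g. v0.1.3)') is the only hint to the operator, and the value is consumed later as a checkout ref. State the accepted pattern in the description and pair the input with a validation step that rejects anything that is not an existing release tag before the publish job runs.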
Expand All @@ -11,6 +16,7 @@ permissions:

jobs:
release-please:
if: ${{ github.event_name == 'push' }}
runs-on: ubuntu-latest
outputs:
release_created: ${{ steps.release.outputs.release_created }}
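Review bot: gating `release-please` on `github.event_name == 'push'` means the job is skipped on `workflow_dispatch`, so `release_created` and the other outputs are empty on manual runs, and a job that `needs` a skipped job is itself skipped unless its `if` uses a status function. A one-line comment next to this `if` saying that the manual path intentionally bypasses release creation would save the next reader from working that out from the `publish` condition.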
Expand All @@ -23,23 +29,26 @@ jobs:

publish:
needs: release-please
if: ${{ needs.release-please.outputs.release_created == 'true' }}
if: ${{ always() && (needs.release-please.outputs.release_created == 'true' || github.event_name == 'workflow_dispatch') }}
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
steps:
- uses: actions/checkout@v4
with:
In workflow_dispatch, inputs.tag is passed directly to actions/checkout as ref, which can be any branch/commit/ref string, not necessarily a release tag. This makes it possible to accidentally (or intentionally) publish arbitrary code to npm instead of an immutable release tag.

Suggested change
with:
ref: refs/tags/${{ inputs.tag }}
Fix prompt (copy to your AI agent)
Update `.github/workflows/release.yml` so manual publish only accepts real tags: use `ref: refs/tags/${{ inputs.tag }}` (not raw input), and add a validation step before publish that fails unless `inputs.tag` matches your release pattern (for example `^v[0-9]+\.[0-9]+\.[0-9]+$`) and exists in `refs/tags/`.

ref: ${{ needs.release-please.outputs.tag_name }}
ref: ${{ github.event_name == 'workflow_dispatch' && inputs.tag || needs.release-please.outputs.tag_name }}
- uses: actions/setup-node@v4
with:
node-version: '22.x'
registry-url: 'https://registry.npmjs.org'
cache: npm
- run: npm install -g npm@latest
- run: npm ci
- run: npm run lint
- run: npm run typecheck
- run: npm run build
- run: npm publish --provenance --access public
# Trusted Publisher OIDC needs npm >= 11.5.1. Node 22's bundled npm
# is 10.x, and `npm install -g npm@latest` is currently broken on
# 22.22.2 (missing 'promise-retry'). Use npx to invoke a known-good
# npm version just for the publish step.
- run: npx -y npm@11.5.2 publish --provenance --access public
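Review bot: `always()` in the `publish` job's `if` makes the job run even when the workflow run was cancelled, which is broader than the intent here (run although `release-please` was skipped); `!cancelled() && (...)` expresses that without the cancellation side effect. On the manual path the `ref` expression hands `inputs.tag` to `actions/checkout` unqualified, so a branch name or commit SHA checks out just as well as a release tag; prefixing `refs/tags/` (as suggested in the thread) together with a validation step keeps the `--provenance` attestation bound to a tagged release. Dropping `npm install -g npm@latest` in favour of the pinned `npx -y npm@11.5.2` is the right call for a publish step, and the comment explaining why is appreciated.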
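The validation step suggested in the thread, as an added example that is not part of this PR or the project's workflow. It assumes the manual input is passed in as the first argument and the repository's existing tags as the second (in a real step, `git fetch --tags` followed by `git tag --list` would supply that list); the `v0.1.3` pattern is the one the review comment proposes.

```shell
#!/usr/bin/env bash
# Hypothetical pre-publish check for the workflow_dispatch path.
# Not part of the PR. Assumes: $1 is inputs.tag, $2 is a whitespace-
# separated list of tags that exist under refs/tags/.
set -eu

# Release tag shape from the review comment (assumption: the project
# tags releases as vMAJOR.MINOR.PATCH, matching the 'v0.1.3' example).
RELEASE_TAG_PATTERN='^v[0-9]+\.[0-9]+\.[0-9]+$'

# validate_release_tag TAG KNOWN_TAGS
# Returns 0 only if TAG matches RELEASE_TAG_PATTERN and is one of
# KNOWN_TAGS; otherwise prints the reason to stderr and returns 1, so a
# branch name, a commit SHA or a typo never reaches `npm publish`.
validate_release_tag() {
  tag="$1"
  known="$2"

  # Reject embedded whitespace/newlines first: grep matches per line, so
  # a multi-line value could otherwise sneak a valid-looking first line.
  case "$tag" in
    *[[:space:]]*)
      echo "refusing to publish: tag contains whitespace" >&2
      return 1
      ;;
  esac

  if ! printf '%s\n' "$tag" | grep -Eq "$RELEASE_TAG_PATTERN"; then
    echo "refusing to publish: '$tag' is not a release tag (expected e.g. v0.1.3)" >&2
    return 1
  fi

  for t in $known; do
    if [ "$t" = "$tag" ]; then
      return 0
    fi
  done

  echo "refusing to publish: tag '$tag' does not exist in refs/tags/" >&2
  return 1
}

# Constructed usage for the workflow step (not page code):
#   git fetch --tags --quiet
#   validate_release_tag "$INPUT_TAG" "$(git tag --list)"
```

Run the check as its own step before `npm publish` so a rejected input fails the job with a readable message; combined with `ref: refs/tags/${{ inputs.tag }}` on the checkout, the manual path can then only ever publish a commit that already carries a release tag.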