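# Builds packages/server and publishes it to the npm registry with provenance.
# Runs either manually (workflow_dispatch) or from another workflow (workflow_call).
name: Manual NPM Publish

on:
  workflow_dispatch:
    inputs:
      version:
        description: "Version to publish (e.g. 0.2.0-dev)"
        required: false
        type: string
      dist_tag:
        description: "npm dist-tag"
        required: false
        default: dev
        type: string
      package_name:
        description: "Package name to publish (e.g. @neuralnomads/codenomad-dev)"
        required: false
        default: "@neuralnomads/codenomad"
        type: string
  workflow_call:
    inputs:
      ref:
        required: false
        default: ""
        type: string
      version:
        required: true
        type: string
      dist_tag:
        required: false
        type: string
        default: dev
      package_name:
        required: false
        type: string
        default: "@neuralnomads/codenomad"
    secrets:
      NPM_TOKEN:
        required: false

# Least privilege: read-only repository access, plus the OIDC token that the
# publish step needs for provenance / trusted publishing.
# NOTE(review): id-token: write applies to every step of the job, including the
# dependency install and build steps that run third-party scripts.
permissions:
  contents: read
  id-token: write

jobs:
  publish:
    runs-on: ubuntu-latest
    env:
      # Quoted so the values stay strings instead of being re-typed by the YAML parser.
      NODE_VERSION: "22"
      PUBLISH_NPM_VERSION: "11.5.1"
    steps:
      # NOTE(review): the v4 tags below are mutable; pinning each action to a
      # full commit SHA keeps the publish pipeline from following a moved tag.
      - name: Checkout
        uses: actions/checkout@v4
        with:
          ref: ${{ inputs.ref || github.ref }}
          # No later step pushes to the repository, so do not leave the
          # checkout token in .git/config for install and build scripts to read.
          persist-credentials: false

      - name: Setup Node
        uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}
          registry-url: https://registry.npmjs.org

      # Installs one fixed npm release into a scratch directory and exports the
      # path of its CLI entry point for the following steps.
      - name: Prepare pinned npm CLI
        shell: bash
        run: |
          set -euo pipefail
          tool_dir="$RUNNER_TEMP/publish-npm"
          mkdir -p "$tool_dir"
          npm install --prefix "$tool_dir" "npm@${PUBLISH_NPM_VERSION}" --no-audit --no-fund
          echo "PINNED_NPM_CLI=$tool_dir/node_modules/npm/bin/npm-cli.js" >> "$GITHUB_ENV"
          node "$tool_dir/node_modules/npm/bin/npm-cli.js" --version

      - name: Install dependencies
        run: node "$PINNED_NPM_CLI" ci --workspaces

      - name: Ensure rollup native binary
        run: node "$PINNED_NPM_CLI" install @rollup/rollup-linux-x64-gnu --no-save

      - name: Build server package (includes UI bundling)
        run: node "$PINNED_NPM_CLI" run build --workspace packages/server

      # Resolves VERSION, DIST_TAG and PACKAGE_NAME for the publish steps.
      - name: Set publish metadata
        shell: bash
        env:
          # Caller-supplied inputs reach the script as environment variables.
          # Expanding ${{ inputs.* }} inside the script text would let an input
          # value be parsed as shell code.
          VERSION_INPUT: ${{ inputs.version }}
          DIST_TAG_INPUT: ${{ inputs.dist_tag || 'dev' }}
          PACKAGE_NAME_INPUT: ${{ inputs.package_name }}
        run: |
          set -euo pipefail

          # Appends NAME=value to GITHUB_ENV. Multi-line values are refused,
          # because an embedded newline would define additional variables for
          # every later step.
          write_env() {
            case "$2" in
              *$'\n'*|*$'\r'*)
                echo "::error::$1 must be a single line" >&2
                exit 1
                ;;
            esac
            printf '%s=%s\n' "$1" "$2" >> "$GITHUB_ENV"
          }

          version="${VERSION_INPUT:-}"
          if [ -z "$version" ]; then
            # No explicit version given: fall back to the root package.json.
            version=$(node -p "require('./package.json').version")
          fi

          write_env VERSION "$version"
          write_env DIST_TAG "${DIST_TAG_INPUT:-}"
          write_env PACKAGE_NAME "${PACKAGE_NAME_INPUT:-}"

      - name: Bump package version for publish
        # Quoted so the version is always passed as exactly one argument.
        run: node "$PINNED_NPM_CLI" version "$VERSION" --workspaces --include-workspace-root --no-git-tag-version --allow-same-version

      # Rewrites packages/server/package.json so the package is published
      # under PACKAGE_NAME; the existing name is kept when PACKAGE_NAME is empty.
      - name: Set server package name for publish
        shell: bash
        run: |
          set -euo pipefail
          node -e "
            const fs = require('fs');
            const path = require('path');
            const p = path.join('packages', 'server', 'package.json');
            const j = JSON.parse(fs.readFileSync(p, 'utf8'));
            j.name = process.env.PACKAGE_NAME || j.name;
            fs.writeFileSync(p, JSON.stringify(j, null, 2) + '\n');
            console.log('Publishing as', j.name);
          "

      - name: Publish server package with provenance
        env:
          # Optional: when present, npm will use token auth.
          # When empty/unset, npm trusted publishing (OIDC) may be used if configured.
          # The token is scoped to this step only, so install and build never see it.
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
          NPM_CONFIG_PROVENANCE: "true"
          NPM_CONFIG_REGISTRY: https://registry.npmjs.org
        shell: bash
        run: |
          set -euo pipefail
          if [ -z "${NODE_AUTH_TOKEN:-}" ]; then
            echo "NPM_TOKEN not set; attempting npm trusted publishing (OIDC)"
            # An empty NODE_AUTH_TOKEN is removed rather than left set to "".
            unset NODE_AUTH_TOKEN
          else
            echo "Using NPM_TOKEN authentication"
          fi
          node "$PINNED_NPM_CLI" publish --workspace packages/server --access public --tag "$DIST_TAG" --provenance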