CodeNomad/.github/workflows/manual-npm-publish.yml

name: Manual NPM Publish

on:
  workflow_dispatch:
    inputs:
      version:
        description: "Version to publish (e.g. 0.2.0-dev)"
        required: false
        type: string
      dist_tag:
        description: "npm dist-tag"
        required: false
        default: dev
        type: string
      package_name:
        description: "Package name to publish (e.g. @neuralnomads/codenomad-dev)"
        required: false
        default: "@neuralnomads/codenomad"
        type: string
  workflow_call:
    inputs:
      version:
        required: true
        type: string
      dist_tag:
        required: false
        type: string
        default: dev
      package_name:
        required: false
        type: string
        default: "@neuralnomads/codenomad"
    secrets:
      NPM_TOKEN:
        required: false

permissions:
  contents: read
  id-token: write

jobs:
  publish:
    runs-on: ubuntu-latest
    env:
      NODE_VERSION: 20
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Node
        uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}
          registry-url: https://registry.npmjs.org

      - name: Ensure npm >=11.5.1
        run: npm install -g npm@latest

      - name: Install dependencies
        run: npm ci --workspaces

      - name: Ensure rollup native binary
        run: npm install @rollup/rollup-linux-x64-gnu --no-save

      - name: Build server package (includes UI bundling)
        run: npm run build --workspace packages/server

      - name: Set publish metadata
        shell: bash
        run: |
          VERSION_INPUT="${{ inputs.version }}"
          if [ -z "$VERSION_INPUT" ]; then
            VERSION_INPUT=$(node -p "require('./package.json').version")
          fi
          echo "VERSION=$VERSION_INPUT" >> "$GITHUB_ENV"
          echo "DIST_TAG=${{ inputs.dist_tag || 'dev' }}" >> "$GITHUB_ENV"
          echo "PACKAGE_NAME=${{ inputs.package_name }}" >> "$GITHUB_ENV"

      - name: Bump package version for publish
        run: npm version ${VERSION} --workspaces --include-workspace-root --no-git-tag-version --allow-same-version

      - name: Set server package name for publish
        shell: bash
        run: |
          set -euo pipefail
          node -e "const fs=require('fs'); const path=require('path'); const p=path.join('packages','server','package.json'); const j=JSON.parse(fs.readFileSync(p,'utf8')); j.name=process.env.PACKAGE_NAME || j.name; fs.writeFileSync(p, JSON.stringify(j, null, 2)+'\n'); console.log('Publishing as', j.name);"

      - name: Publish server package with provenance
        env:
          # Optional: when present, npm will use token auth.
          # When empty/unset, npm trusted publishing (OIDC) may be used if configured.
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
          NPM_CONFIG_PROVENANCE: true
          NPM_CONFIG_REGISTRY: https://registry.npmjs.org
        shell: bash
        run: |
          set -euo pipefail
          if [ -z "${NODE_AUTH_TOKEN:-}" ]; then
            echo "NPM_TOKEN not set; attempting npm trusted publishing (OIDC)"
            unset NODE_AUTH_TOKEN
          else
            echo "Using NPM_TOKEN authentication"
          fi
          npm publish --workspace packages/server --access public --tag ${DIST_TAG} --provenance