
fix(pkg-apt): guard string-destructure that broke strict tsc #12


Workflow file for this run

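name: Publish to npm
# Triggers:
# - Push a tag matching v*.*.* → auto-publishes core + policy + cli
# - workflow_dispatch → manual run from the Actions tab; supports dry_run
#
# Authentication and provenance are two separate mechanisms in this job:
# - NPM_TOKEN (exported as NODE_AUTH_TOKEN) is what authenticates the
#   publish. Provenance does NOT bypass 2FA. With "Authorization and
#   writes" 2FA on the account, the token must be of a type npm allows to
#   publish without an OTP (e.g. an automation token); any other token will
#   be asked for an OTP and the publish fails in CI. Scope the token to the
#   packages published here and rotate it like any long-lived credential.
# - --provenance together with permissions.id-token: write lets npm request
#   a GitHub OIDC token and attach a signed provenance statement that ties
#   each published package to this repository and workflow run.
#
# NOTE(review): npm also supports OIDC "trusted publishing", which would
# remove the long-lived NPM_TOKEN secret altogether; worth evaluating.
# NOTE(review): workflow_dispatch can be started from any ref by anyone
# with write access, and that ref's code runs with NPM_TOKEN in scope.
# Consider a protected environment with required reviewers for this job.
on:
  push:
    tags:
      - 'v*.*.*'
  workflow_dispatch:
    inputs:
      dry_run:
        description: 'Dry run (pack + show what would be published, no upload)'
        type: boolean
        default: false

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write  # required for npm provenance
    steps:
      # NOTE(review): the actions below are referenced by mutable tags. This
      # job holds NPM_TOKEN and an OIDC token, so pin each action to a full
      # commit SHA (with the tag in a trailing comment) to stop a retagged
      # action from running with those credentials.
      - uses: actions/checkout@v4
        with:
          # Nothing after checkout talks to the git remote (only
          # `git ls-files`), so do not leave GITHUB_TOKEN in .git/config
          # where install/build scripts could read it.
          persist-credentials: false
      - uses: pnpm/action-setup@v4
        # version comes from "packageManager": "pnpm@9.12.0" in root package.json
      - uses: actions/setup-node@v4
        with:
          node-version: '22'
          registry-url: 'https://registry.npmjs.org'
          cache: pnpm
      - name: Install
        # --frozen-lockfile fails the job instead of resolving new versions
        # when pnpm-lock.yaml and package.json disagree.
        run: pnpm install --frozen-lockfile
      - name: Build all publishable packages
        run: |
          # core/policy/cli build first so adapters that import from
          # @profullstack/sh1pt-core resolve to fresh dist/ output.
          pnpm --filter @profullstack/sh1pt-core build
          pnpm --filter @profullstack/sh1pt-policy build
          pnpm -r --filter '!@profullstack/sh1pt-core' --filter '!@profullstack/sh1pt-policy' --filter '!sh1pt-dot-com' build
      - name: Publish packages if not already on npm
        env:
          # Secrets are passed through env (not interpolated into the
          # script text) so they never become part of the shell source.
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
          # Only a manual run can request a dry run; tag pushes always
          # resolve to 'false'.
          DRY_RUN: ${{ github.event_name == 'workflow_dispatch' && inputs.dry_run && 'true' || 'false' }}
        run: |
          set -euo pipefail

          # publish_if_missing <path/to/package.json>
          # Publishes the package described by the manifest unless it is
          # marked private or that exact name@version already exists on
          # the registry. Returns 0 in every case except a missing token.
          publish_if_missing() {
            local package_json="$1"
            local package_name
            local package_version
            local is_private

            # The manifest path is handed to node as an argument rather
            # than spliced into the JavaScript source, so a path that
            # contains quotes cannot change the code node evaluates.
            is_private=$(node -p 'Boolean(require(process.argv[1]).private)' "./${package_json}" 2>/dev/null || echo "false")
            if [ "${is_private}" = "true" ]; then
              return 0
            fi

            package_name=$(node -p 'require(process.argv[1]).name' "./${package_json}")
            package_version=$(node -p 'require(process.argv[1]).version' "./${package_json}")

            # Skip versions that are already on the registry.
            if npm view "${package_name}@${package_version}" version >/dev/null 2>&1; then
              echo "::notice::${package_name}@${package_version} is already published; skipping"
              return 0
            fi

            if [ -z "${NODE_AUTH_TOKEN:-}" ]; then
              echo "::error::NPM_TOKEN secret is required to publish ${package_name}@${package_version}"
              exit 1
            fi

            # Build the argument list as an array so the optional flag
            # never relies on unquoted word splitting.
            local -a publish_args=(--access public --no-git-checks --provenance)
            if [ "${DRY_RUN}" = "true" ]; then
              publish_args+=(--dry-run)
            fi

            # NOTE(review): a failed publish is downgraded to a warning and
            # the job stays green. If core or policy fails here, adapters
            # are still published afterwards, which is the exact situation
            # the ordering comment below is meant to prevent. Confirm that
            # best-effort is intended for core/policy as well.
            pnpm --filter "${package_name}" publish "${publish_args[@]}" || {
              echo "::warning::publish failed for ${package_name}@${package_version} — continuing"
              return 0
            }
          }

          # Order matters: core has to be on npm before adapters that
          # depend on it, otherwise installs of an adapter on a fresh
          # machine will 404 on its sh1pt-core dep.
          publish_if_missing packages/core/package.json
          publish_if_missing packages/policy/package.json

          # All adapter packages, anything else (sdk, agent-providers,
          # recipes, etc.). Skip top-level cli; we do it last so any
          # bundled-via-publishConfig dep changes propagate first.
          # Only tracked manifests are considered (git ls-files), so files
          # created by install/build steps are never published from here.
          while IFS= read -r pkg_json; do
            case "${pkg_json}" in
              packages/core/package.json) continue ;;
              packages/policy/package.json) continue ;;
              packages/cli/package.json) continue ;;
              packages/web/package.json) continue ;;
              *) publish_if_missing "${pkg_json}" ;;
            esac
          done < <(git ls-files 'packages/**/package.json' | sort)

          # cli last so users running `bun add -g @profullstack/sh1pt`
          # get a self-consistent set of adapter versions.
          publish_if_missing packages/cli/package.json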