2 changes: 1 addition & 1 deletion .github/workflows/build-native-packages.yml
Expand Up @@ -89,7 +89,7 @@ jobs:
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
with:
name: goose-acp-server-${{ matrix.platform }}
path: artifact/bin/
path: artifact/
if-no-files-found: error
retention-days: 7

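Review bot: Widening the upload `path:` from `artifact/bin/` to `artifact/` makes the uploaded artifact whatever the earlier build steps leave anywhere under `artifact/`, and the publish-npm copy step (`for platform_dir in native-binaries/goose-acp-server-*` … `chmod +x "${pkg_dir}/bin/"*`) ships that content into the npm packages. The steps that populate `artifact/` are outside this hunk, so I cannot tell whether anything beyond the intended binaries lands there; confirm that before relying on the wider path. If more than the binaries are meant to ship, an explicit multi-line list under `path: |` would document exactly what is intended and keep unrelated build output out of the artifact. The enclosing job starts before this hunk.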
53 changes: 51 additions & 2 deletions .github/workflows/publish-npm.yml
@@ -1,9 +1,25 @@
name: Publish to npm

# Security: This workflow uses the 'npm-production-publishing' environment to protect against
# accidental publishes from feature branches. The environment must be configured in
# GitHub Settings → Environments with:
# - Deployment branches: Selected branches → main
# - Environment secret: NPM_PUBLISH_TOKEN (npm publish token with write access)
#
# This ensures that even if the workflow file is modified on a feature branch to
# bypass the ref checks, GitHub will block access to the NPM_PUBLISH_TOKEN secret.

on:
push:
branches:
- main
workflow_dispatch:
inputs:
dry-run:
description: 'Dry run (skip actual npm publish)'
required: false
type: boolean
default: true

concurrency: ${{ github.workflow }}-${{ github.ref }}

Expand Down Expand Up @@ -43,6 +59,11 @@ jobs:
name: ${{ needs.build-native.outputs.artifact-name }}
path: native-binaries

- name: List downloaded artifacts (debug)
run: |
echo "Downloaded artifact structure:"
ls -R native-binaries/

- name: Copy binaries to package directories
run: |
for platform_dir in native-binaries/goose-acp-server-*; do
Expand All @@ -55,6 +76,10 @@ jobs:
chmod +x "${pkg_dir}/bin/"*
done

echo ""
echo "Verification - copied binaries:"
ls -lh ui/goose-acp-server/*/bin/

- name: Install dependencies
run: |
cd ui
Expand All @@ -68,9 +93,33 @@ jobs:
cd ../text
npm run build

- name: Dry run summary
if: inputs.dry-run == true || github.ref != 'refs/heads/main'
run: |
echo "## 🧪 Dry Run Mode" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "✅ Native binaries downloaded and copied successfully" >> $GITHUB_STEP_SUMMARY
echo "✅ Packages built successfully" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
if [ "${{ github.ref }}" != "refs/heads/main" ]; then
echo "⚠️ Skipping actual npm publish (not on main branch)" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "**Current branch:** \`${{ github.ref }}\`" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "Publishing is only allowed from the \`main\` branch for security." >> $GITHUB_STEP_SUMMARY
else
echo "⚠️ Skipping actual npm publish (dry-run mode)" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "To publish for real, run this workflow without dry-run enabled." >> $GITHUB_STEP_SUMMARY
fi

- name: Create Release Pull Request or Publish to npm
if: inputs.dry-run != true && github.ref == 'refs/heads/main'
id: changesets
uses: changesets/action@6d3568c53fbe1db6c1f9ab1c7fbf9092bc18627f # v1
environment:
name: npm-production-publishing
url: https://www.npmjs.com/org/block
Comment on lines +120 to +122


P1 Badge Place deployment environment at job scope

Define environment on the release job instead of this step, because GitHub Actions does not apply deployment environments at step scope. With it here, the workflow either fails validation (Unexpected value 'environment') or runs without attaching npm-production-publishing, so the protected NPM_PUBLISH_TOKEN environment secret is not provided to changesets/action and main-branch publishes cannot proceed as intended.


with:
publish: npm run release
version: npm run version
Expand All @@ -79,11 +128,11 @@ jobs:
cwd: ui
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
NPM_CONFIG_PROVENANCE: true

- name: Summary
if: steps.changesets.outputs.published == 'true'
if: steps.changesets.outputs.published == 'true' && inputs.dry-run != true && github.ref == 'refs/heads/main'
run: |
echo "## Published Packages" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
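Review bot: The new "Dry run summary" step interpolates `${{ github.ref }}` directly into the shell script, at `if [ "${{ github.ref }}" != "refs/heads/main" ]; then` and again in the `**Current branch:**` line; expression expansion happens before bash runs, so the ref name becomes script source text rather than data, which is the pattern GitHub's hardening guidance tells workflows to avoid. With triggers limited to push on main and workflow_dispatch the ref is repo-controlled, but the runner already exposes the same value as an environment variable, so the safer and equally short form is `if [ "$GITHUB_REF" != "refs/heads/main" ]; then` and `echo "**Current branch:** \`$GITHUB_REF\`" >> $GITHUB_STEP_SUMMARY`. Separately, the conditions added to the final Summary step's `if:` (`inputs.dry-run != true && github.ref == 'refs/heads/main'`) are already implied by `steps.changesets.outputs.published == 'true'`, since the publish step only runs under those same conditions, so they could be dropped to keep one source of truth. The enclosing job starts before these hunks.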