Add iso-route release workflow + check-source guard

AceGreenman · claude · AceGreenman · commit efc4f3cd137e · 2026-04-19T00:52:15.000-04:00
Mirrors iso-harness: tag iso-route-vX.Y.Z → GitHub release fires the
workflow, which verifies the build-test-lint CI check-run succeeded
for that commit and that package.json version matches the tag before
running npm publish --provenance.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/iso-route-release.yml b/.github/workflows/iso-route-release.yml
@@ -0,0 +1,71 @@
+name: iso-route Release to npm
+
+on:
+  release:
+    types: [published]
+
+defaults:
+  run:
+    working-directory: packages/iso-route
+
+jobs:
+  publish:
+    if: startsWith(github.ref_name, 'iso-route-v')
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - uses: actions/checkout@v6
+
+      - uses: actions/setup-node@v6
+        with:
+          node-version: '22'
+          registry-url: 'https://registry.npmjs.org'
+          cache: 'npm'
+
+      - name: Set version from release tag
+        run: |
+          VERSION="${GITHUB_REF_NAME#iso-route-v}"
+          echo "VERSION=$VERSION" >> $GITHUB_ENV
+
+      - name: Verify CI build-test-lint passed for release commit
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        working-directory: .
+        run: |
+          SHA=$(git rev-parse HEAD)
+          echo "Verifying CI build-test-lint check-run for $SHA"
+          DEADLINE=$(( $(date +%s) + 1800 ))
+          STATUS=""
+          CONCLUSION=""
+          while [ "$(date +%s)" -lt "$DEADLINE" ]; do
+            read -r STATUS CONCLUSION <<<"$(gh api "repos/${{ github.repository }}/commits/$SHA/check-runs" \
+              --jq '[.check_runs[] | select(.name == "build-test-lint")] | sort_by(.started_at) | last | "\(.status // "missing") \(.conclusion // "null")"')"
+            echo "build-test-lint check-run: status=$STATUS conclusion=$CONCLUSION"
+            if [ "$STATUS" = "completed" ]; then
+              break
+            fi
+            sleep 15
+          done
+          if [ "$STATUS" != "completed" ]; then
+            echo "::error::CI build-test-lint for $SHA never completed within 30min (last status: $STATUS)."
+            exit 1
+          fi
+          if [ "$CONCLUSION" != "success" ]; then
+            echo "::error::CI build-test-lint for $SHA did not succeed (conclusion: $CONCLUSION). Fix before re-releasing."
+            exit 1
+          fi
+          echo "CI build-test-lint succeeded for $SHA"
+
+      - name: Verify package.json version matches release tag
+        run: npm run release:check-source -- "$VERSION"
+
+      - name: Install (workspace root)
+        run: npm ci
+        working-directory: .
+
+      - name: Publish to npm (with provenance)
+        run: npm publish --provenance --access public
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/packages/iso-route/package.json b/packages/iso-route/package.json
@@ -25,6 +25,7 @@
     "typecheck": "tsc -p tsconfig.json --noEmit",
     "example": "tsx src/cli.ts build examples/models.yaml --out examples/out --dry-run",
     "ci": "npm run typecheck && npm test",
+    "release:check-source": "node ./scripts/release/check-source.mjs",
     "prepublishOnly": "npm run clean && npm run build && npm test"
   },
   "dependencies": {
diff --git a/packages/iso-route/scripts/release/check-source.mjs b/packages/iso-route/scripts/release/check-source.mjs
@@ -0,0 +1,37 @@
+import { readFile } from 'node:fs/promises';
+import { fileURLToPath } from 'node:url';
+import path from 'node:path';
+
+const version = process.argv[2];
+
+if (!version) {
+  console.error('Usage: node scripts/release/check-source.mjs <version>');
+  process.exit(1);
+}
+
+const root = path.resolve(path.dirname(fileURLToPath(import.meta.url)), '..', '..');
+const pkgPath = path.join(root, 'package.json');
+const pkg = JSON.parse(await readFile(pkgPath, 'utf8'));
+
+if (pkg.version !== version) {
+  console.error(
+    `package.json version ${pkg.version ?? 'unknown'} does not match release tag ${version}. ` +
+      `Bump "version" in package.json, commit, and retag before publishing.`,
+  );
+  process.exit(1);
+}
+
+for (const section of ['dependencies', 'devDependencies', 'peerDependencies', 'optionalDependencies']) {
+  const deps = pkg[section];
+  if (!deps) continue;
+  for (const [name, spec] of Object.entries(deps)) {
+    if (typeof spec === 'string' && spec.startsWith('file:')) {
+      console.error(
+        `${section}["${name}"] is "${spec}" — file: deps are published verbatim and break consumers.`,
+      );
+      process.exit(1);
+    }
+  }
+}
+
+console.log(`${pkg.name}: ${pkg.version}`);
