Problem
Neither `packages/core/package.json` nor `packages/too-many-cooks/package.json` has a `prepublishOnly` script. If anyone runs `npm publish` from a laptop (typo, muscle memory, accidental autocomplete) it will publish whatever happens to be on disk — at whatever version is on disk, possibly with uncommitted changes, possibly without going through CI provenance.
The CI workflow itself is fine; the concern is human-driven mishaps bypassing it.
Fix
Add to both packages:
```json
"scripts": {
  "prepublishOnly": "node -e \"if(!process.env.CI)throw new Error('publish only from CI')\""
}
```
This blocks `npm publish` unless `CI=1` (true on GitHub Actions, false locally). A typo on a laptop fails fast with a clear error.
Related
Found while reviewing release workflow after fixing the missing `files` field in `too-many-cooks/package.json`.
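A stricter form of the guard as a standalone script, added here as an example and not code from the repository; the helper names, the list of false-like values and the extra `GITHUB_ACTIONS` check are assumptions. It also shows that the one-liner's truthiness test accepts `CI=false`, because any non-empty string passes.

```javascript
// Added example, not code from the repository.
// Values of CI that should be treated as "not running in CI" (assumed list).
const FALSY = new Set(['', '0', 'false', 'no', 'off']);

function isSet(value) {
  return typeof value === 'string' && !FALSY.has(value.trim().toLowerCase());
}

// The one-liner's test, as a function: any non-empty string passes.
function oneLinerAllows(env) {
  return Boolean(env.CI);
}

// Stricter decision (hypothetical helper): CI must be set to a true-like
// value AND the GitHub Actions marker variable must be present.
function checkPublishEnv(env) {
  if (!isSet(env.CI)) {
    return { ok: false, reason: 'publish only from CI (CI is unset or false)' };
  }
  if (env.GITHUB_ACTIONS !== 'true') {
    return { ok: false, reason: 'CI is set but GITHUB_ACTIONS is not "true"' };
  }
  return { ok: true, reason: 'running in GitHub Actions' };
}

// Constructed sample environments, not captured from a real machine.
const samples = [
  { label: 'laptop, nothing set', env: {} },
  { label: 'laptop, CI=false exported', env: { CI: 'false' } },
  { label: 'laptop, CI=1 exported', env: { CI: '1' } },
  { label: 'GitHub Actions runner', env: { CI: 'true', GITHUB_ACTIONS: 'true' } },
];

for (const { label, env } of samples) {
  const strict = checkPublishEnv(env);
  console.log(`${label}: one-liner=${oneLinerAllows(env) ? 'allow' : 'block'}, ` +
    `strict=${strict.ok ? 'allow' : 'block'} (${strict.reason})`);
}
```

Wired into `prepublishOnly`, the script would call `checkPublishEnv(process.env)` and exit non-zero when `ok` is false. Either form only catches accidents, since anyone can export these variables in a local shell.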