Add back dry-run

jamadeo · jamadeo · commit 66550a542cbf · 2026-04-10T09:06:51.000-04:00
diff --git a/.github/workflows/publish-npm.yml b/.github/workflows/publish-npm.yml
@@ -1,28 +1,27 @@
 name: Publish to npm
 
-# Security: This workflow uses npm trusted publishing via GitHub Actions OIDC tokens.
-# The 'npm-production-publishing' environment is configured in GitHub Settings → Environments with:
-#   - Deployment branches: Selected branches → main
-#
-# npm packages are configured to trust this repository's OIDC claims via:
-#   https://docs.npmjs.com/trusted-publishers
-#
-# No npm access tokens are needed — authentication uses short-lived OIDC tokens
-# automatically issued by GitHub Actions.
-
 on:
   workflow_call:
     inputs:
       release-tag:
         description: 'Release tag to fetch binaries from (e.g. v1.0.0)'
         required: true
         type: string
+      dry-run:
+        required: false
+        type: boolean
+        default: false
   workflow_dispatch:
     inputs:
       release-tag:
         description: 'Release tag to fetch binaries from (e.g. v1.0.0)'
         required: true
         type: string
+      dry-run:
+        description: 'Dry run (build packages but skip publish)'
+        required: false
+        type: boolean
+        default: true
 
 concurrency: ${{ github.workflow }}-${{ github.ref }}
 
@@ -84,12 +83,11 @@ jobs:
           if-no-files-found: error
           retention-days: 7
 
-  # Publish to npm
-  release:
-    name: Release to npm
+  # Build npm packages (no environment needed)
+  build:
+    name: Build npm packages
     runs-on: ubuntu-latest
     needs: [generate-schema]
-    environment: npm-production-publishing
     steps:
       - name: Checkout
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
@@ -177,11 +175,19 @@ jobs:
           cd ui/acp
           # Build only TypeScript, schema is already generated
           pnpm run build:ts
-          
+
           cd ../text
           pnpm run build
 
-      - name: Prepare summary
+      - name: Upload built packages
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        with:
+          name: npm-packages
+          path: ui/
+          if-no-files-found: error
+          retention-days: 7
+
+      - name: Build summary
         run: |
           {
             echo "## 📦 Build Summary"
@@ -200,11 +206,46 @@ jobs:
             done
             echo ""
             echo "### npm Packages"
-            echo "✅ @aaif/goose-acp"
-            echo "✅ @aaif/goose (TUI)"
+            cd ui
+            for pkg in acp text goose-binary/*/; do
+              if [ -f "$pkg/package.json" ]; then
+                name=$(jq -r '.name' "$pkg/package.json")
+                version=$(jq -r '.version' "$pkg/package.json")
+                echo "- $name@$version"
+              fi
+            done
             echo ""
+            if [ "${{ inputs.dry-run }}" = "true" ]; then
+              echo "### ⚠️ Dry run — packages were built but will NOT be published"
+            fi
           } >> "$GITHUB_STEP_SUMMARY"
 
+  # Publish to npm (requires environment approval for OIDC token)
+  publish:
+    name: Publish to npm
+    if: inputs.dry-run != true
+    runs-on: ubuntu-latest
+    needs: [build]
+    environment: npm-production-publishing
+    steps:
+      - name: Download built packages
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
+        with:
+          name: npm-packages
+          path: ui/
+
+      - name: Setup Node.js
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        with:
+          node-version: '24.10.0'
+          registry-url: 'https://registry.npmjs.org'
+          always-auth: true
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4
+        with:
+          version: 10.30.3
+
       - name: Publish to npm
         run: |
           cd ui
