ci(core): refine release workflow (npm auth, registry, branch fetch)

ScriptedAlchemy · ScriptedAlchemy · commit 038ebe8acd04 · 2025-09-19T16:45:51.000-07:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -16,7 +16,10 @@ on:
         default: 'main'
 
 permissions:
+  # Needed for npm provenance or token auth
   id-token: write
+  # Harmless here; no tag push, but keeps flexibility if added later
+  contents: write
 
 jobs:
   release:
@@ -43,6 +46,7 @@ jobs:
         with:
           node-version: 22
           cache: 'pnpm'
+          registry-url: 'https://registry.npmjs.org'
 
       # Update npm to the latest version to enable OIDC
       - name: Update npm
@@ -60,17 +64,22 @@ jobs:
 
       - name: Build and test Packages
         run: |
-          git fetch origin main
+          git fetch origin ${{ github.event.inputs.branch }} --tags --prune
           npx nx run-many --targets=build --projects=tag:type:pkg --skip-nx-cache
           npx nx run-many --targets=build --projects=tag:type:metro
           ls -l packages/*/dist packages/*/package.json
 
       - name: Publish latest version
         if: github.event.inputs.version == 'latest'
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
         run: |
           pnpm -r publish --tag ${{ github.event.inputs.version }} --publish-branch ${{ github.event.inputs.branch }}
 
       - name: Publish preview version
         if: github.event.inputs.version == 'next'
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_CONFIG_PROVENANCE: 'true'
         run: |
           pnpm -r publish --tag next --no-git-checks
