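# Publishes the package to GitHub Packages when a semver tag (v*.*.*) is pushed.
# Every `uses:` below references a mutable tag (@v4 / @v3). For a release workflow
# that holds a packages:write token, pinning each action to a full commit SHA
# (e.g. actions/checkout@<full-commit-sha> # v4) makes the job reproducible and
# removes the tag-retarget risk; fill in the SHAs from the upstream repos.
name: Publish to GitHub Packages

on:
  push:
    tags:
      - 'v*.*.*'

# Least privilege for the whole workflow: read the repo, write packages, nothing else.
permissions:
  contents: read
  packages: write

jobs:
  # F34-A: validate all prepublishOnly gates on Node 20 + 22 before publish.
  # Catches Node-version-specific stdlib mismatches (e.g. globSync added in Node 22)
  # that local dev (Node 22+) would miss but CI runner Node 20 would hit at import time.
  audit-matrix:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        # Quoted so neither version is parsed as a number.
        node-version: ['20', '22']
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # Nothing in this job pushes back to the repo, so do not leave the
          # GITHUB_TOKEN persisted in .git/config for later steps to read.
          persist-credentials: false
      - name: Setup pnpm
        uses: pnpm/action-setup@v3
        with:
          # Quoted: keep the exact pnpm version a string for every YAML parser.
          version: '10.28.2'
      - name: Setup Node ${{ matrix.node-version }}
        uses: actions/setup-node@v4
        with:
          node-version: ${{ matrix.node-version }}
          cache: 'pnpm'
      - name: Install
        run: pnpm install --frozen-lockfile
      - name: Run prepublishOnly gates
        run: pnpm run prepublishOnly

  publish:
    # Only publish once the gates have passed on every Node version in the matrix.
    needs: audit-matrix
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # `pnpm publish --no-git-checks` below does not need git credentials;
          # keep the token out of .git/config.
          persist-credentials: false
      - name: Setup pnpm
        uses: pnpm/action-setup@v3
        with:
          version: '10.28.2'
      - name: Setup Node + GitHub Packages registry
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          registry-url: 'https://npm.pkg.github.com'
          scope: '@nancyzeng0210'
          cache: 'pnpm'
      - name: Install (triggers prepare → typecheck + build)
        run: pnpm install --frozen-lockfile
      # prepublishOnly already validated above (audit-matrix dependency).
      # pnpm publish runs the strict audit gates again via its prepublishOnly hook.
      # Explicitly write token so pnpm v10 doesn't treat ${NODE_AUTH_TOKEN} as a literal string.
      # The token is written in plaintext to ~/.npmrc on the ephemeral runner; this is
      # the final step of the job, so no later step can read it.
      - name: Publish to GitHub Packages
        run: |
          echo "//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}" >> ~/.npmrc
          pnpm publish --no-git-checks
        env:
          # GITHUB_TOKEN is scoped by the workflow-level `permissions` block above.
          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}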