Add guarded publish recovery#18
Conversation
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: f4766bb154
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| (github.event_name == 'workflow_dispatch' && | ||
| github.ref == 'refs/heads/main')) |
There was a problem hiding this comment.
Pin the recovery publish to the failed release
When the failed publish is recovered after main has advanced, this manual path still accepts the latest main checkout and the later bun run release step will publish that current tarball under the still-unpublished package version. That can ship unreleased commits as the recovery version instead of the exact release PR contents; consider requiring and checking out a specific release SHA/version for workflow_dispatch rather than accepting branch head.
Useful? React with 👍 / 👎.
What changed
mainbranchPUBLISHenvironment gateWhy
The first standalone
4.1.0publish failed before trusted publishing was enabled. GitHub reruns use the original workflow revision, so a guarded manual trigger is needed to retry with the corrected OIDC workflow without manufacturing another release PR.Validation
bun run formatbun run lintbun test tests/workflow-security.test.tsbun run type-checkgit diff --check