From f4766bb1549ce54992c3a40bba334c43c74a1b01 Mon Sep 17 00:00:00 2001 From: Dimitri Kennedy Date: Fri, 10 Jul 2026 20:35:39 -0400 Subject: [PATCH] Add guarded publish recovery --- .github/workflows/publish.yml | 12 ++++++++---- tests/workflow-security.test.ts | 4 +++- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 44d3c6e..3b7d796 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -4,6 +4,7 @@ on: pull_request: types: - closed + workflow_dispatch: concurrency: ${{ github.workflow }}-${{ github.ref }} @@ -13,10 +14,13 @@ jobs: publish: if: >- github.repository == 'hack-dance/schema-stream' && - github.event.pull_request.merged == true && - github.base_ref == 'main' && - github.event.pull_request.head.repo.full_name == github.repository && - github.head_ref == 'changeset-release/main' + ((github.event_name == 'pull_request' && + github.event.pull_request.merged == true && + github.base_ref == 'main' && + github.event.pull_request.head.repo.full_name == github.repository && + github.head_ref == 'changeset-release/main') || + (github.event_name == 'workflow_dispatch' && + github.ref == 'refs/heads/main')) runs-on: ubuntu-latest environment: PUBLISH permissions: diff --git a/tests/workflow-security.test.ts b/tests/workflow-security.test.ts index ed971d7..2bea35c 100644 --- a/tests/workflow-security.test.ts +++ b/tests/workflow-security.test.ts @@ -39,7 +39,7 @@ describe("GitHub Actions security", () => { expect(workflow.match(persistedCredentialsPattern)).toHaveLength(2) }) - test("limits trusted publishing to the merged canonical release PR", async () => { + test("limits trusted publishing to canonical release paths", async () => { const workflow = await readWorkflow("publish.yml") expect(workflow).toContain("github.repository == 'hack-dance/schema-stream'") @@ -47,6 +47,8 @@ describe("GitHub Actions security", () => { expect(workflow).toContain("github.base_ref == 'main'") expect(workflow).toContain("github.event.pull_request.head.repo.full_name == github.repository") expect(workflow).toContain("github.head_ref == 'changeset-release/main'") + expect(workflow).toContain("github.event_name == 'workflow_dispatch'") + expect(workflow).toContain("github.ref == 'refs/heads/main'") expect(workflow).toMatch(publishEnvironmentPattern) expect(workflow).toMatch(publishPermissionsPattern) expect(workflow).toContain("persist-credentials: false")