ci: gate npm publish on Node.js CI success #164

Merged: mcampa merged 1 commit into `master` from `chore/publish-after-ci` on May 22, 2026

@mcampa mcampa commented May 22, 2026

Summary

Switches the `NPM Publish` workflow trigger from a direct `push` to `workflow_run` so it only runs after `Node.js CI` completes successfully on master.

Why

Today both workflows are triggered independently by `push: branches: [master]`, with no `needs:` relationship. They race in parallel — if `Node.js CI` happens to be slower than `NPM Publish` (which is common, since publish runs only a subset of tests via `pnpm run build`), a broken release can go live before CI flags the issue.

What changed

  • `on:` switched from `push` to `workflow_run` listening for `Node.js CI` completion on master
  • Added `if: ${{ github.event.workflow_run.conclusion == 'success' }}` so we don't publish when CI failed (workflow_run fires on all completion states)
  • Pinned `actions/checkout` to `github.event.workflow_run.head_sha` — without this, the publish job checks out master HEAD at trigger time, which could differ from the SHA that actually passed CI if concurrent pushes landed
  • Concurrency group keyed off `head_sha` instead of `github.ref` for the same reason

Caveat about workflow_run

`workflow_run` triggers always use the workflow file from the default branch, not the branch under test. This means the new behavior won't take effect until this PR is merged. Verification will have to happen on the next release after merge.

Test plan

  • YAML parses (workflow shows up in the Actions UI on push)
  • After merge: next push to master triggers `Node.js CI`, then `NPM Publish` runs only after CI green
  • Manually verify that a CI failure now blocks publish

🤖 Generated with Claude Code

Switch the NPM Publish workflow from a direct `push` trigger to
`workflow_run`, so it only runs after Node.js CI completes successfully
on master.

Previously both workflows ran in parallel on every master push, which
meant a broken release could go live if `Node.js CI` happened to be
slower than `NPM Publish`.

Also pin `actions/checkout` to `github.event.workflow_run.head_sha` so
we publish the exact commit that CI validated, not whatever master HEAD
happens to be at trigger time.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@mcampa mcampa merged commit 266b899 into master May 22, 2026
3 checks passed
@mcampa mcampa deleted the chore/publish-after-ci branch May 22, 2026 16:29
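
The publish workflow configuration this PR describes, written out as an added example (not the repository's actual workflow file), with the previous `push` trigger kept as a comment for comparison. The file name, action versions, pnpm and Node versions, the `NPM_TOKEN` secret name, the `--no-git-checks` publish step, and the extra `event` and `head_repository` conditions are assumptions that do not come from the PR; the two extra conditions keep the job from publishing if `Node.js CI` is ever triggered by anything other than a push to this repository.

```yaml
# .github/workflows/npm-publish.yml  (file name assumed)
name: NPM Publish

# Before this PR: started in parallel with CI on every push to master.
# on:
#   push:
#     branches: [master]

# After: starts only when the "Node.js CI" workflow finishes for master.
on:
  workflow_run:
    workflows: ["Node.js CI"]
    types: [completed]
    branches: [master]

# One publish per validated commit, keyed on the SHA that CI ran against.
concurrency:
  group: npm-publish-${{ github.event.workflow_run.head_sha }}
  cancel-in-progress: false

jobs:
  publish:
    # workflow_run fires on every completion state, so check the conclusion.
    # The event and repository checks are added hardening (assumption).
    if: >-
      github.event.workflow_run.conclusion == 'success' &&
      github.event.workflow_run.event == 'push' &&
      github.event.workflow_run.head_repository.full_name == github.repository
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4            # version assumed
        with:
          # Publish the commit CI validated, not master HEAD at trigger time.
          ref: ${{ github.event.workflow_run.head_sha }}
      - uses: pnpm/action-setup@v4           # version assumed
        with:
          version: 9                         # assumed
      - uses: actions/setup-node@v4          # version assumed
        with:
          node-version: 20                   # assumed
          registry-url: https://registry.npmjs.org
      - run: pnpm install --frozen-lockfile
      - run: pnpm run build
      # Detached-HEAD checkout, so pnpm's branch check is skipped (assumed step).
      - run: pnpm publish --no-git-checks
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # secret name assumed
```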