chore(repo): disable fork package publish authority #9

Merged
Jesssullivan merged 1 commit into main from chore/disable-fork-publish
Apr 16, 2026

@Jesssullivan

Why

The fork is currently acting like a second release authority for @tummycrypt/scheduling-kit, which is the opposite of the normalization direction.

Current drift is real:

  • tinyland-inc/scheduling-kit is 35 commits behind and 8 commits ahead of Jesssullivan/scheduling-kit
  • fork package.json is still 0.7.0
  • fork MODULE.bazel and BUILD.bazel still declare 0.5.0
  • fork publish workflow still used --no-frozen-lockfile and still published to npm and GitHub Packages

What this does

  • removes npm and GitHub Packages publish jobs from the fork workflow
  • converts the workflow to validation-only
  • switches installs to pnpm install --frozen-lockfile
  • adds an explicit prepublishOnly blocker so accidental local publish fails loudly
  • adds pnpm.onlyBuiltDependencies metadata needed for modern pnpm / rules_js convergence

What this does not do

  • it does not make the fork authoritative again
  • it does not fully fast-forward the fork to upstream metadata / Bazel parity

That follow-through should happen by syncing from Jesssullivan/scheduling-kit, not by continuing to publish from the fork.

Validation

  • pnpm install --frozen-lockfile
  • pnpm build
  • pnpm exec publint
  • node scripts/block-fork-publish.mjs (expected failure with authority message)

@greptile-apps

greptile-apps Bot commented Apr 16, 2026

Greptile Summary

This PR converts the tinyland-inc/scheduling-kit fork from a dual publish authority to a validation-only mirror by removing the publish-npm and publish-github workflow jobs, switching installs to --frozen-lockfile, and adding a prepublishOnly lifecycle hook that hard-blocks any accidental local publish via scripts/block-fork-publish.mjs. The packageManager field and pnpm.onlyBuiltDependencies additions align the fork's package.json with modern pnpm/Corepack conventions.

Confidence Score: 5/5

Safe to merge — changes are purely subtractive (publish jobs removed) with a solid hard-block on accidental local publish; sole finding is a P2 cleanup of an orphaned dispatch input.

All publish paths are either removed from the workflow or blocked by the prepublishOnly hook. The only finding is the unused dry_run dispatch input, which is a P2 style issue that doesn't affect correctness or safety.

.github/workflows/publish.yml — orphaned dry_run dispatch input is the only item worth a follow-up cleanup.

Important Files Changed

| Filename | Overview |
|---|---|
| .github/workflows/publish.yml | Publish and GitHub Packages jobs removed; workflow converted to validation-only with Corepack-based pnpm setup and frozen lockfile; orphaned dry_run dispatch input remains. |
| package.json | Adds packageManager field for Corepack pinning, redirects prepublishOnly to the publish-blocking script, and adds pnpm.onlyBuiltDependencies metadata; publishConfig remains but is made inert by the blocker. |
| scripts/block-fork-publish.mjs | New script that prints an informative error to stderr and exits 1, effectively blocking any npm publish / pnpm publish invocation through the prepublishOnly lifecycle hook. |

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    trigger([Release / workflow_dispatch]) --> validate

    subgraph validate[validate job]
        A[checkout] --> B[setup-node v6 + Corepack]
        B --> C[pnpm install --frozen-lockfile]
        C --> D[svelte-kit sync]
        D --> E[pnpm test:unit]
        E --> F[pnpm build]
        F --> G[publint]
        G --> H[echo Bazel authority note]
    end

    validate --> done([✅ Validation complete — no publish])

    subgraph removed[REMOVED jobs]
        R1[publish-npm ❌]
        R2[publish-github ❌]
    end

    style removed fill:#fdd,stroke:#d00,color:#900
    style done fill:#dfd,stroke:#0a0

Comments Outside Diff (1)

  1. .github/workflows/publish.yml, line 7-13

    P2 Orphaned dry_run workflow_dispatch input

    The dry_run input is now dead — all publish jobs that previously consumed github.event.inputs.dry_run have been removed, so triggering this workflow with dry_run: false or dry_run: true produces identical behavior. Leaving it in place could confuse future maintainers who expect it to influence execution. Consider dropping the input entirely, since the workflow is now unconditionally validation-only.

Reviews (1): Last reviewed commit: "chore(repo): disable fork package publis..."

@Jesssullivan Jesssullivan merged commit 1082618 into main Apr 16, 2026
4 checks passed
@Jesssullivan Jesssullivan deleted the chore/disable-fork-publish branch April 16, 2026 17:02
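
Added example (not part of the pull request or the project's code): a heuristic audit of the controls discussed in this thread, namely the prepublishOnly blocker, Corepack pinning via packageManager, lockfile-pinned installs, and the absence of publish commands in the workflow. The function name, the sample package.json objects and the workflow snippets are constructed for illustration; only scripts/block-fork-publish.mjs and the pnpm flags come from the page.

```javascript
// Added example: line-based heuristic, not a YAML parser.
const BLOCKER = "scripts/block-fork-publish.mjs"; // path named in the PR

function auditForkPublishAuthority(pkg, workflowText) {
  const findings = [];
  const hook = (pkg.scripts || {}).prepublishOnly || "";
  if (!hook.includes(BLOCKER)) {
    findings.push("prepublishOnly does not invoke the publish blocker");
  }
  if (!pkg.packageManager) {
    findings.push("packageManager is not pinned for Corepack");
  }
  workflowText.split("\n").forEach((raw, i) => {
    const line = raw.replace(/#.*$/, "").trim(); // drop YAML comments
    const where = `workflow line ${i + 1}`;
    if (/\b(npm|pnpm|yarn)\s+publish\b/.test(line)) {
      findings.push(`${where}: publish command present`);
    }
    // --no-frozen-lockfile fails this test because "--frozen" must follow whitespace
    if (/\bpnpm\s+install\b/.test(line) && !/\s--frozen-lockfile\b/.test(line)) {
      findings.push(`${where}: install is not pinned to the lockfile`);
    }
  });
  return findings;
}

// Constructed sample inputs: a drifted fork and the validation-only shape.
const driftedPkg = { name: "@tummycrypt/scheduling-kit", version: "0.7.0",
  scripts: { prepublishOnly: "pnpm build" } };
const driftedWorkflow = [
  "jobs:",
  "  publish-npm:",
  "    steps:",
  "      - run: pnpm install --no-frozen-lockfile",
  "      - run: pnpm publish --access public",
].join("\n");
const hardenedPkg = { ...driftedPkg, packageManager: "pnpm@<pinned-version>",
  scripts: { prepublishOnly: `node ${BLOCKER}` } };
const hardenedWorkflow = [
  "jobs:",
  "  validate:",
  "    steps:",
  "      - run: pnpm install --frozen-lockfile",
  "      - run: pnpm build",
  "      - run: pnpm exec publint",
].join("\n");

console.log(auditForkPublishAuthority(driftedPkg, driftedWorkflow));
console.log(auditForkPublishAuthority(hardenedPkg, hardenedWorkflow));
```

The check only confirms that the hook points at the blocker script; whether the script actually exits non-zero is what the `node scripts/block-fork-publish.mjs` validation step in the PR description covers.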