Publish prereleases through trusted publish workflow

The separate rc workflow validated correctly but npm rejected its publish because trusted publishing is scoped to the existing publish workflow. Folding rc routing into publish.yml keeps the special rc path while reusing the workflow identity npm already trusts.

Constraint: RC must publish with dist-tag rc and must not advance latest
Rejected: Keep separate rc-release workflow | npm trusted publishing is workflow-scoped and the new workflow path was not authorized
Rejected: Require local or repo NPM_TOKEN | existing release setup already uses trusted publishing without a token
Confidence: high
Scope-risk: narrow
Tested: npm run check; npm pack --dry-run with package-content verification; YAML parse for CI/publish workflows; prettier --check .github/workflows/*.yml
Not-tested: Successful publish after retag; requires GitHub Actions rerun

Author: xycld

.github/workflows/publish.yml

@@ -4,21 +4,104 @@ on:
   push:
     tags: ["v*"]
 
+concurrency:
+  group: publish-${{ github.ref_name }}
+  cancel-in-progress: false
+
 jobs:
   publish:
-    if: ${{ !contains(github.ref_name, '-') }}
+    name: Validate and publish
     runs-on: ubuntu-latest
     permissions:
       contents: read
       id-token: write
+    env:
+      NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
     steps:
       - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
       - uses: actions/setup-node@v4
         with:
           node-version: 22
           cache: npm
           registry-url: https://registry.npmjs.org
       - run: npm ci
-      - run: npm run build
-      - run: npx vitest run
-      - run: npm publish --provenance --access public
+      - name: Verify tag and select npm dist-tag
+        run: |
+          set -euo pipefail
+          NAME=$(node -p "require('./package.json').name")
+          VERSION=$(node -p "require('./package.json').version")
+
+          if [[ "$GITHUB_REF_TYPE" != "tag" ]]; then
+            echo "Publish must run from a git tag, got ref type: $GITHUB_REF_TYPE" >&2
+            exit 1
+          fi
+
+          if [[ "$GITHUB_REF_NAME" != "v$VERSION" ]]; then
+            echo "Tag/version mismatch: tag=$GITHUB_REF_NAME package=v$VERSION" >&2
+            exit 1
+          fi
+
+          if [[ "$VERSION" == *"-rc."* ]]; then
+            DIST_TAG=rc
+          elif [[ "$VERSION" == *"-"* ]]; then
+            DIST_TAG=next
+          else
+            DIST_TAG=latest
+          fi
+
+          echo "PACKAGE_NAME=$NAME" >> "$GITHUB_ENV"
+          echo "PACKAGE_VERSION=$VERSION" >> "$GITHUB_ENV"
+          echo "NPM_DIST_TAG=$DIST_TAG" >> "$GITHUB_ENV"
+          echo "Publishing $NAME@$VERSION with npm dist-tag '$DIST_TAG'"
+      - name: Verify project
+        run: |
+          set -euo pipefail
+          npm run check
+          npm test
+          npm run build
+          npm audit --omit=dev
+          npm audit
+      - name: Verify npm package contents
+        run: |
+          set -euo pipefail
+          PACK_JSON="$RUNNER_TEMP/npm-pack.json"
+          npm pack --dry-run --json > "$PACK_JSON"
+          node - "$PACK_JSON" <<'NODE'
+          const fs = require('node:fs')
+          const [pack] = JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
+          const paths = pack.files.map((file) => file.path)
+          const required = [
+            'README.md',
+            'LICENSE',
+            'dist/packages/cli/index.js',
+            'docs/migrations/2.0.0.md',
+          ]
+          const forbidden = paths.filter(
+            (path) => /(^|\/)__tests__(\/|$)/.test(path) || /\.test\.(js|d\.ts)$/.test(path),
+          )
+          const missing = required.filter((path) => !paths.includes(path))
+          if (missing.length > 0 || forbidden.length > 0) {
+            if (missing.length > 0) console.error(`Missing package files: ${missing.join(', ')}`)
+            if (forbidden.length > 0) console.error(`Forbidden test files in package: ${forbidden.join(', ')}`)
+            process.exit(1)
+          }
+          console.log(`Pack OK: ${pack.name}@${pack.version}, ${pack.entryCount} files, ${pack.size} bytes`)
+          NODE
+      - name: Publish to npm
+        run: |
+          set -euo pipefail
+          if [[ -n "${NPM_TOKEN:-}" ]]; then
+            export NODE_AUTH_TOKEN="$NPM_TOKEN"
+          else
+            unset NODE_AUTH_TOKEN
+            echo "NPM_TOKEN secret is not set; relying on npm trusted publishing/OIDC." >&2
+          fi
+
+          npm publish --provenance --access public --tag "$NPM_DIST_TAG"
+      - name: Verify published package
+        run: |
+          set -euo pipefail
+          npm view "$PACKAGE_NAME@$PACKAGE_VERSION" version --json
+          npm view "$PACKAGE_NAME" dist-tags --json