Parallelize npm publishing with docs publishing

Previously, npm publishing only started after the entire main.yaml workflow
completed (including docs publishing) due to using workflow_run trigger.

Now, publish-npm job triggers build.yaml via workflow_dispatch immediately
after publish-jsr completes, allowing npm and docs publishing to run in
parallel.

Changes:

- Rename publish job to publish-jsr for clarity
- Add publish-npm job that triggers build.yaml via workflow_dispatch
- Remove workflow_run trigger from build.yaml (now solely workflow_dispatch)
- Update publish-docs dependency to publish-jsr

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: dahlia

.github/workflows/build.yaml

@@ -9,15 +9,12 @@
 # that is directly triggered, not reusable workflows called via workflow_call.
 # See: https://docs.npmjs.com/trusted-publishers/
 #
-# The workflow is triggered in two ways:
-# 1. workflow_run: Automatically after main.yaml completes (for regular releases)
-# 2. workflow_dispatch: Manually triggered (for PR pre-releases)
+# This workflow is triggered via workflow_dispatch from:
+# 1. main.yaml's publish-npm job (for regular releases)
+# 2. publish-pr.yaml (for PR pre-releases)
 name: build
 
 on:
-  workflow_run:
-    workflows: [main]
-    types: [completed]
   workflow_dispatch:
     inputs:
       run_id:
@@ -31,37 +28,15 @@ on:
 
 jobs:
   npm-publish:
-    # For workflow_run: only run if the triggering workflow succeeded and was a push event
-    # For workflow_dispatch: always run
-    if: >-
-      github.event_name == 'workflow_dispatch' ||
-      (github.event.workflow_run.conclusion == 'success' &&
-       github.event.workflow_run.event == 'push')
     runs-on: ubuntu-latest
     permissions:
       id-token: write
       contents: read
     steps:
-    - name: Determine run ID and tag
-      id: config
-      run: |
-        if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
-          echo "run_id=${{ inputs.run_id }}" >> $GITHUB_OUTPUT
-          echo "tag=${{ inputs.tag }}" >> $GITHUB_OUTPUT
-        else
-          echo "run_id=${{ github.event.workflow_run.id }}" >> $GITHUB_OUTPUT
-          # Determine tag based on ref type from the triggering workflow
-          if [[ "${{ github.event.workflow_run.head_branch }}" == refs/tags/* ]] || \
-             [[ -n "$(echo '${{ github.event.workflow_run.head_branch }}' | grep -E '^[0-9]+\.[0-9]+\.[0-9]+')" ]]; then
-            echo "tag=latest" >> $GITHUB_OUTPUT
-          else
-            echo "tag=dev" >> $GITHUB_OUTPUT
-          fi
-        fi
     - uses: actions/download-artifact@v4
       with:
         name: npm-packages
-        run-id: ${{ steps.config.outputs.run_id }}
+        run-id: ${{ inputs.run_id }}
         github-token: ${{ secrets.GITHUB_TOKEN }}
     - run: ls -la
     - name: Setup Node.js
@@ -73,7 +48,7 @@ jobs:
     - name: Publish packages
       run: |
         set -ex
-        TAG="${{ steps.config.outputs.tag }}"
+        TAG="${{ inputs.tag }}"
         for pkg in fedify-*.tgz; do
           if [[ "$TAG" = "latest" ]]; then
             npm publish --logs-dir=. --provenance --access public "$pkg" \

.github/workflows/main.yaml

@@ -1,10 +1,11 @@
 # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 #
-# Main CI workflow for testing, linting, and publishing to JSR.
-# npm publishing is handled separately by build.yaml, which is triggered
-# automatically via workflow_run after this workflow completes successfully.
-# This separation is required for npm's trusted publishing (OIDC) to work
-# correctly. See build.yaml for more details.
+# Main CI workflow for testing, linting, and publishing to JSR/npm.
+# npm publishing is handled by build.yaml, which is triggered via workflow_dispatch
+# from the publish-npm job. This allows npm publishing to run in parallel with
+# docs publishing, rather than waiting for the entire workflow to complete.
+# See build.yaml for details on why this separation is required for npm's
+# trusted publishing (OIDC).
 name: main
 on: [push, pull_request]
 
@@ -203,7 +204,7 @@ jobs:
     - run: pnpm install
     - run: pnpm publish --recursive --dry-run --no-git-checks
 
-  publish:
+  publish-jsr:
     if: github.event_name == 'push'
     needs: [test, test-node, test-bun, test-cfworkers, lint, release-test]
     runs-on: ubuntu-latest
@@ -302,8 +303,41 @@ jobs:
           ((attempt++))
         done
 
-  # NOTE: npm publishing is handled by build.yaml via workflow_run trigger.
-  # Do not add npm publish steps here - it will break trusted publishing.
+  # Trigger build.yaml via workflow_dispatch to publish to npm.
+  # This is required because npm's trusted publishing (OIDC) validates
+  # the directly triggered workflow, not reusable workflows called via
+  # workflow_call. By triggering build.yaml directly, npm sees build.yaml
+  # as the entry point and validates against it.
+  publish-npm:
+    if: github.event_name == 'push'
+    needs: [publish-jsr]
+    runs-on: ubuntu-latest
+    permissions:
+      actions: write
+    steps:
+    - name: Trigger build.yaml workflow
+      uses: actions/github-script@v7
+      with:
+        script: |
+          // Determine tag based on ref type
+          let tag;
+          if (context.payload.ref && context.payload.ref.startsWith('refs/tags/')) {
+            tag = 'latest';
+          } else {
+            tag = 'dev';
+          }
+
+          await github.rest.actions.createWorkflowDispatch({
+            owner: context.repo.owner,
+            repo: context.repo.repo,
+            workflow_id: 'build.yaml',
+            ref: context.ref,
+            inputs: {
+              run_id: '${{ github.run_id }}',
+              tag: tag
+            }
+          });
+          console.log(`Triggered build.yaml workflow with run_id=${{ github.run_id }}, tag=${tag}`);
 
   publish-examples-blog:
     if: github.event_name == 'push'
@@ -324,7 +358,7 @@ jobs:
         root: .
 
   publish-docs:
-    needs: [publish]
+    needs: [publish-jsr]
     runs-on: ubuntu-latest
     permissions:
       id-token: write
@@ -355,7 +389,7 @@ jobs:
           pnpm run build
         fi
       env:
-        SHORT_VERSION: ${{ needs.publish.outputs.short_version }}
+        SHORT_VERSION: ${{ needs.publish-jsr.outputs.short_version }}
         PLAUSIBLE_DOMAIN: ${{ secrets.PLAUSIBLE_DOMAIN }}
         STABLE_DOCS_URL: ${{ vars.STABLE_DOCS_URL }}
         UNSTABLE_DOCS_URL: ${{ vars.UNSTABLE_DOCS_URL }}