Make publish.yml safer - don't actually deploy to package managers if running on a branch

SteveSandersonMS · SteveSandersonMS · commit 4df7711bbd3c · 2026-02-05T17:38:35.000Z
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -106,6 +106,7 @@ jobs:
           name: nodejs-package
           path: nodejs/*.tgz
       - name: Publish to npm
+        if: github.ref == 'refs/heads/main'
         run: npm publish --tag ${{ github.event.inputs.dist-tag }} --access public --registry https://registry.npmjs.org
 
   publish-dotnet:
@@ -130,6 +131,7 @@ jobs:
           name: dotnet-package
           path: dotnet/artifacts/*.nupkg
       - name: NuGet login (OIDC)
+        if: github.ref == 'refs/heads/main'
         uses: NuGet/login@v1
         id: nuget-login
         with:
@@ -139,6 +141,7 @@ jobs:
           # are associated with individual maintainers' accounts too.
           user: stevesanderson
       - name: Publish to NuGet
+        if: github.ref == 'refs/heads/main'
         run: dotnet nuget push ./artifacts/*.nupkg --api-key ${{ steps.nuget-login.outputs.NUGET_API_KEY }} --source https://api.nuget.org/v3/index.json --skip-duplicate
 
   publish-python:
@@ -171,6 +174,7 @@ jobs:
           name: python-package
           path: python/dist/*
       - name: Publish to PyPI
+        if: github.ref == 'refs/heads/main'
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
           packages-dir: python/dist/
