Add branch guard to CI publish job

- Verify tagged commit is on main before publishing
- Requires fetch-depth: 0 for full history

Author: j-256

.github/workflows/ci.yml

@@ -28,6 +28,14 @@ jobs:
       contents: write
     steps:
       - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+      - name: Verify tag is on main
+        run: |
+          if ! git branch -r --contains "$GITHUB_SHA" | grep -q 'origin/main'; then
+            echo "Error: tag $GITHUB_REF_NAME is not on the main branch"
+            exit 1
+          fi
       - uses: actions/setup-node@v6
         with:
           node-version: 22

CONTRIBUTING.md

@@ -91,11 +91,11 @@ This force-moves the tag to the current commit and pushes it, re-triggering CI.
 ### Branches
 
 - **main** -- releases happen here; `npm version` enforces this via a branch guard
-- **dev** -- CI runs tests only (no publish); merge to main when ready
+- **dev** -- CI runs tests only; publish job verifies the tag is on main before proceeding
 
 ## CI
 
 GitHub Actions (`.github/workflows/ci.yml`):
 
 - **test** job runs on every push to `main`/`dev` and on PRs to `main`
-- **publish** job runs only on `v*` tags, after tests pass
+- **publish** job runs only on `v*` tags on `main`, after tests pass