react
diff --git a/‎.github/actions/build-npm-package/action.yml‎
Lines changed: 18 additions & 7 deletions b/‎.github/actions/build-npm-package/action.yml‎
Lines changed: 18 additions & 7 deletions
diff --git a/‎.github/workflows/nightly.yml‎
Lines changed: 49 additions & 18 deletions b/‎.github/workflows/nightly.yml‎
Lines changed: 49 additions & 18 deletions
diff --git a/‎.github/workflows/publish-bumped-packages.yml‎
Lines changed: 63 additions & 9 deletions b/‎.github/workflows/publish-bumped-packages.yml‎
Lines changed: 63 additions & 9 deletions
diff --git a/‎.github/workflows/publish-npm.yml‎
Lines changed: 39 additions & 117 deletions b/‎.github/workflows/publish-npm.yml‎
Lines changed: 39 additions & 117 deletions
@@ -1,5 +1,5 @@
 name: build-npm-package
-description: This action builds the NPM package and uploads it to Maven
+description: This action builds the NPM package and publishes to Maven. In pack-only mode it produces tarballs for deferred npm publish.
 inputs:
   release-type:
     required: true
@@ -10,6 +10,10 @@ inputs:
     description: When true, skip downloading prebuilt Apple artifacts (use when Apple prebuild jobs were skipped)
     required: false
     default: 'false'
+  pack-only:
+    description: When true, run `npm pack` instead of `npm publish` and output tarballs + manifest.json for deferred publishing via publish-npm.yml.
+    required: false
+    default: 'false'
 
 runs:
   using: composite
@@ -42,7 +46,7 @@ runs:
     - name: Setup node.js
       uses: ./.github/actions/setup-node
       with:
-        registry-url: 'https://registry.npmjs.org'
+        registry-url: ${{ inputs.pack-only != 'true' && 'https://registry.npmjs.org' || '' }}
     - name: Install dependencies
       uses: ./.github/actions/yarn-install
     - name: Build packages
@@ -51,10 +55,7 @@ runs:
     - name: Build types
       shell: bash
       run: yarn build-types --skip-snapshot
-    # `npm publish` below authenticates via npm Trusted Publishing (OIDC).
-    # The caller (the reusable `publish-npm.yml` workflow) MUST grant
-    # `id-token: write`; this composite action runs inside that job.
-    - name: Publish NPM
+    - name: Build and pack/publish NPM
       shell: bash
       run: |
         echo "GRADLE_OPTS = $GRADLE_OPTS"
@@ -65,7 +66,17 @@ runs:
         else
           export ORG_GRADLE_PROJECT_reactNativeArchitectures="armeabi-v7a,arm64-v8a,x86,x86_64"
         fi
-        node ./scripts/releases-ci/publish-npm.js -t ${{ inputs.release-type }}
+        PACK_FLAG=""
+        if [[ "${{ inputs.pack-only }}" == "true" ]]; then
+          PACK_FLAG="--pack-only"
+        fi
+        node ./scripts/releases-ci/publish-npm.js -t ${{ inputs.release-type }} $PACK_FLAG
+    - name: Upload npm tarballs
+      if: ${{ inputs.pack-only == 'true' }}
+      uses: actions/upload-artifact@v6
+      with:
+        name: npm-tarballs
+        path: npm-tarballs
     - name: Upload npm logs
       uses: actions/upload-artifact@v6
       with:
 
@@ -45,8 +45,6 @@ jobs:
       image: reactnativecommunity/react-native-android:latest
       env:
         TERM: "dumb"
-        # Set the encoding to resolve a known character encoding issue with decompressing tar.gz files in containers
-        # via Gradle: https://github.com/gradle/gradle/issues/23391#issuecomment-1878979127
         LC_ALL: C.UTF8
         GRADLE_OPTS: "-Dorg.gradle.daemon=false"
         ORG_GRADLE_PROJECT_SIGNING_PWD: ${{ secrets.ORG_GRADLE_PROJECT_SIGNING_PWD }}
@@ -63,28 +61,61 @@ jobs:
           release-type: ${{ needs.set_release_type.outputs.RELEASE_TYPE }}
           gradle-cache-encryption-key: ${{ secrets.GRADLE_CACHE_ENCRYPTION_KEY }}
 
-  # Delegate the actual npm publish to the shared reusable workflow so
-  # every `npm publish` in this repo originates from one workflow file —
-  # required because npm Trusted Publishing only accepts one
-  # (org, repo, workflow_filename) per package.
+  # Build all packages and produce tarballs for deferred npm publish.
+  # Maven publishing happens here; npm publishing is deferred to
+  # dispatch_npm_publish below.
   build_npm_package:
+    runs-on: 8-core-ubuntu
     needs:
       [
         set_release_type,
         build_android,
         prebuild_apple_dependencies,
         prebuild_react_native_core,
       ]
-    # The top-level `permissions: contents: read` is the ceiling for
-    # GITHUB_TOKEN in every job here, including reusable-workflow calls.
-    # Re-grant `id-token: write` at the job level so publish-npm.yml's
-    # `publish-react-native` job can mint the OIDC token that npm
-    # Trusted Publishing exchanges for a publish token.
+    container:
+      image: reactnativecommunity/react-native-android:latest
+      env:
+        TERM: "dumb"
+        GRADLE_OPTS: "-Dorg.gradle.daemon=false"
+        LC_ALL: C.UTF8
+        ORG_GRADLE_PROJECT_reactNativeArchitectures: "arm64-v8a"
+        REACT_NATIVE_DOWNLOADS_DIR: /opt/react-native-downloads
+    env:
+      ORG_GRADLE_PROJECT_SIGNING_PWD: ${{ secrets.ORG_GRADLE_PROJECT_SIGNING_PWD }}
+      ORG_GRADLE_PROJECT_SIGNING_KEY: ${{ secrets.ORG_GRADLE_PROJECT_SIGNING_KEY }}
+      ORG_GRADLE_PROJECT_SONATYPE_USERNAME: ${{ secrets.ORG_GRADLE_PROJECT_SONATYPE_USERNAME }}
+      ORG_GRADLE_PROJECT_SONATYPE_PASSWORD: ${{ secrets.ORG_GRADLE_PROJECT_SONATYPE_PASSWORD }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+      - name: Build and Pack NPM Package
+        uses: ./.github/actions/build-npm-package
+        with:
+          release-type: ${{ needs.set_release_type.outputs.RELEASE_TYPE }}
+          gradle-cache-encryption-key: ${{ secrets.GRADLE_CACHE_ENCRYPTION_KEY }}
+          pack-only: 'true'
+
+  # Dispatch the centralised publish-npm.yml workflow so it runs as the
+  # top-level workflow — making its OIDC `workflow_ref` claim match the
+  # Trusted Publisher entry configured on npmjs.com.
+  dispatch_npm_publish:
+    runs-on: ubuntu-latest
+    needs: [build_npm_package]
     permissions:
-      contents: read
-      id-token: write
-    uses: ./.github/workflows/publish-npm.yml
-    secrets: inherit
-    with:
-      mode: react-native
-      release-type: ${{ needs.set_release_type.outputs.RELEASE_TYPE }}
+      actions: write
+    steps:
+      - name: Dispatch publish-npm.yml
+        uses: actions/github-script@v8
+        with:
+          script: |
+            await github.rest.actions.createWorkflowDispatch({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              workflow_id: 'publish-npm.yml',
+              ref: 'main',
+              inputs: {
+                'source-run-id': String(context.runId),
+              },
+            });
+            console.log(`Dispatched publish-npm.yml with source-run-id=${context.runId}`);
@@ -7,13 +7,67 @@ on:
       - "*-stable"
 
 jobs:
-  # Delegate to the shared reusable workflow so every `npm publish` in
-  # this repo originates from one workflow file — required because npm
-  # Trusted Publishing only accepts one (org, repo, workflow_filename)
-  # per package.
-  publish_bumped_packages:
+  build_bumped_packages:
+    runs-on: ubuntu-latest
     if: github.repository == 'react/react-native'
-    uses: ./.github/workflows/publish-npm.yml
-    secrets: inherit
-    with:
-      mode: monorepo-packages
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+      - name: Setup node.js
+        uses: ./.github/actions/setup-node
+      - name: Run Yarn Install
+        uses: ./.github/actions/yarn-install
+      - name: Build packages
+        run: yarn build
+      - name: Build types
+        run: yarn build-types --skip-snapshot
+      - name: Pack bumped packages
+        run: node ./scripts/releases-ci/publish-updated-packages.js --pack-only
+      - name: Upload tarballs
+        # Only upload if the pack step produced tarballs (i.e. the commit
+        # message contained #publish-packages-to-npm and bumped packages
+        # were found).
+        if: ${{ hashFiles('npm-tarballs/manifest.json') != '' }}
+        uses: actions/upload-artifact@v6
+        with:
+          name: npm-tarballs
+          path: npm-tarballs
+
+  # Dispatch the centralised publish-npm.yml workflow so it runs as the
+  # top-level workflow — making its OIDC `workflow_ref` claim match the
+  # Trusted Publisher entry configured on npmjs.com.
+  dispatch_npm_publish:
+    runs-on: ubuntu-latest
+    needs: [build_bumped_packages]
+    # Only dispatch if tarballs were produced
+    if: ${{ needs.build_bumped_packages.result == 'success' }}
+    permissions:
+      actions: write
+    steps:
+      - name: Check for tarballs artifact
+        id: check
+        uses: actions/github-script@v8
+        with:
+          script: |
+            const artifacts = await github.rest.actions.listWorkflowRunArtifacts({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              run_id: context.runId,
+            });
+            const found = artifacts.data.artifacts.some(a => a.name === 'npm-tarballs');
+            core.setOutput('has-tarballs', String(found));
+      - name: Dispatch publish-npm.yml
+        if: steps.check.outputs.has-tarballs == 'true'
+        uses: actions/github-script@v8
+        with:
+          script: |
+            await github.rest.actions.createWorkflowDispatch({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              workflow_id: 'publish-npm.yml',
+              ref: 'main',
+              inputs: {
+                'source-run-id': String(context.runId),
+              },
+            });
+            console.log(`Dispatched publish-npm.yml with source-run-id=${context.runId}`);
@@ -1,136 +1,58 @@
-# Reusable workflow that performs every `npm publish` in this repo.
+# Centralised workflow that performs every `npm publish` in this repo.
 #
 # Why this exists: npmjs.com Trusted Publishing accepts only ONE
-# (org, repo, workflow_filename, environment) tuple per package. If
-# `react-native` were published from `publish-release.yml` AND
-# `nightly.yml` directly, we'd need two Trusted Publisher entries per
-# package — npm rejects that. By moving every `npm publish` into this
-# single reusable workflow file, the OIDC `job_workflow_ref` claim
-# always resolves to `publish-npm.yml` regardless of which top-level
-# workflow triggered the run, so each package needs exactly one
-# Trusted Publisher entry pointing here.
+# (org, repo, workflow_filename, environment) tuple per package.
+# npm matches the `workflow_ref` OIDC claim — which is always the
+# TOP-LEVEL workflow, not a reusable child. Using `workflow_dispatch`
+# makes this file the top-level workflow, so the OIDC claim is always
+# `publish-npm.yml` regardless of which workflow dispatched the run.
+#
+# Callers (publish-release.yml, nightly.yml, publish-bumped-packages.yml)
+# build and `npm pack` their packages, upload the tarballs as a
+# `npm-tarballs` artifact, then dispatch this workflow to publish them.
 #
 # See https://docs.npmjs.com/trusted-publishers and
-# https://docs.github.com/en/actions/sharing-automations/reusing-workflows .
-name: Publish to npm (reusable)
+# https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/about-security-hardening-with-openid-connect .
+name: Publish to npm
 
 on:
-  workflow_call:
+  workflow_dispatch:
     inputs:
-      mode:
-        description: |
-          'react-native' runs the full Android/iOS-prebuilt + JS build
-          and publishes via scripts/releases-ci/publish-npm.js (which
-          publishes `react-native` and, in nightly mode, every
-          @react-native/* package). 'monorepo-packages' runs only the
-          JS build and publishes via
-          scripts/releases-ci/publish-updated-packages.js (delta-based,
-          gated on a #publish-packages-to-npm commit message).
-        type: string
+      source-run-id:
+        description: "Workflow run ID that produced the npm-tarballs artifact."
         required: true
-      release-type:
-        description: "For mode=react-native: release | nightly | dry-run."
         type: string
-        required: false
-        default: "dry-run"
-      skip-apple-prebuilts:
-        description: "For mode=react-native: skip downloading prebuilt Apple artifacts."
-        type: boolean
-        required: false
-        default: false
 
-jobs:
-  publish-react-native:
-    if: inputs.mode == 'react-native'
-    runs-on: ubuntu-latest
-    environment: npm-publish
-    # `id-token: write` is required so the npm CLI can mint the OIDC
-    # token that npm Trusted Publishing exchanges for a publish token.
-    permissions:
-      contents: read
-      id-token: write
-    container:
-      image: reactnativecommunity/react-native-android:latest
-      env:
-        TERM: "dumb"
-        # Set the encoding to resolve a known character encoding issue with decompressing tar.gz files in containers
-        # via Gradle: https://github.com/gradle/gradle/issues/23391#issuecomment-1878979127
-        LC_ALL: C.UTF8
-        GRADLE_OPTS: "-Dorg.gradle.daemon=false"
-        # By default we only build ARM64 to save time/resources. For release/nightlies, we override this value to build all archs.
-        ORG_GRADLE_PROJECT_reactNativeArchitectures: "arm64-v8a"
-        REACT_NATIVE_DOWNLOADS_DIR: /opt/react-native-downloads
-    env:
-      ORG_GRADLE_PROJECT_SIGNING_PWD: ${{ secrets.ORG_GRADLE_PROJECT_SIGNING_PWD }}
-      ORG_GRADLE_PROJECT_SIGNING_KEY: ${{ secrets.ORG_GRADLE_PROJECT_SIGNING_KEY }}
-      ORG_GRADLE_PROJECT_SONATYPE_USERNAME: ${{ secrets.ORG_GRADLE_PROJECT_SONATYPE_USERNAME }}
-      ORG_GRADLE_PROJECT_SONATYPE_PASSWORD: ${{ secrets.ORG_GRADLE_PROJECT_SONATYPE_PASSWORD }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
-          fetch-tags: true
-      # TEMPORARY DEBUG: print the OIDC token claims npm Trusted Publishing
-      # matches against. A 404 from the OIDC exchange means these claims don't
-      # match the Trusted Publisher entry configured on npmjs.com (org/repo/
-      # workflow filename / environment). Prints only the decoded claims, never
-      # the raw token. Remove once the 404 is resolved.
-      - name: Debug OIDC token claims
-        shell: bash
-        run: |
-          # ACTIONS_ID_TOKEN_REQUEST_TOKEN/_URL are auto-injected when the job
-          # has `id-token: write` - they are NOT secrets, don't map them in env.
-          OIDC_TOKEN=$(curl -sS -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
-            "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=npm:registry.npmjs.org" | jq -r '.value')
-          # Decode the JWT payload (middle segment); convert base64url -> base64
-          # and pad so `base64 -d` accepts it. Prints claims only, not the token.
-          payload=$(echo "$OIDC_TOKEN" | cut -d'.' -f2 | tr '_-' '/+')
-          case $(( ${#payload} % 4 )) in 2) payload+='==';; 3) payload+='=';; esac
-          echo "$payload" | base64 -d 2>/dev/null | jq .
-      - name: Build and Publish NPM Package
-        uses: ./.github/actions/build-npm-package
-        with:
-          release-type: ${{ inputs.release-type }}
-          gradle-cache-encryption-key: ${{ secrets.GRADLE_CACHE_ENCRYPTION_KEY }}
-          skip-apple-prebuilts: ${{ inputs.skip-apple-prebuilts && 'true' || 'false' }}
+permissions:
+  id-token: write # OIDC token for npm Trusted Publishing
+  contents: read
+  actions: read # download artifacts from the source workflow run
 
-  publish-monorepo-packages:
-    if: inputs.mode == 'monorepo-packages'
+jobs:
+  publish:
     runs-on: ubuntu-latest
+    if: github.repository == 'react/react-native'
     environment: npm-publish
-    permissions:
-      contents: read
-      id-token: write
     steps:
       - name: Checkout
         uses: actions/checkout@v6
       - name: Setup node.js
-        uses: ./.github/actions/setup-node
+        uses: actions/setup-node@v6
         with:
+          node-version: "22.14.0"
           registry-url: "https://registry.npmjs.org"
-      # TEMPORARY DEBUG: print the OIDC token claims npm Trusted Publishing
-      # matches against. A 404 from the OIDC exchange means these claims don't
-      # match the Trusted Publisher entry configured on npmjs.com (org/repo/
-      # workflow filename / environment). Prints only the decoded claims, never
-      # the raw token. Remove once the 404 is resolved.
-      - name: Debug OIDC token claims
-        shell: bash
-        run: |
-          # ACTIONS_ID_TOKEN_REQUEST_TOKEN/_URL are auto-injected when the job
-          # has `id-token: write` - they are NOT secrets, don't map them in env.
-          OIDC_TOKEN=$(curl -sS -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
-            "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=npm:registry.npmjs.org" | jq -r '.value')
-          # Decode the JWT payload (middle segment); convert base64url -> base64
-          # and pad so `base64 -d` accepts it. Prints claims only, not the token.
-          payload=$(echo "$OIDC_TOKEN" | cut -d'.' -f2 | tr '_-' '/+')
-          case $(( ${#payload} % 4 )) in 2) payload+='==';; 3) payload+='=';; esac
-          echo "$payload" | base64 -d 2>/dev/null | jq .
-      - name: Run Yarn Install
-        uses: ./.github/actions/yarn-install
-      - name: Build packages
-        run: yarn build
-      - name: Build types
-        run: yarn build-types --skip-snapshot
-      - name: Find and publish all bumped packages
-        run: node ./scripts/releases-ci/publish-updated-packages.js
+      - name: Download tarballs from source run
+        uses: actions/download-artifact@v4
+        with:
+          name: npm-tarballs
+          path: ./npm-tarballs
+          run-id: ${{ inputs.source-run-id }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Publish packages
+        run: node ./scripts/releases-ci/publish-from-tarballs.js ./npm-tarballs
+      - name: Upload npm logs
+        if: always()
+        uses: actions/upload-artifact@v6
+        with:
+          name: npm-publish-logs
+          path: ~/.npm/_logs