ci(publish): add manual preview publish flow

[NathanFlurry]

Description

Please include a summary of the changes and the related issue. Please also include relevant motivation and context.

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes.

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes

[NathanFlurry]

• fix(pegboard): align drain grace defaults with stop threshold #4958 : 2 dependent PRs (#4960 , #4966 )
• fix(rivetkit): preserve bridge error messages #4959
• fix(rivetkit): fire abort signal on shutdown finalize #4957
• fix(rivetkit): use startup kv preload #4956
• fix(client): flatten skipReadyWait option #4955
• ci(publish): add manual preview publish flow #4954 👈 (View in Graphite)
• fix(depot): add ltx decode diagnostics #4953
• fix(universaldb): preserve plain set values #4952
• fix(universaldb): align versionstamp operand encoding #4951
• fix(rivetkit): export database provider types #4950
• wip: kitchen sink agentic loop finish #4949
• chore(rivetkit): note duplicate admission logic #4948
• test(rivetkit): cover bypass fetch header forwarding #4947
• feat(kitchen-sink): add actor probe controls #4946
• fix(gateway): split actor response wait errors #4945
• fix(guard): handle bypass preflight before query parse #4944
• feat(kitchen-sink): add mock agent event log copy #4943
• fix(kitchen-sink): default mock agent to local endpoint #4942
• test(rivetkit): enable driver lifecycle regressions #4941
• test(rivetkit): verify cached websocket db refs exceed grace #4940
• fix(rivetkit-core): keep sleeping actors reachable during grace #4939
• test(rivetkit): cover async websocket close db access #4938
• fix(rivetkit): keep actors awake until keepAwake work finishes #4937
• fix(rivetkit): persist native onSleep state on errors #4936
• fix(rivetkit-core): allow dispatch during sleep grace #4935
• fix(rivetkit): make duplicate sleep requests idempotent #4934
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[claude]

PR 4954 Review: ci(publish): add manual preview publish flow

Overview

This PR replaces the automatic preview-publish triggers (pull_request + push: main) with a single manual workflow_dispatch path, and generalizes the publish context from PR-number-based (pr-N) to branch-name-based. The justfile gets a convenience preview-publish recipe. Net result: developers explicitly opt in to a preview publish by dispatching the workflow, rather than every PR/push triggering one automatically.

---

Positives

• Security improvement. Removing the pull_request trigger eliminates the fork-privilege-escalation risk entirely. workflow_dispatch can only be triggered by repo contributors, so the is_fork guard is correctly deleted rather than worked around.
• sanitizeBranch is well-implemented. Lowercase, collapse non-alphanumerics to hyphens, trim edges, throw on empty covers the expected edge cases cleanly.
• Clean removal of dead code. pr_number output, Compute is_fork flag step, and the Comment on PR CI step are all properly removed together.
• Semver correctness. 0.0.0-<sanitized-branch>.<sha> (e.g. 0.0.0-feature-my-work.abc1234) is valid semver. The dot separator between branch slug and SHA is intentional and correct.

---

Issues

Minor: No length cap on sanitized branch names

sanitizeBranch applies no maximum length. An npm dist-tag derived from a very long branch name can produce a 70+ character tag. npm has no hard dist-tag length limit, but some tooling and registry UIs truncate or reject long identifiers. Consider capping at 50 characters with a truncation + SHA suffix to keep tags readable and predictable.

Minor: Collision between similarly-named branches

Two branches like feature/my-branch and feature-my-branch sanitize to the same dist-tag (feature-my-branch). One preview publish silently overwrites the other's npm dist-tag. In practice this is rare, but worth a code comment noting the known edge case.

Minor: comment-pr subcommand is now dead code in CI

The automated Comment on PR step was removed from the workflow but comment-pr remains in bin.ts as a still-wired subcommand. It's callable manually, which may be intentional, but nothing in the workflow exercises it anymore. Either document that it is a manual-only tool or remove it to avoid confusion.

Nit: latest input is misleading for branch publishes

latest is still required: true with default: true in the workflow form. For branch dispatches (no version), latest is unconditionally forced to false in code anyway. The form field silently has no effect in that mode. Consider making it required: false or adding a YAML comment noting the field is only used when version is also set.

---

Test Coverage

No tests are added for sanitizeBranch or the updated resolveContext logic. These are pure functions that are straightforward to unit-test. Suggested cases for sanitizeBranch:

• feature/foo-bar -> feature-foo-bar
• UPPER/CASE -> upper-case
• release/1.0.0 -> release-1-0-0
• ---all-hyphens--- -> all-hyphens
• ___ -> throws

---

Summary

The core change is sound and an improvement over the previous automated triggers. The two issues worth addressing before merge are: (1) a length cap on sanitized branch names to avoid edge-case npm/semver tooling issues, and (2) clarifying the latest input scope in the workflow form. The comment-pr dead code and missing tests are worth a follow-up. No blocking concerns.