fix(repo,versioner): harden npm publish

- Fail if pnpm pack emits != 1 tarball.
- Add --registry option (default: https://registry.npmjs.org/) and log it.
- Release workflow: fetch full git history and publish the triggering SHA.

Author: CharlieHelps

.github/workflows/release.yml

@@ -26,9 +26,8 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
         with:
-          fetch-depth: 100
+          fetch-depth: 0
           fetch-tags: true
-          ref: master
 
       - name: Setup Node
         uses: actions/setup-node@v4

packages/versioner/src/versioner.ts

@@ -18,6 +18,7 @@ const {
   dry: dryRun,
   publish: doPublish,
   push: doPush,
+  registry: registryOverride,
   shortName: shortNameOverride,
   tag: doTag
 } = argv;
@@ -27,6 +28,7 @@ const parserOptions = {
 };
 const reBreaking = new RegExp(`(${parserOptions.noteKeywords.join(')|(')})`);
 const NPM_CLI_SPEC = 'npm@11.5.1';
+const DEFAULT_NPM_REGISTRY = 'https://registry.npmjs.org/';
 
 type Commit = parser.Commit<string | number | symbol>;
 
@@ -147,23 +149,32 @@ const getRepoUrls = async () => {
   }
 };
 
-const publish = async (cwd: string) => {
+const publish = async (cwd: string, registry: string) => {
   if (dryRun || doPublish === false) {
     log.warn(chalk`{yellow Skipping Publish}`);
     return;
   }
 
   log.info(chalk`\n{cyan Publishing to NPM}`);
+  log.info(chalk`{grey Registry:} ${registry}`);
 
   const packDir = mkdtempSync(join(tmpdir(), 'versioner-pack-'));
   try {
     await execa('pnpm', ['pack', '--pack-destination', packDir], { cwd, stdio: 'inherit' });
 
-    const tarballs = readdirSync(packDir).filter((file) => file.endsWith('.tgz'));
-    const [tarball] = tarballs;
-    if (!tarball) throw new Error(`Could not find packed tarball in: ${packDir}`);
+    const tarballs = readdirSync(packDir)
+      .filter((file) => file.endsWith('.tgz'))
+      .sort();
 
-    const tarballPath = join(packDir, tarball);
+    if (tarballs.length !== 1) {
+      throw new Error(
+        `Expected exactly 1 packed tarball in: ${packDir} (found ${
+          tarballs.length
+        }): ${tarballs.join(', ')}`
+      );
+    }
+
+    const tarballPath = join(packDir, tarballs[0]);
     const hasOidcEnv =
       !!process.env.ACTIONS_ID_TOKEN_REQUEST_URL && !!process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN;
     const provenanceArgs = hasOidcEnv ? ['--provenance'] : [];
@@ -172,7 +183,15 @@ const publish = async (cwd: string) => {
 
     await execa(
       'pnpm',
-      ['dlx', NPM_CLI_SPEC, 'publish', '--no-git-checks', ...provenanceArgs, tarballPath],
+      [
+        'dlx',
+        NPM_CLI_SPEC,
+        'publish',
+        '--no-git-checks',
+        `--registry=${registry}`,
+        ...provenanceArgs,
+        tarballPath
+      ],
       { cwd, stdio: 'inherit' }
     );
   } finally {
@@ -350,7 +369,7 @@ const updatePackage = async (cwd: string, pkg: RepoPackage, version: string) =>
     await commitChanges(cwd, shortName, newVersion);
     // Note: We want to pull here in case there's an error, so nothing gets published
     await pull();
-    await publish(cwd);
+    await publish(cwd, registryOverride || DEFAULT_NPM_REGISTRY);
     await tag(cwd, shortName, newVersion);
     await push();
   } catch (e) {