ci: verify npm publish access

2026-06-06 06:25:07 +08:00 · 2026-06-06 06:25:07 +08:00 · 74b350b962
commit 74b350b962
parent d3c36d9001
1 changed files with 20 additions and 1 deletions
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@ -37,6 +37,25 @@ jobs:
      - name: Typecheck
        run: pnpm typecheck

+      - name: Verify npm publish access
+        shell: bash
+        run: |
+          set -euo pipefail
+          name="$(node -p "require('./package.json').name")"
+          version="$(node -p "require('./package.json').version")"
+          user="$(npm whoami 2>/dev/null || true)"
+          if [ -z "${user}" ]; then
+            echo "::error::NPM_TOKEN is not valid for npm publish. Create an npm automation token for an account that can publish ${name}, then save it as the repository secret NPM_TOKEN."
+            exit 1
+          fi
+          if npm view "${name}" name >/dev/null 2>&1; then
+            echo "::notice::Publishing ${name}@${version} as npm user ${user}; package already exists."
+          else
+            echo "::notice::Publishing ${name}@${version} as npm user ${user}; npm will create this public package on first publish."
+          fi
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
      - name: Check published version
        id: published
        shell: bash
@ -53,6 +72,6 @@ jobs:

      - name: Publish
        if: steps.published.outputs.exists != 'true'
-        run: npm publish --provenance
+        run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}