Harden npm publish workflow reruns

cristianrgreco · cristianrgreco · commit 8ff8c1ea25a4 · 2026-05-27T14:42:15.000+01:00
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
@@ -1,6 +1,6 @@
 name: Node.js Package
 
-run-name: ${{ github.event_name == 'workflow_dispatch' && format('Dry run publish {0}', inputs.version) || format('Publish {0}', github.event.release.tag_name) }}
+run-name: ${{ github.event_name == 'workflow_dispatch' && (inputs.publish && format('Publish {0}', inputs.version) || format('Dry run publish {0}', inputs.version)) || format('Publish {0}', github.event.release.tag_name) }}
 
 on:
   release:
@@ -11,6 +11,11 @@ on:
         description: "Version to rehearse, with or without v prefix. Example: 12.0.1"
         required: true
         type: string
+      publish:
+        description: "Publish packages to npm instead of dry running"
+        required: true
+        default: false
+        type: boolean
 
 jobs:
   publish:
@@ -47,6 +52,18 @@ jobs:
           echo "tag=v$VERSION" >> "$GITHUB_OUTPUT"
           echo "version=$VERSION" >> "$GITHUB_OUTPUT"
 
+      - name: Verify npm publish token
+        if: ${{ github.event_name == 'release' || (github.event_name == 'workflow_dispatch' && inputs.publish) }}
+        run: |
+          if npm whoami > /dev/null 2>&1; then
+            echo "npm publish token is valid"
+          else
+            echo "::error::npm publish token is invalid, expired, or missing required registry access"
+            exit 1
+          fi
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.npm_token }}
+
       - name: Update versions
         env:
           TAG: ${{ steps.version.outputs.tag }}
@@ -69,18 +86,23 @@ jobs:
 
       - name: Git commit
         if: ${{ github.event_name == 'release' }}
-        run: git commit -am "${{ steps.version.outputs.tag }}"
+        run: |
+          if git diff --quiet; then
+            echo "Version bump already committed"
+          else
+            git commit -am "${{ steps.version.outputs.tag }}"
+          fi
 
       - name: Git push
         if: ${{ github.event_name == 'release' }}
         run: git push
 
       - name: Dry run publish
-        if: ${{ github.event_name == 'workflow_dispatch' }}
+        if: ${{ github.event_name == 'workflow_dispatch' && !inputs.publish }}
         run: npm publish --ws --dry-run
 
       - name: Publish packages to NPM
-        if: ${{ github.event_name == 'release' }}
+        if: ${{ github.event_name == 'release' || (github.event_name == 'workflow_dispatch' && inputs.publish) }}
         run: npm publish --ws
         env:
           NODE_AUTH_TOKEN: ${{ secrets.npm_token }}
