From 981c6a847345e2d3cfcc90e9dc48c4bb6f849f3b Mon Sep 17 00:00:00 2001
From: Stackwright Bot <bot@per-aspera.dev>
Date: Tue, 28 Apr 2026 18:33:47 -0400
Subject: [PATCH] fix(ci): remove duplicate pull_request trigger from release
 workflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Remove pull_request trigger: merging a PR to main always fires a push
  event, so the pull_request: closed trigger was redundant and caused two
  concurrent release runs to race — the loser always got rejected with a
  'fetch first' push error (observed in run 25080842050 / PR #391).

- Tighten the [skip ci] guard: github.event.head_commit.message is only
  populated on push events (it is null on pull_request events), so add an
  explicit github.event_name == 'push' check to make the intent clear and
  future-proof against any accidental trigger re-addition.

- Remove provenance: true from actions/setup-node@v5: provenance is an
  npm publish flag, not a valid setup-node input. It caused a yellow
  warning annotation on every run. Provenance attestation is already
  correctly applied via --provenance in the npm publish command.
---
 .github/workflows/release.yml | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0105b55f..6617efd8 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -4,11 +4,6 @@ on:
   push:
     branches:
       - main
-  pull_request:
-    branches:
-      - main
-    types:
-      - closed
 
 permissions:
   contents: write
@@ -21,7 +16,7 @@ jobs:
     # Squash merges embed individual commit messages in the body, and automated
     # commits (prerelease bumps, etc.) include [skip ci] — which would incorrectly
     # suppress the release workflow if we used contains() on the full body.
-    if: "${{ !startsWith(github.event.head_commit.message, 'chore: version packages for release [skip ci]') }}"
+    if: "${{ github.event_name == 'push' && !startsWith(github.event.head_commit.message, 'chore: version packages for release [skip ci]') }}"
     steps:
       - name: Generate PerAsperaCI token
         id: app-token
@@ -42,7 +37,6 @@ jobs:
           node-version: 22
           registry-url: 'https://registry.npmjs.org'
           cache: 'pnpm'
-          provenance: true
 
       - run: pnpm install --frozen-lockfile