From e25d275d8034e5335a80de9d35b2749efa6e5043 Mon Sep 17 00:00:00 2001
From: Tamas Kalman <ktamas77@gmail.com>
Date: Mon, 4 May 2026 04:18:18 -0700
Subject: [PATCH] ci: fix npm upgrade in publish job + add workflow_dispatch
 fallback
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

`npm install -g npm@latest` is broken on Node 22.22.2's bundled npm
(missing 'promise-retry'), which broke the 0.1.3 publish. Switch to
`npx -y npm@11.5.2 publish` — pinned for Trusted Publisher OIDC, no
broken global install needed.

Also add a workflow_dispatch trigger with a `tag` input so a publish
can be re-run for an existing tag (e.g. v0.1.3) when CI flaked,
without having to bump versions.
---
 .github/workflows/release.yml | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index cf8fc67..8a0df91 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,6 +3,11 @@ name: Release
 on:
   push:
     branches: [main]
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Existing release tag to publish (e.g. v0.1.3). Used when a previous publish failed.'
+        required: true
 
 permissions:
   contents: write
@@ -11,6 +16,7 @@ permissions:
 
 jobs:
   release-please:
+    if: ${{ github.event_name == 'push' }}
     runs-on: ubuntu-latest
     outputs:
       release_created: ${{ steps.release.outputs.release_created }}
@@ -23,7 +29,7 @@ jobs:
 
   publish:
     needs: release-please
-    if: ${{ needs.release-please.outputs.release_created == 'true' }}
+    if: ${{ always() && (needs.release-please.outputs.release_created == 'true' || github.event_name == 'workflow_dispatch') }}
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -31,15 +37,18 @@ jobs:
     steps:
       - uses: actions/checkout@v4
         with:
-          ref: ${{ needs.release-please.outputs.tag_name }}
+          ref: ${{ github.event_name == 'workflow_dispatch' && inputs.tag || needs.release-please.outputs.tag_name }}
       - uses: actions/setup-node@v4
         with:
           node-version: '22.x'
           registry-url: 'https://registry.npmjs.org'
           cache: npm
-      - run: npm install -g npm@latest
       - run: npm ci
       - run: npm run lint
       - run: npm run typecheck
       - run: npm run build
-      - run: npm publish --provenance --access public
+      # Trusted Publisher OIDC needs npm >= 11.5.1. Node 22's bundled npm
+      # is 10.x, and `npm install -g npm@latest` is currently broken on
+      # 22.22.2 (missing 'promise-retry'). Use npx to invoke a known-good
+      # npm version just for the publish step.
+      - run: npx -y npm@11.5.2 publish --provenance --access public