fix(ci): publish the pre-built tarball instead of re-packing

The release workflow built the tarball twice — once via pnpm pack in
artifacts:check (leaving it at dist/artifacts/npm/) and again inside
@semantic-release/npm's prepare step, which then tried to fs-extra
move npm pack's output into the same directory and crashed with
"dest already exists". On top of being a publish blocker, that meant
the published tarball was different from the one smoke-tested in
artifacts:check.

Drop @semantic-release/npm and publish the exact tarball that
artifacts:check verified via an exec publishCmd:

    npm publish dist/artifacts/npm/kaelio-ktx-<v>.tgz \
      --tag <next|latest> --access public --provenance

Auth uses OIDC trusted publishing — the workflow already grants
id-token: write and setup-node configures the registry, and
release-workflow.test.mjs asserts NODE_AUTH_TOKEN is not set.
This commit is contained in:
Andrey Avtomonov 2026-05-20 00:44:40 +02:00
parent 6738defb81
commit 77c91c87b8
2 changed files with 16 additions and 21 deletions

View file

@ -166,19 +166,10 @@ function createReleaseConfig(env = process.env) {
'pnpm run artifacts:check',
'pnpm run release:readiness',
].join(' && '),
},
],
[
'@semantic-release/npm',
{
pkgRoot: 'dist/public-npm-package',
tarballDir: 'dist/artifacts/npm',
},
],
[
'@semantic-release/exec',
{
publishCmd: 'pnpm run release:published-smoke',
publishCmd: [
`npm publish dist/artifacts/npm/kaelio-ktx-\${nextRelease.version}.tgz --tag ${tag} --access public --provenance`,
'pnpm run release:published-smoke',
].join(' && '),
},
],
...releaseGitPlugins(kind),