Skip to content

ci: publish via pnpm when selected#28

Open
gndelia wants to merge 1 commit into
mainfrom
npm-publish-with-pnpm
Open

ci: publish via pnpm when selected#28
gndelia wants to merge 1 commit into
mainfrom
npm-publish-with-pnpm

Conversation

@gndelia
Copy link
Copy Markdown
Contributor

@gndelia gndelia commented May 19, 2026

Summary

Branch the npm-publish reusable workflow's prepublishOnly and publish steps on inputs.package-manager, so callers that opt into pnpm actually invoke pnpm publish instead of npm publish.

This is needed to unlock pnpm-specific publish behavior. Concretely, for a publishConfig like:

"publishConfig": {
  "access": "public",
  "exports": {
    ".": {
      "default": "./_esm/index.js",
      "types": "./_types/index.d.ts"
    },
    "./actions": {
      "default": "./_esm/actions/index.js",
      "types": "./_types/actions/index.d.ts"
    },
    "./package.json": "./package.json"
  },
  "main": "./_esm/index.js",
  "provenance": true,
  "types": "./_types/index.d.ts"
}

npm publish only honors the npm config keys (access, provenance) and ignores the package.json field overrides (main, types, exports) — it ships the raw top-level fields, which would point at source paths and break consumers. pnpm publish reads those overrides and rewrites the published package.json accordingly. I need this for publishing the vetro packages.

Dispatch is implemented via step-level if: guards (one for npm, one for pnpm) rather than interpolating ${{ inputs.package-manager }} into run:, to avoid a GitHub Actions script-injection vector if a caller ever passed an unexpected value.

Related to vetro-protocol/vetro-monorepo#423.

@gndelia
ci: publish via pnpm when selected
51b8df6 
Branch the npm-publish workflow's prepublishOnly and publish
steps on inputs.package-manager so pnpm callers actually run
pnpm publish instead of npm publish.

Dispatch via step-level `if:` rather than interpolating the
input value into the run: script, which would be a GitHub
Actions script-injection vector if a caller passed an
unexpected string.
@gndelia gndelia self-assigned this May 19, 2026
@gndelia gndelia enabled auto-merge (squash) May 19, 2026 16:58
@gndelia gndelia mentioned this pull request May 19, 2026
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@joshuasing joshuasing joshuasing approved these changes

@jcvernaleo jcvernaleo Awaiting requested review from jcvernaleo

@gabmontes gabmontes Awaiting requested review from gabmontes

At least 2 approving reviews are required to merge this pull request.

Assignees

@gndelia gndelia

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@gndelia @joshuasing