/** * Publish a prerelease to npm (publish-only, no build/test/bump). * * Version bumping is handled by bump-prerelease.ts in the secrets-free CI * build job. Build and test also run there. This script receives pre-built, * correctly-versioned artifacts and only performs the npm publish step. * * Always publishes with the "canary" dist-tag. * * Usage: tsx scripts/release/prerelease.ts --scope [--dry-run] */ import { spawnSync } from "child_process"; import { getPackagesForScope } from "./lib/versions.js"; import { ROOT, loadConfig } from "./lib/config.js"; import type { ReleaseScope } from "./lib/config.js"; import { emitGithubOutputs } from "./lib/github-output.js"; function run(cmd: string, args: string[], opts?: { cwd?: string }) { const result = spawnSync(cmd, args, { cwd: opts?.cwd ?? ROOT, stdio: "inherit", encoding: "utf8", }); if (result.status !== 0) { throw new Error(`Command failed: ${cmd} ${args.join(" ")}`); } return result; } // Valid scopes come from release.config.json — the single source of truth. const VALID_SCOPES = Object.keys(loadConfig().scopes); function main() { const argv = process.argv.slice(2); const dryRun = argv.includes("--dry-run"); const scopeIdx = argv.indexOf("--scope"); const scope = ( scopeIdx !== -1 ? argv[scopeIdx + 1] : null ) as ReleaseScope | null; if (!scope || !VALID_SCOPES.includes(scope)) { console.error( `Usage: prerelease.ts --scope <${VALID_SCOPES.join("|")}> [--dry-run]`, ); process.exit(1); } const config = loadConfig(); const distTag = config.prereleaseTag; // Read the version from package.json — already bumped by bump-prerelease.ts // in the CI build job. const packages = getPackagesForScope(scope); if (packages.length === 0) { console.error( `No packages found for scope "${scope}" — refusing to emit a version for a publish that did nothing.`, ); process.exit(1); } const publishVersion = packages[0].pkg.version; if (!publishVersion) { console.error( `Package ${packages[0].name} has no version field; refusing to publish.`, ); process.exit(1); } console.log(`Scope: ${scope}`); console.log(`Publishing version: ${publishVersion}`); console.log(`Dist tag: ${distTag}`); if (dryRun) { console.log("\n[DRY RUN] Would publish these packages:"); for (const p of packages) { console.log(` ${p.name}@${p.pkg.version}`); } // Emitting in dry-run is safe — the publish workflow gates both the // publish step and the verify guard on `inputs.dry-run != true`, so this // only serves local/e2e verification of the output contract. emitGithubOutputs({ version: publishVersion, scope }); console.log("\n[DRY RUN] Exiting."); return; } // NOTE: Version bumping is handled by bump-prerelease.ts in the CI build // job (no secrets). Build and test also run there. // The publish job receives pre-built artifacts via download-artifact. // We intentionally do NOT rebuild/retest here to keep NPM_TOKEN out // of the build process tree. // Publish each package via pnpm pack + npx npm@11 (OIDC-aware) console.log("\nPublishing packages..."); for (const p of packages) { console.log( ` Publishing ${p.name}@${p.pkg.version} with tag ${distTag}...`, ); run("pnpm", ["pack"], { cwd: p.dir }); const tarball = `${p.name.replace("@", "").replace("/", "-")}-${p.pkg.version}.tgz`; run( "npx", [ "--yes", "npm@11.15.0", "publish", tarball, "--tag", distTag, "--access", "public", ], { cwd: p.dir }, ); } // The workflow's "Verify publish step emitted version" guard and the // prerelease summary read these from steps.publish.outputs. emitGithubOutputs({ version: publishVersion, scope }); console.log(`\nPrerelease published: ${publishVersion} (tag: ${distTag})`); } main();