From 442ad629c293201750e008e4fff23465f94d4100 Mon Sep 17 00:00:00 2001 From: root Date: Mon, 25 May 2026 07:18:30 +0000 Subject: [PATCH] ci: harden Gitea package publish workflow --- .gitea/workflows/publish-packages.yml | 35 ++++++++++++++++++++++----- 1 file changed, 29 insertions(+), 6 deletions(-) diff --git a/.gitea/workflows/publish-packages.yml b/.gitea/workflows/publish-packages.yml index 839aab81..262b3d17 100644 --- a/.gitea/workflows/publish-packages.yml +++ b/.gitea/workflows/publish-packages.yml @@ -2,6 +2,15 @@ name: Publish @bytelyst/* packages on: workflow_dispatch: + inputs: + package_filter: + description: 'Package name to publish, or @bytelyst/* for all packages' + required: false + default: '@bytelyst/errors' + dry_run: + description: 'Build, test, and pack queued packages without publishing' + required: false + default: 'false' push: branches: [main] @@ -19,6 +28,9 @@ jobs: container: image: node:20-bookworm@sha256:8f693eaa7e0a8e71560c9a82b55fd54c2ae920a2ba5d2cde28bac7d1c01c9ba5 options: --network host -v /home/gitea-runner/.gitea_publish_npmrc:/run/secrets/gitea_publish_npmrc:ro + env: + PACKAGE_FILTER: ${{ github.event.inputs.package_filter }} + DRY_RUN: ${{ github.event.inputs.dry_run }} steps: - name: Checkout @@ -33,6 +45,8 @@ jobs: echo "RefName: ${{ github.ref_name }}" echo "Commit: ${{ github.sha }}" echo "Runner: $(hostname)" + echo "Package filter: ${PACKAGE_FILTER:-@bytelyst/errors}" + echo "Dry run: ${DRY_RUN:-false}" grep '^PRETTY_NAME=' /etc/os-release || true node --version npm --version @@ -54,10 +68,10 @@ jobs: run: HUSKY=0 pnpm install --frozen-lockfile - name: Discover unpublished packages - env: - PACKAGE_FILTER: '@bytelyst/errors' run: | set -euo pipefail + PACKAGE_FILTER="${PACKAGE_FILTER:-@bytelyst/errors}" + echo "Using package filter: $PACKAGE_FILTER" : > /tmp/packages-to-publish.tsv for pkg_json in packages/*/package.json; do name=$(node -p "require('./$pkg_json').name") 
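Review bot: `dry_run` is declared as a free-form string input (`default: 'false'`) in the new `inputs:` block, so the dispatch form accepts any text and the only guard is the shell `case` added further down in the publish step. If the Gitea version running this supports typed `workflow_dispatch` inputs, declaring `type: choice` with `options: ['false', 'true']` (or `type: boolean`) constrains the value at the UI and leaves the shell check as a backstop. The `package_filter` description promises that `@bytelyst/*` selects all packages, but the matching logic lives in the Discover step outside this hunk, so the description should say exactly which pattern syntax is honoured (exact name versus shell glob).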
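Review bot: The `@bytelyst/errors` and `false` defaults are now written in four places — the `default:` values under `inputs:`, the Environment echo (hunk `@@ -33,6`), the Discover step (hunk `@@ -54,10`) and the publish step on the next hunk (`@@ -83,10`) — because the job-level `env:` forwards `github.event.inputs.*` verbatim and that context is empty on the `push: branches: [main]` trigger. Defaulting once in the expression keeps them single-sourced, assuming the runner's expression evaluator supports `||` as GitHub's does: `PACKAGE_FILTER: ${{ github.event.inputs.package_filter || '@bytelyst/errors' }}` and `DRY_RUN: ${{ github.event.inputs.dry_run || 'false' }}`. Passing the inputs through `env:` rather than interpolating `${{ }}` into `run:` is the right shape, since the shell then sees them as data rather than as script text.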
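Review bot: The Discover step's matching code, below this hunk inside the `for pkg_json` loop, now receives `PACKAGE_FILTER` from the dispatch form instead of the removed hard-coded `env:` value, so it must treat it as data: compare it as a string or a `[[ "$name" == $PACKAGE_FILTER ]]` glob and never hand it to `eval`, an unquoted command word or a `grep -E` pattern. A scope check right after the new default also stops a typo from silently matching nothing, which today ends the run green with the "nothing to do" message: `case "$PACKAGE_FILTER" in @bytelyst/*) ;; *) echo "PACKAGE_FILTER must be a @bytelyst/ package name or @bytelyst/*" >&2; exit 1 ;; esac`. The `for pkg_json` loop continues past the end of the hunk.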
@@ -83,10 +97,14 @@ jobs: cat /tmp/packages-to-publish.tsv || true - name: Build, test, pack, publish, and consumer-verify queued packages - env: - DRY_RUN: 'false' run: | set -euo pipefail + DRY_RUN="${DRY_RUN:-false}" + case "$DRY_RUN" in + true|false) ;; + *) echo "DRY_RUN must be 'true' or 'false'; got '$DRY_RUN'" >&2; exit 1 ;; + esac + echo "Dry run mode: $DRY_RUN" mkdir -p /tmp/tarballs if [ ! -s /tmp/packages-to-publish.tsv ]; then echo "No unpublished packages matched the filter; nothing to do." @@ -95,15 +113,20 @@ jobs: while IFS=$'\t' read -r name version dir; do echo "=== $name@$version ===" pnpm --filter "$name" run build - pnpm --filter "$name" test + if node -e "const s=require('./$dir/package.json').scripts||{}; process.exit(s.test ? 0 : 1)"; then + pnpm --filter "$name" test + else + echo "SKIP test: $name has no package.json scripts.test" + fi (cd "$dir" && pnpm pack --pack-destination /tmp/tarballs) if [ "$DRY_RUN" = "true" ]; then echo "DRY RUN: would publish $name@$version" else cp /tmp/publish.npmrc "$dir/.npmrc" - trap 'rm -f "$dir/.npmrc"' EXIT + trap "rm -f '$dir/.npmrc'" EXIT (cd "$dir" && pnpm publish --no-git-checks --registry https://gitea.bytelyst.com/api/packages/bytelyst/npm/) rm -f "$dir/.npmrc" + trap - EXIT npm view "$name@$version" version dist.shasum dist.tarball --userconfig /tmp/publish.npmrc --registry https://gitea.bytelyst.com/api/packages/bytelyst/npm/ consumer_name="consumer-${name//@/}-${version}" consumer_name="${consumer_name//\//-}"
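Review bot: The `case "$DRY_RUN"` validation sits in the publish step, so a mistyped `dry_run` input is only rejected after `pnpm install --frozen-lockfile` and the Discover step have already run, and the earlier Environment echo has printed the bad value as if it were accepted. Moving the same `case` into the first shell step (or a small dedicated `Validate inputs` step) fails the run before any work is done. The `${DRY_RUN:-false}` default is correct for `push` runs, where `github.event.inputs` is empty, but it means every push to `main` publishes for real; a comment above the assignment such as `# push runs carry no inputs: an empty DRY_RUN means a real publish` makes that intent explicit for the next maintainer.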
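Review bot: The new `if node -e … scripts.test` branch lets a package with no `test` script continue to `pnpm pack` and `pnpm publish` with only a build, and the `SKIP test` line goes to stdout in a green run, so an untested package can be published without anyone noticing. Send that message to stderr and collect the skipped names for a summary after the loop, or fail unless skipping is explicitly allowed; if the pinned pnpm supports `run --if-present`, `pnpm --filter "$name" run --if-present test` drops the `node -e` probe, though it also hides the skip, so keep an explicit message either way. The rewritten `trap "rm -f '$dir/.npmrc'" EXIT` now expands `$dir` when the trap is set, which is the right fix for the per-iteration credential file, but each iteration replaces any EXIT trap the script installed earlier (outside this hunk) and the following `trap - EXIT` removes it for good — worth confirming there is none. The `while IFS=$'\t' read` loop continues past the end of the hunk.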