fix(repo,versioner): harden npm publish

CharlieHelps · CharlieHelps · commit 85a068937e53 · 2026-01-11T20:27:17.000Z
- Fail if pnpm pack emits != 1 tarball. - Add --registry option (default: https://registry.npmjs.org/) and log it. - Release workflow: fetch full git history and publish the triggering SHA.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -26,9 +26,8 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
         with:
-          fetch-depth: 100
+          fetch-depth: 0
           fetch-tags: true
-          ref: master
 
       - name: Setup Node
         uses: actions/setup-node@v4
diff --git a/packages/versioner/src/versioner.ts b/packages/versioner/src/versioner.ts
@@ -171,11 +171,19 @@ const publish = async (cwd: string) => {
   try {
     await execa('pnpm', ['pack', '--pack-destination', packDir], { cwd, stdio: 'inherit' });
 
-    const tarballs = readdirSync(packDir).filter((file) => file.endsWith('.tgz'));
-    const [tarball] = tarballs;
-    if (!tarball) throw new Error(`Could not find packed tarball in: ${packDir}`);
+    const tarballs = readdirSync(packDir)
+      .filter((file) => file.endsWith('.tgz'))
+      .sort();
+
+    if (tarballs.length !== 1) {
+      throw new Error(
+        `Expected exactly 1 packed tarball in: ${packDir} for cwd=${cwd} (found ${
+          tarballs.length
+        }): ${tarballs.join(', ')}`
+      );
+    }
 
-    const tarballPath = join(packDir, tarball);
+    const tarballPath = join(packDir, tarballs[0]);
     const hasOidcEnv =
       !!process.env.ACTIONS_ID_TOKEN_REQUEST_URL && !!process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN;
     const provenanceArgs = hasOidcEnv ? ['--provenance'] : [];
