From 719c8b7030afe2b10cc4dfc49a2b70b6f60f9b6c Mon Sep 17 00:00:00 2001
From: Chris Farhood <chris@farhood.org>
Date: Sat, 25 Apr 2026 21:43:52 +0000
Subject: [PATCH] ci: publish on version tag push, not master branch push

The previous workflow ran npm publish on every push to master and
gated it via npm view on a stale scoped package name, which made
the check always think the version was unpublished and 403'd
whenever the registry already had it.

Switch the publish job to fire only on push of a v* tag, verify
the tag matches package.json, and use the standard
NODE_AUTH_TOKEN flow via setup-node's registry-url. Tests still
run on master push and PRs.

Release flow: bump version, commit, push master, then
git tag v<version> && git push origin v<version>.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 .github/workflows/ci.yml | 28 +++++++++++++---------------
 1 file changed, 13 insertions(+), 15 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a07d4bd..15d8a0d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -3,6 +3,7 @@ name: CI
 on:
   push:
     branches: [master]
+    tags: ["v*"]
   pull_request:
     branches: [master]
 
@@ -22,7 +23,7 @@ jobs:
   publish:
     needs: test
     runs-on: ubuntu-latest
-    if: github.event_name == 'push' && github.ref == 'refs/heads/master'
+    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
     permissions:
       id-token: write
     steps:
@@ -31,20 +32,17 @@ jobs:
         with:
           node-version: "20"
           cache: "npm"
+          registry-url: "https://registry.npmjs.org"
+      - name: Verify tag matches package.json version
+        run: |
+          TAG_VERSION="${GITHUB_REF#refs/tags/v}"
+          PKG_VERSION=$(node -p "require('./package.json').version")
+          if [ "$TAG_VERSION" != "$PKG_VERSION" ]; then
+            echo "Tag v$TAG_VERSION does not match package.json version $PKG_VERSION"
+            exit 1
+          fi
       - run: npm ci
       - run: npm run build
-      - name: Check if version already published
-        id: version-check
-        run: |
-          CURRENT_VERSION=$(node -p "require('./package.json').version")
-          PUBLISHED_VERSION=$(npm view @farhoodliquor/paperclip-adapter-opencode-k8s version 2>/dev/null || echo "")
-          echo "Current: $CURRENT_VERSION, Published: $PUBLISHED_VERSION"
-          if [ "$CURRENT_VERSION" = "$PUBLISHED_VERSION" ]; then
-            echo "already_published=true" >> $GITHUB_OUTPUT
-          else
-            echo "already_published=false" >> $GITHUB_OUTPUT
-          fi
-      - run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > .npmrc
-        if: steps.version-check.outputs.already_published == 'false'
       - run: npm publish --access public
-        if: steps.version-check.outputs.already_published == 'false'
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}