
ci: keep publish dry-runs out of registry environments#15

Open
jaberjaber23 wants to merge 4 commits into main from fix/publish-dry-run-no-env-approval

Conversation

@jaberjaber23

Member

Summary

  • split dry-run npm/PyPI verification into read-only jobs without protected registry environments
  • keep real npm/PyPI publish jobs behind environment approval, OIDC, strict promotion gate, exact artifact reuse, leak checks, and registry install checks
  • strengthen workflow-policy tests so job-level dry_run guards and registry upload command drift are caught

Verification

  • node scripts\verify-workflow-policy.mjs
  • pnpm --dir typescript exec tsc -p tsconfig.json --noEmit
  • pnpm --dir typescript test
  • python -m pip install -e python
  • python -m pytest python/tests/ -v

Review

  • Second-opinion review found two policy blind spots; both are fixed in this PR.
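The workflow policy this PR describes (read-only dry-run jobs kept out of protected registry environments, real publish jobs behind an environment plus OIDC and a job-level dry_run guard, and upload commands pinned so drift is caught), as an added example that is not the project's scripts/verify-workflow-policy.mjs. The workflow object, the environment names `npm` and `pypi`, the allowed upload command strings and the `inputs.dry_run` guard convention are all assumptions made for the example; in practice the object would come from parsing the workflow YAML (for instance with js-yaml) into the same shape.

```javascript
// Added example: a minimal workflow-policy check over a parsed GitHub Actions
// workflow. Not the project's own verifier; the workflow below is constructed
// for this example and stands in for a parsed .github/workflows/*.yml.

// Exact upload commands the policy allows. Assumption: any other invocation of
// a registry upload tool counts as "upload command drift".
const ALLOWED_UPLOADS = new Set([
  'npm publish --provenance --access public',
  'twine upload dist/*',
]);

// Commands that would write to a registry, and the read-only forms of them.
const UPLOAD_RE = /\b(npm\s+publish|twine\s+upload)\b/;
const READ_ONLY_RE = /(--dry-run\b|\btwine\s+check\b)/;

// Environments whose deployment protection rules gate publishing (assumption).
const REGISTRY_ENVS = new Set(['npm', 'pypi']);

// Flatten every `run:` block of a job into trimmed, non-empty command lines.
function runLines(job) {
  const steps = Array.isArray(job.steps) ? job.steps : [];
  return steps
    .filter((s) => typeof s.run === 'string')
    .flatMap((s) => s.run.split('\n').map((l) => l.trim()).filter(Boolean));
}

// A line is a real upload if it calls a publish tool and is not its dry-run form.
function isRealUpload(line) {
  return UPLOAD_RE.test(line) && !READ_ONLY_RE.test(line);
}

// Returns a list of human-readable policy findings; empty means the workflow passes.
function checkWorkflowPolicy(workflow) {
  const findings = [];
  for (const [name, job] of Object.entries(workflow.jobs || {})) {
    const uploads = runLines(job).filter(isRealUpload);
    // `environment:` may be a bare name or an object with a `name` key.
    const env = typeof job.environment === 'string' ? job.environment : job.environment?.name;
    const idToken = job.permissions?.['id-token'];
    const guard = typeof job.if === 'string' ? job.if : '';

    if (uploads.length > 0) {
      // A real publish must sit behind the protected environment (approval),
      // request an OIDC token, and carry a job-level guard so a dry-run
      // dispatch can never reach the upload step.
      if (!env || !REGISTRY_ENVS.has(env)) findings.push(`${name}: real upload without registry environment`);
      if (idToken !== 'write') findings.push(`${name}: real upload without id-token: write (OIDC)`);
      if (!/dry_run/.test(guard)) findings.push(`${name}: real upload job lacks job-level dry_run guard`);
      for (const cmd of uploads) {
        if (!ALLOWED_UPLOADS.has(cmd)) findings.push(`${name}: upload command drift: "${cmd}"`);
      }
    } else if (env && REGISTRY_ENVS.has(env)) {
      // Read-only verification must not consume the protected environment:
      // every dry run would then need an approval, and an approval would stop
      // meaning "a publish is about to happen".
      findings.push(`${name}: read-only job uses registry environment "${env}"`);
    }
  }
  return findings;
}

// Constructed sample workflow: two compliant jobs and two deliberate violations
// of the kind the PR's strengthened tests are meant to catch.
const WORKFLOW = {
  on: { workflow_dispatch: { inputs: { dry_run: { type: 'boolean', default: true } } } },
  jobs: {
    'dry-run-npm': {
      'runs-on': 'ubuntu-latest',
      steps: [{ run: 'npm publish --dry-run' }],            // read-only, no environment: OK
    },
    'publish-npm': {
      'runs-on': 'ubuntu-latest',
      if: 'inputs.dry_run != true',
      environment: 'npm',
      permissions: { 'id-token': 'write', contents: 'read' },
      steps: [{ run: 'npm publish --provenance --access public' }], // allowed, gated: OK
    },
    'dry-run-pypi': {
      'runs-on': 'ubuntu-latest',
      environment: 'pypi',                                   // violation: dry run behind approval gate
      steps: [{ run: 'twine check dist/*' }],
    },
    'publish-pypi': {
      'runs-on': 'ubuntu-latest',
      environment: 'pypi',
      permissions: { 'id-token': 'write' },
      steps: [{ run: 'twine upload --skip-existing dist/*' }], // violations: command drift, no dry_run guard
    },
  },
};

for (const finding of checkWorkflowPolicy(WORKFLOW)) console.log(finding);
```

Run against the constructed workflow, the check reports three findings: the PyPI dry-run job consuming the `pypi` environment, the drifted `twine upload --skip-existing dist/*` command, and the missing job-level dry_run guard on the real PyPI publish job; the two npm jobs pass.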
