From 44707251c901afec4021090c70b7affdc526ea49 Mon Sep 17 00:00:00 2001 From: Luis Mendez Date: Sun, 10 May 2026 23:40:07 +0200 Subject: [PATCH] fix(release): pass --tag next when publishing a pre-release MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The v0.8.0-rc.1 dispatch (run 25640431367, second attempt) failed at the Publish step with: npm error You must specify a tag using --tag when publishing a prerelease version. `npm publish` refuses to default a semver prerelease (`-rc.1`) to the `latest` dist-tag because that would silently demote stable consumers who pin `latest`. Without `--tag`, prereleases fail closed. Parameterise the publish step on `inputs.prerelease`: - prerelease=true → `npm publish --provenance --tag next ` - prerelease=false → `npm publish --provenance ` (defaults to `latest`) This is workflow plumbing — every other step (Layer 1+2 readiness, build:claude-plugin, tarball provenance attestation, Release create with asset upload) succeeded on the previous dispatch, so the Trusted-Publishing config on npmjs.com is reachable end-to-end. This fix unblocks the last gate before the OIDC publish actually runs. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/release.yml | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 9659cacd2..84d12245d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -386,6 +386,7 @@ jobs: if: ${{ ! inputs.dry_run && inputs.publish_package }} env: INPUT_VERSION: ${{ inputs.version }} + INPUT_PRERELEASE: ${{ inputs.prerelease }} TARBALL: ${{ steps.pack.outputs.tarball }} run: | actual="$(node -p "require('./package.json').name + '@' + require('./package.json').version")" 
@@ -394,6 +395,15 @@ jobs: echo "::error::package.json identity (${actual}) does not match expected (${expected}) — refusing to publish (ADR-0040)" >&2 exit 1 fi + # Pre-release versions must publish under a non-`latest` dist-tag. + # `npm publish` refuses to default a prerelease to `latest` and + # exits with "You must specify a tag using --tag when publishing + # a prerelease version." `inputs.prerelease == true` → publish + # under `next`; stable releases → default `latest` (no `--tag`). + publish_args=("--provenance") + if [ "${INPUT_PRERELEASE}" = "true" ]; then + publish_args+=("--tag" "next") + fi set +e view_output="$(npm view "specorator@${INPUT_VERSION}" version --json 2>&1)" view_exit=$? @@ -405,7 +415,7 @@ jobs: # published archive equals the GitHub Release asset uploaded in # step 11 (T-V05-013). `--provenance` mints a sigstore provenance # statement via the OIDC token (ADR-0044, restoring ADR-0040). - npm publish --provenance "${TARBALL}" + npm publish "${publish_args[@]}" "${TARBALL}" else echo "::error::npm view failed with a non-404 error — refusing to publish so EPUBLISHCONFLICT cannot mask a real failure" >&2 echo "$view_output" >&2
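Review bot: In the `@@ -386,6 +386,7 @@` hunk, the new `INPUT_PRERELEASE: ${{ inputs.prerelease }}` env entry reaches the script as a string, and the script only acts on the exact literal `true`; any other rendering (`True`, `1`, empty) is silently treated as a stable release. The declaration of `inputs.prerelease` is not part of this diff, so confirm it is typed as a boolean, and have the script reject any value other than `true` or `false` instead of falling through to the default `latest` path. Passing the input through `env:` rather than interpolating it into the `run:` body is the right pattern and matches how `INPUT_VERSION` is handled.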
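Review bot: In the `@@ -394,6 +395,15 @@` hunk, the dist-tag is chosen from `INPUT_PRERELEASE` alone and is never checked against `INPUT_VERSION`, so the two can disagree. A prerelease version dispatched with prerelease=false fails closed at npm, as the commit message describes, but a stable version dispatched with prerelease=true would publish under `next` without any error and leave `latest` unchanged. Consider a guard next to the existing package.json identity check: if `INPUT_VERSION` carries a `-` prerelease suffix, require `INPUT_PRERELEASE` to be `true`, and the reverse, exiting with an `::error::` line on mismatch.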
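Review bot: In the `@@ -405,7 +415,7 @@` hunk, `npm publish "${publish_args[@]}" "${TARBALL}"` no longer shows `--provenance` on the line, while the comment directly above it still explains that flag. Add a short pointer to where `publish_args` is built so the provenance requirement is not lost in a later edit of that array. The array expansion also depends on the step running under bash, which these lines do not show, and echoing the final arguments just before the publish would record in the run log which dist-tag was used.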