fix(ci): repair Publish workflow — native Pages deploy + automated npm publish #22

Merged: smartlabsAT merged 1 commit into main from fix/ci-publish-pipeline on May 22, 2026

smartlabsAT (Owner) commented May 22, 2026

Summary

Fixes both problems that surfaced while shipping v0.2.6:

  1. GitHub Pages Storybook deploy was failing: bitovi/github-actions-storybook-to-github-pages@v1.0.2 internally pulls actions/upload-artifact@v3, which GitHub disabled. The v0.2.6 publish run failed at setup (log) and the GH Pages Storybook is stuck on the pre-v0.2.6 build.
  2. npm publish was not automated — the npm-publish block in publish.yml was commented out and full of placeholders. v0.2.6 had to be published manually.

Changes

.github/workflows/publish.yml rewritten as two independent jobs:

storybook-pages

  • Builds Storybook
  • Deploys to GitHub Pages using native actions only:
    • actions/configure-pages@v5
    • actions/upload-pages-artifact@v3
    • actions/deploy-pages@v4
  • Concurrency group pages with cancel-in-progress: false so an in-flight deploy can finish before the next one starts

npm-publish

  • Builds the package
  • Runs npm publish --provenance --access public
  • Gated on github.event_name == 'release' so manual workflow_dispatch runs (e.g. just to re-deploy Pages) won't try to re-publish the same version
  • Uses repo secret NPM_TOKEN
  • Declares id-token: write at the job level so npm provenance attestations can be signed via GitHub OIDC

Required before next release: add NPM_TOKEN secret

The npm-publish job depends on a repo secret called NPM_TOKEN. Without it the job will fail authentication. Steps for the repo owner:

  1. On https://www.npmjs.com → Profile → Access Tokens → Generate New Token → Granular Access Token
  2. Scope: only react-resize-detector-context, permission: Read and write, expiry: 1 year is reasonable
  3. Copy the token (starts with npm_…)
  4. GitHub: repo Settings → Secrets and variables → Actions → New repository secret named exactly NPM_TOKEN
  5. Paste, save

Once that's set, the next release: published event will trigger the workflow end-to-end.

Test plan

After merging:

  • Manually trigger Publish workflow via workflow_dispatch (Actions tab → Publish → Run workflow → main) to verify the storybook-pages job runs green and Pages updates to current Storybook 10 build. npm-publish will be skipped (no release event).
  • On the next real release, observe both jobs succeed and the new version appears on npm with a provenance badge.

Notes

Closes #21

…m publish

The previous Publish workflow had two unrelated issues that both
broke for the v0.2.6 release:

1. Storybook-to-Pages step depended on
   bitovi/github-actions-storybook-to-github-pages@v1.0.2, which
   internally pulls actions/upload-artifact@v3 — disabled by GitHub.
   The v0.2.6 publish run failed immediately at setup, leaving the
   GitHub Pages Storybook on the prior build.

2. The npm publish block was commented out and full of placeholders
   (your-scope, YOUR_NPM_AUTH_TOKEN), so npm releases had to be
   done manually.

This rewrite splits the workflow into two independent jobs:

- storybook-pages: builds Storybook and deploys to GitHub Pages using
  native actions (actions/configure-pages@v5, actions/upload-pages-
  artifact@v3, actions/deploy-pages@v4). No third-party action. The
  pages concurrency group prevents parallel deploys stepping on each
  other while still letting an in-flight deploy finish.

- npm-publish: builds and runs `npm publish --provenance --access
  public`, gated on github.event_name == 'release' so manual
  workflow_dispatch runs (e.g. to re-deploy Pages) don't try to
  re-publish the same version. Uses the NPM_TOKEN secret; provenance
  is enabled to link the published tarball back to the GitHub release
  via OIDC. The job declares id-token: write at the job level for
  provenance signing.

NPM_TOKEN secret must be added to the repo by the owner before the
next release — instructions in the PR description.

Closes #21
@smartlabsAT smartlabsAT merged commit 8214c7f into main May 22, 2026
3 checks passed
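
A workflow with the shape this PR describes, as an added sketch that is not the repository's actual publish.yml. The Pages action versions, the concurrency settings, the release gate, the NPM_TOKEN secret and the publish command come from the description above; the Node version, npm script names, Storybook output directory, checkout/setup-node steps and the Pages job's permissions are assumptions.

```yaml
# Added sketch, not the project's file. Assumed: Node 20, npm scripts
# "build" and "build-storybook", Storybook output in storybook-static.
name: Publish
on:
  release:
    types: [published]
  workflow_dispatch:

jobs:
  storybook-pages:
    runs-on: ubuntu-latest
    permissions:            # job-scoped; nothing else is granted
      contents: read
      pages: write          # required by actions/deploy-pages
      id-token: write       # deploy-pages authenticates the deployment via OIDC
    concurrency:
      group: pages
      cancel-in-progress: false   # an in-flight deploy finishes before the next starts
    environment:
      name: github-pages
      url: ${{ steps.deploy.outputs.page_url }}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with: { node-version: 20 }
      - run: npm ci
      - run: npm run build-storybook        # assumed script name
      - uses: actions/configure-pages@v5
      - uses: actions/upload-pages-artifact@v3
        with: { path: storybook-static }    # assumed output directory
      - id: deploy
        uses: actions/deploy-pages@v4

  npm-publish:
    if: github.event_name == 'release'      # skipped on workflow_dispatch
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write       # OIDC token used to sign the npm provenance attestation
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with: { node-version: 20, registry-url: "https://registry.npmjs.org" }
      - run: npm ci
      - run: npm run build                  # assumed script name
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # read by the .npmrc setup-node writes
```

Declaring permissions per job keeps the Pages write scope out of the job that holds the npm token, and keeps the npm token out of the job that deploys Pages.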