From 579fae2514a8916df93779940c1145799fe7bafe Mon Sep 17 00:00:00 2001 From: Christopher Schwarz Date: Fri, 22 May 2026 09:15:36 +0200 Subject: [PATCH] =?UTF-8?q?fix(ci):=20repair=20Publish=20workflow=20?= =?UTF-8?q?=E2=80=94=20native=20Pages=20deploy=20+=20automated=20npm=20pub?= =?UTF-8?q?lish?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The previous Publish workflow had two unrelated issues that both broke for the v0.2.6 release: 1. Storybook-to-Pages step depended on bitovi/github-actions-storybook-to-github-pages@v1.0.2, which internally pulls actions/upload-artifact@v3 — disabled by GitHub. The v0.2.6 publish run failed immediately at setup, leaving the GitHub Pages Storybook on the prior build. 2. The npm publish block was commented out and full of placeholders (your-scope, YOUR_NPM_AUTH_TOKEN), so npm releases had to be done manually. This rewrite splits the workflow into two independent jobs: - storybook-pages: builds Storybook and deploys to GitHub Pages using native actions (actions/configure-pages@v5, actions/upload-pages- artifact@v3, actions/deploy-pages@v4). No third-party action. The pages concurrency group prevents parallel deploys stepping on each other while still letting an in-flight deploy finish. - npm-publish: builds and runs `npm publish --provenance --access public`, gated on github.event_name == 'release' so manual workflow_dispatch runs (e.g. to re-deploy Pages) don't try to re-publish the same version. Uses the NPM_TOKEN secret; provenance is enabled to link the published tarball back to the GitHub release via OIDC. The job declares id-token: write at the job level for provenance signing. NPM_TOKEN secret must be added to the repo by the owner before the next release — instructions in the PR description. Closes #21 --- .github/workflows/publish.yml | 92 ++++++++++++++++++++++++----------- 1 file changed, 63 insertions(+), 29 deletions(-) 
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 58b0595..4331bab 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -1,6 +1,3 @@ -# This workflow will run tests using node and then publish a package to GitHub Packages when a release is created -# For more information see: https://help.github.com/actions/language-and-framework-guides/publishing-nodejs-packages - name: Publish on: @@ -13,9 +10,19 @@ permissions: pages: write id-token: write +# Allow only one concurrent Pages deployment, but keep an in-progress +# deploy from being cancelled by a new run (skip the new one instead). +concurrency: + group: pages + cancel-in-progress: false + jobs: - publish: + storybook-pages: + name: Deploy Storybook to GitHub Pages runs-on: ubuntu-latest + environment: + name: github-pages + url: ${{ steps.deployment.outputs.page_url }} steps: - name: Checkout repository uses: actions/checkout@v4 
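Review bot: The `concurrency` block is added at workflow level, so the `pages` group also serialises the `npm-publish` job introduced later in this patch, not only the Pages deploy. With `cancel-in-progress: false` a new run is not skipped as the comment says: it waits as pending, and GitHub cancels any run already pending in the same group, so a release run waiting behind an in-progress deploy can be cancelled by a later manual dispatch before it publishes. I would move the three lines under `storybook-pages:` (`concurrency:`, `group: pages`, `cancel-in-progress: false`) and reword the comment to `# Queue a new Pages deploy behind the in-progress one; an older pending run is cancelled.`. The `storybook-pages` job body continues past the end of this hunk.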
@@ -34,33 +41,60 @@ jobs: node-version: 22 cache: 'pnpm' - - name: Get pnpm store directory - shell: bash - run: | - echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV + - name: Install dependencies + run: pnpm install --frozen-lockfile - - uses: actions/cache@v4 - name: Setup pnpm cache - with: - path: ${{ env.STORE_PATH }} - key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }} - restore-keys: | - ${{ runner.os }}-pnpm-store- + - name: Build Storybook + run: pnpm storybook:build + + - name: Configure Pages + uses: actions/configure-pages@v5 - - name: Deploy Storybook - uses: bitovi/github-actions-storybook-to-github-pages@v1.0.2 + - name: Upload Pages artifact + uses: actions/upload-pages-artifact@v3 with: - install_command: pnpm install --frozen-lockfile - build_command: pnpm storybook:build path: storybook-static + + - name: Deploy to GitHub Pages + id: deployment + uses: actions/deploy-pages@v4 + + npm-publish: + name: Publish package to npm + runs-on: ubuntu-latest + # Gate on release events so manual workflow_dispatch runs (e.g. to + # re-deploy Pages) don't accidentally try to re-publish the same + # version to npm. 
+ if: github.event_name == 'release' + permissions: + contents: read + id-token: write + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Set up pnpm + uses: pnpm/action-setup@v4 + with: + version: 10 + run_install: false + + - name: Install Node.js + uses: actions/setup-node@v4 + with: + node-version: 22 + registry-url: 'https://registry.npmjs.org' + cache: 'pnpm' + + - name: Install dependencies + run: pnpm install --frozen-lockfile + + - name: Build package + run: pnpm build + + - name: Publish to npm + run: npm publish --provenance --access public env: - GH_TOKEN: ${{ github.actor }}:${{ secrets.GITHUB_TOKEN }} - - # - name: Build and publish to npm - # if: github.ref == 'refs/tags/v*' # Only run on version tags - # run: | - # pnpm build - # npm login --registry=https://registry.npmjs.org/ --scope=your-scope - # npm publish - # env: - # NODE_AUTH_TOKEN: ${{ secrets.YOUR_NPM_AUTH_TOKEN }} + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
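Review bot: The `npm-publish` job holds `id-token: write` and `NPM_TOKEN`, yet its steps reference actions by mutable tag, including the third-party `pnpm/action-setup@v4`, and restore a shared dependency cache via `cache: 'pnpm'`. A moved tag or a cache entry written by another workflow run would execute inside the job that signs and publishes the package. I would pin each action to a full commit SHA, e.g. `uses: pnpm/action-setup@<full-commit-sha> # v4`, and drop `cache: 'pnpm'` from this job's `actions/setup-node` step so the release build installs from the registry against the frozen lockfile. Placing the job behind a protected `environment:` that owns the `NPM_TOKEN` secret would additionally require approval before anything is published. The first context lines of this hunk belong to a setup step of `storybook-pages` that starts outside it.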