feat: preflight new-package check in npm-publish-hardened

[jan-kubica]

Why

Trusted publishing cannot create brand-new packages (npm requires a package to exist before a trusted publisher can be configured). A first-ever publish therefore burns all 5 retries and fails late with an opaque ENEEDAUTH — after sibling packages in the same queue already published. This bit us twice this week: the three *-win32-x64-msvc platform packages, and @stll/anonymize-cli@1.4.9 (stella/anonymize run 27347020154).

What

Before publishing anything, check every package in the queue via npm view <name> name:

• confirmed E404 → fail the run immediately (exit 2) with bootstrap instructions (placeholder publish → trusted publisher config → re-run), before anything is published
• transient view failure → ::warning:: and continue; the publish loop has its own retries
• README section documenting the behavior

Verification

• bash -n clean
• Local smoke test: a tarball for a never-published name fails preflight with the instructive error and exit 2, no publish attempted; existing names pass through

Consumers pick this up at their next SHA pin bump of npm-publish-hardened.

CC on behalf of @jan-kubica

[gemini-code-assist]

Code Review

This pull request introduces a preflight check to the hardened npm publish action, verifying that all packages in the queue already exist on the registry before publishing. This prevents late failures due to OIDC trusted publishing limitations on brand-new packages. The README has also been updated with bootstrap instructions. The review feedback suggests addressing style guide violations regarding the use of em dashes in comments and documentation, and fixing a potential issue where a failure in pkg_name_from_tarball under set -e would cause the script to exit immediately, bypassing custom error handling.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[gemini-code-assist]

According to the Stella GitHub Development Guidelines, we should avoid using em dashes and instead prefer parentheses or other punctuation.

Suggested change

	# registry. OIDC trusted publishing cannot create a brand-new package —
	# npm requires a package to exist before a trusted publisher can be
	# configured for it — so a first-ever publish would otherwise burn all
	# registry. OIDC trusted publishing cannot create a brand-new package
	# (npm requires a package to exist before a trusted publisher can be
	# configured for it), so a first-ever publish would otherwise burn all

References

1. Vary punctuation: prefer colons, semicolons, commas, and parentheses over em dashes ^(link)

[gemini-code-assist]

Under set -e, if the command substitution pkg_name_from_tarball fails (e.g., if the tarball is corrupt or package.json is missing), the script will exit immediately. This prevents the custom error message and bootstrap instructions on line 108 from being displayed. Appending || preflight_name="" ensures the failure is caught gracefully and the helpful error message is printed.

Suggested change

	preflight_name=$(pkg_name_from_tarball "${tarball}")
	preflight_name=$(pkg_name_from_tarball "${tarball}") || preflight_name=""

[gemini-code-assist]

According to the Stella GitHub Development Guidelines, we should avoid using em dashes and instead prefer semicolons or other punctuation.

Suggested change

	Transient registry errors during the preflight only warn — the
	publish loop has its own retries.
	Transient registry errors during the preflight only warn; the
	publish loop has its own retries.

References

1. Vary punctuation: prefer colons, semicolons, commas, and parentheses over em dashes ^(link)