Parallelize npm publishing with docs publishing

# that is directly triggered, not reusable workflows called via workflow_call.

# See: https://docs.npmjs.com/trusted-publishers/

#

# The workflow is triggered in two ways:

# 1. workflow_run: Automatically after main.yaml completes (for regular releases)

# 2. workflow_dispatch: Manually triggered (for PR pre-releases)

# This workflow is triggered via workflow_dispatch from:

# 1. main.yaml's publish-npm job (for regular releases)

# 2. publish-pr.yaml (for PR pre-releases)

name: build

on:

  workflow_run:

    workflows: [main]

    types: [completed]

  workflow_dispatch:

    inputs:

      run_id:

jobs:

  npm-publish:

    # For workflow_run: only run if the triggering workflow succeeded and was a push event

    # For workflow_dispatch: always run

    if: >-

      github.event_name == 'workflow_dispatch' ||

      (github.event.workflow_run.conclusion == 'success' &&

       github.event.workflow_run.event == 'push')

    runs-on: ubuntu-latest

    permissions:

      id-token: write

      contents: read

    steps:

    - name: Determine run ID and tag

      id: config

      run: |

        if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then

          echo "run_id=${{ inputs.run_id }}" >> $GITHUB_OUTPUT

          echo "tag=${{ inputs.tag }}" >> $GITHUB_OUTPUT

        else

          echo "run_id=${{ github.event.workflow_run.id }}" >> $GITHUB_OUTPUT

          # Determine tag based on ref type from the triggering workflow

          if [[ "${{ github.event.workflow_run.head_branch }}" == refs/tags/* ]] || \

             [[ -n "$(echo '${{ github.event.workflow_run.head_branch }}' | grep -E '^[0-9]+\.[0-9]+\.[0-9]+')" ]]; then

            echo "tag=latest" >> $GITHUB_OUTPUT

          else

            echo "tag=dev" >> $GITHUB_OUTPUT

          fi

        fi

    - uses: actions/download-artifact@v4

      with:

        name: npm-packages

        run-id: ${{ steps.config.outputs.run_id }}

        run-id: ${{ inputs.run_id }}

        github-token: ${{ secrets.GITHUB_TOKEN }}

    - run: ls -la

    - name: Setup Node.js

    - name: Publish packages

      run: |

        set -ex

        TAG="${{ steps.config.outputs.tag }}"

        TAG="${{ inputs.tag }}"

        for pkg in fedify-*.tgz; do

          if [[ "$TAG" = "latest" ]]; then

            npm publish --logs-dir=. --provenance --access public "$pkg" \

# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json

#

# Main CI workflow for testing, linting, and publishing to JSR.

# npm publishing is handled separately by build.yaml, which is triggered

# automatically via workflow_run after this workflow completes successfully.

# This separation is required for npm's trusted publishing (OIDC) to work

# correctly. See build.yaml for more details.

# Main CI workflow for testing, linting, and publishing to JSR/npm.

# npm publishing is handled by build.yaml, which is triggered via workflow_dispatch

# from the publish-npm job. This allows npm publishing to run in parallel with

# docs publishing, rather than waiting for the entire workflow to complete.

# See build.yaml for details on why this separation is required for npm's

# trusted publishing (OIDC).

name: main

on: [push, pull_request]

    - run: pnpm install

    - run: pnpm publish --recursive --dry-run --no-git-checks

  publish:

  publish-jsr:

    if: github.event_name == 'push'

    needs: [test, test-node, test-bun, test-cfworkers, lint, release-test]

    runs-on: ubuntu-latest

          ((attempt++))

        done

  # NOTE: npm publishing is handled by build.yaml via workflow_run trigger.

  # Do not add npm publish steps here - it will break trusted publishing.

  # Trigger build.yaml via workflow_dispatch to publish to npm.

  # This is required because npm's trusted publishing (OIDC) validates

  # the directly triggered workflow, not reusable workflows called via

  # workflow_call. By triggering build.yaml directly, npm sees build.yaml

  # as the entry point and validates against it.

  publish-npm:

    if: github.event_name == 'push'

    needs: [publish-jsr]

    runs-on: ubuntu-latest

    permissions:

      actions: write

    steps:

    - name: Trigger build.yaml workflow

      uses: actions/github-script@v7

      with:

        script: |

          // Determine tag based on ref type

          let tag;

          if (context.payload.ref && context.payload.ref.startsWith('refs/tags/')) {

            tag = 'latest';

          } else {

            tag = 'dev';

          }

          await github.rest.actions.createWorkflowDispatch({

            owner: context.repo.owner,

            repo: context.repo.repo,

            workflow_id: 'build.yaml',

            ref: context.ref,

            inputs: {

              run_id: '${{ github.run_id }}',

              tag: tag

            }

          });

          console.log(`Triggered build.yaml workflow with run_id=${{ github.run_id }}, tag=${tag}`);

  publish-examples-blog:

    if: github.event_name == 'push'

        root: .

  publish-docs:

    needs: [publish]

    needs: [publish-jsr]

    runs-on: ubuntu-latest

    permissions:

      id-token: write

          pnpm run build

        fi

      env:

        SHORT_VERSION: ${{ needs.publish.outputs.short_version }}

        SHORT_VERSION: ${{ needs.publish-jsr.outputs.short_version }}

        PLAUSIBLE_DOMAIN: ${{ secrets.PLAUSIBLE_DOMAIN }}

        STABLE_DOCS_URL: ${{ vars.STABLE_DOCS_URL }}

        UNSTABLE_DOCS_URL: ${{ vars.UNSTABLE_DOCS_URL }}