fix: remove duplicate publish workflows (#1883)

* fix: remove duplicate publish workflows

* chore: add publish workflow diagnostics

.github/workflows/publish-latest.yaml

@@ -1,82 +0,0 @@
-name: Publish Latest
-
-on:
-  workflow_dispatch:
-    inputs:
-      bump:
-        description: "Version bump type"
-        required: true
-        default: "patch"
-        type: choice
-        options:
-          - patch
-          - minor
-          - major
-
-concurrency:
-  group: publish-latest
-
-permissions:
-  id-token: write
-  contents: write
-
-jobs:
-  publish:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-          token: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Setup Node
-        uses: actions/setup-node@v4
-        with:
-          node-version-file: ".nvmrc"
-          cache: "npm"
-          registry-url: "https://registry.npmjs.org"
-
-      - name: Configure git user
-        run: |
-          git config user.name "github-actions[bot]"
-          git config user.email "github-actions[bot]@users.noreply.github.com"
-
-      - name: Install dependencies
-        run: npm ci
-
-      - name: Run tests
-        run: npm test
-
-      - name: Bump version
-        run: 'npm version ${{ inputs.bump }} -m "chore(release): v%s [skip ci]"'
-
-      - name: Publish to npm
-        run: npm publish --tag latest --provenance
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-
-      - name: Push version commit and tag
-        run: git push origin main --follow-tags
-
-      - name: Create GitHub Release
-        run: |
-          TAG="v$(node -p 'require("./package.json").version')"
-          gh release create "$TAG" --generate-notes
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Notify Discord
-        continue-on-error: true
-        run: |
-          set -o pipefail
-          source .github/scripts/discord-helpers.sh
-          [ -z "$WEBHOOK" ] && exit 0
-
-          VERSION=$(node -p 'require("./package.json").version')
-          RELEASE_URL="${{ github.server_url }}/${{ github.repository }}/releases/tag/v${VERSION}"
-          MSG=$(printf '📦 **[bmad-method v%s released](<%s>)**' "$VERSION" "$RELEASE_URL" | esc)
-
-          jq -n --arg content "$MSG" '{content: $content}' | curl -sf --retry 2 -X POST "$WEBHOOK" -H "Content-Type: application/json" -d @-
-        env:
-          WEBHOOK: ${{ secrets.DISCORD_WEBHOOK }}

.github/workflows/publish-next.yaml

@@ -1,65 +0,0 @@
-name: Publish Next
-
-on:
-  push:
-    branches: [main]
-    paths:
-      - "src/**"
-      - "tools/cli/**"
-      - "package.json"
-
-concurrency:
-  group: publish-next
-  cancel-in-progress: true
-
-permissions:
-  id-token: write
-  contents: read
-
-jobs:
-  publish:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Setup Node
-        uses: actions/setup-node@v4
-        with:
-          node-version-file: ".nvmrc"
-          cache: "npm"
-          registry-url: "https://registry.npmjs.org"
-
-      - name: Install dependencies
-        run: npm ci
-
-      - name: Run tests
-        run: npm test
-
-      - name: Derive next prerelease version
-        run: |
-          NEXT_VER=$(npm view bmad-method@next version 2>/dev/null || echo "")
-          LATEST_VER=$(npm view bmad-method@latest version 2>/dev/null || echo "")
-
-          # Determine the best base version for the next prerelease
-          BASE=$(node -e "
-            const semver = require('semver');
-            const next = process.argv[1] || null;
-            const latest = process.argv[2] || null;
-            if (!next && !latest) process.exit(0);
-            if (!next) { console.log(latest); process.exit(0); }
-            if (!latest) { console.log(next); process.exit(0); }
-            // If latest is newer than next's base, use latest (next prerelease will be based on it)
-            const nextBase = next.replace(/-next\.\d+$/, '');
-            console.log(semver.gt(latest, nextBase) ? latest : next);
-          " "$NEXT_VER" "$LATEST_VER")
-
-          if [ -n "$BASE" ]; then
-            npm version "$BASE" --no-git-tag-version --allow-same-version
-          fi
-          npm version prerelease --preid=next --no-git-tag-version
-
-      - name: Publish to npm
-        run: npm publish --tag next --provenance
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

.github/workflows/publish.yaml

@@ -45,6 +45,57 @@ jobs:
           cache: "npm"
           registry-url: "https://registry.npmjs.org"
 
+      - name: Debug trusted publishing identity
+        run: |
+          echo "GitHub workflow context:"
+          echo "  repository: ${{ github.repository }}"
+          echo "  repository_owner: ${{ github.repository_owner }}"
+          echo "  ref: ${{ github.ref }}"
+          echo "  event_name: ${{ github.event_name }}"
+          echo "  workflow: ${{ github.workflow }}"
+          echo "  workflow_ref: ${{ github.workflow_ref }}"
+          echo "  actor: ${{ github.actor }}"
+
+          WORKFLOW_FILE=$(node -e "
+            const ref = process.argv[1] || '';
+            const match = ref.match(/\.github\/workflows\/([^@]+)@/);
+            process.stdout.write(match ? match[1] : '');
+          " "${{ github.workflow_ref }}")
+          echo "  workflow_filename_for_npm: ${WORKFLOW_FILE:-unknown}"
+
+          echo "OIDC claims (sanitized):"
+          RESPONSE=$(curl -fsS -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=npm:registry.npmjs.org")
+          ID_TOKEN=$(node -e "
+            const fs = require('fs');
+            const data = JSON.parse(fs.readFileSync(0, 'utf8'));
+            process.stdout.write(data.value || '');
+          " <<<"$RESPONSE")
+
+          node -e "
+            const token = process.argv[1];
+            if (!token) {
+              console.log(JSON.stringify({ error: 'missing_id_token' }, null, 2));
+              process.exit(0);
+            }
+            const payloadPart = token.split('.')[1] || '';
+            const padded = payloadPart.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (payloadPart.length % 4)) % 4);
+            const claims = JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
+            const out = {
+              iss: claims.iss,
+              sub: claims.sub,
+              aud: claims.aud,
+              repository: claims.repository,
+              repository_owner: claims.repository_owner,
+              workflow: claims.workflow,
+              workflow_ref: claims.workflow_ref,
+              job_workflow_ref: claims.job_workflow_ref,
+              ref: claims.ref,
+              environment: claims.environment || null,
+              runner_environment: claims.runner_environment || null,
+            };
+            console.log(JSON.stringify(out, null, 2));
+          " "$ID_TOKEN"
+
       - name: Configure git user
         if: github.event_name == 'workflow_dispatch'
         run: |
@@ -84,6 +135,17 @@ jobs:
         if: github.event_name == 'workflow_dispatch'
         run: 'npm version ${{ inputs.bump }} -m "chore(release): v%s [skip ci]"'
 
+      - name: Debug publish target and registry state
+        run: |
+          echo "Local package target:"
+          node -e "
+            const pkg = require('./package.json');
+            console.log(JSON.stringify({ name: pkg.name, version: pkg.version }, null, 2));
+          "
+
+          echo "Registry package view (bmad-method):"
+          npm view bmad-method name version dist-tags --json || true
+
       - name: Publish prerelease to npm
         if: github.event_name == 'push'
         run: npm publish --tag next --provenance