From 51b8df6c20081d439b7b0fe5772aa5e3178d71b3 Mon Sep 17 00:00:00 2001 From: Gonzalo D'elia Date: Tue, 19 May 2026 13:50:23 -0300 Subject: [PATCH] ci: publish via pnpm when selected Branch the npm-publish workflow's prepublishOnly and publish steps on inputs.package-manager so pnpm callers actually run pnpm publish instead of npm publish. Dispatch via step-level `if:` rather than interpolating the input value into the run: script, which would be a GitHub Actions script-injection vector if a caller passed an unexpected string.
---
 .github/workflows/npm-publish.yml | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
index 029c62d..ee946c8 100644
--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
@@ -29,8 +29,13 @@ jobs:
 - uses: hemilabs/actions/setup-node-env@8f87619b7f0122c39e14a32514ab3e4e0d4c3966 # v2.3.0
 with:
 package-manager: ${{ inputs.package-manager }}
- # The below commands can be run with either npm or pnpm, as both support the same CLI
- - run: npm run --if-present prepublishOnly
 # Provenance is enabled by default in trusted publishing
 # See https://docs.npmjs.com/trusted-publishers#supported-cicd-providers
- - run: npm publish --access public
+ - if: inputs.package-manager == 'npm'
+ run: |
+ npm run --if-present prepublishOnly
+ npm publish --access public
+ - if: inputs.package-manager == 'pnpm'
+ run: |
+ pnpm run --if-present prepublishOnly
+ pnpm publish --access public
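Review bot: When `inputs.package-manager` is anything other than `npm` or `pnpm`, both new `if:` steps are skipped and the job finishes green without publishing anything, so a typo or an unsupported value from a caller passes silently instead of failing the release. The input's declaration is outside this hunk, so it may already be constrained there; if it is not, add a guard step with a static message, e.g. `- if: inputs.package-manager != 'npm' && inputs.package-manager != 'pnpm'` followed by `run: echo "unsupported package-manager" >&2; exit 1`, which keeps the input value out of the `run:` text as the commit message intends. The retained provenance comment describes npm's trusted publishing; it is worth confirming, and stating in that comment, whether the `pnpm publish` path authenticates and attests the same way.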