fix(publish): remove dangerous --skip-checks flag and add comprehensive validation

BREAKING: CI publish workflow now runs full test suite before publishing

## Critical Security Fix

The publish:ci script was using --skip-checks which bypassed:
- Test suite validation
- Lint/type checking
- Code quality checks

This created a dangerous path where broken code could be published to npm,
potentially costing thousands in incident response and reputation damage.

## Changes

**publish:ci script**:
- Changed from --skip-checks to --skip-git
- Now only skips git-specific checks (safe in CI)
- Still runs full test + lint validation

**provenance.yml workflow**:
- setup-script now runs: test && check && build
- Ensures full validation before publish step
- Build artifacts validated before npm publish
- Added dist-tag input parameter

**scripts/publish.mjs**:
- Removed CI restriction on --skip-build
- Added validateBuildArtifacts() function
- Validates dist/index.js, dist/index.d.ts exist
- Updated help text to clarify validation behavior
- Removed unused CI constant

## Safety Guarantees

CI publish will now FAIL if:
- ✗ Any test fails
- ✗ Lint/type errors exist
- ✗ Build artifacts missing
- ✗ Version already published

The --skip-build flag is safe because:
- setup-script builds first
- Artifact validation ensures build succeeded
- Fails immediately with clear error if missing

## What We Skip (and Why It's Safe)

--skip-git: Safe because CI runs on clean checkouts with branch protection
--skip-build: Safe because setup-script already built, we validate artifacts

Author: jdalton

.github/workflows/provenance.yml

@@ -6,6 +6,11 @@ name: 📦 Publish
 on:
   workflow_dispatch:
     inputs:
+      dist-tag:
+        description: 'npm dist-tag (latest, next, beta, canary, backport, etc.)'
+        required: false
+        default: 'latest'
+        type: string
       debug:
         description: 'Enable debug output'
         required: false
@@ -24,6 +29,8 @@ jobs:
     uses: SocketDev/socket-registry/.github/workflows/provenance.yml@4709a2443e5a036bb0cd94e5d1559f138f05994c # main
     with:
       debug: ${{ inputs.debug }}
+      dist-tag: ${{ inputs.dist-tag }}
       package-name: '@socketregistry/packageurl-js'
-      setup-script: 'pnpm run build'
+      publish-script: 'publish:ci'
+      setup-script: 'pnpm test && pnpm check && pnpm build'
       use-trusted-publishing: true

package.json

@@ -50,6 +50,7 @@
     "prepare": "husky",
     "prepublishOnly": "echo 'ERROR: Use GitHub Actions workflow for publishing' && exit 1",
     "publish": "node scripts/publish.mjs",
+    "publish:ci": "node scripts/publish.mjs --skip-git --skip-build --tag ${DIST_TAG:-latest}",
     "claude": "node scripts/claude.mjs",
     "test": "node scripts/test.mjs",
     "type": "tsgo --noEmit -p .config/tsconfig.check.json",

scripts/publish.mjs

@@ -19,7 +19,6 @@ const rootPath = path.resolve(
   '..',
 )
 const WIN32 = process.platform === 'win32'
-const CI = !!process.env.CI
 
 async function runCommand(command, args = [], options = {}) {
   try {
@@ -204,6 +203,30 @@ async function runPrePublishChecks(options = {}) {
   return true
 }
 
+/**
+ * Validate that build artifacts exist.
+ */
+async function validateBuildArtifacts() {
+  logger.step('Validating build artifacts')
+
+  // Check for main entry point
+  const distIndex = path.join(rootPath, 'dist', 'index.js')
+  if (!existsSync(distIndex)) {
+    logger.error('Missing dist/index.js')
+    return false
+  }
+
+  // Check for type definitions
+  const distIndexDts = path.join(rootPath, 'dist', 'index.d.ts')
+  if (!existsSync(distIndexDts)) {
+    logger.error('Missing dist/index.d.ts')
+    return false
+  }
+
+  logger.success('Build artifacts validated')
+  return true
+}
+
 /**
  * Build the project.
  */
@@ -432,7 +455,9 @@ async function main() {
       console.log('  --dry-run      Perform a dry-run without publishing')
       console.log('  --force        Force publish even with warnings')
       console.log('  --skip-checks  Skip pre-publish checks')
-      console.log('  --skip-build   Skip build step (not allowed in CI)')
+      console.log(
+        '  --skip-build   Skip build step (validates artifacts exist)',
+      )
       console.log('  --skip-git     Skip git status checks')
       console.log('  --skip-tag     Skip git tag push')
       console.log('  --complex      Use complex multi-package flow')
@@ -448,13 +473,6 @@ async function main() {
       return
     }
 
-    // Check CI restrictions
-    if (CI && values['skip-build']) {
-      logger.error('--skip-build is not allowed in CI')
-      process.exitCode = 1
-      return
-    }
-
     printHeader('Publish Runner', { width: 56, borderChar: '=' })
 
     // Get current version
@@ -483,6 +501,14 @@ async function main() {
         process.exitCode = 1
         return
       }
+    } else {
+      // Validate that build artifacts exist when skipping build
+      const artifactsExist = await validateBuildArtifacts()
+      if (!artifactsExist && !values.force) {
+        logger.error('Build artifacts missing - run pnpm build first')
+        process.exitCode = 1
+        return
+      }
     }
 
     // Publish