From 37ba51addb5059070e48438e2b7e50fb008c3a72 Mon Sep 17 00:00:00 2001
From: naorpeled
Date: Mon, 1 Jun 2026 21:12:19 +0300
Subject: [PATCH] ci: set release version at publish time and allow manual publish
Build on the release workflow merged in #317:
- Replace the hardcoded package.json version with a 0.0.0-development placeholder (kept in sync in package-lock.json so npm ci passes); the real version is applied at publish time via `npm pkg set version`.
- Add a workflow_dispatch trigger with a required version input so a release can be published manually. The version step prefers the manual input and falls back to the release tag, stripping a leading "v" (e.g. v1.2.0 -> 1.2.0).
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/release.yml | 28 ++++++++++++++++++++--------
 package-lock.json | 4 ++--
 package.json | 2 +-
 3 files changed, 23 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2d1f4bf..aef5202 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,6 +3,12 @@ name: 'Release'
 on:
 release:
 types: [published]
+ workflow_dispatch:
+ inputs:
+ version:
+ description: 'Version to publish (e.g. 1.2.0 or v1.2.0)'
+ required: true
+ type: string
 # Least-privilege by default; the publish job opts into id-token below.
 permissions:
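Review bot: The new `workflow_dispatch` trigger lets the publish path run from whichever ref the dispatcher selects, and nothing in this hunk restricts it to the default branch or a release tag. The publish job is defined outside the hunk, so it may already be gated; if it is not, a manual run could publish an unreviewed branch under any version string. Consider a job-level condition such as `if: github.event_name == 'release' || github.ref == 'refs/heads/<default-branch>'` (branch name is a placeholder), or a protected `environment:` with required reviewers on the publish job. If npm trusted publishing is configured with an environment name, binding the job to that environment tightens the OIDC trust as well.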
@@ -48,16 +54,22 @@ jobs:
 - name: Ensure npm supports trusted publishing
 # Trusted publishing requires npm >= 11.5.1.
 run: npm install -g npm@latest
- - name: Verify release tag matches package.json version
- run: |
- PKG_VERSION="v$(node -p "require('./package.json').version")"
- TAG="${{ github.event.release.tag_name }}"
- if [ "$PKG_VERSION" != "$TAG" ]; then
- echo "::error::Release tag '$TAG' does not match package.json version '$PKG_VERSION'"
- exit 1
- fi
 - name: Install dependencies
 run: npm ci
+ - name: Set version to publish
+ # package.json ships a 0.0.0-development placeholder; the real version
+ # comes from the manual input (workflow_dispatch) or the release tag,
+ # with any leading "v" stripped (e.g. v1.2.0 -> 1.2.0).
+ run: |
+ VERSION="${INPUT_VERSION:-$TAG}"
+ if [ -z "$VERSION" ]; then
+ echo "::error::No version provided" && exit 1
+ fi
+ npm pkg set version="${VERSION#v}"
+ echo "Publishing version ${VERSION#v}"
+ env:
+ INPUT_VERSION: ${{ github.event.inputs.version }}
+ TAG: ${{ github.event.release.tag_name }}
 - name: Publish to npm
 # No NODE_AUTH_TOKEN: auth happens via OIDC, provenance is automatic.
 run: npm publish
diff --git a/package-lock.json b/package-lock.json
index b7afbaf..c261aa3 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
 "name": "lambda-api",
- "version": "1.2.0",
+ "version": "0.0.0-development",
 "lockfileVersion": 2,
 "requires": true,
 "packages": {
 "": {
 "name": "lambda-api",
- "version": "1.2.0",
+ "version": "0.0.0-development",
 "license": "MIT",
 "devDependencies": {
 "@aws-sdk/client-s3": "3.470.0",
diff --git a/package.json b/package.json
index 136f409..79e9539 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "lambda-api",
- "version": "1.2.0",
+ "version": "0.0.0-development",
 "description": "Lightweight web framework for your serverless applications",
 "main": "index.js",
 "types": "index.d.ts",
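Review bot: The `Set version to publish` step in `.github/workflows/release.yml` writes `${VERSION#v}` into package.json with only an empty-string check, and the tag-versus-package.json verification it replaces is gone, so a mistyped manual input goes straight to `npm publish`. Reject anything that is not a plain semver before `npm pkg set`, e.g. `printf '%s' "${VERSION#v}" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?$' || { echo "::error::Invalid version '$VERSION'"; exit 1; }`. Passing the input through `env:` instead of interpolating `${{ }}` into the script keeps it out of the shell source and should stay that way. On a manual run the published version is no longer tied to any git tag; a comment stating whether that is intended, or a step that checks for a matching tag, would make the release trail easier to audit.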