chore: oidc npm workflow handling

Author: NathanWalker

.github/scripts/npm-publish-ci.sh

@@ -3,6 +3,29 @@ set -euo pipefail
 
 TAG="${NPM_TAG:-next}"
 
+pkg_name="$(node -p "require('./package.json').name")"
+pkg_version="$(node -p "require('./package.json').version")"
+
+# Skip publishing if this exact version already exists on npm.
+# This keeps CI logs clean and avoids attempting to publish unchanged packages.
+view_log_file="$(mktemp)"
+set +e
+npm view "${pkg_name}@${pkg_version}" version --registry "https://registry.npmjs.org" 2>&1 | tee "$view_log_file" >/dev/null
+view_status=${PIPESTATUS[0]}
+set -e
+
+if [ "$view_status" -eq 0 ]; then
+  echo "Skip publish: ${pkg_name}@${pkg_version} already exists on npm."
+  exit 0
+fi
+
+# If npm view failed because the package/version doesn't exist, continue to publish.
+if ! grep -qiE '(E404|404 Not Found|code E404|is not in this registry)' "$view_log_file"; then
+  echo "npm view failed unexpectedly for ${pkg_name}@${pkg_version}; refusing to publish."
+  cat "$view_log_file" >&2
+  exit "$view_status"
+fi
+
 args=(
   --tag "$TAG"
   --access public

.github/workflows/publish_npm.yml

@@ -37,6 +37,8 @@ jobs:
         run: |
           echo "Publishing templates to npm with tag $NPM_TAG via OIDC trusted publishing..."
           unset NODE_AUTH_TOKEN
+          # Ensure we don't have token-based npm auth config lingering from setup-node
+          rm -f ~/.npmrc
           if [ -n "${NPM_CONFIG_USERCONFIG:-}" ]; then
             rm -f "$NPM_CONFIG_USERCONFIG"
             unset NPM_CONFIG_USERCONFIG