ci: split build and upload into distinct jobs

Author: dustinbyrne

.github/workflows/release.yml

@@ -334,17 +334,18 @@ jobs:
                   message: '❌ Failed to release `${{ matrix.package.name }}@v${{ steps.check-package-version.outputs.committed-version }}`! <https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}|View logs>'
                   emoji_reaction: 'x'
 
-    upload-s3:
-        name: Upload posthog-js dist to S3
+    build-s3-artifacts:
+        name: Build posthog-js dist for S3
         needs: [version-bump, publish, notify-approval-needed]
         runs-on: ubuntu-latest
         # Run as long as the version bump committed — even if some matrix publishes failed,
         # posthog-js might have succeeded and we still want the artifacts in S3.
         if: always() && needs.version-bump.outputs.commit-hash != ''
-        environment: 'S3 Upload' # OIDC role scoped to this environment — must exist in repo settings with required reviewers
         permissions:
             contents: read
-            id-token: write
+        outputs:
+            is-new-version: ${{ steps.check-version.outputs.is-new-version }}
+            committed-version: ${{ steps.check-version.outputs.committed-version }}
         steps:
             - name: Checkout repository
               uses: actions/checkout@v6
@@ -362,32 +363,60 @@ jobs:
               if: steps.check-version.outputs.is-new-version == 'true'
               uses: ./.github/actions/setup
 
+            - name: Upload dist artifact
+              if: steps.check-version.outputs.is-new-version == 'true'
+              uses: actions/upload-artifact@v4
+              with:
+                  name: posthog-js-dist
+                  path: packages/browser/dist/*.js
+                  retention-days: 1
+                  if-no-files-found: error
+
+    upload-s3:
+        name: Upload posthog-js dist to S3
+        needs: [build-s3-artifacts, version-bump, notify-approval-needed]
+        runs-on: ubuntu-latest
+        if: always() && needs.build-s3-artifacts.outputs.is-new-version == 'true'
+        environment: 'S3 Upload' # For OIDC credential scoping only — no required reviewers (single approval at NPM Release)
+        permissions:
+            contents: read
+            id-token: write
+        steps:
+            # Sparse checkout: only the upload script — no pnpm install/build runs here.
+            - name: Checkout upload script
+              uses: actions/checkout@v6
+              with:
+                  ref: ${{ needs.version-bump.outputs.commit-hash }}
+                  sparse-checkout: .github/scripts
+
+            - name: Download dist artifact
+              uses: actions/download-artifact@v4
+              with:
+                  name: posthog-js-dist
+                  path: packages/browser/dist
+
             # Upload to US (us-east-1)
             - name: Configure AWS credentials (US)
-              if: steps.check-version.outputs.is-new-version == 'true'
               uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6
               with:
                   role-to-assume: ${{ vars.AWS_S3_UPLOAD_ROLE_ARN_US }}
                   aws-region: us-east-1
 
             - name: Upload dist and update manifest (US)
-              if: steps.check-version.outputs.is-new-version == 'true'
               env:
-                  VERSION: ${{ steps.check-version.outputs.committed-version }}
+                  VERSION: ${{ needs.build-s3-artifacts.outputs.committed-version }}
               run: .github/scripts/upload-posthog-js-s3.sh posthog-js-prod-us
 
             # Upload to EU (eu-central-1)
             - name: Configure AWS credentials (EU)
-              if: steps.check-version.outputs.is-new-version == 'true'
               uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6
               with:
                   role-to-assume: ${{ vars.AWS_S3_UPLOAD_ROLE_ARN_EU }}
                   aws-region: eu-central-1
 
             - name: Upload dist and update manifest (EU)
-              if: steps.check-version.outputs.is-new-version == 'true'
               env:
-                  VERSION: ${{ steps.check-version.outputs.committed-version }}
+                  VERSION: ${{ needs.build-s3-artifacts.outputs.committed-version }}
               run: .github/scripts/upload-posthog-js-s3.sh posthog-js-prod-eu
 
             - name: Notify Slack - S3 Upload Failed
@@ -398,14 +427,14 @@ jobs:
                   slack_bot_token: ${{ secrets.SLACK_CLIENT_LIBRARIES_BOT_TOKEN }}
                   slack_channel_id: ${{ vars.SLACK_APPROVALS_CLIENT_LIBRARIES_CHANNEL_ID }}
                   thread_ts: ${{ needs.notify-approval-needed.outputs.slack_ts }}
-                  message: '❌ Failed to upload posthog-js v${{ steps.check-version.outputs.committed-version }} dist to S3! <https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}|View logs>'
+                  message: '❌ Failed to upload posthog-js v${{ needs.build-s3-artifacts.outputs.committed-version }} dist to S3! <https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}|View logs>'
                   emoji_reaction: 'x'
 
     notify-released:
         name: Notify Slack - Released
         needs: [notify-approval-needed, publish, upload-s3]
         runs-on: ubuntu-latest
-        if: always() && needs.publish.result == 'success' && needs.notify-approval-needed.outputs.slack_ts != ''
+        if: always() && needs.publish.result == 'success' && needs.upload-s3.result == 'success' && needs.notify-approval-needed.outputs.slack_ts != ''
         steps:
             - name: Checkout repository
               uses: actions/checkout@v6