Shopify · westeezy · May 15, 2026 · May 15, 2026
@@ -18,6 +18,10 @@ inputs:
     description: Working directory in which to run pnpm install
     required: false
     default: .
+  ignore-scripts:
+    description: Pass --ignore-scripts to pnpm install. Set to "true" in privileged contexts (e.g. publish workflows) to prevent dependency postinstall scripts from running with elevated permissions.
+    required: false
+    default: "false"
 
 runs:
   using: composite
@@ -38,4 +42,11 @@ runs:
     - name: Install dependencies
       working-directory: ${{ inputs.working-directory }}
       shell: bash
-      run: pnpm install --frozen-lockfile
+      env:
+        IGNORE_SCRIPTS: ${{ inputs.ignore-scripts }}
+      run: |
+        if [ "$IGNORE_SCRIPTS" = "true" ]; then
+          pnpm install --frozen-lockfile --ignore-scripts
+        else
+          pnpm install --frozen-lockfile
+        fi
@@ -11,9 +11,11 @@ permissions:
 
 jobs:
   cocoapods:
-    # Only run for Swift releases. Android releases are tagged `android/X.Y.Z`;
-    # Swift releases use bare semver (`X.Y.Z`).
-    if: ${{ github.event_name == 'workflow_dispatch' || !startsWith(github.event.release.tag_name, 'android/') }}
+    # Only run for Swift releases. Swift owns the bare-semver tag namespace
+    # (`X.Y.Z`); other platforms use a slash-prefixed namespace
+    # (`android/X.Y.Z`, `web/X.Y.Z`, etc.). Filtering on "no slash" means this
+    # workflow doesn't need updating each time a new platform namespace lands.
+    if: ${{ github.event_name == 'workflow_dispatch' || !contains(github.event.release.tag_name, '/') }}
     runs-on: ${{ vars.MACOS_RUNNER }}
     env:
       BUNDLE_GEMFILE: ${{ github.workspace }}/platforms/swift/Gemfile

@@ -0,0 +1,134 @@
+name: Web — Publish to npm
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "Override dist-tag (latest, next, beta, etc.). Leave blank to auto-infer ('next' for prereleases, 'latest' for stable versions)."
+        required: false
+        type: string
+      dry-run:
+        description: "Run the full pipeline + pack but skip the actual publish."
+        required: false
+        type: boolean
+        default: false
+
+permissions:
+  contents: read
+  id-token: write
+
+concurrency:
+  group: web-publish
+  cancel-in-progress: false
+
+jobs:
+  publish:
+    name: Publish @shopify/checkout-kit to npm
+    # Only run for web releases. Web tags are `web/X.Y.Z` to disambiguate from
+    # Swift's bare semver and Android's `android/X.Y.Z`.
+    if: |
+      github.event_name == 'workflow_dispatch'
+      || startsWith(github.event.release.tag_name, 'web/')
+    environment:
+      name: npm-web
+      url: https://www.npmjs.com/package/@shopify/checkout-kit
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    defaults:
+      run:
+        working-directory: platforms/web
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      # `ignore-scripts` prevents dep postinstall scripts from running in this
+      # privileged job — primary mitigation against credential exfiltration
+      # from a compromised transitive dependency.
+      - name: Setup Node.js, pnpm, and install dependencies
+        uses: ./.github/actions/setup
+        with:
+          node-version-file: platforms/web/package.json
+          cache-dependency-path: platforms/web/pnpm-lock.yaml
+          package-json-file: platforms/web/package.json
+          working-directory: platforms/web
+          ignore-scripts: "true"
+
+      - name: Validate tag matches package.json version
+        if: github.event_name == 'release'
+        env:
+          TAG_NAME: ${{ github.event.release.tag_name }}
+        run: |
+          set -euo pipefail
+          VERSION_FROM_TAG="${TAG_NAME#web/}"
+          VERSION_FROM_PKG=$(node -p "require('./package.json').version")
+          if [ "$VERSION_FROM_TAG" != "$VERSION_FROM_PKG" ]; then
+            echo "::error::Tag '$TAG_NAME' implies version '$VERSION_FROM_TAG', but package.json has '$VERSION_FROM_PKG'."
+            echo "::error::Bump the version in a PR before tagging the release."
+            exit 1
+          fi
+          echo "✓ Tag '$TAG_NAME' matches package.json version '$VERSION_FROM_PKG'."
+
+      - name: Lint (typecheck + oxlint + format)
+        run: pnpm lint
+
+      - name: Test
+        run: pnpm test
+
+      - name: Build
+        run: pnpm build
+
+      - name: Verify package (publint)
+        run: pnpm verify
+
+      - name: Check license headers
+        run: ./scripts/check_license_headers.rb
+
+      - name: Pack and inspect contents
+        run: |
+          pnpm pack --pack-destination /tmp/web-publish
+          echo "Tarball contents:"
+          tar -tzf /tmp/web-publish/*.tgz | sort
+
+      - name: Compute dist-tag
+        id: tag
+        env:
+          OVERRIDE: ${{ inputs.tag }}
+          PRERELEASE: ${{ github.event.release.prerelease }}
+        run: |
+          set -euo pipefail
+          VERSION=$(node -p "require('./package.json').version")
+          if [ -n "${OVERRIDE:-}" ]; then
+            TAG="$OVERRIDE"
+            echo "Using workflow_dispatch override dist-tag: $TAG"
+          elif [ "${PRERELEASE:-}" = "true" ]; then
+            TAG="next"
+            echo "GitHub Release marked as pre-release — publishing version '$VERSION' under 'next'."
+          elif node -e "process.exit(require('./package.json').version.includes('-') ? 0 : 1)"; then
+            TAG="next"
+            echo "Version '$VERSION' is a semver prerelease (contains '-') — publishing under 'next'."
+            echo "  (Use the 'tag' workflow_dispatch input to override if you really want this on 'latest'.)"
+          else
+            TAG="latest"
+            echo "Stable version '$VERSION' — publishing under 'latest'."
+          fi
+          echo "tag=$TAG" >> "$GITHUB_OUTPUT"
+
+      # `DIST_TAG` is passed via `env:` (not direct ${{ }} interpolation) so
+      # that a workflow_dispatch input like `latest$(whoami)` is treated as a
+      # literal string by bash rather than command substitution.
+      - name: Publish to npm
+        if: ${{ !inputs.dry-run }}
+        run: pnpm publish --no-git-checks --tag "$DIST_TAG" --access public --provenance
+        env:
+          DIST_TAG: ${{ steps.tag.outputs.tag }}
+          NPM_CONFIG_PROVENANCE: "true"
+
+      - name: Dry-run summary
+        if: ${{ inputs.dry-run }}
+        env:
+          DIST_TAG: ${{ steps.tag.outputs.tag }}
+        run: |
+          echo "::notice::Dry-run requested — skipped npm publish."
+          echo "Would have published with: --tag $DIST_TAG --access public --provenance"
@@ -326,6 +326,11 @@ field to try `open()` / `close()` / `focus()` and see the live event stream.
 We welcome code contributions, feature requests, and reporting of issues.
 Please see [guidelines and instructions](../../.github/CONTRIBUTING.md).
 
+## Releasing
+
+See [RELEASING.md](./RELEASING.md) for the day-to-day publish flow, tag
+conventions, and one-time setup notes.
+
 ## License
 
 Shopify's Checkout Kit is provided under an [MIT License](LICENSE).