From d358f42dd030de207d86ed29facdcf6ebe40c6d3 Mon Sep 17 00:00:00 2001
From: Bilal Godil
Date: Tue, 26 May 2026 10:25:58 -0700
Subject: [PATCH] ci(hexclave): scope mirror publish to @hexclave/* packages

Filter `pnpm publish -r` to only the rewritten @hexclave/* packages in the mirror step, removing the reliance on pnpm's skip-existing-versions behavior for the unchanged @stackframe/* packages still in the workspace at that point. Addresses greptile P1 finding on PR #1481.
---
 .github/workflows/npm-publish.yaml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/npm-publish.yaml b/.github/workflows/npm-publish.yaml
index 3a52c2983..7d805f450 100644
--- a/.github/workflows/npm-publish.yaml
+++ b/.github/workflows/npm-publish.yaml
@@ -111,6 +111,11 @@ jobs:
  run: pnpm tsx scripts/rewrite-packages-to-hexclave.ts --version=1.0.0

  - name: Publish @hexclave/* mirror packages
- run: pnpm publish -r --no-git-checks --access public
+ # Filter to @hexclave/* so this step's correctness does not depend on
+ # `pnpm publish -r` silently skipping already-published @stackframe/*
+ # versions — pnpm's skip-existing-versions check has historically
+ # failed open on registry edge cases, and unfiltered re-publish of an
+ # existing version would 403 the whole run.
+ run: pnpm publish -r --filter "@hexclave/*" --no-git-checks --access public
  env:
  NPM_CONFIG_PROVENANCE: true
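Review bot: The new `run:` line fails open when `--filter "@hexclave/*"` selects nothing: by default pnpm treats a filter that matches no workspace project as success, so if the preceding rewrite step renamed no package the mirror would go unpublished behind a green run. Adding pnpm's `--fail-if-no-match` turns that case into a hard failure: `run: pnpm publish -r --filter "@hexclave/*" --fail-if-no-match --no-git-checks --access public`. The added comment's claim that the skip-existing check has "historically failed open on registry edge cases" would be easier to audit with a reference to the pnpm issue it relies on. The job this step belongs to starts outside the hunk, and the `env:` block may continue past its last line.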