NPM publish action runs on any branch (not limited to main) #292

Open
ShrimpCryptid opened this issue Feb 22, 2025 · 1 comment
Labels
bug Something isn't working

Comments

ShrimpCryptid commented Feb 22, 2025

Description

Any tag that is formatted as a version (v*) pushed to any branch will trigger an NPM build and publish for that tagged commit, even if it is not on main.

name: NPM Package
env:
  NODE_VERSION: "20"
on:
  push:
    # Sequence of patterns matched against refs/tags
    tags:
      - "v*" # Push events to matching v*, i.e. v1.0, v20.15.10

^Note how no branch is specified.

Expected Behavior

Possible solutions:

  1. NPM publish action should only be triggered on main.
  2. The NPM publish action should be manually dispatched only.
  3. The NPM publish step should be part of an action that can specify a version bump (patch, minor, major) that is manually dispatched.
  4. Tag protection rules should be implemented on each repo: https://docs.github.com/en/[email protected]/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/configuring-tag-protection-rules
  5. Manually creating a GitHub release should trigger the publish action.

Reproduction

A minimal example that exhibits the behavior.

Notes

I tried to fix this and it led me down a rabbit-hole.

  • Specifying an on>push>branches argument does not work because specifying multiple filters in push works as an OR instead of an AND. (Meaning that adding branches as an argument will cause the action to be triggered on both branches and tags.)
  • Trying to check the branch name based on a ref does not always work. Here's me checking lots of different GitHub environment variables for an npm version patch, none of which were the branch name:
github.event.base_ref ''
github.event.ref 'refs/tags/v1.1.5'
github.ref 'refs/tags/v1.1.5'
github.head_ref ''
github.ref_name 'v1.1.5'
ShrimpCryptid added the bug label Feb 22, 2025

ShrimpCryptid (Contributor, Author) commented

I tried adding a custom step but it seemed to stop working somewhere along the line:

  check-current-branch-is-main:
    runs-on: ubuntu-latest
    outputs:
      branch: ${{ steps.check_step.outputs.branch }}
    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          fetch-depth: 0

      - name: Get current branch
        id: check_step
        # 1. Get the list of branches ref where this tag exists
        # 2. Remove 'origin/' from that result
        # 3. Fail if 'main' is not in the list
        run: |
          raw=$(git branch -r --contains ${{ github.ref }})
          branch="$(echo ${raw//origin\//} | tr -d '\n')"
          echo "Branches where this tag exists : $branch"
          if [[ ! " $branch " =~ " main " ]]; then
            echo "Branch does not include main. Failing the step."
            exit 1
          fi

I was previously able to get it to output a list of branch names with this run method instead:

        run: |
          raw=$(git branch -r --contains ${{ github.ref }})
          branch="$(echo ${raw//origin\//} | tr -d '\n')"
          echo "{name}=branch" >> $GITHUB_OUTPUT
          echo "Branches where this tag exists : $branch"
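
Another way to make the check attempted in the comment above, as an added example that is not code from this issue or the project: it reads the tag from the runner's default `GITHUB_REF` environment variable instead of interpolating `${{ github.ref }}` into the script, and asks git directly whether the tagged commit is reachable from main. It assumes the remote is `origin`, the release branch is `main`, and the checkout used `fetch-depth: 0`; the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not code from this issue or the project.
# Assumptions: remote "origin", release branch "main", and a full-history
# checkout (fetch-depth: 0) so tags and remote-tracking branches exist.
# Function names are hypothetical.

# commit_on_branch <commit-ish> <branch-ref>
#   0: commit is the branch tip or one of its ancestors
#   1: commit is not reachable from the branch
#   2: one of the names does not resolve to a commit
# "^{commit}" peels annotated tags down to the commit they point at.
commit_on_branch() {
    _commit=$(git rev-parse --verify --quiet "$1^{commit}") || return 2
    _tip=$(git rev-parse --verify --quiet "$2^{commit}") || return 2
    git merge-base --is-ancestor "$_commit" "$_tip"
}

# publish_gate: decide whether the tag that triggered the run may be published.
# The ref comes from the GITHUB_REF environment variable, so the tag name is
# only ever handled as data and is never pasted into the script text.
publish_gate() {
    case "${GITHUB_REF:-}" in
        refs/tags/v*) ;;  # same pattern as the workflow's tag filter
        *)
            echo "refusing: '${GITHUB_REF:-}' is not a version tag" >&2
            return 1
            ;;
    esac
    _rc=0
    commit_on_branch "$GITHUB_REF" refs/remotes/origin/main || _rc=$?
    case "$_rc" in
        0)
            echo "ok: $GITHUB_REF is reachable from origin/main"
            ;;
        1)
            echo "refusing: $GITHUB_REF is not reachable from origin/main" >&2
            return 1
            ;;
        *)
            echo "refusing: could not resolve $GITHUB_REF or origin/main" >&2
            return 1
            ;;
    esac
}
```

Calling `publish_gate` in a step that runs before the publish step makes the job fail for tags whose commit is not on main.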
