fix(ci): use Node 24 for publish workflow + add workflow_dispatch

[kherembourg]

Summary

• The 5.7.3 publish run failed at the Ensure npm >= 11.5.1 step: npm install -g npm@latest crashed with Cannot find module 'promise-retry' on Node 22.22.2 — a known regression in npm self-upgrade on hosted runners.
• Switch the publish job to Node 24 (ships with npm 11.x by default), removing the broken self-upgrade. Replaced by a fail-fast version guard.
• Add a workflow_dispatch trigger with a tag input so the publish can be retriggered for an existing release tag (e.g. 5.7.3) without recreating the GitHub release.

Test plan

• Merge to main
• Trigger via gh workflow run publish.yml --ref main -f tag=5.7.3
• Confirm CI green, npm version printed >= 11.5.1, all 5 packages published with provenance

🤖 Generated with Claude Code

[greptile-apps]

Greptile Summary

This PR fixes the publish workflow by switching to Node 24 (which bundles npm 11.x), replacing the broken npm install -g npm@latest step, and adding a workflow_dispatch trigger so a publish can be manually re-run for an existing tag.

• The npm version guard introduced as a replacement safety check is silently broken: process.argv[1] is always an empty string under node -e, so the version comparison evaluates NaN against numeric bounds and always passes — process.argv[2] is the correct index for the argument.

Confidence Score: 3/5

Safe to merge in practice (Node 24 ships with npm 11.x), but the version guard added as a failsafe is non-functional and should be corrected.

One P1 finding: the npm version guard always passes due to reading the wrong argv index, defeating its purpose. The actual Node upgrade (22→24) and workflow_dispatch addition are correct, and the risk of Node 24 shipping with npm <11.5.1 is negligible today — but the guard provides no real protection as written.

.github/workflows/publish.yml — specifically the Verify npm version step

Important Files Changed

Filename	Overview
.github/workflows/publish.yml	Upgrades Node to 24, replaces broken npm self-upgrade with a version guard, and adds workflow_dispatch — but the version guard reads process.argv[1] instead of process.argv[2], making it a no-op.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A([release: published]) --> D
    B([workflow_dispatch\ntag input]) --> C{Checkout}
    C -- tag input --> E[git ref = inputs.tag]
    C -- release event --> F[git ref = github.ref]
    E --> G[Setup Node 24]
    F --> G
    D([ci job]) --> G
    G --> H[Verify npm >= 11.5.1\n⚠️ guard is no-op]
    H --> I[Build all packages\nyarn install + all:prepare]
    I --> J{Verify versions\nmatch TAG}
    J -- mismatch --> K([exit 1])
    J -- match --> L[Publish 5 packages\nwith --provenance]

Loading

Prompt To Fix All With AI

Fix the following 1 code review issue. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 1
.github/workflows/publish.yml:48-53
**Wrong `process.argv` index — version guard is a no-op**

When Node.js runs `node -e "script" "$NPM_VERSION"`, `process.argv[1]` is set to an empty string (not the argument); the npm version string lands at `process.argv[2]`. As a result `process.argv[1].split('.')` always produces `['']`, `Number('')` is `NaN`, and every comparison (`NaN < 11`, `NaN === 11`) evaluates to `false` — so the guard never fires regardless of the actual npm version.

```suggestion
          node -e "
            const [maj, min, patch] = process.argv[2].split('.').map(Number);
            if (maj < 11 || (maj === 11 && (min < 5 || (min === 5 && patch < 1)))) {
              console.error('npm ' + process.argv[2] + ' is below required 11.5.1');
              process.exit(1);
            }
          " "$NPM_VERSION"
```

_{Reviews (1): Last reviewed commit: "fix(ci): use Node 24 for publish workflo..." | Re-trigger Greptile}

[kherembourg]

Greptile finding addressed in e878cb5.

Technical note on the original report: the claim that process.argv[1] is empty under node -e "script" "$NPM_VERSION" is incorrect for Node 22.x and Node 24/25 — empirically argv is [execPath, "<value>"] (no [eval] placeholder), so argv[1] is the first user arg and the original guard did fire correctly. Verified locally on node v22.22.1 and v25.9.0:

$ node -e "console.log(process.argv)" "11.5.1"
[ '/path/to/node', '11.5.1' ]

That said, the inline node -e was easy to misread. Replaced with a sort -V comparison which is unambiguous and works regardless of any future runtime quirks:

if [ "$(printf '%s\n%s\n' "11.5.1" "$NPM_VERSION" | sort -V | head -n1)" != "11.5.1" ]; then
  echo "::error::npm $NPM_VERSION is below required 11.5.1"
  exit 1
fi

Validated locally against 10.0.0, 11.5.0, 11.5.1, 11.6.0, 12.0.0 — guard fires correctly for everything below 11.5.1.