From 65a0e64fe49610463eb5e60f4ad773375a298d47 Mon Sep 17 00:00:00 2001
From: Alex Gusev <alex.gusev@uploadcare.com>
Date: Tue, 9 Jun 2026 15:30:02 +0600
Subject: [PATCH] ci: migrate npm publish to staged publishing

---
 .github/workflows/shipjs-trigger.yml | 24 +++++++++++++++++++++---
 ship.config.mjs                      |  2 +-
 2 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/shipjs-trigger.yml b/.github/workflows/shipjs-trigger.yml
index 81d8a17..592e20e 100644
--- a/.github/workflows/shipjs-trigger.yml
+++ b/.github/workflows/shipjs-trigger.yml
@@ -9,14 +9,16 @@ jobs:
     runs-on: ubuntu-latest
     if: github.event.pull_request.merged == true && startsWith(github.head_ref, 'releases/v')
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
           ref: master
-      - uses: actions/setup-node@v2
+      - uses: actions/setup-node@v4
         with:
           registry-url: "https://registry.npmjs.org"
-          node-version: '16'
+          node-version: '24'
+      - name: Pin npm with staged publishing support
+        run: npm install -g npm@">=11.15.0"
       - run: |
           git config --global user.email "github-actions[bot]@users.noreply.github.com"
           git config --global user.name "github-actions[bot]"
@@ -27,3 +29,19 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           NPM_AUTH_TOKEN: ${{ secrets.NPM_AUTH_TOKEN }}
+      - name: Read package metadata
+        id: pkg
+        run: |
+          {
+            echo "name=$(node -p "require('./package.json').name")"
+            echo "version=$(node -p "require('./package.json').version")"
+          } >> "$GITHUB_OUTPUT"
+      - name: Notify Slack about staged release
+        uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0
+        env:
+          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
+        with:
+          channel-id: ${{ secrets.SLACK_NPM_RELEASE_CHANNEL }}
+          slack-message: |
+            :package: *${{ steps.pkg.outputs.name }}@${{ steps.pkg.outputs.version }}* staged for review
+            Review & approve (2FA required): https://www.npmjs.com/package/${{ steps.pkg.outputs.name }}?activeTab=staged
diff --git a/ship.config.mjs b/ship.config.mjs
index 96ea6e6..0c92572 100644
--- a/ship.config.mjs
+++ b/ship.config.mjs
@@ -1,5 +1,5 @@
 export default {
-  publishCommand: ({ defaultCommand }) => `${defaultCommand} --access public`,
+  publishCommand: ({ tag }) => `npm stage publish --tag ${tag}`,
   mergeStrategy: { toSameBranch: ['master'] },
   pullRequestReviewers: ['nd0ut']
 }