ci: publish snapshot packages when PR body includes #snapshot (#14)

* ci: add PR #snapshot marker flow to publish tagged snapshot packages

* fix: provide GITHUB_TOKEN for snapshot changeset version step

* fix: configure npm auth before PR snapshot publish

* fix: run #snapshot publish on pull_request_target with package write token

* fix: gate snapshot publish on PR marker and harden release auth

---------

Co-authored-by: Daniel Clayton <dan@Daniels-Mac-mini.local>

Author: danbot315

.github/workflows/ci.yml

@@ -4,6 +4,8 @@ on:
   push:
     branches: [main]
   pull_request:
+  pull_request_target:
+    types: [opened, edited, synchronize, reopened]
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -15,6 +17,7 @@ permissions:
 jobs:
   quality:
     name: Quality checks
+    if: github.event_name != 'pull_request_target'
     runs-on: ubuntu-latest
 
     steps:
@@ -40,3 +43,58 @@ jobs:
 
       - name: Core contract tests
         run: bun run test -- packages/core/src/workflow-generator.test.ts packages/core/src/context.test.ts packages/core/src/config.test.ts packages/core/src/plugins/shared-workflow-helper.test.ts
+
+  snapshot-publish:
+    name: Snapshot publish (PR marker)
+    if: github.event_name == 'pull_request_target' && contains(github.event.pull_request.body || '', '#snapshot') && github.event.pull_request.head.repo.full_name == github.repository
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout PR head
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: 1.2.22
+
+      - name: Install dependencies
+        run: bun install --frozen-lockfile
+
+      - name: Build
+        run: bun run build
+
+      - name: Detect pending changesets
+        id: changesets
+        run: |
+          COUNT=$(find .changeset -maxdepth 1 -name '*.md' ! -name 'README.md' | wc -l | tr -d ' ')
+          echo "count=$COUNT" >> "$GITHUB_OUTPUT"
+          if [ "$COUNT" -eq 0 ]; then
+            echo "No pending changesets found. Skipping snapshot publish."
+          fi
+
+      - name: Version snapshot from changesets
+        if: steps.changesets.outputs.count != '0'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: bunx changeset version --snapshot pr-${{ github.event.pull_request.number }}
+
+      - name: Configure npm auth for GitHub Packages
+        if: steps.changesets.outputs.count != '0'
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          echo "@dotgithub:registry=https://npm.pkg.github.com" >> ~/.npmrc
+          echo "//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}" >> ~/.npmrc
+
+      - name: Publish snapshot tag
+        if: steps.changesets.outputs.count != '0'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: bunx changeset publish --tag pr-${{ github.event.pull_request.number }} --registry https://npm.pkg.github.com

.github/workflows/release.yml

@@ -43,6 +43,8 @@ jobs:
 
       - name: Version packages from changesets
         if: steps.changesets.outputs.count != '0'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: bun run changeset:version
 
       - name: Commit version updates to main
@@ -54,6 +56,14 @@ jobs:
           git commit -m "chore(release): version packages [skip ci]" || exit 0
           git push
 
+      - name: Configure npm auth for GitHub Packages
+        if: steps.changesets.outputs.count != '0'
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          echo "@dotgithub:registry=https://npm.pkg.github.com" >> ~/.npmrc
+          echo "//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}" >> ~/.npmrc
+
       - name: Publish packages
         if: steps.changesets.outputs.count != '0'
         env: