fix(ci): publish release with npm instead of ut publish

[killagu]

Motivation

The Manual Release run failed at the Publish packages step:

📦 Publishing 79 packages (tag: beta, provenance)
error: unexpected argument '--access' found
Usage: ut publish [OPTIONS]

ut publish does not accept npm-native flags (--access, --provenance), and more importantly it cannot do npm trusted publishing / provenance via OIDC — which is the whole reason the release workflow uses them. So this switches scripts/publish.js back to npm publish.

The catch: npm doesn't replicate everything pnpm publish did

A naive ut → npm swap would publish broken packages, because npm understands neither of two things that pnpm publish handled for us before the utoo migration:

1. workspace: / catalog: protocol specifiers. 79 publishable packages ship workspace:*, catalog: and catalog:path-to-regexp1 in their runtime dependencies (984 such specs). npm publishes them verbatim → uninstallable packages.
2. publishConfig field hoisting. 77/79 packages set a dev-time root exports pointing at ./src/*.ts and a publishConfig.exports pointing at compiled ./dist/*.js. pnpm hoists publishConfig on publish; npm does not. Since files: ["dist"], the source isn't even in the tarball — every consumer's import 'egg' would resolve to a non-existent ./src/index.ts. (npm exits 0 either way, so it fails silently.)

Changes

scripts/publish.js now prepares each manifest right before npm publish and restores it in a finally (crash-safe), mirroring pnpm:

• resolve workspace:* → exact in-repo version, workspace:^/~ → prefixed; catalog: / catalog:<name> → the spec from pnpm-workspace.yaml
• hoist publishConfig overrides (notably exports) onto the top-level manifest

scripts/utils.js gains getWorkspaceVersionMap, getCatalogs, resolveWorkspaceProtocols, and applyPublishConfigOverrides (and a collectWorkspacePackages refactor that keeps getPublishablePackages behavior identical). Also: isPublished() now uses the resolved npm/npm.cmd binary for Windows parity, and a redundant .filter(!private) in sync-cnpm.js is dropped.

Tests / verification

• Across all 79 publishable packages / 984 deps: 0 leftover workspace:/catalog: specifiers after rewrite; every workspace:* → exact version, every catalog: → its table spec.
• Ground-truth match against the last pnpm-published manifests on npm: @eggjs/router (path-to-regexp: ^1.9.0 via the named catalog), @eggjs/security (@eggjs/ip: ^2.1.0, @eggjs/path-matching exact), and @eggjs/core reproduce exactly.
• publishConfig.exports hoisted for all 77 packages that declare it; 0 resolved exports left pointing at src/.
• Real npm pack of @eggjs/core with the full rewrite produces exports["."] = "./dist/index.js"; the manifest is restored afterwards (git clean).
• npm publish --dry-run accepts --access/--tag/--dry-run (the flags ut publish rejected).
• oxfmt --check and oxlint --type-aware clean; pre-commit hook passes.

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features

  • Publishing now supports workspace-linked and catalog-based dependency/version resolution for each package.
  • Publish settings are applied automatically during publishing so released metadata stays consistent.

• Bug Fixes

  • Prevents leaving modified manifests behind by restoring package files after publish operations, even on failure.
  • Improved cross-platform publishing behavior (including Windows).

• Behavior Changes

  • Dry-run no longer retries after simulated failures; failures are reported accurately for visibility.
  • Still skips packages already available on the registry and retries failed publishes once (non-dry-run).

[Copilot]

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: db56aa7c-1439-4506-8a1e-5bd7e8699e64

📥 Commits

Reviewing files that changed from the base of the PR and between cc188d5 and 63bcebc.

📒 Files selected for processing (1)

• scripts/publish.js

🚧 Files skipped from review as they are similar to previous changes (1)

• scripts/publish.js

---

📝 Walkthrough

Walkthrough

The publish pipeline switches from ut publish to npm-native publishing. Workspace package metadata is centralized in scripts/utils.js, then consumed by scripts/publish.js to rewrite manifests before npm publish and restore them afterward. scripts/sync-cnpm.js now delegates publishable-package filtering.

Changes

npm-native publish with manifest rewriting

Layer / File(s)	Summary
Workspace utilities and protocol resolution scripts/utils.js	Adds workspace config parsing, package collection, version/catalog lookup helpers, protocol resolution for workspace: and catalog: dependencies, and publishConfig override rewriting. getPublishablePackages now uses the shared collector and filters private packages.
npm-native publishOne with manifest rewriting scripts/publish.js	Precomputes workspace version/catalog data, uses a platform-aware npm binary, rewrites each package manifest before npm publish, restores the original manifest in finally, and adjusts dry-run retry handling.
sync-cnpm private filter delegation scripts/sync-cnpm.js	Derives baseDir once and passes it to getPublishablePackages, removing the inline private-package filter.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• eggjs/egg#5810: Changes the monorepo publish flow in scripts/publish.js, including per-package publication and failure handling.
• eggjs/egg#5963: Also modifies the publishing script’s execution path and package publishing behavior.
• eggjs/egg#6013: Applies publishConfig-style manifest rewriting and workspace protocol handling in a closely related publishing flow.

Poem

🐇 Hop, hop, the manifests align,
workspace: paths now publish fine.
npm sings on every land,
and finally restores by hand.
The rabbit smiles, tail so neat—
clean package tracks and zero sneaks.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change: switching the release publish flow from ut publish to npm publish in CI.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/keen-cerf-431678

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[cloudflare-workers-and-pages]

Deploying egg with    Cloudflare Pages

Latest commit:	63bcebc
Status:	✅  Deploy successful!
Preview URL:	https://ce2eb24c.egg-cci.pages.dev
Branch Preview URL:	https://claude-keen-cerf-431678.egg-cci.pages.dev

View logs

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 81.95%. Comparing base (10705cd) to head (63bcebc).

Additional details and impacted files

@@           Coverage Diff           @@
##             next    #6016   +/-   ##
=======================================
  Coverage   81.95%   81.95%           
=======================================
  Files         677      677           
  Lines       20652    20652           
  Branches     4100     4100           
=======================================
  Hits        16925    16925           
  Misses       3214     3214           
  Partials      513      513           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[cloudflare-workers-and-pages]

Deploying egg-v3 with    Cloudflare Pages

Latest commit:	63bcebc
Status:	✅  Deploy successful!
Preview URL:	https://e4b716b6.egg-v3.pages.dev
Branch Preview URL:	https://claude-keen-cerf-431678.egg-v3.pages.dev

View logs

[gemini-code-assist]

Code Review

This pull request updates the package publishing scripts to use npm directly instead of ut publish, ensuring support for npm trusted publishing and provenance via OIDC. It introduces manifest rewriting in scripts/publish.js and scripts/utils.js to resolve workspace: and catalog: protocol specifiers and hoist publishConfig overrides before publishing, restoring the original manifest afterwards. Additionally, it simplifies scripts/sync-cnpm.js by removing redundant filtering. I have no feedback to provide as there are no review comments to address.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.