fix(ci): replace inline shell commands with dedicated validation script

CI workflows incorrectly passed shell operators (&&) as literal script
arguments, causing them to be interpreted as test file filters rather than
separate commands.

Solution:
- Add scripts/ci-validate.mjs to orchestrate test/check/build steps
- Add ci:validate script to package.json
- Update workflows to use ci:validate instead of inline shell commands
- Update provenance workflow SHA for smart script name detection
- Change publish:ci from --skip-checks to --skip-git flag
- Add build artifact validation when skipping build step

Follows Socket project pattern: setup-script calls package.json script that
invokes .mjs file, avoiding shell operators in YAML. The ci: prefix prevents
conflicts with npm lifecycle hooks.

Author: jdalton

.github/workflows/ci.yml

@@ -23,7 +23,7 @@ jobs:
       lint-script: 'pnpm run lint --all'
       node-versions: '["24.10.0"]'
       os-versions: '["ubuntu-latest", "windows-latest"]'
-      test-script: 'pnpm run test --all'
+      test-script: 'pnpm run test --all --skip-build'
       test-setup-script: 'pnpm run build'
-      type-check-script: 'pnpm run check'
+      type-check-script: 'pnpm run type'
       type-check-setup-script: 'pnpm run build'

.github/workflows/provenance.yml

@@ -23,11 +23,11 @@ permissions:
 
 jobs:
   publish:
-    uses: SocketDev/socket-registry/.github/workflows/provenance.yml@4709a2443e5a036bb0cd94e5d1559f138f05994c # main
+    uses: SocketDev/socket-registry/.github/workflows/provenance.yml@0f9229dbc545a2de7b06024756e41fa5e0debc8b # main
     with:
       debug: ${{ inputs.debug }}
       dist-tag: ${{ inputs.dist-tag }}
       package-name: '@socketsecurity/sdk'
       publish-script: 'publish:ci'
-      setup-script: 'pnpm run build'
+      setup-script: 'ci:validate'
       use-trusted-publishing: true

package.json

@@ -46,9 +46,10 @@
     "lint": "node scripts/lint.mjs",
     "precommit": "pnpm run check --lint --staged",
     "prepare": "husky",
+    "ci:validate": "node scripts/ci-validate.mjs",
     "prepublishOnly": "echo 'ERROR: Use GitHub Actions workflow for publishing' && exit 1",
     "publish": "node scripts/publish.mjs",
-    "publish:ci": "node scripts/publish.mjs --skip-checks --skip-build --tag ${DIST_TAG:-latest}",
+    "publish:ci": "node scripts/publish.mjs --skip-git --skip-build --tag ${DIST_TAG:-latest}",
     "claude": "node scripts/claude.mjs",
     "test": "node scripts/test.mjs",
     "type": "tsgo --noEmit -p .config/tsconfig.check.json",

scripts/ci-validate.mjs

@@ -0,0 +1,78 @@
+/**
+ * @fileoverview CI validation script for publishing workflow.
+ * Runs test, check, and build steps in sequence.
+ */
+
+import path from 'node:path'
+import { fileURLToPath } from 'node:url'
+
+import { getDefaultLogger } from '@socketsecurity/lib/logger'
+import { spawn } from '@socketsecurity/lib/spawn'
+import { printHeader } from '@socketsecurity/lib/stdio/header'
+
+const logger = getDefaultLogger()
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url))
+const rootPath = path.resolve(__dirname, '..')
+
+async function runCommand(command, args = []) {
+  return new Promise((resolve, reject) => {
+    const spawnPromise = spawn(command, args, {
+      cwd: rootPath,
+      stdio: 'inherit',
+    })
+
+    const child = spawnPromise.process
+
+    child.on('exit', code => {
+      resolve(code || 0)
+    })
+
+    child.on('error', error => {
+      reject(error)
+    })
+  })
+}
+
+async function main() {
+  try {
+    printHeader('CI Validation')
+
+    // Run tests
+    logger.step('Running tests')
+    let exitCode = await runCommand('pnpm', ['test', '--all'])
+    if (exitCode !== 0) {
+      logger.error('Tests failed')
+      process.exitCode = exitCode
+      return
+    }
+    logger.success('Tests passed')
+
+    // Run checks
+    logger.step('Running checks')
+    exitCode = await runCommand('pnpm', ['check', '--all'])
+    if (exitCode !== 0) {
+      logger.error('Checks failed')
+      process.exitCode = exitCode
+      return
+    }
+    logger.success('Checks passed')
+
+    // Run build
+    logger.step('Building project')
+    exitCode = await runCommand('pnpm', ['build'])
+    if (exitCode !== 0) {
+      logger.error('Build failed')
+      process.exitCode = exitCode
+      return
+    }
+    logger.success('Build completed')
+
+    logger.success('CI validation completed successfully!')
+  } catch (error) {
+    logger.error(`CI validation failed: ${error.message}`)
+    process.exitCode = 1
+  }
+}
+
+main()

scripts/publish.mjs

@@ -18,7 +18,6 @@ const logger = getDefaultLogger()
 const __dirname = path.dirname(fileURLToPath(import.meta.url))
 const rootPath = path.join(__dirname, '..')
 const WIN32 = process.platform === 'win32'
-const CI = !!process.env.CI
 
 // Simple inline logger.
 const log = {
@@ -236,6 +235,37 @@ async function runPrePublishChecks(options = {}) {
   return true
 }
 
+/**
+ * Validate that build artifacts exist.
+ */
+async function validateBuildArtifacts() {
+  log.step('Validating build artifacts')
+
+  // Check for main entry point.
+  const distIndex = path.join(rootPath, 'dist', 'index.js')
+  if (!existsSync(distIndex)) {
+    log.error('Missing dist/index.js')
+    return false
+  }
+
+  // Check for type definitions.
+  const distIndexDts = path.join(rootPath, 'dist', 'index.d.ts')
+  if (!existsSync(distIndexDts)) {
+    log.error('Missing dist/index.d.ts')
+    return false
+  }
+
+  // Check for types directory.
+  const typesDir = path.join(rootPath, 'types')
+  if (!existsSync(typesDir)) {
+    log.error('Missing types/ directory')
+    return false
+  }
+
+  log.success('Build artifacts validated')
+  return true
+}
+
 /**
  * Build the project.
  */
@@ -464,7 +494,7 @@ async function main() {
       logger.log('  --dry-run      Perform a dry-run without publishing')
       logger.log('  --force        Force publish even with warnings')
       logger.log('  --skip-checks  Skip pre-publish checks')
-      logger.log('  --skip-build   Skip build step (not allowed in CI)')
+      logger.log('  --skip-build   Skip build step (validates artifacts exist)')
       logger.log('  --skip-git     Skip git status checks')
       logger.log('  --skip-tag     Skip git tag push')
       logger.log('  --complex      Use complex multi-package flow')
@@ -480,13 +510,6 @@ async function main() {
       return
     }
 
-    // Check CI restrictions.
-    if (CI && values['skip-build']) {
-      log.error('--skip-build is not allowed in CI')
-      process.exitCode = 1
-      return
-    }
-
     printHeader('Publish Runner')
 
     // Get current version.
@@ -515,6 +538,14 @@ async function main() {
         process.exitCode = 1
         return
       }
+    } else {
+      // Validate that build artifacts exist when skipping build.
+      const artifactsExist = await validateBuildArtifacts()
+      if (!artifactsExist && !values.force) {
+        log.error('Build artifacts missing - run pnpm build first')
+        process.exitCode = 1
+        return
+      }
     }
 
     // Publish.