From a0eb50454c1326da459e8bc69d362dd6835c8a3f Mon Sep 17 00:00:00 2001
From: Aidan Daly <aidandal@amazon.com>
Date: Wed, 29 Apr 2026 17:12:00 -0400
Subject: [PATCH] fix(ci): publish from release branch instead of base branch

The publish jobs were checking out main/preview which could serve a
stale ref without the version bump commit. Now they checkout the
release branch directly (release/v<version>) which is guaranteed to
have the correct version. Added version verification before publish
as a safety check.
---
 .../workflows/release-main-and-preview.yml    | 30 ++++++++++++++++---
 1 file changed, 26 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/release-main-and-preview.yml b/.github/workflows/release-main-and-preview.yml
index b3cfb5ee2..26003f19d 100644
--- a/.github/workflows/release-main-and-preview.yml
+++ b/.github/workflows/release-main-and-preview.yml
@@ -375,10 +375,10 @@ jobs:
       contents: write
 
     steps:
-      - name: Checkout main
+      - name: Checkout release branch
         uses: actions/checkout@v6
         with:
-          ref: main
+          ref: release/v${{ needs.prepare-main.outputs.version }}
           fetch-depth: 0
 
       - uses: actions/setup-node@v6
@@ -390,6 +390,17 @@ jobs:
       - run: npm ci
       - run: npm run build
 
+      - name: Verify version before publish
+        env:
+          EXPECTED: ${{ needs.prepare-main.outputs.version }}
+        run: |
+          ACTUAL=$(node -p "require('./package.json').version")
+          if [ "$ACTUAL" != "$EXPECTED" ]; then
+            echo "❌ Version mismatch: expected $EXPECTED, got $ACTUAL"
+            exit 1
+          fi
+          echo "✅ Publishing version $ACTUAL"
+
       - name: Publish to npm
         run: npm publish --access public --provenance --tag latest
 
@@ -431,10 +442,10 @@ jobs:
       contents: write
 
     steps:
-      - name: Checkout preview
+      - name: Checkout release branch
         uses: actions/checkout@v6
         with:
-          ref: preview
+          ref: release/v${{ needs.prepare-preview.outputs.version }}
           fetch-depth: 0
 
       - uses: actions/setup-node@v6
@@ -446,6 +457,17 @@ jobs:
       - run: npm ci
       - run: npm run build
 
+      - name: Verify version before publish
+        env:
+          EXPECTED: ${{ needs.prepare-preview.outputs.version }}
+        run: |
+          ACTUAL=$(node -p "require('./package.json').version")
+          if [ "$ACTUAL" != "$EXPECTED" ]; then
+            echo "❌ Version mismatch: expected $EXPECTED, got $ACTUAL"
+            exit 1
+          fi
+          echo "✅ Publishing version $ACTUAL"
+
       - name: Publish to npm
         run: npm publish --access public --provenance --tag preview