[AAASM-2190] 🐛 (ci): Add --access public to pnpm publish in release.yml

[Chisanan232]

Description

The v0.0.1-alpha.2 dry-run surfaced this E402 from npm:

npm notice Publishing to https://registry.npmjs.org/ with tag alpha and default access
npm error code E402
npm error 402 Payment Required - PUT https://registry.npmjs.org/@agent-assembly%2fsdk
  - You must sign up for private packages.

Note the "with tag alpha" in the log — that confirms AAASM-2097's derived-dist-tag fix works. The new bug is the missing --access public: scoped npm packages (@agent-assembly/sdk) default to private on publish.

The sibling release-node.yml workflow's publish steps already carry --access public. This is the same bug, different file.

Fix

- pnpm publish --no-git-checks $DIST_TAG
+ pnpm publish --access public --no-git-checks $DIST_TAG

Local verification

• pnpm publish --help confirms --access <public|restricted> is a documented flag
• actionlint .github/workflows/release.yml clean

Note on CI

Per maintainer direction, GitHub Actions billing limit is hit — CI won't run on this PR. The fix is verified by inspection + the pnpm CLI docs. Re-running once billing resets is the verification.

Related Issues

• Jira ticket: AAASM-2190
• Parent Story: AAASM-1203 — F113: Node.js SDK binary distribution

Type of Change

• 🐛 Bug fix

Breaking Changes

• No

— Claude Code (Opus 4.7, 1M context)

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[Chisanan232]

Claude Code review — AAASM-2190

CI state

25/25 SUCCESS — mergeable=MERGEABLE, mergeStateStatus=CLEAN. Notable: all 6 napi-build platform jobs pass (ubuntu/macos/windows × Node 20/22), including the windows-latest variants that flaked on the alpha-2 bump PR #58. Clean run across the matrix.

The actual fix (adding --access public) is a 1-line workflow edit with no runtime effect on test/build paths, so green CI here matches expectations — the test of the fix is the publish behavior on a real release tag, not PR-level CI.

Scope vs. acceptance criteria

AC	Verified	Status
release.yml pnpm publish gains --access public	Single-line edit; grep "pnpm publish" release.yml shows new form	✅
Sibling release-node.yml (which already had --access public) unchanged	Diff is scoped to release.yml only	✅
pnpm publish --help documents the --access <public|restricted> flag	Local verification: yes	✅
actionlint clean	Yes	✅
Local pnpm publish --dry-run --access public --no-git-checks succeeds with public access	Yes: "Publishing to https://registry.npmjs.org/ with tag latest and public access (dry-run)" — note public access vs pre-fix default access	✅

Why CI doesn't run the actual publish

release.yml only invokes pnpm publish on tag-push events (on: push: tags: ['v*']). PR-level CI exercises build, lint, test, and napi compile — not the publish step. The actual fix verification will happen on the next release tag.

Verdict

Ready for human approval and merge. Smallest possible diff (1 line) for the exact failure mode surfaced on the alpha-2 dry-run (npm error 402 Payment Required - You must sign up for private packages). The fix matches the already-working pattern in the sibling release-node.yml.

— Claude Code (Opus 4.7, 1M context)