fix: harden publish workflow against stale main #57

Merged: khaliqgant merged 1 commit into main from fix/publish-stale-main on May 7, 2026
@khaliqgant (Member)

Summary

  • fail publish dispatches that are not running from current main
  • serialize publish workflow runs and atomically push the release commit/tag before npm publish
  • include package-lock.json in release commits and reconcile repo metadata to the already-published 0.1.26

Validation

  • npm ci
  • actionlint .github/workflows/publish.yml
  • npm test

Note

No npm install was needed; npm version 0.1.26 --no-git-tag-version updated only package metadata, and npm ci verified the lockfile.

coderabbitai Bot (Contributor) commented May 7, 2026

Caution

Review failed

The pull request is closed.

📥 Commits

Reviewing files that changed from the base of the PR and between eb5f110 and adf0ff9.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (2)
  • .github/workflows/publish.yml
  • package.json

Walkthrough

The publish workflow is hardened with concurrency control and branch verification, version metadata is incremented to 0.1.26, release commits now include package-lock.json, tag/push operations are made atomic, and summary output is reformatted for clarity.

Changes

Publish Workflow Safety & Release Atomicity

| Layer / File(s) | Summary |
| --- | --- |
| Package Version Metadata (package.json) | Version bumped from 0.1.25 to 0.1.26. |
| Concurrency & Branch Verification (.github/workflows/publish.yml) | Workflow adds concurrency grouping (publish-ricky-main) to prevent overlapping runs; new verification step ensures workflow runs from main and HEAD matches origin/main after fetching tags. |
| Version Commit & Atomic Tag Push (.github/workflows/publish.yml) | Version bump commit now stages both package.json and package-lock.json. Tag/push logic replaced with separate step that creates version tag and atomically pushes commit and tag via git push --atomic origin HEAD:main refs/tags/.... |
| Publishing Commands (.github/workflows/publish.yml) | Publish step invocations for dry-run and real paths updated with consistent tag input quoting. |
| Summary & Reporting (.github/workflows/publish.yml) | Summary step output reorganized to write published package version, npm tag, and dry-run status to GITHUB_STEP_SUMMARY. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

  • AgentWorkforce/ricky#53: Both PRs modify package.json version and refresh package-lock.json, indicating related release or dependency management changes.

Poem

🐰 A publish so safe, with atomic precision,
Locks and verifies with careful decision.
No race conditions shall our releases claim,
From main to the tag, all stays the same! 🏷️

khaliqgant merged commit 7247a74 into main on May 7, 2026 (1 check was pending)
khaliqgant deleted the fix/publish-stale-main branch on May 7, 2026 08:53
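
The two safeguards described in this PR (refusing to publish unless HEAD matches origin/main, and pushing the release commit and tag with `git push --atomic`) can be exercised in a throwaway sandbox. This is an added example, not the workflow from the PR; the function names, the sandbox layout, and the v0.0.x tags are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example, not the project's workflow; all function names are hypothetical.

# Pass only when the dispatched ref is main and HEAD is exactly origin/main.
verify_current_main() {   # $1 = repo dir, $2 = dispatched ref name
  git -C "$1" fetch --quiet --tags origin || return 2
  [ "$2" = "main" ] || return 1
  [ "$(git -C "$1" rev-parse HEAD)" = "$(git -C "$1" rev-parse origin/main)" ]
}

# Tag HEAD, then push commit and tag as one transaction: if main has moved,
# neither ref is updated, so no release tag lands without its commit on main.
atomic_release_push() {   # $1 = repo dir, $2 = tag name
  git -C "$1" tag "$2" || return 2
  git -C "$1" push --quiet --atomic origin HEAD:main "refs/tags/$2"
}

commit_in() {             # empty commit with a throwaway identity
  git -C "$1" -c user.name=demo -c user.email=demo@example.invalid \
    commit --quiet --allow-empty -m "$2"
}

# Constructed sandbox: bare origin, clone "a" (release runner), clone "b" (other pusher).
make_sandbox() {
  git init --quiet --bare "$1/origin.git" &&
  git -C "$1/origin.git" symbolic-ref HEAD refs/heads/main &&
  git clone --quiet "$1/origin.git" "$1/a" 2>/dev/null &&
  git -C "$1/a" symbolic-ref HEAD refs/heads/main &&
  commit_in "$1/a" "initial" &&
  git -C "$1/a" push --quiet origin HEAD:main &&
  git clone --quiet "$1/origin.git" "$1/b"
}

# Scenario: "b" lands a commit on main after "a" checked out, then "a" tries to release.
demo() {
  d=$(mktemp -d) || return 2
  make_sandbox "$d" >/dev/null || return 2
  verify_current_main "$d/a" main && echo "fresh: guard passes"
  commit_in "$d/b" "unrelated change" && git -C "$d/b" push --quiet origin HEAD:main
  verify_current_main "$d/a" main || echo "stale: guard fails"
  commit_in "$d/a" "release 0.0.1"   # what a run without the guard would do next
  atomic_release_push "$d/a" v0.0.1 2>/dev/null || echo "stale: atomic push rejected"
  [ -z "$(git -C "$d/origin.git" tag -l v0.0.1)" ] && echo "origin has no v0.0.1 tag"
  rm -rf "$d"
}
```

Calling `demo` prints one line per check; in a workflow the ref name passed to `verify_current_main` would come from the run context rather than a literal.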