
fix(ci): sync platform package versions + force local-path publish #55

Merged: 27Bslash6 merged 3 commits into main from ci/fix-platform-publish-bugs on May 17, 2026
Conversation

@27Bslash6 27Bslash6 commented May 17, 2026

Summary

Two latent bugs in `build-native.yml`'s publish job, caught during the local 0.1.2 bootstrap publish. Neither would have allowed a successful release-please-driven publish even with a working `NPM_TOKEN` — the publish job has never actually run end-to-end.

Bug 1: missing `napi version` (platform packages stuck at scaffolded version)

napi-rs scaffolds `npm/<platform>/package.json` files at the version present when `napi build` first ran (here: 0.1.0). They don't update on subsequent version bumps unless explicitly synced.

Without this step, every release would have published the platform packages at `0.1.0` forever, even as the parent package bumped to 0.1.2, 0.1.3, etc. The main `@cachekit-io/cachekit-core-ts` package would then fail to install because its `optionalDependencies` request a matching version that wouldn't exist.

Fix: `npx napi version` between `napi artifacts` and the publish loop. It reads the parent package's version and writes it into each `npm/<platform>/package.json`.

Bug 2: `find ... npm publish {}` interpreted as GitHub shorthand

`npm publish npm/darwin-arm64` is interpreted as the GitHub shorthand `<user>/<repo>`, not a local directory. npm tries `ssh://git@github.com/npm/darwin-arm64.git`, fails with `Permission denied (publickey)` because GHA runners have no SSH key for github.com.

Visible in run 25986564957 which fired on the `cachekit-core-ts-v0.1.2` tag push.

Fix: prefix `{}` with `./` to force local-directory interpretation.

Why now

Surfaced during the local-publish bootstrap script (`/tmp/publish-cachekit-0.1.2.sh`). Both bugs reproduced locally; both fixes were validated in the script. The same fixes here mean future CI-driven releases work as intended.

Interaction with #50

#50 (OIDC trusted publishing, draft) also touches the publish steps in this workflow — replacing `NODE_AUTH_TOKEN` with OIDC. When #50 is ready to come out of draft, it'll rebase onto this fix and keep both improvements.

Test plan

  • `actionlint` clean
  • Both fixes validated locally during the 0.1.2 publish script run (the napi version step bumped all 5 platform jsons to 0.1.2; the `./` prefix avoided the GitHub shorthand interpretation)
  • Next `cachekit-core-ts-v*` tag push exercises the full publish job end-to-end (requires ci: switch npm publish to OIDC trusted publishing (removes NPM_TOKEN) #50 + trusted publishers to land before `NPM_TOKEN` can be retired, but this PR's fixes work with either auth model)

Summary by CodeRabbit

  • Chores
    • Improved automated publishing workflow to sync per-platform package versions with the main package before publishing.
    • Switched to publishing platform packages via explicit local package paths for more reliable releases.
    • Adjusted preparation and publish steps and clarified flags/behavior to reduce release inconsistencies and better document expected outcomes.
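
The two checks described in the PR description above, sketched as shell functions; this is an added example, not part of the PR or the project's workflow. The function names and the sed-based `pkg_version` (which assumes npm's one-field-per-line `package.json` layout) are assumptions, and `publish_plan` only prints the commands it would run.

```bash
# Added example (not the project's workflow): guards for the two publish bugs.

# Print the "version" field of a package.json.
# Assumption: npm-style pretty-printed JSON with one field per line.
pkg_version() {
  sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Bug 1 guard: every npm/<platform>/package.json must carry the parent version.
# Prints one line per stale package and returns 1 if any is out of sync.
check_platform_versions() {
  local root want got dir rc
  root=$1; rc=0
  want=$(pkg_version "$root/package.json")
  [ -n "$want" ] || { echo "no version in $root/package.json"; return 1; }
  for dir in "$root"/npm/*/; do
    [ -f "${dir}package.json" ] || continue
    got=$(pkg_version "${dir}package.json")
    if [ "$got" != "$want" ]; then
      echo "stale: ${dir}package.json is ${got:-<none>}, parent is $want"
      rc=1
    fi
  done
  return "$rc"
}

# Bug 2 guard: a bare "npm/darwin-arm64" matches npm's <user>/<repo> shorthand,
# so hand npm a spec that can only be read as a local path.
local_spec() {
  case $1 in
    /*|./*|../*) printf '%s\n' "${1%/}" ;;
    *)           printf './%s\n' "${1%/}" ;;
  esac
}

# Print (do not run) the publish commands; refuse if versions are out of sync.
publish_plan() {
  local root dir
  root=$1
  check_platform_versions "$root" >&2 || return 1
  (
    cd "$root" || exit 1
    for dir in npm/*/; do
      [ -f "${dir}package.json" ] || continue
      echo "npm publish $(local_spec "$dir") --access public --provenance"
    done
  )
}
```

In a job that already has Node installed, `node -p "require('./package.json').version"` is a sturdier replacement for the sed parser.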


Two bugs in the build-native.yml publish job that have been latent
since the workflow was first written. Caught both during the local
0.1.2 bootstrap publish — neither would have allowed a successful
release-please-driven publish even with a working NPM_TOKEN.

1. Missing `napi version`

   napi-rs scaffolds npm/<platform>/package.json files at the version
   present when `napi build` first ran (here: 0.1.0). The version
   field stays at that scaffolded value on every subsequent release
   unless explicitly synced. Without this step, platform packages
   would publish at 0.1.0 forever even as the parent package bumped.

   Fix: add `npx napi version` between `napi artifacts` and the
   publish loop. It reads the parent package's version and writes
   it into each npm/<platform>/package.json.

2. `find ... npm publish {}` path interpretation

   `npm publish npm/darwin-arm64` is interpreted as the GitHub
   shorthand <user>/<repo>, not a local directory. npm tries
   ssh://git@github.com/npm/darwin-arm64.git, fails with
   "Permission denied (publickey)" because GHA runners have no
   SSH key for github.com. Failure visible in run 25986564957.

   Fix: prefix with `./` to force directory interpretation.

coderabbitai Bot commented May 17, 2026

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between e34c508 and fd6c815.

📒 Files selected for processing (1)
  • .github/workflows/build-native.yml

Walkthrough

The publish job now runs `npx napi version` to sync per-platform `npm/*/package.json` versions, publishes each platform package using `npm publish ./<dir>` (local-path), and changes the main prepublish invocation to `npx napi prepublish -t npm --no-gh-release`.

Changes

Platform Package Publishing

| Layer / File(s) | Summary |
| --- | --- |
| Version sync and platform package publishing (`.github/workflows/build-native.yml`) | Adds a step to run `npx napi version` to sync per-platform package versions and updates the publish loop to list `npm/*/` and run `npm publish ./{}` to force local-directory interpretation; preserves `--access public` and `--provenance` and uses `NODE_AUTH_TOKEN`. |
| Main package prepublish invocation (`.github/workflows/build-native.yml`) | Replaces `npx napi prepublish -t npm --skip-gh-release` with `npx napi prepublish -t npm --no-gh-release` and documents the CLI flag behavior. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I hopped through YAML, nose a-twitch,
Bumped platform versions without a hitch,
Local paths now lead each package's way,
Prepublish says "no GH release" today,
Tiny paws pushed publish — hip hooray!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The PR title clearly and concisely summarizes the two main bug fixes: syncing platform package versions and forcing local-path publish interpretation. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@napi-rs/cli v3 removed --skip-gh-release entirely. The new default
behavior is "do not create a GitHub release"; opt in with --gh-release
if you want one (we don't — release-please.yml owns GH release
creation for both packages via its own action).

Caught locally during the 0.1.2 bootstrap publish, same surface as
the other two fixes in this PR.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/build-native.yml:
- Around line 196-198: The CI step changed the napi prepublish invocation and
unintentionally enables GitHub releases; update the run command that calls "npx
napi prepublish -t npm" to explicitly disable releases by adding the
"--no-gh-release" flag (or, if releases are intended, update the comment to
state that "--gh-release" defaults to true); specifically modify the "npx napi
prepublish -t npm" invocation to "npx napi prepublish -t npm --no-gh-release"
(and remove or correct references to the removed "--skip-gh-release" flag) so
behavior matches the comment.

📥 Commits

Reviewing files that changed from the base of the PR and between 9f9205b and e34c508.

📒 Files selected for processing (1)
  • .github/workflows/build-native.yml

Comment thread .github/workflows/build-native.yml Outdated
Addresses PR review feedback. Previously relied on the v3 default of
"no GH release" being implicit. The explicit --no-gh-release flag
(clipanion-auto-generated negation of --gh-release) makes intent
unambiguous so a future default flip in napi-rs can't change behavior
silently.

Verified the flag is accepted: dry-run exits 0 with --no-gh-release,
whereas an invented flag errors with Unsupported option name. The
flag doesn't appear in the --help output (clipanion only lists the
positive form) but is functional.
@27Bslash6 27Bslash6 merged commit ba8518c into main May 17, 2026
14 checks passed
@27Bslash6 27Bslash6 deleted the ci/fix-platform-publish-bugs branch May 17, 2026 11:57