refactor: fail publish workflow if pre-built artifacts are missing (#312)

Previously, the NPM and GitHub Packages publish jobs would fall back to
building from source if the pre-built artifacts from the Main workflow
were not found. This created a risk of publishing untested code.

Changes:
- Removed continue-on-error flag from artifact download steps
- Removed fallback logic that would build from source
- Simplified extraction steps to fail fast with clear error messages
- Renamed "Try to download" to "Download" reflecting mandatory nature

This ensures the publish workflow only succeeds when it can use the
exact artifacts that were built, tested, and scanned in the Main
workflow, maintaining supply chain integrity and build reproducibility.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude <noreply@anthropic.com>

Author: sapientpants

.changeset/fail-on-missing-artifact.md

@@ -0,0 +1,7 @@
+---
+'sonarqube-mcp-server': patch
+---
+
+Remove fallback to build from source in publish workflow
+
+The NPM and GitHub Packages publish jobs now fail explicitly if pre-built artifacts are not found, instead of falling back to building from source. This ensures we always publish exactly what was tested and validated in the Main workflow, maintaining supply chain integrity.

.github/workflows/publish.yml

@@ -94,48 +94,42 @@ jobs:
             --prefix "npm-package" \
             --output "$GITHUB_OUTPUT"
 
-      - name: Try to download pre-built NPM package
+      - name: Download pre-built NPM package
         id: download
         # Download the pre-built, pre-scanned NPM package from main workflow
         # This ensures we publish exactly what was tested
-        continue-on-error: true
         uses: actions/download-artifact@v4
         with:
           name: ${{ steps.artifact.outputs.artifact_name }}
           path: ./npm-artifact
           run-id: ${{ steps.artifact.outputs.run_id }}
           github-token: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Use pre-built package or build from source
+      - name: Extract pre-built package
         run: |
-          if [ -d ./npm-artifact ]; then
-            # Check if any .tgz files exist
-            TARBALL=$(find ./npm-artifact -name "*.tgz" -type f | head -1)
-            if [ -n "$TARBALL" ]; then
-              echo "✅ Using pre-built NPM package from main workflow"
-              echo "📦 Extracting: $TARBALL"
-              tar -xzf "$TARBALL"
-
-              # The package extracts to a 'package' directory
-              # We need to move its contents to the current directory
-              if [ -d package ]; then
-                cp -r package/* .
-                rm -rf package
-              fi
-
-              echo "📋 Verified package contents from manifest"
-              if [ -f ./npm-artifact/npm-package-manifest.txt ]; then
-                echo "Package contains $(wc -l < ./npm-artifact/npm-package-manifest.txt) files"
-              fi
-            fi
-          else
-            echo "⚠️ Pre-built NPM package not found, building from source"
-            echo "This may happen if the main workflow didn't have ENABLE_NPM_RELEASE set"
+          # Check if any .tgz files exist
+          TARBALL=$(find ./npm-artifact -name "*.tgz" -type f | head -1)
+          if [ -z "$TARBALL" ]; then
+            echo "❌ No .tgz file found in artifact!"
+            echo "Contents of ./npm-artifact:"
+            ls -la ./npm-artifact/
+            exit 1
+          fi
+
+          echo "✅ Using pre-built NPM package from main workflow"
+          echo "📦 Extracting: $TARBALL"
+          tar -xzf "$TARBALL"
+
+          # The package extracts to a 'package' directory
+          # We need to move its contents to the current directory
+          if [ -d package ]; then
+            cp -r package/* .
+            rm -rf package
+          fi
 
-            # Install dependencies and build from source as fallback
-            npm install -g pnpm@${{ env.PNPM_VERSION }}
-            pnpm install --frozen-lockfile
-            pnpm build
+          echo "📋 Verified package contents from manifest"
+          if [ -f ./npm-artifact/npm-package-manifest.txt ]; then
+            echo "Package contains $(wc -l < ./npm-artifact/npm-package-manifest.txt) files"
           fi
 
       - name: Check NPM token
@@ -216,43 +210,38 @@ jobs:
             --prefix "npm-package" \
             --output "$GITHUB_OUTPUT"
 
-      - name: Try to download pre-built NPM package
+      - name: Download pre-built NPM package
         id: download
-        continue-on-error: true
         uses: actions/download-artifact@v4
         with:
           name: ${{ steps.artifact.outputs.artifact_name }}
           path: ./npm-artifact
           run-id: ${{ steps.artifact.outputs.run_id }}
           github-token: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Use pre-built package or build from source
+      - name: Extract pre-built package
         run: |
-          if [ -d ./npm-artifact ]; then
-            # Check if any .tgz files exist
-            TARBALL=$(find ./npm-artifact -name "*.tgz" -type f | head -1)
-            if [ -n "$TARBALL" ]; then
-              echo "✅ Using pre-built NPM package from main workflow"
-              echo "📦 Extracting: $TARBALL"
-              tar -xzf "$TARBALL"
-
-              # The package extracts to a 'package' directory
-              if [ -d package ]; then
-                cp -r package/* .
-                rm -rf package
-              fi
-
-              echo "📋 Verified package contents"
-            fi
-          else
-            echo "⚠️ Pre-built NPM package not found, building from source"
+          # Check if any .tgz files exist
+          TARBALL=$(find ./npm-artifact -name "*.tgz" -type f | head -1)
+          if [ -z "$TARBALL" ]; then
+            echo "❌ No .tgz file found in artifact!"
+            echo "Contents of ./npm-artifact:"
+            ls -la ./npm-artifact/
+            exit 1
+          fi
 
-            # Install dependencies and build from source as fallback
-            npm install -g pnpm@${{ env.PNPM_VERSION }}
-            pnpm install --frozen-lockfile
-            pnpm build
+          echo "✅ Using pre-built NPM package from main workflow"
+          echo "📦 Extracting: $TARBALL"
+          tar -xzf "$TARBALL"
+
+          # The package extracts to a 'package' directory
+          if [ -d package ]; then
+            cp -r package/* .
+            rm -rf package
           fi
 
+          echo "📋 Verified package contents"
+
       - name: Publish to GitHub Packages
         run: |
           # Scope package name to organization (required for GitHub Packages)