refactor(ci): clean up npm workflows (#4786)

This extracst the publish on npm workflow from ci.yaml and adds a new workflow
called `npm-beta.yaml`.

Now we have three workflows that publish to npm.
- `npm-beta.yaml` only runs on pushes and merges into `main`
- `npm-dev.yaml` only runs on PRs into `main` with approval from
  code-server-reviewers team
- `npm-brew.yaml` only runs on releases

This should fix problems we had previously where anyone could open a PR and
publish under the code-server namespace. It also separates out the workflows
based on environment and when they should run.

.github/workflows/ci.yaml

@@ -177,15 +177,6 @@ jobs:
           name: npm-package
           path: ./package.tar.gz
 
-      - name: Publish npm package with PR number and commit SHA
-        run: yarn publish:npm
-        env:
-          ENVIRONMENT: "development"
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-          NPM_TAG: ${{ github.event.number }}
-          PR_NUMBER_AND_COMMIT_SHA: ${{ github.event.number }}-${{ github.event.pull_request.head.sha }}
-
   # TODO: cache building yarn --production
   # possibly 2m30s of savings(?)
   # this requires refactoring our release scripts

.github/workflows/npm-beta.yaml

@@ -0,0 +1,29 @@
+name: Publish on npm and tag with "beta"
+
+on:
+  # Shows the manual trigger in GitHub UI
+  # helpful as a back-up in case the GitHub Actions Workflow fails
+  workflow_dispatch:
+
+  push:
+    branches:
+      - main
+
+jobs:
+  # NOTE: this job requires curl, jq and yarn
+  # All of them are included in ubuntu-latest.
+  npm:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Publish npm package and tag "beta"
+        run: yarn publish:npm
+        env:
+          ENVIRONMENT: "staging"
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_TAG: "beta"
+          # Since this only runs on a merge into main, we can't use github.event.number
+          # so we instead use the word "beta" and the PR merge commit SHA
+          PR_NUMBER_AND_COMMIT_SHA: beta-${{ github.sha }}

.github/workflows/npm-brew.yaml

@@ -16,7 +16,7 @@ jobs:
     steps:
       - uses: actions/checkout@v2
 
-      - name: Publish npm package with PR number and commit SHA
+      - name: Publish npm package and tag with "latest"
         run: yarn publish:npm
         env:
           ENVIRONMENT: "production"

.github/workflows/npm-dev.yaml

@@ -1,11 +1,11 @@
-name: Publish on npm and tag with "beta"
+name: Publish on npm and tag with PR number
 
 on:
   # Shows the manual trigger in GitHub UI
   # helpful as a back-up in case the GitHub Actions Workflow fails
   workflow_dispatch:
 
-  push:
+  pull_request:
     branches:
       - main
 
@@ -13,6 +13,9 @@ jobs:
   # NOTE: this job requires curl, jq and yarn
   # All of them are included in ubuntu-latest.
   npm:
+    # This environment "npm" requires someone from
+    # coder/code-server-reviewers to approve the PR before this job runs.
+    environment: npm
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
@@ -20,10 +23,8 @@ jobs:
       - name: Run ./ci/steps/publish-npm.sh
         run: yarn publish:npm
         env:
-          ENVIRONMENT: "staging"
+          ENVIRONMENT: "development"
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-          NPM_TAG: "beta"
-          # Since this only runs on a merge into main, we can't use github.event.number
-          # so we instead use the word "beta" and the PR merge commit SHA
-          PR_NUMBER_AND_COMMIT_SHA: beta-${{ github.sha }}
+          NPM_TAG: ${{ github.event.number }}
+          PR_NUMBER_AND_COMMIT_SHA: ${{ github.event.number }}-${{ github.event.pull_request.head.sha }}