fix(scripts/publish): refuse to publish with a dirty working tree

Mirrors the guard in scripts/bump.mts. Without this, a developer with
uncommitted edits in src/ could run pnpm publish and ship unreviewed
code to npm. Adds a checkGitStatus() helper (same shape as bump.mts's)
and a gate at the top of main() that aborts unless --force is passed.

Author: jdalton

scripts/publish.mts

@@ -341,6 +341,22 @@ async function pushExistingTag(
   return true
 }
 
+/**
+ * Check if the git working tree is clean (no uncommitted changes).
+ */
+async function checkGitStatus(): Promise<boolean> {
+  const result = await runCommandWithOutput('git', ['status', '--porcelain'])
+  const stdout =
+    typeof result.stdout === 'string' ? result.stdout : result.stdout.toString()
+  if (stdout.trim()) {
+    logger.error('Working directory is not clean')
+    logger.info('Uncommitted changes:')
+    console.log(stdout)
+    return false
+  }
+  return true
+}
+
 async function main(): Promise<void> {
   try {
     // Parse arguments.
@@ -401,6 +417,16 @@ async function main(): Promise<void> {
 
     printHeader('Publish Runner', { borderChar: '=', width: 56 })
 
+    // Refuse to publish from a dirty working tree — would ship uncommitted
+    // changes to npm. --force overrides for emergency republishes.
+    const gitClean: boolean = await checkGitStatus()
+    if (!gitClean && !values.force) {
+      logger.error('Refusing to publish with uncommitted changes')
+      logger.info('Commit or stash changes, or pass --force to override.')
+      process.exitCode = 1
+      return
+    }
+
     // Get current version.
     const version: string | undefined = await getCurrentVersion()
     logger.info(`Current version: ${version}`)