From d36b9821f8668081d97534177466562a2c234f02 Mon Sep 17 00:00:00 2001
From: Andrey Kopylov <programmer.andrey@gmail.com>
Date: Thu, 7 May 2026 16:40:23 +0500
Subject: [PATCH 1/3] [publish] add yml

---
 .github/workflows/cli-publish.yml | 56 +++++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)
 create mode 100644 .github/workflows/cli-publish.yml

diff --git a/.github/workflows/cli-publish.yml b/.github/workflows/cli-publish.yml
new file mode 100644
index 0000000..4ef422e
--- /dev/null
+++ b/.github/workflows/cli-publish.yml
@@ -0,0 +1,56 @@
+name: Publish CLI to npm
+
+on:
+  push:
+    tags:
+      - 'cli-[0-9]+.[0-9]+.[0-9]+'
+
+permissions: {}
+
+jobs:
+  publish:
+    name: Publish @stakewise/create-vault-interface
+    runs-on: ubuntu-latest
+    environment:
+      name: npm-publish-cli
+      url: https://www.npmjs.com/package/@stakewise/create-vault-interface
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd
+        with:
+          persist-credentials: false
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1
+        with:
+          version: 10.25.0
+
+      - name: Setup Node
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f
+        with:
+          cache: pnpm
+          node-version: '24.12.0'
+          registry-url: 'https://registry.npmjs.org'
+
+      - name: Verify tag matches cli/package.json version
+        run: |
+          TAG_VERSION="${GITHUB_REF_NAME#cli-}"
+          PKG_VERSION=$(node -p "require('./cli/package.json').version")
+          if [ "$TAG_VERSION" != "$PKG_VERSION" ]; then
+            echo "::error::Tag $GITHUB_REF_NAME (parsed as $TAG_VERSION) does not match cli/package.json version $PKG_VERSION"
+            exit 1
+          fi
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile --ignore-scripts
+
+      - name: Build CLI
+        working-directory: cli
+        run: pnpm build
+
+      - name: Publish to npm with provenance
+        working-directory: cli
+        run: npm publish --provenance --access public --ignore-scripts

From 952e735987445672f19bfdc7ae57bd27ada89f79 Mon Sep 17 00:00:00 2001
From: Andrey Kopylov <programmer.andrey@gmail.com>
Date: Fri, 8 May 2026 15:26:24 +0500
Subject: [PATCH 2/3] add main check

---
 .github/workflows/cli-publish.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/.github/workflows/cli-publish.yml b/.github/workflows/cli-publish.yml
index 4ef422e..e2d759a 100644
--- a/.github/workflows/cli-publish.yml
+++ b/.github/workflows/cli-publish.yml
@@ -44,6 +44,14 @@ jobs:
             exit 1
           fi
 
+      - name: Verify tag is on main
+        run: |
+          git fetch origin main --depth=1
+          if ! git merge-base --is-ancestor "$GITHUB_SHA" origin/main; then
+            echo "::error::Tag $GITHUB_REF_NAME points to commit $GITHUB_SHA which is not on main branch"
+            exit 1
+          fi
+
       - name: Install dependencies
         run: pnpm install --frozen-lockfile --ignore-scripts
 

From dd39565e27e48eccc01dd2f6bc2e6debc8f3a48e Mon Sep 17 00:00:00 2001
From: Andrey Kopylov <programmer.andrey@gmail.com>
Date: Fri, 8 May 2026 17:07:55 +0500
Subject: [PATCH 3/3] [publish] up version

---
 cli/package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cli/package.json b/cli/package.json
index 8c3dbc7..807d950 100644
--- a/cli/package.json
+++ b/cli/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@stakewise/create-vault-interface",
-  "version": "0.1.4",
+  "version": "0.1.5",
   "description": "CLI for creating a StakeWise Vault Interface application",
   "type": "module",
   "scripts": {