From d9695d5370351683c8836800c35d8acf56327412 Mon Sep 17 00:00:00 2001 From: Ben Williams Date: Tue, 30 Dec 2025 19:12:44 -0800 Subject: [PATCH 1/3] fix: skip Netlify PR deploy workflow on forks --- .github/workflows/pr-netlify.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/pr-netlify.yml b/.github/workflows/pr-netlify.yml index 355d2f52cd8..390885cd64f 100644 --- a/.github/workflows/pr-netlify.yml +++ b/.github/workflows/pr-netlify.yml @@ -14,6 +14,8 @@ jobs: deploy: name: 'Deploy PR' runs-on: ubuntu-latest + # Only run on the main repository, not on forks + if: github.repository == 'electron-userland/electron-builder' steps: - name: Checkout code repository From bd52f0552fcfe2a966f4b4a4fefd34a35f0fb493 Mon Sep 17 00:00:00 2001 From: Ben Williams Date: Tue, 30 Dec 2025 20:06:19 -0800 Subject: [PATCH 2/3] fix: disable implicit publishing by default Remove automatic publish detection based on CI environment, git tags, and npm lifecycle events. Publishing must now be explicitly requested via the --publish CLI flag or configuration. This is a breaking change that addresses the security and usability concerns raised in #5463 where unexpected auto-publishing could accidentally expose secrets or publish unfinished work. BREAKING CHANGE: Publishing no longer happens automatically in CI. Use --publish flag explicitly (e.g., --publish always, --publish onTag). Fixes #5463 --- .../src/publish/PublishManager.ts | 16 ---------------- pages/publish.md | 3 +++ 2 files changed, 3 insertions(+), 16 deletions(-) diff --git a/packages/app-builder-lib/src/publish/PublishManager.ts b/packages/app-builder-lib/src/publish/PublishManager.ts index 76e74b00acb..72929a853c2 100644 --- a/packages/app-builder-lib/src/publish/PublishManager.ts +++ b/packages/app-builder-lib/src/publish/PublishManager.ts 
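Review bot: The added `if: github.repository == 'electron-userland/electron-builder'` only stops the job when the workflow file runs inside a forked copy of the repository; on a `pull_request` event in the upstream repo `github.repository` is always the base repository, so a PR opened from a fork still satisfies this condition and the deploy job still runs. The `on:` trigger sits above the hunk and is not visible, so I cannot tell which reading of "skip on forks" the title intends; if the goal is to not deploy fork PRs (which matters most if the trigger is `pull_request_target`, where repository secrets are available to the job), the guard should look at the head repository instead, e.g. `if: github.event.pull_request.head.repo.full_name == github.repository`. Combining both conditions with `&&` is harmless and covers either reading. The `deploy` job's `steps` continue past the end of the hunk.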
@@ -31,7 +31,6 @@ import { } from "electron-publish" import { MultiProgress } from "electron-publish/out/multiProgress" import { writeFile } from "fs/promises" -import { isCI } from "ci-info" import * as path from "path" import { WriteStream as TtyWriteStream } from "tty" import * as url from "url" @@ -84,21 +83,6 @@ export class PublishManager implements PublishContext { const forcePublishForPr = process.env.PUBLISH_FOR_PULL_REQUEST === "true" if (!isPullRequest() || forcePublishForPr) { - if (publishOptions.publish === undefined) { - if (process.env.npm_lifecycle_event === "release") { - publishOptions.publish = "always" - } else { - const tag = getCiTag() - if (tag != null) { - log.info({ reason: "tag is defined", tag }, "artifacts will be published") - publishOptions.publish = "onTag" - } else if (isCI) { - log.info({ reason: "CI detected" }, "artifacts will be published if draft release exists") - publishOptions.publish = "onTagOrDraft" - } - } - } - const publishPolicy = publishOptions.publish this.isPublish = publishPolicy != null && publishOptions.publish !== "never" && (publishPolicy !== "onTag" || getCiTag() != null) if (this.isPublish && forcePublishForPr) { diff --git a/pages/publish.md b/pages/publish.md index d48327c6348..3103ea65683 100644 --- a/pages/publish.md +++ b/pages/publish.md 
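Review bot: With the implicit detection gone, a CI build that has a release tag and a token but no `--publish` flag now skips publishing silently: `publishPolicy` is `undefined`, the `publishPolicy != null` term makes `this.isPublish` false, and the two `log.info` calls that explained the decision were deleted with the branch, so nothing tells an upgrader why no artifacts were uploaded. Consider logging the skip right after `const publishPolicy = publishOptions.publish`, e.g. `if (publishPolicy == null) { log.info({ reason: "publish policy not set" }, "artifacts will not be published; pass --publish or set the publish option") }`. Note also that an explicit `publish` value from the checked-in configuration (which the docs hunk says is still honoured) flows through this same path, and `PUBLISH_FOR_PULL_REQUEST=true` still bypasses the `isPullRequest()` guard, so a pull-request build with that variable set can still publish whatever the repository's config asks for; that behaviour is unchanged by this commit but is worth stating next to the new "must be explicitly requested" note. The enclosing method starts and ends outside the hunk.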
@@ -7,6 +7,9 @@ Note that when using a generic server, you have to upload the built application Travis and AppVeyor support publishing artifacts. But it requires additional configuration for each CI and you need to configure what to publish. `electron-builder` makes publishing dead simple. +!!! important "Publishing Must Be Explicitly Requested" + Publishing is not performed automatically. You must explicitly request publishing using the `--publish` CLI flag (e.g., `--publish always`, `--publish onTag`, `--publish onTagOrDraft`) or by setting the `publish` option in your configuration. + If `GH_TOKEN` or `GITHUB_TOKEN` is defined — defaults to `[{provider: "github"}]`. If `KEYGEN_TOKEN` is defined and `GH_TOKEN` or `GITHUB_TOKEN` is not — defaults to `[{provider: "keygen"}]`. From 0710bae3194bd6ae98ab0cda31a025e451b7234c Mon Sep 17 00:00:00 2001 From: Ben Williams Date: Tue, 30 Dec 2025 20:11:25 -0800 Subject: [PATCH 3/3] chore: add changeset for breaking change --- .changeset/disable-implicit-publish.md | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 .changeset/disable-implicit-publish.md diff --git a/.changeset/disable-implicit-publish.md b/.changeset/disable-implicit-publish.md new file mode 100644 index 00000000000..ca1cddaf6e7 --- /dev/null +++ b/.changeset/disable-implicit-publish.md @@ -0,0 +1,11 @@ +--- +"app-builder-lib": major +--- + +fix: disable implicit publishing by default + +BREAKING CHANGE: Publishing no longer happens automatically based on CI environment, git tags, or npm lifecycle events. You must now explicitly request publishing using the `--publish` CLI flag (e.g., `--publish always`, `--publish onTag`) or by setting the `publish` option in your configuration. + +This addresses security and usability concerns where unexpected auto-publishing could accidentally expose secrets or publish unfinished work. + +Fixes electron-userland/electron-builder#5463