chore: rename trusted publish workflow to release #6
Pull request overview
Renames and reorganizes the npm trusted-publishing GitHub Actions workflows so npm can validate against the expected workflow filename (release.yml), and updates docs accordingly.
Changes:
- Moves the trusted publish workflow to `.github/workflows/release.yml` and removes the old `.github/workflows/publish-on-release.yml`.
- Adds a separate `.github/workflows/manual-publish.yml` to retain the prior manual publish flow.
- Updates README and releasing docs to reference the new workflow name/path.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| README.md | Updates release flow docs to reference the Release workflow name. |
| docs/RELEASING.md | Updates trusted publishing workflow path references to .github/workflows/release.yml. |
| .github/workflows/release.yml | Becomes the canonical release+publish workflow (release trigger + manual dispatch). |
| .github/workflows/manual-publish.yml | Introduces a legacy/manual publish workflow under a new filename. |
| .github/workflows/publish-on-release.yml | Removes the old trusted publish workflow file. |
| id-token: write | ||
|
|
||
| concurrency: | ||
| group: publish-${{ github.workflow }}-${{ github.ref_name || github.run_id }} |
The concurrency group is based on github.ref_name, which for workflow_dispatch reflects the branch the workflow is run on (UI selection), not necessarily the branch input that is actually checked out and published. If someone dispatches the workflow from main but sets branch to another ref, different publishes can be incorrectly serialized (or collide) under the same concurrency key. Consider keying concurrency off the same source ref you checkout (e.g., github.event.release.tag_name || github.event.inputs.branch || github.ref_name).
| group: publish-${{ github.workflow }}-${{ github.ref_name || github.run_id }} | |
| group: publish-${{ github.workflow }}-${{ github.event.release.tag_name || github.event.inputs.branch || github.ref_name || github.run_id }} |
| if: github.event_name == 'workflow_dispatch' && github.event.inputs.version == 'next' | ||
| run: | | ||
| SAFE_BRANCH=$(echo "${{ github.event.inputs.branch }}" | sed 's/[^a-zA-Z0-9-]/-/g' | tr '[:upper:]' '[:lower:]') | ||
| npx changeset version --snapshot "$SAFE_BRANCH" |
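Review bot: On the `SAFE_BRANCH=` line, `${{ github.event.inputs.branch }}` is substituted into the script text by Actions before the shell starts, so the `sed`/`tr` filter runs too late: any shell metacharacters in the dispatched branch value are interpreted by the shell before sanitization. The permissions shown earlier in this review include `id-token: write`, so this matters more in a publish workflow. Pass the input through the step's `env:` (for example `BRANCH: ${{ github.event.inputs.branch }}`) and reference it as `"$BRANCH"` in the `echo`, so the value is handled as data rather than as script.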
Generate preview version uses npx changeset ..., which can download and run a different Changesets version than the one pinned in the repo if resolution falls back to the network. Since this repo already uses pnpm + a pinned @changesets/cli, prefer pnpm exec changeset version --snapshot ... (or pnpm changeset ...) to keep the workflow deterministic.
| npx changeset version --snapshot "$SAFE_BRANCH" | |
| pnpm exec changeset version --snapshot "$SAFE_BRANCH" |
What changed
- `.github/workflows/release.yml`
- `.github/workflows/publish-on-release.yml` workflow
- `.github/workflows/manual-publish.yml` workflow
Why
npm trusted publishing validates the exact workflow filename, not the workflow `name:` value. Releases were failing because npm trust was expected to point at `release.yml`, while the OIDC publish job lived in `publish-on-release.yml`.
Impact
`release.yml`
Validation
- `~/.local/bin/docs-list`
- `ruby -e 'require "yaml"; YAML.load_file(".github/workflows/release.yml"); puts "workflow yaml ok"'`
- `git diff --check`