ci(release): gate canaryOnly packages so lab publishes to @canary only #3325

Open: cixzhang wants to merge 1 commit into main from navi/feat/lab-canary-publish-plumbing

cixzhang (Contributor) commented Jul 1, 2026
Summary

Follow-up to #3235 (now landed). That PR gave @astryxdesign/lab a real build and the astryx.canaryOnly marker, but explicitly deferred the matching .github/workflows/release.yml change because the bot token lacked workflow scope. This PR applies that deferred change, plus the matching update to the trusted-publishing setup script, so lab can actually publish to @canary — and only @canary.

What's in this change

.github/workflows/release.yml — three coordinated gate edits:

  1. Stable job now also skips astryx.canaryOnly packages. Even if a canaryOnly package's private: true were ever accidentally flipped, it still could not leak onto the latest dist-tag.
  2. Canary stamp step treats canaryOnly packages as publishable and strips private in the ephemeral CI checkout only — never in git.
  3. Canary publish loop filter includes canaryOnly so the package is actually published under @canary.

scripts/npm/setup-trusted-publishing.mjs:

  • publishablePackages() now includes canaryOnly packages. npm trusted publishing can only be configured on a name that already exists on the registry, and the canary job publishes via OIDC with no token — so lab's name must be bootstrapped and trusted just like any other published package, even though it stays private: true in git.

Guarantee preserved

canaryOnly packages stay private: true in committed source (npm's hard refusal to publish a private package remains the primary guard). This change only teaches the canary path to opt them in, in-memory, at publish time.

Gate matrix after this change:

package                   private  canaryOnly  stable (latest)  canary
core, cli, build, themes  false    false
lab                       true     true
vega                      true     false

Verification

  • release.yml parses as valid YAML; both publish and canary jobs and their triggers intact.
  • Simulated both job filters against every workspace package — matrix above matches intent exactly (lab canary-only; vega stays fully private; everything else unchanged).
  • node --check passes on the setup script; a --dry-run now lists @astryxdesign/lab as a name to bootstrap (previously excluded).

Remaining manual step (post-merge, maintainer with an npm session)

Once this lands, claim lab's npm name and register its trusted publisher, pointed at release.yml:

node scripts/npm/setup-trusted-publishing.mjs --bootstrap --setup-trust --workflow release.yml

After that, the next push to main publishes @astryxdesign/lab@canary automatically.
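
The three gates described in this PR can be modelled as two predicates plus a copy-on-stamp step. This is an added example, not code from the PR or from release.yml; it assumes the marker is the package.json field `astryx.canaryOnly` and uses constructed manifests named after the matrix rows.

```javascript
// Constructed manifests mirroring the gate matrix (not the repo's real package.json files).
// Assumption: the marker lives at package.json -> astryx.canaryOnly.
const manifests = [
  { name: "core", version: "1.0.0" },
  { name: "lab", version: "0.1.0", private: true, astryx: { canaryOnly: true } },
  { name: "vega", version: "0.1.0", private: true },
];

const isCanaryOnly = (pkg) => pkg.astryx?.canaryOnly === true;

// Stable gate: both conditions must hold, so either flag alone blocks `latest`.
function stableEligible(pkg) {
  return pkg.private !== true && !isCanaryOnly(pkg);
}

// Canary gate: public packages, plus private ones that opt in via the marker.
function canaryEligible(pkg) {
  return pkg.private !== true || isCanaryOnly(pkg);
}

// Canary stamp: returns the manifest to publish as a copy without `private`;
// the input object (standing in for the committed manifest) is never mutated.
function stampForCanary(pkg, canaryVersion) {
  if (!canaryEligible(pkg)) {
    throw new Error(`${pkg.name} is not canary-publishable`);
  }
  const { private: _dropped, ...rest } = pkg;
  return { ...rest, version: canaryVersion };
}

function gateMatrix(pkgs) {
  return pkgs.map((pkg) => ({
    name: pkg.name,
    stable: stableEligible(pkg),
    canary: canaryEligible(pkg),
  }));
}

// The failure mode the stable gate guards against: lab's `private` flipped by mistake.
function labWithPrivateFlipped() {
  const lab = manifests.find((pkg) => pkg.name === "lab");
  return { ...lab, private: false };
}

console.log(gateMatrix(manifests));
console.log("flipped lab reaches stable:", stableEligible(labWithPrivateFlipped()));
```

A check like this can run in CI before either publish job, failing the build if any manifest carrying the marker passes the stable predicate.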

Apply the release.yml follow-up for the lab canary-only distribution
(#3235). Three coordinated gate edits plus the matching bootstrap-script
change so a canaryOnly package (lab) can be name-claimed, trusted, and
published to @canary while never reaching the stable `latest` tag.

- release.yml stable job: also skip `astryx.canaryOnly` packages, so even
  an accidental `private: false` cannot leak them onto `latest`.
- release.yml canary job: treat canaryOnly packages as publishable and
  strip `private` in the ephemeral CI checkout only (never in git), so
  they publish under the @canary dist-tag.
- scripts/npm/setup-trusted-publishing.mjs: include canaryOnly packages in
  the publishable set so their npm name gets bootstrapped and trusted;
  they publish to @canary from CI even though they stay private in git.

meta-cla Bot added the CLA Signed label (managed by the Meta Open Source bot) Jul 1, 2026

vercel Bot commented Jul 1, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project  Deployment  Actions           Updated (UTC)
astryx   Ready       Preview, Comment  Jul 1, 2026 10:08pm

github-actions Bot (Contributor) commented Jul 1, 2026

PR Analysis Report

📚 Storybook Preview

View Storybook for this PR
GitHub Pages may take up to a minute to hydrate after deploy.

🧪 Sandbox Preview

View Sandbox for this PR
GitHub Pages may take up to a minute to hydrate after deploy.

No new or modified components detected.

Bundle Size Summary

Package             Size (ESM)  Size (CJS)  Gzipped
@astryxdesign/core  N/A         4.6KB       0B

Accessibility Audit

Status: No accessibility violations detected.


Generated by PR Enrichment workflow | Storybook | Sandbox | View full report

github-actions Bot added a commit that referenced this pull request Jul 1, 2026
cixzhang enabled auto-merge (squash) July 1, 2026 23:14