ci(release): gate canaryOnly packages so lab publishes to @canary only#3325
Open
cixzhang wants to merge 1 commit into
Apply the release.yml follow-up for the lab canary-only distribution (#3235). Three coordinated gate edits plus the matching bootstrap-script change so a canaryOnly package (lab) can be name-claimed, trusted, and published to @canary while never reaching the stable `latest` tag.

- release.yml stable job: also skip `astryx.canaryOnly` packages, so even an accidental `private: false` cannot leak them onto `latest`.
- release.yml canary job: treat canaryOnly packages as publishable and strip `private` in the ephemeral CI checkout only (never in git), so they publish under the @canary dist-tag.
- scripts/npm/setup-trusted-publishing.mjs: include canaryOnly packages in the publishable set so their npm name gets bootstrapped and trusted; they publish to @canary from CI even though they stay private in git.
Summary

Follow-up to #3235 (now landed). That PR gave `@astryxdesign/lab` a real build and the `astryx.canaryOnly` marker, but explicitly deferred the matching `.github/workflows/release.yml` change because the bot token lacked `workflow` scope. This PR applies that deferred change, plus the matching update to the trusted-publishing setup script, so lab can actually publish to `@canary` — and only `@canary`.

What's in this change

- `.github/workflows/release.yml` — three coordinated gate edits:
  - `astryx.canaryOnly` packages. Even if a `canaryOnly` package's `private: true` were ever accidentally flipped, it still could not leak onto the `latest` dist-tag.
  - `canaryOnly` packages as publishable and strips `private` in the ephemeral CI checkout only — never in git.
  - `canaryOnly` so the package is actually published under `@canary`.
- `scripts/npm/setup-trusted-publishing.mjs`: `publishablePackages()` now includes `canaryOnly` packages. npm trusted publishing can only be configured on a name that already exists on the registry, and the canary job publishes via OIDC with no token — so lab's name must be bootstrapped and trusted just like any other published package, even though it stays `private: true` in git.

Guarantee preserved

`canaryOnly` packages stay `private: true` in committed source (npm's hard refusal to publish a private package remains the primary guard). This change only teaches the canary path to opt them in, in-memory, at publish time.

Gate matrix after this change:

Verification

- `release.yml` parses as valid YAML; both `publish` and `canary` jobs and their triggers intact.
- `node --check` passes on the setup script; a `--dry-run` now lists `@astryxdesign/lab` as a name to bootstrap (previously excluded).

Remaining manual step (post-merge, maintainer with an npm session)

Once this lands, claim lab's npm name and register its trusted publisher, pointed at `release.yml`:

After that, the next push to `main` publishes `@astryxdesign/lab@canary` automatically.
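The gate described in this PR, as an added Node example that is not the repository's own workflow or setup-script code: it computes what the stable (`latest`) and canary jobs may publish from the `private` and `astryx.canaryOnly` manifest fields, and which names the trusted-publishing bootstrap must cover. The function names `gateForJob` and `publishableNames`, the job labels "stable"/"canary", and the two non-lab package manifests are assumptions made for this illustration.

```javascript
// Added illustration of the PR's release gate (not the repository's own code).
// Each object mimics a package.json; `@astryxdesign/lab` is the PR's canaryOnly
// package, the two other manifests are constructed placeholders.
const samplePackages = [
  { name: "@astryxdesign/example-public", private: false },
  { name: "@astryxdesign/lab", private: true, astryx: { canaryOnly: true } },
  { name: "@astryxdesign/example-internal", private: true },
];

const isCanaryOnly = (pkg) => pkg.astryx?.canaryOnly === true;

// gateForJob (hypothetical name) returns what one release job may publish and
// the dist-tag it publishes to:
// - "stable" (`latest`): skips private AND canaryOnly packages, so a canaryOnly
//   package cannot reach `latest` even if its `private` flag were flipped.
// - "canary" (`canary`): treats canaryOnly packages as publishable and strips
//   `private` from an in-memory copy only; the source manifest is untouched.
function gateForJob(packages, job) {
  if (job === "stable") {
    return {
      tag: "latest",
      publish: packages.filter((p) => !p.private && !isCanaryOnly(p)),
    };
  }
  if (job === "canary") {
    return {
      tag: "canary",
      publish: packages
        .filter((p) => !p.private || isCanaryOnly(p))
        .map((p) => {
          if (!isCanaryOnly(p)) return p;
          // Copy without `private` so `npm publish` accepts it in the CI checkout.
          const { private: _omitted, ...rest } = p;
          return rest;
        }),
    };
  }
  throw new Error(`unknown release job: ${job}`);
}

// Names needing an npm name claimed and a trusted publisher: the union of both jobs.
function publishableNames(packages) {
  const names = new Set();
  for (const job of ["stable", "canary"]) {
    for (const p of gateForJob(packages, job).publish) names.add(p.name);
  }
  return [...names].sort();
}
```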