@AndyTWF AndyTWF commented Sep 18, 2025

This change introduces an auto release script for actions, the same as we run for chat-js. It runs automatically upon release creation and publishes with provenance to npm. Similarly, the CDN publish script has been updated to invoke automatically.

This allows us to release automatically when new versions are tagged, including with provenance which provides guarantees as to the authenticity of the package.

Summary by CodeRabbit

  • Chores

    • Automated publishing to npm and CDN now triggers on release publication, improving reliability and reducing manual steps.
    • Versioning derives from the release tag, eliminating manual input and aligning artifacts with releases.
  • Documentation

    • Updated contributing guide to reflect the new automated release process, including simplified steps, post-release verification, and changelog update guidance.

This change introduces an auto release script for actions, the same as
we run for chat-js.

This allows us to release automatically when new versions are tagged,
including with provenance which provides guarantees as to the
authenticity of the package.
Rather than having to manually invoke the CDN deploy, we can do it
automatically after the release is created.
@AndyTWF AndyTWF requested review from VeskeR and ttypic September 18, 2025 20:16

coderabbitai bot commented Sep 18, 2025

Walkthrough

The CDN workflow now triggers on release publication and passes tag info via github.ref_name. A new release workflow publishes npm packages on release. CONTRIBUTING.md updates the release process to reflect automated publishing and verification via GitHub Actions.

Changes

| Cohort / File(s) | Change Summary |
| --- | --- |
| CI/CD workflows: .github/workflows/publish-cdn.yml, .github/workflows/release.yml | CDN: switch trigger to release(published); use github.ref/github.ref_name for ref/tag; keep other steps. New: add release.yml to publish to npm on release with Node 20.10.0, npm registry auth via NPM_TOKEN, build and npm publish --provenance --access public. |
| Documentation: CONTRIBUTING.md | Rewrite release process: remove manual build/tag/publish; create GitHub release from tag; verify Release and CDN workflows; retain post-release changelog update. |

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Maintainer
  participant GitHub as GitHub Releases
  participant ReleaseWF as Release Workflow (npm)
  participant CDNWF as CDN Workflow
  participant npm as npm Registry
  participant CDN as CDN Provider

  Maintainer->>GitHub: Publish Release (tagged)
  Note right of GitHub: Event: release (published)

  GitHub-->>ReleaseWF: Trigger
  GitHub-->>CDNWF: Trigger

  rect rgba(205, 232, 255, 0.3)
    note over ReleaseWF: Uses github.ref / ref_name
    ReleaseWF->>ReleaseWF: Checkout, setup Node, npm ci, build
    ReleaseWF->>npm: npm publish (provenance, public)
    npm-->>ReleaseWF: Publish result
  end

  rect rgba(217, 255, 205, 0.3)
    note over CDNWF: Uses github.ref_name as tag
    CDNWF->>CDN: Deploy assets for tag
    CDN-->>CDNWF: Deployment result
  end

  ReleaseWF-->>GitHub: Status (success/failure)
  CDNWF-->>GitHub: Status (success/failure)
  GitHub-->>Maintainer: Check workflow completions

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

I thump my paws: a tag appears!
The pipelines hop without our fears.
npm burrows, CDN takes flight—
Carrots cached, the bytes just right.
With whiskered checks and releases clean,
We bound through fields of evergreen.
Ship it, squeak it—slick and lean!

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title Check | ✅ Passed | The title "chore: add auto-release script" is concise, follows a conventional prefix, and accurately reflects the primary change in the PR (adding automated release workflows and related automation changes), so it communicates the main intent to reviewers scanning history. |
| Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped. |

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (6)
.github/workflows/publish-cdn.yml (2)

3-4: Guard against pre-releases and avoid duplicate runs.

CDN deploys on pre-releases are usually undesirable. Also add a concurrency group to prevent multiple runs for the same tag.

 on:
   release:
     types: [published]
+
+jobs:
+  publish:
+    if: ${{ !github.event.release.prerelease }}
+    concurrency:
+      group: cdn-${{ github.ref_name }}
+      cancel-in-progress: false
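Review bot: `cancel-in-progress: false` under `concurrency` only queues a second run for the same `cdn-${{ github.ref_name }}` group behind the first, so a re-triggered release still deploys twice, one run after the other. If the goal in the heading is a single deploy per tag, the deploy step itself has to detect that the tag's assets are already uploaded; the concurrency group gives ordering, not deduplication.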

14-26: Upgrade Actions to v4 and pin Node to match release workflow.

Use maintained majors and enable npm cache. Align Node to 20.10.0 for reproducibility.

-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         with:
           ref: ${{ github.ref }}
-      - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v1
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           aws-region: us-east-1
           role-to-assume: arn:aws:iam::${{ secrets.ABLY_AWS_ACCOUNT_ID_SDK }}:role/prod-ably-sdk-cdn
           role-session-name: '${{ github.run_id }}-${{ github.run_number }}'
-      - name: Use Node.js 20.x
-        uses: actions/setup-node@v1
+      - name: Use Node.js 20.10.0
+        uses: actions/setup-node@v4
         with:
-          node-version: 20.x
+          node-version: '20.10.0'
+          cache: 'npm'
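Review bot: the `uses:` lines move from one mutable major tag to another (`@v4`) in a job that assumes `role/prod-ably-sdk-cdn`. Pin `actions/checkout`, `aws-actions/configure-aws-credentials` and `actions/setup-node` to full commit SHAs, with the version in a trailing comment, so that a retagged action release cannot change what runs with the production CDN role.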
.github/workflows/release.yml (3)

10-12: Least privilege: contents should be read, not write.

This job doesn’t modify the repo; drop write to reduce blast radius.

     permissions:
-      contents: 'write'
+      contents: 'read'
       id-token: 'write'
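Review bot: `contents: 'read'` is enough only while this job does nothing but check out, build and publish; say so in a comment above `permissions:` so that a later step which uploads release assets fails for an obvious reason. `id-token: 'write'` has to stay, since it is what lets `npm publish --provenance` obtain the OIDC token for the attestation.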

17-21: Upgrade to setup-node v4 and enable npm cache.

Also v3 is deprecated; v4 is the maintained major.

-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
           node-version: '20.10.0'
           registry-url: 'https://registry.npmjs.org'
+          cache: 'npm'
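Review bot: `cache: 'npm'` on the last added line makes the publishing job restore a dependency cache written by earlier workflow runs, which is state from outside the tagged commit feeding a build that is published with provenance. I would take the `@v4` bump and leave the cache out of this job; releases run rarely enough that a cold `npm ci` costs little.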

7-9: Skip pre-releases and add concurrency guard.

Avoid publishing pre-releases to npm and ensure single run per tag.

 jobs:
   release:
+    if: ${{ !github.event.release.prerelease }}
+    concurrency:
+      group: npm-release-${{ github.ref_name }}
+      cancel-in-progress: false
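Review bot: the job-level `if: ${{ !github.event.release.prerelease }}` makes a Release marked as pre-release end with a skipped job rather than a failure, so nothing is published and nothing goes red. Either fail with a message in a first step when `prerelease` is true, or make sure the release instructions tell the maintainer to expect a skipped run in that case.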
CONTRIBUTING.md (1)

22-25: Clarify tag naming and trigger behavior.

Document that only publishing a GitHub Release (not just a Git tag) triggers npm/CDN. Specify tag format and pre-release behavior.

-7. Once all tests are passing, land the release branch into `main`.
-8. Create a GitHub release with the appropriate tag. For release notes, you generally can just copy the notes you added to the CHANGELOG.
-9. Verify that the Release and CDN publish actions have run successfully.
+7. Once all tests are passing, land the release branch into `main`.
+8. Create a GitHub Release from the merged commit using a tag named `vX.Y.Z` that matches the version in package.json. Note: pushing a tag alone will NOT trigger automation; a GitHub Release is required.
+9. Our automation skips pre-releases; only non‑prerelease Releases will publish to npm and the CDN.
 10. Update the [Ably Changelog](https://changelog.ably.com/) (via [headwayapp](https://headwayapp.co/)) with these changes (again, you can just copy the notes you added to the CHANGELOG)
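Review bot: the rewritten step 9 replaces "Verify that the Release and CDN publish actions have run successfully" with the pre-release note, so the verification step disappears from the list. Keep verification as its own step and put the pre-release sentence in step 8 or in a new step, renumbering step 10. The `vX.Y.Z` tag format in step 8 also has to agree with what `scripts/cdn_deploy.js` does with the tag, which another comment in this review says is used verbatim.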
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between f997ae4 and 0b9aceb.

📒 Files selected for processing (3)
  • .github/workflows/publish-cdn.yml (3 hunks)
  • .github/workflows/release.yml (1 hunks)
  • CONTRIBUTING.md (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/release.yml

14-14: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


17-17: the runner of "actions/setup-node@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (7)
  • GitHub Check: test-node (20.x)
  • GitHub Check: test-node (16.x)
  • GitHub Check: test-node (18.x)
  • GitHub Check: test-npm-package
  • GitHub Check: test-browser (webkit)
  • GitHub Check: test-browser (chromium)
  • GitHub Check: test-browser (firefox)
🔇 Additional comments (1)
.github/workflows/release.yml (1)

22-27: Monorepo/workspaces check required before publish

The release job runs a single root "npm publish"; if this repo uses npm workspaces that will not publish workspace packages. Verify root package.json (or pnpm/lerna/.yarn workspace config) for "workspaces" and, if present, switch to a workspace-aware publish (e.g., npm publish -ws --if-present or a per-workspace publish loop).

Location: .github/workflows/release.yml — step "Install dependencies and publish" (run block contains npm publish --provenance --access public).

node-version: 20.x
- run: npm ci
- run: node scripts/cdn_deploy.js --skipCheckout --tag=${{ github.event.inputs.version }}
- run: node scripts/cdn_deploy.js --skipCheckout --tag=${{ github.ref_name }}
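Review bot: `--tag=${{ github.ref_name }}` on the last line is expanded into the script text before the shell sees it, so the tag name is parsed as shell syntax rather than passed as data. Set it under `env:` for the step (for example `TAG: ${{ github.ref_name }}`) and call the script with `--tag="$TAG"`.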

⚠️ Potential issue

🧩 Analysis chain

Confirm expected tag format for cdn_deploy.js.

You’re now passing github.ref_name (e.g., “v1.2.3”). If the script expects “1.2.3” (no “v”), it will mispublish.


🏁 Script executed:

#!/bin/bash
# Check how scripts/cdn_deploy.js parses/uses the tag argument
fd -a 'cdn_deploy.js' | xargs -I{} rg -n -A2 -B2 --pretty --no-heading '\b(tag|version)\b' {}
# Also look for a regex stripping a leading "v"
rg -n --pretty -e '(^|[^a-zA-Z])v?\d+\.\d+\.\d+' -e 'replace\(.*"^v",' -g 'scripts/**'

Length of output: 1260


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo " locate cdn_deploy.js files..."
files=$(fd -a cdn_deploy.js || true)
if [ -z "$files" ]; then
  echo "cdn_deploy.js not found; will search repo for getVersions and tag-normalizing code"
else
  for f in $files; do
    echo "=== FILE: $f ==="
    echo "---- head (first 240 lines) ----"
    nl -ba -w4 -s': ' "$f" | sed -n '1,240p'
    echo
  done
fi

echo
echo "---- grep repository for getVersions definitions ----"
rg -n --hidden -S "function\\s+getVersions\\b|const\\s+getVersions\\b|getVersions\\s*=\\s*\\(" -g '!**/node_modules/**' -n -C5 || true

echo
echo "---- grep for common leading-'v' stripping / checks ----"
rg -n --hidden -S -g '!**/node_modules/**' -n -C5 \
  "\.replace\(\s*/\^v/|\breplace\(\s*['\"]\^v|\.replace\(\s*['\"]v['\"]|startsWith\(\s*['\"]v['\"]|tag\.replace\(|config\.tag\.replace\(" \
  || true

echo
echo "---- grep for usages of config.tag (to see how it's consumed) ----"
rg -n --hidden -S -g '!**/node_modules/**' -n -C5 "config\.tag|\\btag\\b" || true

Length of output: 160


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Searching for scripts/cdn_deploy.js..."
files=$(fd -a cdn_deploy.js || true)
if [ -z "$files" ]; then
  echo "No cdn_deploy.js found."
else
  for f in $files; do
    echo
    echo "=== FILE: $f ==="
    awk '{printf "%04d: %s\n", NR, $0}' "$f" | sed -n '1,400p'
    echo "---- end $f ----"
  done
fi

echo
echo "---- Searching for getVersions definition(s) across repo ----"
rg -n --hidden -S "function\\s+getVersions\\b|const\\s+getVersions\\b|getVersions\\s*=\\s*\\(" -g '!**/node_modules/**' || true

echo
echo "---- If any getVersions definitions found, show their files (first 300 lines) ----"
rg -n --hidden -S "function\\s+getVersions\\b|const\\s+getVersions\\b|getVersions\\s*=\\s*\\(" -g '!**/node_modules/**' | cut -d: -f1 | sort -u | while read -r gf; do
  echo
  echo "=== getVersions file: $gf ==="
  awk '{printf "%04d: %s\n", NR, $0}' "$gf" | sed -n '1,300p'
  echo "---- end $gf ----"
done

echo
echo "---- Search scripts/ for tag-normalizing patterns (replace /^v/, startsWith('v'), slice(1), substring(1)) ----"
rg -n --hidden -S -g 'scripts/**' "replace\\(.*\\^v|replace\\(.*['\"]\\^v|/\\^v/|startsWith\\(\\s*['\"]v['\"]|slice\\(1\\)|substring\\(1\\)" || true

echo
echo "---- Search for usages of config.tag and tag-related git checks ----"
rg -n --hidden -S -g '!**/node_modules/**' "config\\.tag|\\btag --points-at HEAD\\b|checkout tags/|getVersions\\(|\\btag\\b" -n -C3 || true

Length of output: 5580


Confirm expected tag format for cdn_deploy.js.

cdn_deploy.js uses config.tag verbatim — getVersions(fullVersion) does not strip a leading "v" and will produce versions like "v1", "v1.2", "v1.2.3". Passing ${{ github.ref_name }} (e.g. "v1.2.3") will embed the leading "v" in uploaded filenames.
Either pass the tag without the leading "v" from the workflow or normalize/remove a leading "v" in scripts/cdn_deploy.js before calling getVersions.

Locations: scripts/cdn_deploy.js — getVersions (lines 118–121) and invocation at line 58; .github/workflows/publish-cdn.yml — line 28.

🤖 Prompt for AI Agents
.github/workflows/publish-cdn.yml line 28 and scripts/cdn_deploy.js around
invocation at line 58 and getVersions at lines 118–121: the workflow passes
github.ref_name (e.g. "v1.2.3") which leaves a leading "v" in config.tag and
causes getVersions to generate filenames with a leading "v"; fix by normalizing
the tag to strip a leading "v" either in the workflow or in the script —
easiest: update scripts/cdn_deploy.js to sanitize config.tag at start (e.g., if
it starts with "v" remove that character) before calling getVersions so all
generated version strings and filenames never include the leading "v".
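
The normalization this comment asks for, as an added example that is not code from the pull request or from scripts/cdn_deploy.js. The names `normalizeTag`, `versionAliases` and `assertMatchesPackage` are hypothetical, and the strict MAJOR.MINOR.PATCH tag format is an assumption:

```javascript
'use strict';
// Added example: hypothetical helpers, not the project's cdn_deploy.js.

// Optional leading "v", then strict MAJOR.MINOR.PATCH. Pre-release suffixes
// and anything else (slashes, spaces, shell characters) are rejected, so an
// unexpected tag stops the deploy instead of turning into a file name.
const TAG_RE = /^v?(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)$/;

function normalizeTag(tag) {
  if (typeof tag !== 'string') throw new TypeError('tag must be a string');
  const m = TAG_RE.exec(tag);
  if (!m) throw new Error(`unexpected release tag: ${JSON.stringify(tag)}`);
  return `${m[1]}.${m[2]}.${m[3]}`;
}

// Version prefixes for the uploaded files: "1", "1.2", "1.2.3",
// never "v1", "v1.2", "v1.2.3".
function versionAliases(tag) {
  const [major, minor, patch] = normalizeTag(tag).split('.');
  return [major, `${major}.${minor}`, `${major}.${minor}.${patch}`];
}

// Refuse to deploy when the release tag and package.json disagree.
function assertMatchesPackage(tag, pkgVersion) {
  const version = normalizeTag(tag);
  if (version !== pkgVersion) {
    throw new Error(`tag ${tag} resolves to ${version}, package.json has ${pkgVersion}`);
  }
  return version;
}

// Constructed sample tags, as github.ref_name might deliver them.
function demo() {
  return ['v1.2.3', '1.2.3', 'v1.2.3-beta.1', 'release/1.2'].map((tag) => {
    try {
      return `${tag} -> ${versionAliases(tag).join(', ')}`;
    } catch (err) {
      return `${tag} -> rejected`;
    }
  });
}

console.log(demo().join('\n'));
```
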

Comment on lines +14 to +17
- uses: actions/checkout@v3
with:
submodules: true
- uses: actions/setup-node@v3

⚠️ Potential issue

Pin checkout to the release tag.

On release events, explicitly checking out the tag avoids any mismatch with default-branch HEAD.

-      - uses: actions/checkout@v3
-        with:
-          submodules: true
+      - uses: actions/checkout@v4
+        with:
+          submodules: true
+          ref: ${{ github.event.release.tag_name }}
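Review bot: the added `ref: ${{ github.event.release.tag_name }}` differs from the `ref: ${{ github.ref }}` that the agent prompt for this same comment asks for and that the publish-cdn.yml hunk on this page already uses. Use one expression in both workflows so that the npm package and the CDN assets are demonstrably built from the same ref.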
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- uses: actions/checkout@v3
with:
submodules: true
- uses: actions/setup-node@v3
- uses: actions/checkout@v4
with:
submodules: true
ref: ${{ github.event.release.tag_name }}
- uses: actions/setup-node@v3
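Review bot: the last line of the committable block is still `actions/setup-node@v3`, which the actionlint output attached to this comment reports as too old to run. Bump it in the same commit as the checkout line, or the workflow keeps one of the two flagged actions.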
🧰 Tools
🪛 actionlint (1.7.7)

14-14: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


17-17: the runner of "actions/setup-node@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🤖 Prompt for AI Agents
In .github/workflows/release.yml around lines 14 to 17, the checkout step is not
pinned to the release tag which can cause the workflow to use default-branch
HEAD; update the actions/checkout step to explicitly check out the release tag
by adding a ref field set to the workflow ref (for release events use ref: ${{
github.ref }}), keeping submodules: true so the build uses the exact tag being
released.
