ci(repo): validate package names in dispatched release
nikosdouvlis committed Apr 14, 2026
commit 46e097c3ceeb9ffbf541bf4f9625ffc7c4ea7307
7 changes: 6 additions & 1 deletion .github/workflows/release.yml
@@ -560,13 +560,18 @@
exit 1
fi

- name: Reject "latest" dist_tag
- name: Validate packages
env:
PACKAGES: ${{ inputs.packages }}
run: |
echo "$PACKAGES" | jq -e 'all(.[]; .dist_tag != "latest")' > /dev/null || {
echo "::error::'latest' dist_tag is not allowed on this path"; exit 1;
}
invalid=$(echo "$PACKAGES" | jq -r '.[] | select(.name | test("^@clerk/[a-z0-9][a-z0-9-]*$") | not) | .name')
if [ -n "$invalid" ]; then
echo "::error::Invalid package name(s). Expected @clerk/<kebab-case>. Got: $invalid"
exit 1
fi

- name: Checkout source_ref
uses: actions/checkout@v4
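Review bot: the new name check protects the `dir="packages/$short"` path that the publish step derives from `.name`, but `.version` and `.dist_tag` in the same `$PACKAGES` array stay shape-unchecked: `dist_tag` is rejected only when it equals "latest", so an empty value or one beginning with "-" still reaches `npm publish "$tarball" --tag "$tag"` later in the workflow. Consider reusing the `select(... | test(...) | not)` pattern for both fields (a semver pattern for `.version`, something like `^[a-z0-9][a-z0-9.-]*$` for `.dist_tag`). Two smaller points: `[a-z0-9][a-z0-9-]*` accepts a trailing hyphen and doubled hyphens (`@clerk/foo--`), which is not the kebab-case the error message promises; and because jq's `test` errors on a non-string `.name`, a malformed entry makes the `invalid=$(...)` assignment fail and aborts the step under the default `bash -e` shell, which is the right fail-closed behaviour but deserves a comment so it is not "fixed" with a `// ""` default later.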
@@ -592,76 +597,76 @@
echo "manager=npm" >> "$GITHUB_OUTPUT"
fi

- name: Install dependencies
run: |
if [ "${{ steps.pm.outputs.manager }}" = "pnpm" ]; then
pnpm install --frozen-lockfile
else
npm ci
fi

- name: Build

Check failure (Code scanning / CodeQL): Untrusted Checkout TOCTOU, Critical. Insufficient protection against execution of untrusted code on a privileged workflow (issue_comment). Flagged on lines +606 to +626; marked fixed by github-advanced-security[bot].
run: |
if [ "${{ steps.pm.outputs.manager }}" = "pnpm" ]; then
pnpm build
else
npm run build
fi

- name: Upgrade npm for trusted publishing

Check failure (Code scanning / CodeQL): Untrusted Checkout TOCTOU, Critical. Insufficient protection against execution of untrusted code on a privileged workflow (issue_comment). Flagged on lines +626 to +634.
run: npx npm@11 install -g npm@11

- name: Publish or dry-run
env:
NPM_CONFIG_PROVENANCE: true
PACKAGES: ${{ inputs.packages }}
DRY_RUN: ${{ inputs.dry_run }}
PACK: ${{ steps.pm.outputs.manager }}
run: |
echo "$PACKAGES" | jq -r '.[] | [.name, .version, .dist_tag] | @tsv' | while IFS=$'\t' read -r name version tag; do
short="${name#@clerk/}"
dir="packages/$short"

if [ ! -d "$dir" ]; then
echo "::error::Package directory not found: $dir"
exit 1
fi

pkg_version=$(jq -r .version "$dir/package.json")
if [ "$pkg_version" != "$version" ]; then
echo "::error::$dir/package.json has version $pkg_version, expected $version"
exit 1
fi

echo "::group::Pack $name@$version"
if [ "$PACK" = "pnpm" ]; then
out=$(cd "$dir" && pnpm pack --json 2>/dev/null || true)
if [ -n "$out" ] && echo "$out" | jq -e . >/dev/null 2>&1; then
tarball=$(echo "$out" | jq -r '.filename')
else
# pnpm pack without --json prints the tarball path on stdout
tarball=$(cd "$dir" && pnpm pack 2>&1 | tail -n1 | xargs -I{} basename "{}")
fi
else
tarball=$(cd "$dir" && npm pack --json | jq -r '.[0].filename')
fi
if [ -z "$tarball" ] || [ ! -f "$dir/$tarball" ]; then
echo "::error::Failed to resolve tarball filename in $dir"
exit 1
fi
echo "packed: $dir/$tarball"
echo "::endgroup::"

if [ "$DRY_RUN" = "true" ]; then
echo "::notice::DRY RUN: would publish $name@$version --tag $tag"
else
echo "::group::Publish $name@$version --tag $tag"
(cd "$dir" && npm publish "$tarball" --tag "$tag" --provenance)
echo "::endgroup::"
fi
done

- name: Summary

Check failure (Code scanning / CodeQL): Untrusted Checkout TOCTOU, Critical. Insufficient protection against execution of untrusted code on a privileged workflow (issue_comment). Flagged on lines +637 to +694.
if: always()
env:
SOURCE_REF: ${{ inputs.source_ref }}
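Review bot: the directory and version checks (`if [ ! -d "$dir" ]` and `if [ "$pkg_version" != "$version" ]`) sit inside the same `while ... done` loop as `npm publish`, so a failure on the Nth entry aborts the step only after entries 1..N-1 have already been published, leaving a half-published release; run one validation pass over every entry (directory exists, `package.json` version matches, tarball packs and exists) before the first publish, and only then loop again to publish. Two further points in this region: `npx npm@11 install -g npm@11` pulls whatever the newest 11.x is at run time into the job that holds the trusted-publishing credentials, so pin an exact version rather than a major; and the CodeQL "Untrusted Checkout TOCTOU" findings attach here because `pnpm install --frozen-lockfile` / `npm ci` and `pnpm build` / `npm run build` execute install lifecycle and build scripts from whatever `inputs.source_ref` resolved to at `actions/checkout@v4`, and nothing in this hunk constrains that ref, so the mitigation needs to live in (and be documented next to) the step that validates `source_ref` before checkout.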