feat(ui-scripts): allow pr-snapshot to publish at an operator-supplied prerelease version#2556
balzss wants to merge 1 commit into
Visual regression report✅ No changes.
…d prerelease version
Adds two optional inputs to the pr-snapshot workflow_dispatch path:
custom_version (e.g. 11.7.3-SECURITY.0) and dist_tag (e.g. security).
When set, they override the auto-computed snapshot version and the
default pr-snapshot dist-tag.
Use case: mirror a previously-published private security release onto
the public registry under a non-latest dist-tag, so open-source
consumers who pinned to a prerelease version from the private registry
can switch their resolution to npmjs without changing package.json.
Workflow plumbing:
- release_to_npm.yml: two new optional inputs forwarded to the
pr-release job
- _pr-release-reusable.yml: accepts the inputs, validates them, and
forwards as --customVersion / --distTag (via env vars to avoid
shell-injection from workflow_dispatch input values)
publish.js:
- new --customVersion / --distTag flags
- publishSnapshotVersion uses customVersion when supplied, else
falls back to calculateNextSnapshotVersion as today
- validateCustomVersionInputs() enforces guards: valid semver,
prerelease only (refuses stable versions so we can never take
over a future stable slot), distTag not 'latest', distTag
required when customVersion is set
Existing pr-snapshot behavior is unchanged when the new inputs are
blank. OIDC auth + --provenance preserved.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
## Summary

Adds two optional inputs — `custom_version` and `dist_tag` — to the existing `pr-snapshot` path of the release workflow. When set, they override the auto-computed snapshot version and the default `pr-snapshot` dist-tag, letting an operator publish an exact prerelease (e.g. `11.7.3-SECURITY.0`) to npmjs under a non-`latest` tag.

- `release_to_npm.yml`: two new optional `workflow_dispatch` inputs, passed through to the pr-release job.
- `_pr-release-reusable.yml`: accepts the inputs, validates them, and forwards as `--customVersion` / `--distTag` to the publish script.
- `publish.js`: new `--customVersion` / `--distTag` flags; the snapshot publish path uses the supplied values when present; a single `validateCustomVersionInputs()` helper enforces the guards.

No new workflow file, no new release_type choice, no new function in `publish.js`. The existing pr-snapshot behavior is unchanged when the new inputs are blank.

## Why
The companion piece to coordinated-disclosure: a security fix is first published to a private registry under a prerelease version like `11.7.3-SECURITY.0` (see #2555 draft, and the bump-script work in #2554). After embargo, the fix lands publicly as a regular patch (e.g. `11.7.4`). Some consumers — OSS projects that don't use our private registry — should still be able to install the exact prerelease they originally pinned to.

This change lets us mirror that exact version onto npmjs under the `security` dist-tag without touching `latest`. Same source, same version string, different registry — affected consumers can switch their resolution from the private registry to npmjs without modifying `package.json`.

## Why the pr-snapshot path (and not a new workflow)
Initially I implemented this as a separate `tagged-release` choice with its own reusable workflow. On a second look, the pr-snapshot path already does ~90% of what's needed: bumps to a non-stable version, publishes under a non-`latest` tag, no git tag pushed for non-`chore(release)` commits. Bolting onto pr-snapshot as optional overrides means ~50 fewer lines and one fewer workflow file, with no meaningful UX loss — the operator picks `pr-snapshot` and fills in the two inputs.

## Safety rails
- `dist_tag` cannot be `latest` (`validateCustomVersionInputs`)
- `custom_version` must be valid semver (`validateCustomVersionInputs`)
- `custom_version` must be a prerelease (refuses `11.7.4` etc. so we can never accidentally take over a stable version slot) (`validateCustomVersionInputs`)
- `dist_tag` required when `custom_version` is set (prevents publishing a custom version under the default `pr-snapshot` tag by mistake) (`validateCustomVersionInputs`)
- `env:` not `${{ }}` interpolation in `run:` (prevents command injection from workflow_dispatch input values) (`_pr-release-reusable.yml`)
- `--provenance` preserved

## Coordination
`x.y.z-SECURITY.N` versions which are then published privately first, then re-typed into this workflow's input for the public mirror.

## Test Plan
- `pnpm exec ui-scripts publish --help` shows the new flags.
- `--customVersion=notasemver` → rejected (invalid semver).
- `--customVersion=11.7.4` (stable) → rejected (must be prerelease).
- `--customVersion=11.7.3-SECURITY.0 --distTag=latest` → rejected.
- `--customVersion=11.7.3-SECURITY.0` (no `--distTag`) → rejected.
- `--distTag=latest` alone → rejected.
- `latest` resolution on npmjs is unaffected after a tagged publish runs.

## Status
Draft. Two commits on the branch (initial separate-workflow implementation + the refactor that collapses it onto pr-snapshot); since this repo squash-merges, only the final state matters at merge time. Keep draft until end-to-end smoke test and #2554 landing.
🤖 Generated with Claude Code
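The guards listed under "Safety rails" and exercised in the Test Plan, written out as a stand-alone model (added example, not the PR's `publish.js`): `parseFlags`, `resolveSnapshotPublish`, the `pr-snapshot` default tag name and the handling of a lone non-`latest` `distTag` are assumptions, while `validateCustomVersionInputs` and `calculateNextSnapshotVersion` are the names the PR uses.

```javascript
// Added example, not the PR's publish.js: models the validateCustomVersionInputs()
// guards the PR describes and how the snapshot publish path picks version + dist-tag.
// parseFlags, resolveSnapshotPublish and the 'pr-snapshot' default are assumed names.

// semver.org reference grammar; group 4 is the prerelease part, group 5 build metadata.
const SEMVER_RE =
  /^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$/;

const fail = (reason) => ({ ok: false, reason });

// Parse only the two flags the PR adds (--customVersion=X, --distTag=Y); others are ignored.
function parseFlags(argv) {
  const out = { customVersion: '', distTag: '' };
  for (const arg of argv) {
    const m = /^--(customVersion|distTag)=(.*)$/.exec(arg);
    if (m) out[m[1]] = m[2];
  }
  return out;
}

// Safety rails: distTag never 'latest'; customVersion must be valid semver AND a
// prerelease (a stable version can never claim a future stable slot); distTag is
// mandatory once customVersion is set, so nothing lands under the default tag by mistake.
function validateCustomVersionInputs({ customVersion = '', distTag = '' } = {}) {
  const version = customVersion.trim();
  const tag = distTag.trim();
  if (tag === 'latest') return fail("distTag must not be 'latest'");
  // Assumption: a non-latest distTag on its own merely re-tags the computed snapshot.
  if (!version) return { ok: true, version: null, distTag: tag || null };
  const m = SEMVER_RE.exec(version);
  if (!m) return fail(`customVersion '${version}' is not valid semver`);
  if (!m[4]) return fail(`customVersion '${version}' is stable; only prereleases are allowed`);
  if (!tag) return fail('distTag is required when customVersion is set');
  return { ok: true, version, distTag: tag };
}

// Snapshot publish decision: supplied values win, otherwise the computed snapshot
// version under the default tag (the PR keeps that path unchanged when inputs are blank).
function resolveSnapshotPublish(argv, calculateNextSnapshotVersion) {
  const result = validateCustomVersionInputs(parseFlags(argv));
  if (!result.ok) throw new Error(result.reason);
  return {
    version: result.version ?? calculateNextSnapshotVersion(),
    distTag: result.distTag ?? 'pr-snapshot',
  };
}
```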