Merged
11 changes: 7 additions & 4 deletions .github/workflows/npm-publish.yml
@@ -11,11 +11,14 @@ on:
jobs:
build:
runs-on: ubuntu-latest
# Only run for non-draft versions
# When invoked via `workflow_call`, `github.event_name` reflects the
# ROOT triggering event of the caller (e.g. `pull_request`), NOT
# `workflow_call` — so a `== 'workflow_call'` check never matches.
# Trust the caller's own gating in that case; only re-check
# draft/tag-prefix when fired directly by a `release` event.
if: |
github.event_name == 'workflow_call' ||
(github.event_name == 'release' &&
github.event.release.draft == false &&
github.event_name != 'release' ||
(github.event.release.draft == false &&
startsWith(github.event.release.tag_name, 'v'))
steps:
- name: Checkout
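Review bot: the new guard `github.event_name != 'release' || (...)` admits every non-`release` event, not only the `workflow_call` path the comment describes, so if the `on:` block above this hunk lists any other direct trigger (for example `workflow_dispatch` or `push`), that run would publish without the draft/tag-prefix check. If the intent is to trust only the caller's gating, either state in the comment that `on:` must stay limited to `release` and `workflow_call`, or gate the caller path on an explicit `inputs` value rather than the negated event name. The short header comment (`# Only run for non-draft versions`) is no longer accurate for the caller path and could be folded into the longer explanation beneath it.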
10 changes: 9 additions & 1 deletion .github/workflows/publish-release.yml
@@ -67,10 +67,18 @@ jobs:
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

# Use the app token (not the default GITHUB_TOKEN) so the resulting
# `release: [published]` event can trigger downstream workflows
# (e.g. npm-publish.yml directly). Events fired by GITHUB_TOKEN
# do not trigger other workflows — see
# https://docs.github.com/en/actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow
# The publish chain here already routes around this via workflow_call,
# but using the app token keeps the release path symmetric and lets a
# human re-cut a release without breaking the npm publish.
- name: Create a GitHub Release
uses: actions/create-release@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
🟡 App token on release creation causes duplicate npm publish (one will always fail)

Switching to the app token for actions/create-release (line 81) means the resulting release: [published] event will now trigger other workflows (unlike GITHUB_TOKEN, which suppresses such triggers). Since npm-publish.yml is triggered by both release: [published] (lines 4-5 of that file) and workflow_call (from the publish-package job at .github/workflows/publish-release.yml:90-94), every automated release will now invoke npm publish twice concurrently: once via the release event and once via the workflow_call chain. One invocation will succeed; the other will fail with a 403 (version already exists on npm), producing a noisy, permanently failed workflow run on every release.

The two trigger paths:
  1. publish-release job creates a GitHub Release with the app token → fires release: [published] → triggers npm-publish.yml directly.
  2. publish-package job (needs: publish-release) → calls npm-publish.yml via workflow_call.

Both paths pass the updated if condition in npm-publish.yml and will execute npm publish.

Prompt for agents
The problem is that switching from GITHUB_TOKEN to the app token for the create-release step means the release: [published] event will now propagate and trigger npm-publish.yml directly, in addition to the existing workflow_call invocation from the publish-package job. This causes a duplicate npm publish.

There are several ways to fix this:

1. Keep the app token for create-release (to support manual re-cuts) but remove the publish-package job (lines 88-94 of publish-release.yml) entirely, relying solely on the release event to trigger npm-publish.yml.

2. Keep both paths but add a concurrency group to npm-publish.yml so only one run proceeds (e.g. concurrency: group: npm-publish-${{ github.ref }}, cancel-in-progress: true). However, this is fragile — the cancelled run still shows as failed.

3. Keep the GITHUB_TOKEN for create-release (reverting this change) and keep the workflow_call path as the sole publish mechanism. If manual re-cut support is needed, address it separately.

Option 1 is the cleanest: remove the redundant publish-package workflow_call job and let the release event (now properly propagated via the app token) be the single trigger for npm-publish.yml.

with:
tag_name: v${{ steps.bump-version.outputs.new_version }}
release_name: v${{ steps.bump-version.outputs.new_version }}
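Review bot: `steps.app-token.outputs.token` references a step that is outside this hunk; confirm the `app-token` step exists earlier in the job and that the app's permissions are limited to what release creation needs (`contents: write`), because, as the new comment itself notes, events fired with this token now trigger downstream workflows, so a broader-than-needed token widens what the release pipeline can reach. The comment also says the chain "already routes around this via workflow_call", which after this change means the `release: [published]` event and the `workflow_call` job are both live triggers for the npm publish; the comment should state which one is authoritative. Separately, `actions/create-release@v1` is archived upstream; since the step's credentials are being reworked anyway, `gh release create` with the same token is a maintained replacement.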
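To make the effect of the `if:` guard change in npm-publish.yml concrete, here is an added Python model of the old and new expressions (not code from this repository) evaluated over constructed event contexts; the field names mirror the `github` context, but the contexts themselves are made up for illustration.

```python
"""Model the two `if:` guards from npm-publish.yml as plain predicates.

GitHub Actions evaluates `github.event.release.*` only after the
event-name test in both expressions (short-circuit), so the release
payload is always present when its fields are read; the model relies
on the same ordering.
"""


def old_guard(ctx: dict) -> bool:
    # Pre-change expression. The `== 'workflow_call'` branch can never
    # match: for a reusable workflow, github.event_name carries the
    # caller's ROOT event (push, pull_request, ...), not 'workflow_call'.
    release = ctx.get("release", {})
    return ctx["event_name"] == "workflow_call" or (
        ctx["event_name"] == "release"
        and release.get("draft") is False
        and release.get("tag_name", "").startswith("v")
    )


def new_guard(ctx: dict) -> bool:
    # Post-change expression. Any event other than a direct `release`
    # passes, so the draft / tag-prefix check applies to the release path
    # only; a caller's gating is trusted for everything else.
    release = ctx.get("release", {})
    return ctx["event_name"] != "release" or (
        release.get("draft") is False
        and release.get("tag_name", "").startswith("v")
    )


# Constructed contexts (not real event payloads).
CONTEXTS = {
    "published v-tag release": {
        "event_name": "release",
        "release": {"draft": False, "tag_name": "v1.2.3"},
    },
    "draft release": {
        "event_name": "release",
        "release": {"draft": True, "tag_name": "v1.2.3"},
    },
    "release without v prefix": {
        "event_name": "release",
        "release": {"draft": False, "tag_name": "1.2.3"},
    },
    # Reusable-workflow call whose caller was started by a push.
    "workflow_call from a push-triggered caller": {"event_name": "push"},
    # A direct trigger the comment does not mention; the new guard lets it through.
    "direct workflow_dispatch": {"event_name": "workflow_dispatch"},
}


def evaluate(guard) -> dict:
    """Return {context name: whether the job would run} for one guard."""
    return {name: guard(ctx) for name, ctx in CONTEXTS.items()}
```

Comparing `evaluate(old_guard)` with `evaluate(new_guard)` shows the caller path that the old check silently skipped, and also that the new check admits every non-release trigger, not just `workflow_call`.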