
Update publish workflow #107

Merged: notaphplover merged 1 commit into master from chore/update-publish-workflow on Mar 15, 2026

Conversation

notaphplover (Member) commented Mar 15, 2026

Added

  • Added bump versions workflow

Changed

  • Updated publish workflow to only publish packages.

Summary by CodeRabbit

  • Chores
    • Added automated package version bumping workflow
    • Updated npm package publishing workflow configuration

@notaphplover notaphplover self-assigned this Mar 15, 2026
changeset-bot commented Mar 15, 2026

⚠️ No Changeset found

Latest commit: fa0da11

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


coderabbitai bot commented Mar 15, 2026

Walkthrough

Introduces a new GitHub Actions workflow to automate package version bumping and changelog updates via changesets, creating a PR on success. Simultaneously restructures the existing publish workflow to enforce environment-based access controls and use GitHub App token authentication instead of input-based tokens.

Changes

Cohort / File(s) | Summary

New Version Bump Workflow (.github/workflows/create-bump-pr.yaml)
  Automates the pnpm changeset version process with conditional logic to detect changes, commit as "chore: bump package versions", and create a PR against master if modifications exist.

Publish Workflow Restructuring (.github/workflows/publish.yaml)
  Replaces token inputs with environment-based access control; adds actor validation; switches to changesets/action@v1.7.0; updates authentication to use GitHub Token and NPM Token secrets; removes prior GitHub App token and conditional release PR creation logic.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • Fix publish action #11 — Modifies the same publish workflow file, indicating coordinated changes to the release pipeline authentication and environment handling.

Poem

🐰 Hop! Hop! A workflow anew,
Bumping versions, changesets too,
With GitHub tokens held so tight,
Our releases run just right! 🎉

Pre-merge checks | ✅ 2 | ❌ 1

Failed checks (1 inconclusive)

  • Title check: ❓ Inconclusive. The title 'Update publish workflow' is vague and generic, describing the action taken rather than the substantive change; it fails to convey the specific workflow improvements or the addition of the bump versions workflow mentioned in the PR objectives. Resolution: revise the title to be more specific, such as 'Add bump versions workflow and refactor publish workflow' or 'Separate version bumping from publishing workflow', to clearly communicate the main changes.

Passed checks (2 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



coderabbitai bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
.github/workflows/create-bump-pr.yaml (1)

51-53: Prefer --force-with-lease on the shared release branch.

This branch name is stable across runs. --force will blindly overwrite a newer tip, while --force-with-lease keeps the refresh behavior but fails safely if something else updated the branch first.

Safer push variant
-        run: git push origin changeset-release/master --force
+        run: git push origin changeset-release/master --force-with-lease
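Review bot: a bare --force-with-lease leases against the local remote-tracking ref, so the protection only holds if origin/changeset-release/master was fetched at checkout (actions/checkout with fetch-depth: 0 fetches all branches) and no `git fetch` runs between checkout and this push, since a fetch refreshes the lease silently. If that ordering cannot be guaranteed, record the remote tip right after checkout and pin it explicitly with `--force-with-lease=changeset-release/master:<sha recorded after checkout>`.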
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/create-bump-pr.yaml around lines 51 - 53, In the "Push
branch" step that runs the git push command (the run line invoking "git push
origin changeset-release/master --force"), replace the bare --force with
--force-with-lease so the push becomes safe against concurrent updates to the
shared release branch; update that run command to use --force-with-lease instead
of --force.


📥 Commits

Reviewing files that changed from the base of the PR and between 20062fd and fa0da11.

📒 Files selected for processing (2)
  • .github/workflows/create-bump-pr.yaml
  • .github/workflows/publish.yaml

Comment on lines +5 to +6 of .github/workflows/create-bump-pr.yaml:

on:
  workflow_dispatch:

coderabbitai bot: ⚠️ Potential issue | 🟠 Major

Run this workflow against master only.

workflow_dispatch uses the selected ref, but this job always opens changeset-release/master against master. If someone dispatches it from a feature branch, the generated release branch will contain that branch’s commits and propose them for merge into master.

Suggested hardening
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
+          ref: master
           fetch-depth: 0
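Review bot: pinning `ref: master` in the checkout silently ignores the ref the user selected instead of refusing the run, and it does not change `github.ref` or `github.sha`, which later steps may still read. Prefer the job-level guard this comment's prompt text also describes, `if: github.ref == 'refs/heads/master'`, so a dispatch from another branch fails visibly, and keep `ref: master` only as a second layer.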

Also applies to: 18-21, 61-63

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/create-bump-pr.yaml around lines 5 - 6, The workflow
currently uses on: workflow_dispatch which will run against whatever ref the
user selects, so add a guard so the job only runs when the selected ref is
master: update the job(s) that create the release branch (e.g., the
create-bump-pr job) to include an if condition like if: github.ref ==
'refs/heads/master' (or add an equivalent condition at the top of each job that
opens changeset-release/master) so the workflow will refuse to run when
dispatched from a non-master ref; apply the same if-guard to the other job
blocks referenced around lines 18-21 and 61-63.

Comment on lines +25 to +33 of .github/workflows/publish.yaml:

- name: Validate environment matches actor
  run: |
    echo "Actor: ${{ github.actor }}"
    echo "Environment: ${{ inputs.environment }}"

    if [ "${{ inputs.environment }}" != "${{ github.actor }}" ]; then
      echo "::error::Environment must match your username"
      exit 1
    fi

coderabbitai bot: ⚠️ Potential issue | 🔴 Critical

Block publishes from non-master refs.

This validation only checks the actor. workflow_dispatch still checks out the selected ref, so starting the workflow from any other branch will publish that branch’s packages to npm.

Suggested guard
       - name: Validate environment matches actor
         run: |
           echo "Actor: ${{ github.actor }}"
           echo "Environment: ${{ inputs.environment }}"

           if [ "${{ inputs.environment }}" != "${{ github.actor }}" ]; then
             echo "::error::Environment must match your username"
             exit 1
           fi
+
+          if [ "${{ github.ref_name }}" != "master" ]; then
+            echo "::error::This workflow must be run from master"
+            exit 1
+          fi
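Review bot: the added ref_name check is the right gate, but both comparisons still expand `${{ inputs.environment }}` and `${{ github.actor }}` directly into the shell script, so the input text becomes shell source before the test runs. Pass them through an `env:` block on the step (e.g. `ENVIRONMENT: ${{ inputs.environment }}`) and compare `"$ENVIRONMENT"` instead, which keeps the guard a plain string comparison.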

Also applies to: 34-37, 41-47

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/publish.yaml around lines 25 - 33, The current "Validate
environment matches actor" step only verifies inputs.environment vs github.actor
but doesn't prevent publishing from non-master refs; update that step to also
validate the checked-out ref by comparing github.ref (or inputs.ref if you use
the dispatched ref input) to the canonical master branch ref (e.g.
"refs/heads/master") and fail with an error if it does not match. In practice
modify the shell block to test both "${{ inputs.environment }}" == "${{
github.actor }}" and "${{ github.ref }}" == "refs/heads/master" (or the
equivalent dispatched-ref input), emitting a clear ::error:: and exit 1 when
either check fails so only master can publish.
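The actor-plus-ref guard discussed in the two comments above, as an added example that is not code from this PR: it reads the values as plain environment variables instead of expanding `${{ }}` expressions inside the `run:` script, accepts either `github.ref` or `github.ref_name` form, and rejects an empty environment name. The step layout in the comment and the names `validate_dispatch`, `ACTOR`, `ENVIRONMENT` and `REF` are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not the project's workflow code. In the publish step the
# values would be mapped with an env: block (assumed layout):
#   env:
#     ACTOR: ${{ github.actor }}
#     ENVIRONMENT: ${{ inputs.environment }}
#     REF: ${{ github.ref }}
# and the script would then call: validate_dispatch "$ACTOR" "$ENVIRONMENT" "$REF"

# validate_dispatch ACTOR ENVIRONMENT REF
# Prints one ::error:: annotation per failed check and returns 0 only when
# every check passes. REF may be "refs/heads/<branch>" (github.ref) or a bare
# branch name (github.ref_name); a tag ref such as refs/tags/master is rejected.
validate_dispatch() {
  vd_actor=$1
  vd_env=$2
  vd_ref=${3#refs/heads/}
  vd_status=0

  # An empty environment name would compare equal to an empty actor, so it is
  # rejected outright instead of relying on the equality test alone.
  if [ -z "$vd_env" ]; then
    echo "::error::Environment input must not be empty"
    vd_status=1
  elif [ "$vd_env" != "$vd_actor" ]; then
    echo "::error::Environment must match your username"
    vd_status=1
  fi

  if [ "$vd_ref" != "master" ]; then
    echo "::error::This workflow must be run from master"
    vd_status=1
  fi
  return "$vd_status"
}

# Stand-alone use (constructed values):
#   RUN_VALIDATE_DISPATCH=1 ACTOR=alice ENVIRONMENT=alice REF=refs/heads/master sh guard.sh
if [ "${RUN_VALIDATE_DISPATCH:-0}" = "1" ]; then
  validate_dispatch "${ACTOR:-}" "${ENVIRONMENT:-}" "${REF:-}"
fi
```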

@notaphplover notaphplover merged commit 14adb20 into master Mar 15, 2026
4 checks passed
@notaphplover notaphplover deleted the chore/update-publish-workflow branch March 15, 2026 21:35