ci(release): add automated release workflow with nx release #924
shaharkazaz wants to merge 4 commits into
Conversation
- workflow_dispatch trigger with optional bump override and dry-run
- OIDC trusted publishing + npm provenance (id-token: write)
- Test gate (lint/test/build) before version/publish
- Concurrency lock + branch guard to master
- Workspace changelog wired to root CHANGELOG.md with one GH release per version
Supersedes the manual local-dev/publish-all-libs.sh flow.
📝 Walkthrough
Adds a Release GitHub Actions workflow (manual dispatch) that computes an Nx version, optionally publishes packages, pushes commit/tags, and creates changelogs/releases; adds an actionlint workflow for workflow files; updates nx.json to point workspace changelog to CHANGELOG.md.
Changes
- Release Automation Workflow
- Actionlint Workflow
Fun fact: "Transloco" helps apps show text across languages — in Spanish, "traducción" means "translation", a core i18n concept Transloco supports.
@jsverse/transloco
@jsverse/transloco-locale
@jsverse/transloco-messageformat
@jsverse/transloco-optimize
@jsverse/transloco-persist-lang
@jsverse/transloco-persist-translations
@jsverse/transloco-preload-langs
@jsverse/transloco-schematics
@jsverse/transloco-scoped-libs
@jsverse/transloco-utils
@jsverse/transloco-validator
Actionable comments posted: 3
🧹 Nitpick comments (1)
.github/workflows/release.yml (1)
38-38: ⚖️ Poor tradeoff: Consider pinning action to commit SHA for supply-chain security.
Using tag references (e.g., `@v4`) rather than commit SHAs makes the workflow vulnerable to tag manipulation attacks. For a security-sensitive release workflow, pinning to immutable commit SHAs is recommended.
🔐 Optional SHA pinning
- - name: Checkout - uses: actions/checkout@v4 + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
Apply the same pattern to line 45 (setup-node). You can use tools like `pin-github-action` or Dependabot to maintain pinned SHAs.
Fun fact: The word "security" comes from Latin securus (se- "without" + cura "care"). In Japanese, it's セキュリティ (sekyuriti), a direct loanword! 🔐
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/release.yml:
- Around line 37-42: Update the checkout action (uses: actions/checkout@v4) to
add persist-credentials: false so the GITHUB_TOKEN is not persisted to the
workspace; then adjust the later push step that performs git push to use an
explicit token (e.g., a PAT from secrets) or perform a separate checkout
configured with credentials so pushes still work without relying on the
persisted GITHUB_TOKEN.
- Around line 78-80: The GitHub Actions step "Read version" (id: version) uses a
run line with improperly escaped double quotes causing shell parsing errors;
replace the current node -p invocation so the JS string is quoted safely (e.g.,
use single quotes around the node expression or wrap the whole run value as a
YAML block) to avoid backslashes—update the run for the "Read version" step to
call node -p with proper single-quoting of
"require('./libs/transloco/package.json').version" or convert the run to a
multiline/| block so no shell-escaping is necessary.
- Around line 11-12: Replace the invalid empty choice option by changing the
input from a choice to a string: remove the "options:" block that contains "-
''" and switch the input declaration to "type: string" (locate the "options"
entry in the workflow diff), then update the Version step's validation logic
(the step named "Version") to explicitly validate allowed values (e.g., via a
conditional or regex check) so only valid release values are accepted.
---
Nitpick comments:
In @.github/workflows/release.yml:
- Line 38: Replace mutable tag refs with immutable commit SHAs: update the uses:
entry "actions/checkout@v4" to the corresponding commit SHA (e.g.,
actions/checkout@<commit-sha>) and do the same for the "actions/setup-node@vX"
reference on the other line; locate these by the literal strings
"actions/checkout@v4" and "actions/setup-node" in the workflow, fetch the
correct pinned commit SHAs from the actions' GitHub repos (or use a tool like
pin-github-action/Dependabot), and update the workflow to use the full commit
SHAs to prevent tag manipulation.
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 | ||
| fetch-tags: true | ||
| token: ${{ secrets.GITHUB_TOKEN }} |
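Review bot: with `persist-credentials` left at its default of true, the `GITHUB_TOKEN` handed in via `token:` is written into the checkout's `.git/config`, where every later step of this job (install scripts, `nx release`, anything that archives the workspace) can read it, and since the job holds `contents: write` that is a write credential for `master` sitting in the working tree. `token: ${{ secrets.GITHUB_TOKEN }}` is also what the action uses when no token is given, so the line changes nothing; either drop it, or set `persist-credentials: false` here and supply the token only to the step that runs `git push`. Note as well that a push made with `GITHUB_TOKEN` does not start other workflow runs, so no push- or tag-triggered CI will follow the release push.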
Add persist-credentials: false to prevent credential leakage.
The checkout step should disable credential persistence to avoid the GITHUB_TOKEN being exposed through build artifacts or logs.
🔒 Proposed security fix
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
fetch-tags: true
+ persist-credentials: false
token: ${{ secrets.GITHUB_TOKEN }}
Note: You'll need to add an additional checkout or use a different token for the push step (line 92), since persist-credentials: false means git push won't work with the default token. Consider using a Personal Access Token (PAT) stored in secrets for the push operation.
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 37-42: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 38-38: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
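The two zizmor findings above, `unpinned-uses` and `artipacked`, re-implemented as a small POSIX shell audit so it is clear what each check actually looks for. This is an added example, not code from the PR or from zizmor; both workflow snippets are constructed for it, and the 40-hex SHA in the hardened one is a placeholder, not a real pin of either action.

```sh
#!/bin/sh
# Added example (not from the PR or zizmor): minimal versions of zizmor's
# "unpinned-uses" and "artipacked" checks over two constructed workflow snippets.

# Constructed weak snippet: floating @v4 tag, checkout keeps the token in .git/config.
WEAK_WORKFLOW='name: Release
on:
  workflow_dispatch:
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
      - uses: actions/setup-node@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa # placeholder SHA
      - name: Lint
        run: npm run ci:lint
'

# Constructed hardened snippet: SHA-pinned (placeholder SHA) and persist-credentials: false.
HARDENED_WORKFLOW='jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa # placeholder SHA
        with:
          fetch-depth: 0
          persist-credentials: false
      - name: Lint
        run: npm run ci:lint
'

# unpinned-uses: print "<line>:<ref>" for every `uses:` whose ref after '@'
# is not a full 40-character hex commit SHA (tags and branches are mutable).
unpinned_uses() {
  printf '%s\n' "$1" | awk '
    /^[ \t]*(-[ \t]+)?uses:[ \t]*/ {
      ref = $0
      sub(/^[ \t]*(-[ \t]+)?uses:[ \t]*/, "", ref)
      sub(/[ \t]+#.*$/, "", ref)          # drop a trailing "# vX.Y.Z" comment
      n = split(ref, parts, "@")
      sha = parts[n]
      if (n < 2 || length(sha) != 40 || sha !~ /^[0-9a-f]+$/) print NR ":" ref
    }'
}

# artipacked: print the line number of every actions/checkout step that does not
# set persist-credentials: false inside its own with: block. A step ends at the
# next non-blank line indented no deeper than the "- " marker that opened it.
checkout_without_persist_false() {
  printf '%s\n' "$1" | awk '
    function indent(s) { match(s, /^[ \t]*/); return RLENGTH }
    in_step && $0 ~ /[^ \t]/ && indent($0) <= step_indent {
      if (!safe) print step_line
      in_step = 0
    }
    in_step && /persist-credentials:[ \t]*false/ { safe = 1 }
    /uses:[ \t]*actions\/checkout@/ {
      in_step = 1; safe = 0; step_line = NR
      # "- uses:" opens the step itself; a bare "uses:" sits two columns inside it
      step_indent = ($0 ~ /^[ \t]*-[ \t]/) ? indent($0) : indent($0) - 2
    }
    END { if (in_step && !safe) print step_line }'
}

# Run both checks and print labelled findings; no output means the snippet is clean.
audit_workflow() {
  unpinned_uses "$1" | sed 's/^/unpinned-uses: line /'
  checkout_without_persist_false "$1" | sed 's/^/artipacked: checkout at line /'
}

echo "== weak snippet =="
audit_workflow "$WEAK_WORKFLOW"
echo "== hardened snippet =="
audit_workflow "$HARDENED_WORKFLOW"
```

The weak snippet reports line 9 under both checks; the hardened one reports nothing.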
2 issues found across 2 files
| type: choice | ||
| default: '' | ||
| options: | ||
| - '' |
P1: GitHub Actions type: choice inputs do not permit empty strings in the options list. This causes actionlint to fail with string should not be empty [syntax-check]. Switch to type: string with a default: '' instead, and validate the input value in the Version step to ensure only patch|minor|major|prerelease are accepted.
<file context>
@@ -0,0 +1,111 @@
+ type: choice
+ default: ''
+ options:
+ - ''
+ - patch
+ - minor
</file context>
- Replace empty-string choice option with explicit 'auto' sentinel
(empty option values are invalid in workflow_dispatch choice inputs)
- Replace fragile `\"`-escaped command substitution with a two-line
shell block that's unambiguous to shellcheck
- Move all `${{ ... }}` interpolations into env: blocks before they hit
shell, preventing GH Actions expression injection patterns
Lints workflow YAML on PR/push when files under .github/workflows or .github/actions change. Mirrors the cx-web-workspace pattern: pinned actionlint v1.7.12, cached at ~/bin/actionlint, installed if cache miss.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/actionlint.yml:
- Line 23: Update the actions/checkout@v4 step to disable credential persistence
by adding a with: block that sets persist-credentials: false; locate the
checkout usage (the line containing "uses: actions/checkout@v4") and add the
with: mapping under that step so the workflow only checks out repo contents
without persisting credentials.
- Line 23: Replace the floating action refs by pinning actions/checkout@v4 and
actions/cache@v4 to their immutable commit SHAs (e.g.,
actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac and the full commit
SHA for the v4 of actions/cache) and add the persist-credentials: false option
to the checkout step (ensure the checkout step containing actions/checkout is
updated to include the persist-credentials: false key).
In @.github/workflows/release.yml:
- Around line 81-85: In the "Read version" step, avoid reading the on-disk
package.json when this run is a dry-run: detect the dry-run flag (e.g., check
the workflow input or env like github.event.inputs.dry-run or a DRY_RUN variable
set earlier) and if it's a dry-run, set VERSION to a clear placeholder (for
example "preview" or "dry-run") and echo that to GITHUB_OUTPUT; otherwise
preserve the existing node -p require(...) behavior. Ensure you still write
"value=$VERSION" to GITHUB_OUTPUT in both branches so downstream steps consume
the placeholder during previews.
| runs-on: ubuntu-latest | ||
| timeout-minutes: 5 | ||
| steps: | ||
| - uses: actions/checkout@v4 |
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
ls -la .github/workflows || true
echo "----"
sed -n '1,120p' .github/workflows/actionlint.yml
echo "----"
nl -ba .github/workflows/actionlint.yml | sed -n '15,40p'
Repository: jsverse/transloco
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "Line-numbered snippet around checkout:"
awk 'NR>=15 && NR<=35 {printf "%d:%s\n", NR, $0}' .github/workflows/actionlint.yml
echo "----"
echo "Other checkout@v4 occurrences:"
rg -n "uses:\s*actions/checkout@v4" .github/workflows -S
Repository: jsverse/transloco
Disable credential persistence for checkout in the read-only actionlint job.
Set persist-credentials: false on actions/checkout@v4 since this workflow only needs repository contents (no credentialed git writes); in .github/workflows/actionlint.yml line 23, add a with: block under the checkout step.
Fun i18n fact for Transloco: it can surface localized strings like Arabic “hello” — مرحبا (marhaban).
🛡️ Suggested hardening diff
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 23-23: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 23-23: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
FILE=".github/workflows/actionlint.yml"
echo "== File: $FILE =="
nl -ba "$FILE" | sed -n '1,120p'
Repository: jsverse/transloco
🏁 Script executed:
#!/bin/bash
set -euo pipefail
FILE=".github/workflows/actionlint.yml"
echo "== File: $FILE =="
cat -n "$FILE" | sed -n '1,140p'
Repository: jsverse/transloco
🌐 Web query:
actions/checkout persist-credentials default value
💡 Result:
The default value of actions/checkout input persist-credentials is true (credentials are persisted unless you set persist-credentials: false). This is because the action documents “persist-credentials: ''” with “Default: true”, and it also states that setting persist-credentials: false opts out of persisting the auth token in the local git config [1][2].
🌐 Web query:
actions/checkout v4 tag commit sha
💡 Result:
For the GitHub Action “actions/checkout” version tag v4, you can pin the action to a specific commit SHA by using the commit that the v4 tag resolves to. The v4 tag in the actions/checkout repo corresponds to the commit used for the v4.0.0 release (“Release 4.0.0”), which is linked from the compare/release history as commit 3df4ab1; the PR that performed the release shows the full commit URL ending in 3df4ab11eba7bda6032a0b82a6bb43b11571feac, i.e. 3df4ab11eba7bda6032a0b82a6bb43b11571feac [1][2]. Key related details about refs/SHA in actions/checkout: - The action takes an input “ref” described as “The branch, tag or SHA to checkout” [3]. - By default, it fetches only a single commit: “Only a single commit is fetched by default, for the ref/SHA that triggered the workflow” [3]. So, if your goal is “actions/checkout v4 tag commit sha”, the concrete commit SHA you can pin to (immutable) is: 3df4ab11eba7bda6032a0b82a6bb43b11571feac [2]. Note: a tag like v4 is a moving pointer; pinning to the full commit SHA is the immutable/supply-chain-safer approach [4].
Citations:
- 1: actions/checkout@v3...v4.0.0
- 2: Release 4.0.0 actions/checkout#1447
- 3: https://github.com/actions/checkout/tree/v4
- 4: https://stackoverflow.com/questions/78903499/how-do-i-pin-an-action-to-a-specific-sha
🌐 Web query:
actions/cache v4 tag commit sha
💡 Result:
Answer: For GitHub Actions cache keys, you typically use the commit SHA of the workflow run (not the action tag) via the built-in context variable GITHUB_SHA (full) or git rev-parse --short "$GITHUB_SHA". The actions/cache action itself is referenced by a tag like actions/cache@v4, but if you want the action to be immutable you should pin it by commit SHA (e.g., actions/cache@) rather than trusting the moving tag.[1][2] How to use the commit SHA in actions/cache v4: - Use the workflow commit SHA context: key: ${{ runner.os }}-mycache-${{ GITHUB_SHA }} (or use a shortened SHA).[1] - Example (cache some build artifacts): uses: actions/cache@v4 with: path:.next/cache key: nextjs-${{ runner.os }}-${{ GITHUB_SHA }} If you instead meant “what commit SHA does the actions/cache v4 tag point to?”: the v4 tag is a Git reference in the actions/cache repository; to get the exact commit SHA it currently resolves to, you must check the repository’s tag/refs in GitHub (for example by inspecting the tree or refs for v4).[3] Notes: - The official GitHub Docs for dependency caching explain how caches are searched based on key and restore-keys, and that searches happen on the branch containing the workflow run and fall back to the default branch if needed.[4] - actions/cache v4 is recommended; GitHub notes deprecations of some older versions and recommends upgrading to v4 (and if pinning, use the SHAs for specific releases such as v4.2.0).[5][3]
Citations:
- 1: https://stackoverflow.com/questions/58886293/getting-current-branch-and-commit-hash-in-github-action
- 2: https://blog.rafaelgss.dev/why-you-should-pin-actions-by-commit-hash
- 3: https://github.com/actions/cache/tree/v4
- 4: https://docs.github.com/en/actions/reference/workflows-and-actions/dependency-caching
- 5: https://github.com/actions/cache/blob/main/RELEASES.md
🌐 Web query:
actions/cache v4 tag commit sha v4.0.0
💡 Result:
For the GitHub Action actions/cache version v4.0.0, the release tag v4.0.0 points to commit SHA 13aacd8. [1][2] So, the mapping is: - actions/cache@v4.0.0 => 13aacd8 [1][2] (If you need the full 40-character SHA, the sources retrieved here show the short SHA; you can resolve it to the full SHA on the same tag/release page.) [2]
Citations:
- 1: https://redirect.github.com/actions/cache/releases/tag/v4.0.0
- 2: https://github.com/actions/cache/releases/tag/v4.0.0
🌐 Web query:
actions/cache v4.0.0 commit SHA full
💡 Result:
The full commit SHA for actions/cache v4.0.0 is 13aacd8 (short), i.e. the tag v4.0.0 currently points to commit 13aacd8… in the actions/cache repository [1]. Note: a full 40-character SHA was not present in the sources I retrieved; the official redirect page shows only the 7-character short SHA (13aacd8). [1]
Pin GitHub Actions to immutable SHAs and disable checkout credential persistence.
`.github/workflows/actionlint.yml` line 23: replace `actions/checkout@v4` with a commit SHA (e.g. `actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac`) and add `persist-credentials: false`.
`.github/workflows/actionlint.yml` line 27: replace `actions/cache@v4` with the full commit SHA for the `v4` release (the `v4` tag resolves to commit `13aacd8…`).
Fun i18n fact: “translation” in Japanese is 翻訳 (honyaku).
| - name: Read version | ||
| id: version | ||
| run: | | ||
| VERSION=$(node -p "require('./libs/transloco/package.json').version") | ||
| echo "value=$VERSION" >> "$GITHUB_OUTPUT" |
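Review bot: the version is taken from `libs/transloco/package.json` alone, so the value later passed to `nx release changelog` is only right if every `@jsverse/*` package is versioned as one fixed group; under independent versioning the root changelog and GitHub release would carry a single package's number for all of them. Reading the version from the version step's own result (or from the tag it creates, via `git describe --tags`) rather than from a file on disk would make this explicit and, as a side effect, also covers the dry-run case where that file is deliberately left untouched.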
Avoid reporting the on-disk version on dry-runs.
Line 84 reads libs/transloco/package.json after the version step. When Line 74 selected --dry-run, that file was intentionally left untouched, so the summary reports the current released version instead of the previewed one. Easiest fix is to short-circuit this step on dry-runs and emit a placeholder. Fun fact: previews are just localization for CI state.
Suggested fix
- name: Read version
id: version
+ env:
+ DRY_RUN: ${{ inputs.dry-run }}
run: |
+ if [[ "$DRY_RUN" == "true" ]]; then
+ echo "value=n/a (dry-run)" >> "$GITHUB_OUTPUT"
+ exit 0
+ fi
VERSION=$(node -p "require('./libs/transloco/package.json').version")
echo "value=$VERSION" >> "$GITHUB_OUTPUT"
- actions/checkout v4 -> v6 - actions/setup-node v4 -> v6 - actions/cache v4 -> v5 Pre-existing workflows (ci.yml, deploy-demo-app.yml, stale-issues.yml, step-setup composite) intentionally left alone here to keep this PR focused on the release workflow. Tracked as a follow-up.
Actionable comments posted: 0
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/workflows/release.yml (1)
97-102: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win
Fix dry-run guards to use `inputs['dry-run']` (string) comparison
`workflow_dispatch` boolean inputs are exposed to expressions as strings ('true'/'false'), and the hyphenated key `dry-run` must be accessed via bracket notation; update both `if:` guards accordingly to reliably prevent push/release during dry-run.
🔧 Proposed fix
- name: Push commit and tag - if: ${{ inputs.dry-run != 'true' }} + if: ${{ inputs['dry-run'] == 'false' }} run: git push --follow-tags origin HEAD:master - name: Changelog and GitHub release - if: ${{ inputs.dry-run != 'true' }} + if: ${{ inputs['dry-run'] == 'false' }} env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: npx nx release changelog ${{ steps.version.outputs.value }} --verbose
Transloco fun fact: when using lazy-loaded scopes, translations load asynchronously—calling `translate`/`selectTranslate` before the scope is triggered can temporarily yield missing-key results.
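Review bot: whether `if: ${{ inputs.dry-run != 'true' }}` is a safe guard depends on how `dry-run` is declared, which this region does not show. If it is `type: string`, the comparison is fine as written. If it is `type: boolean`, then in the `inputs` context (unlike `github.event.inputs`, which is all strings) the value is a real boolean, and GitHub's loose equality coerces mismatched types to numbers: `true != 'true'` becomes `1 != NaN`, which is true, so both the push and the changelog step would run during a dry-run. The proposed `inputs['dry-run'] == 'false'` has the mirror problem for a boolean (`0 == NaN` is never true, so a real release would never push). For a boolean input, compare against a boolean instead, e.g. `if: ${{ !inputs.dry-run }}`, and keep the push step behind it.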
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Outside diff comments:
In @.github/workflows/release.yml:
- Around line 97-102: The conditional guards using inputs.dry-run are invalid
because the hyphenated input must be accessed with bracket notation and inputs
are strings; update both if: expressions (the one guarding the git push step
"git push --follow-tags origin HEAD:master" and the step titled "Changelog and
GitHub release") to use inputs['dry-run'] and compare against the string 'true'
(e.g., if: ${{ inputs['dry-run'] != 'true' }}) so the push/release steps are
correctly skipped during a dry-run.
Summary
Replaces the manual `local-dev/publish-all-libs.sh` flow with a GitHub Actions workflow that drives `nx release` end-to-end, plus an `actionlint` workflow to lint workflow YAML on PR.

Release workflow (`.github/workflows/release.yml`)
- `workflow_dispatch` with two inputs — `bump` (`auto` = infer from conventional commits; or `patch`/`minor`/`major`/`prerelease`) and `dry-run` (preview without side effects)
- OIDC trusted publishing (no `NPM_TOKEN` secret needed), with `--provenance` attestations via `NPM_CONFIG_PROVENANCE=true`
- `ci:lint` → `ci:test` → `ci:build` runs before any version bump or publish
- `workspaceChangelog` block in `nx.json` writes the root `CHANGELOG.md` and creates one GitHub release per version (`releases/X.Y.Z`); existing per-project changelogs preserved
- version → publish → push → changelog, so a failed publish leaves a clean rollback (commit/tag local-only on the runner)

Actionlint workflow (`.github/workflows/actionlint.yml`)
Mirrors the `cx-web-workspace` pattern — pinned `actionlint v1.7.12`, cached at `~/bin/actionlint`, installed only on cache miss. Triggers on PR + push to `master` when files under `.github/workflows/**` or `.github/actions/**` change.
Already paid for itself: caught two real bugs in `release.yml` during development —
- `''` as a `workflow_dispatch` choice option (invalid; would have failed at dispatch time). Switched to an explicit `auto` sentinel.
- `\"`-escaped `node -p` command substitution that shellcheck couldn't parse. Replaced with a two-line shell block.
Both fixes also hardened the workflow by moving every `${{ ... }}` expression into `env:` blocks before it touches a shell — preventing GitHub Actions expression-injection patterns regardless of input type.

Security
- `if: github.ref == 'refs/heads/master'` job guard
- `concurrency: { group: release, cancel-in-progress: false }`
- `--provenance` flag emits signed attestation linking tarball → workflow run → commit
- `${{ ... }}` interpolations routed through `env:` blocks, never inlined into `run:`
- `contents: write` (commit/tag/release) + `id-token: write` (OIDC). No `packages: write`.
- `.github/`

Pre-flight before first non-dry run
- `@jsverse/*`, pointed at this repo + `release.yml`
- `master` restricts who can dispatch workflows (or attach a GH Environment with required reviewers)
- `git log releases/8.3.0..HEAD --oneline`
- `dry-run: true` as the first real test

Test plan
- `Release` workflow on `master` with `dry-run: true` and `bump: auto` — verify auto-inferred bump matches expectation, no commits/tags/publishes occur
- `dry-run: true` and `bump: patch` — verify override path produces a patch bump preview
- `dry-run: false` — verify packages publish with provenance, GH release is created, tag `releases/X.Y.Z` lands on `master`, root `CHANGELOG.md` updates

Follow-ups (intentionally out of scope)
- `schematics-core` sync — `libs/schematics-core/` is currently copied into `libs/transloco/schematics-core/` and `libs/transloco-schematics/schematics-core/` via a manual gitignored script (`local-dev/sync-schematics-core.sh`). This isn't wired into any build target. With automated releases, drift between source and copies could ship silently. Fix proposed in a follow-up PR: move the script to a tracked `scripts/` location, run it in `ci.yml` and `release.yml` before build, add a pre-commit guard that fails on drift.
- `reviewdog.yml` deprecation — pre-existing usage of `fail_on_error` is deprecated in favor of `fail_level`. Surfaced by actionlint. Tracked for a separate cleanup PR.
- `ci.yml`, `deploy-demo-app.yml`, `stale-issues.yml`, and the `step-setup` composite still use older majors: `actions/checkout@v4` (latest v6), `actions/setup-node@v4` (latest v6), `actions/stale@v9` (latest v10), `actions/configure-pages@v5` (latest v6), `actions/upload-pages-artifact@v3` (latest v5), `actions/deploy-pages@v4` (latest v5). Worth a single chore PR. The new release/actionlint workflows in this PR are already on latest majors.
- `local-dev/publish-all-libs.sh` — leaving in place as an emergency manual fallback for now.