From a5deb68a0ab6cb92b077c5e95766ca2eb6760a71 Mon Sep 17 00:00:00 2001
From: Daniel Clayton
Date: Sun, 1 Mar 2026 22:25:03 -0700
Subject: [PATCH 1/6] ci: add PR #snapshot marker flow to publish tagged snapshot packages
---
.github/workflows/ci.yml | 46 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 46 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ca92150..d1ef336 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -40,3 +40,49 @@ jobs: - name: Core contract tests run: bun run test -- packages/core/src/workflow-generator.test.ts packages/core/src/context.test.ts packages/core/src/config.test.ts packages/core/src/plugins/shared-workflow-helper.test.ts + + snapshot-publish: + name: Snapshot publish (PR marker) + if: github.event_name == 'pull_request' && contains(github.event.pull_request.body || '', '#snapshot') && github.event.pull_request.head.repo.full_name == github.repository + runs-on: ubuntu-latest + needs: quality + permissions: + contents: read + packages: write + + steps: + - name: Checkout PR head + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - name: Setup Bun + uses: oven-sh/setup-bun@v2 + with: + bun-version: 1.2.22 + + - name: Install dependencies + run: bun install --frozen-lockfile + + - name: Build + run: bun run build + + - name: Detect pending changesets + id: changesets + run: | + COUNT=$(find .changeset -maxdepth 1 -name '*.md' ! -name 'README.md' | wc -l | tr -d ' ') + echo "count=$COUNT" >> "$GITHUB_OUTPUT" + if [ "$COUNT" -eq 0 ]; then + echo "No pending changesets found. Skipping snapshot publish." + fi + + - name: Version snapshot from changesets + if: steps.changesets.outputs.count != '0' + run: bunx changeset version --snapshot pr-${{ github.event.pull_request.number }} + + - name: Publish snapshot tag + if: steps.changesets.outputs.count != '0' + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: bunx changeset publish --tag pr-${{ github.event.pull_request.number }} --registry https://npm.pkg.github.com
From 817f6a5412a0ee01fcc3ab1997b2e85a6c94c70f Mon Sep 17 00:00:00 2001
From: Daniel Clayton
Date: Sun, 1 Mar 2026 22:26:13 -0700
Subject: [PATCH 2/6] fix: provide GITHUB_TOKEN for snapshot changeset version step
---
.github/workflows/ci.yml | 2 ++
1 file changed, 2 insertions(+)
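Review bot: The `if:` on the new snapshot-publish job carries a security-relevant condition that the YAML does not explain: the job checks out and builds `github.event.pull_request.head.sha` with a `packages: write` token, and only the `github.event.pull_request.head.repo.full_name == github.repository` clause keeps that token away from fork-authored code, so a later edit could relax it as a convenience. Add a comment directly above the `if:`, e.g. `# Opt-in via '#snapshot' in the PR body. The same-repo clause is load-bearing: this job executes PR-head code with a packages:write token, so fork PRs must never qualify.` The changeset-count gating and publish steps are otherwise consistent with the release.yml steps later in this series.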
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d1ef336..632200d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -78,6 +78,8 @@ jobs: - name: Version snapshot from changesets if: steps.changesets.outputs.count != '0' + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: bunx changeset version --snapshot pr-${{ github.event.pull_request.number }} - name: Publish snapshot tag
From 3c845a53c53667aac7870e12c1d3f4602c32345e Mon Sep 17 00:00:00 2001
From: Daniel Clayton
Date: Sun, 1 Mar 2026 22:27:24 -0700
Subject: [PATCH 3/6] fix: configure npm auth before PR snapshot publish
---
.github/workflows/ci.yml | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 632200d..4c1e2ce 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -82,6 +82,14 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: bunx changeset version --snapshot pr-${{ github.event.pull_request.number }} + - name: Configure npm auth for GitHub Packages + if: steps.changesets.outputs.count != '0' + env: + NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + echo "@dotgithub:registry=https://npm.pkg.github.com" >> ~/.npmrc + echo "//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}" >> ~/.npmrc + - name: Publish snapshot tag if: steps.changesets.outputs.count != '0' env:
From 0e4db437f3a12f2454bfcaf5de6507082e266902 Mon Sep 17 00:00:00 2001
From: Daniel Clayton
Date: Sun, 1 Mar 2026 22:28:55 -0700
Subject: [PATCH 4/6] fix: run #snapshot publish on pull_request_target with package write token
---
.github/workflows/ci.yml | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4c1e2ce..8fb944d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
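Review bot: The new `Configure npm auth for GitHub Packages` step writes the registry token in plaintext to `~/.npmrc`, where it remains readable by every later step of the job, and patch 5 duplicates the same two `echo` lines into release.yml (`@@ -54,6 +56,14 @@`). Bounding the credential's on-disk lifetime is cheap: prefix the first `echo` with `umask 077` so the file is created mode 600, and add a final `if: always()` step that runs `rm -f ~/.npmrc`. Alternatively, since the publish step already exports `NODE_AUTH_TOKEN`, the `.npmrc` line can reference it unexpanded (single-quoted `'${NODE_AUTH_TOKEN}'`) so the secret never lands on disk — presumably npm expands it at publish time, but confirm with the npm version bunx resolves.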
@@ -4,6 +4,8 @@ on: push: branches: [main] pull_request: + pull_request_target: + types: [opened, edited, synchronize, reopened] concurrency: group: ${{ github.workflow }}-${{ github.ref }}
@@ -15,6 +17,7 @@ permissions: jobs: quality: name: Quality checks + if: github.event_name != 'pull_request_target' runs-on: ubuntu-latest steps:
@@ -43,9 +46,8 @@ jobs: snapshot-publish: name: Snapshot publish (PR marker) - if: github.event_name == 'pull_request' && contains(github.event.pull_request.body || '', '#snapshot') && github.event.pull_request.head.repo.full_name == github.repository + if: github.event_name == 'pull_request_target' && contains(github.event.pull_request.body || '', '#snapshot') && github.event.pull_request.head.repo.full_name == github.repository runs-on: ubuntu-latest - needs: quality permissions: contents: read packages: write
From 5cb05d462d84d009ae6d3dfcf6fed9b1879e6982 Mon Sep 17 00:00:00 2001
From: Daniel Clayton
Date: Sun, 1 Mar 2026 22:30:11 -0700
Subject: [PATCH 5/6] fix: gate snapshot publish on PR marker and harden release auth
---
.github/workflows/release.yml | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 911a26e..873de65 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -43,6 +43,8 @@ jobs: - name: Version packages from changesets if: steps.changesets.outputs.count != '0' + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: bun run changeset:version - name: Commit version updates to main
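Review bot: With the added `pull_request_target` trigger, `github.ref` in the unchanged concurrency group `${{ github.workflow }}-${{ github.ref }}` resolves to the base branch (for example `refs/heads/main`) rather than a per-PR merge ref, so every `#snapshot` run for PRs into the same base shares one group with the `push` runs on that branch; if the group sets `cancel-in-progress` (not visible in this hunk) concurrent snapshot publishes would cancel each other and main builds. Keying the group on the PR number when one exists isolates them, e.g. `group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}`. The new `edited` type also re-runs the publish on every body edit of a marked PR, which is harmless for an idempotent dist-tag push but deserves a one-line comment so nobody treats the repeated runs as a bug.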
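Review bot: Switching snapshot-publish to `pull_request_target` runs the job in the base repository's trust context (secrets and a `packages: write` token available) while the unchanged steps still check out `github.event.pull_request.head.sha` and execute it through `bun install` and `bun run build`; the only thing separating this from the well-known untrusted-checkout pattern is the retained `head.repo.full_name == github.repository` clause, which this hunk keeps but does not document. State that invariant next to the `if:` so it is not loosened later, e.g. `# pull_request_target + head.sha checkout is safe ONLY because of the same-repo clause below; never drop it or extend this job to fork PRs.` Dropping `needs: quality` (with the quality job gated off for this event in `@@ -15,6 +17,7 @@`) also means the snapshot is built and published for a SHA whose tests this run has not executed — the quality job now only runs in the separate `pull_request` run — so a marked PR can publish a red build; consider re-running the core tests inside this job before the publish step, or checking the head SHA's commit status as a precondition.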
@@ -54,6 +56,14 @@ jobs: git commit -m "chore(release): version packages [skip ci]" || exit 0 git push + - name: Configure npm auth for GitHub Packages + if: steps.changesets.outputs.count != '0' + env: + NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + echo "@dotgithub:registry=https://npm.pkg.github.com" >> ~/.npmrc + echo "//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}" >> ~/.npmrc + - name: Publish packages if: steps.changesets.outputs.count != '0' env:
From 0bfac35b02a7a996f9590fd07394c844d34399bb Mon Sep 17 00:00:00 2001
From: Daniel Clayton
Date: Sun, 1 Mar 2026 22:32:16 -0700
Subject: [PATCH 6/6] ci: support GH_PACKAGES_TOKEN for release and snapshot publishing
---
.github/workflows/ci.yml | 8 ++++----
.github/workflows/release.yml | 8 ++++----
2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8fb944d..a613539 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -81,13 +81,13 @@ jobs: - name: Version snapshot from changesets if: steps.changesets.outputs.count != '0' env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GH_PACKAGES_TOKEN || secrets.GITHUB_TOKEN }} run: bunx changeset version --snapshot pr-${{ github.event.pull_request.number }} - name: Configure npm auth for GitHub Packages if: steps.changesets.outputs.count != '0' env: - NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + NODE_AUTH_TOKEN: ${{ secrets.GH_PACKAGES_TOKEN || secrets.GITHUB_TOKEN }} run: | echo "@dotgithub:registry=https://npm.pkg.github.com" >> ~/.npmrc echo "//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}" >> ~/.npmrc
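Review bot: `${{ secrets.GH_PACKAGES_TOKEN || secrets.GITHUB_TOKEN }}` hands a long-lived credential (presumably a PAT, given the name) to the `Version snapshot from changesets` step as `GITHUB_TOKEN`, and the same substitution is repeated in the `@@ -95,6 +95,6 @@` hunk and the three release.yml hunks that follow. In the snapshot job this step runs under `pull_request_target` immediately after PR-head code has been installed and built, and unlike the installation `GITHUB_TOKEN` a PAT is not bounded by the job's `permissions:` block, so `contents: read` / `packages: write` no longer describe what that step can reach. If the version step only needs API access for changelog generation (the apparent reason patch 2 added the variable), keep it on `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` and reserve `GH_PACKAGES_TOKEN` for `NODE_AUTH_TOKEN` in the publish steps. A comment naming the token's intended scope, e.g. `# GH_PACKAGES_TOKEN: package publishing only; not needed by changeset version`, documents that split for whoever provisions the secret.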
@@ -95,6 +95,6 @@ jobs: - name: Publish snapshot tag if: steps.changesets.outputs.count != '0' env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GH_PACKAGES_TOKEN || secrets.GITHUB_TOKEN }} + NODE_AUTH_TOKEN: ${{ secrets.GH_PACKAGES_TOKEN || secrets.GITHUB_TOKEN }} run: bunx changeset publish --tag pr-${{ github.event.pull_request.number }} --registry https://npm.pkg.github.com
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 873de65..c1e351b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -44,7 +44,7 @@ jobs: - name: Version packages from changesets if: steps.changesets.outputs.count != '0' env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GH_PACKAGES_TOKEN || secrets.GITHUB_TOKEN }} run: bun run changeset:version - name: Commit version updates to main
@@ -59,7 +59,7 @@ jobs: - name: Configure npm auth for GitHub Packages if: steps.changesets.outputs.count != '0' env: - NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + NODE_AUTH_TOKEN: ${{ secrets.GH_PACKAGES_TOKEN || secrets.GITHUB_TOKEN }} run: | echo "@dotgithub:registry=https://npm.pkg.github.com" >> ~/.npmrc echo "//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}" >> ~/.npmrc
@@ -67,6 +67,6 @@ jobs: - name: Publish packages if: steps.changesets.outputs.count != '0' env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GH_PACKAGES_TOKEN || secrets.GITHUB_TOKEN }} + NODE_AUTH_TOKEN: ${{ secrets.GH_PACKAGES_TOKEN || secrets.GITHUB_TOKEN }} run: bun run changeset:publish