feat(ui-scripts): allow pr-snapshot to publish at an operator-supplied prerelease version #2556
Draft
balzss wants to merge 1 commit into
Visual regression report: ✅ No changes.
Baselines come from the
…d prerelease version
Adds two optional inputs to the pr-snapshot workflow_dispatch path:
custom_version (e.g. 11.7.3-SECURITY.0) and dist_tag (e.g. security).
When set, they override the auto-computed snapshot version and the
default pr-snapshot dist-tag.
Use case: mirror a previously-published private security release onto
the public registry under a non-latest dist-tag, so open-source
consumers who pinned to a prerelease version from the private registry
can switch their resolution to npmjs without changing package.json.
Workflow plumbing:
- release_to_npm.yml: two new optional inputs forwarded to the
pr-release job
- _pr-release-reusable.yml: accepts the inputs, validates them, and
forwards as --customVersion / --distTag (via env vars to avoid
shell-injection from workflow_dispatch input values)
publish.js:
- new --customVersion / --distTag flags
- publishSnapshotVersion uses customVersion when supplied, else
falls back to calculateNextSnapshotVersion as today
- validateCustomVersionInputs() enforces guards: valid semver,
prerelease only (refuses stable versions so we can never take
over a future stable slot), distTag not 'latest', distTag
required when customVersion is set
Existing pr-snapshot behavior is unchanged when the new inputs are
blank. OIDC auth + --provenance preserved.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Summary
Adds optional custom_version + dist_tag inputs to the existing pr-snapshot release path. When set, an operator can publish an exact prerelease (e.g. 11.7.3-SECURITY.0) to npmjs under a non-latest tag. Blank inputs → behavior unchanged.
Plumbed through release_to_npm.yml → _pr-release-reusable.yml → publish.js as --customVersion / --distTag (passed via env:, not ${{ }}, to avoid shell injection).
Why
After a coordinated-disclosure fix ships privately as x.y.z-SECURITY.N, this mirrors that exact version onto npmjs under the security tag (never latest), so OSS consumers can re-resolve from the private registry without editing package.json.
Safety rails (validateCustomVersionInputs)
custom_version must be a valid semver prerelease (no stable slots); dist_tag can't be latest, is required with custom_version, and rejected alone; rejected on release commits. OIDC + --provenance unchanged.
Test Plan
Input validation — each should fail fast with the listed error
Run from a non-release commit:
pnpm exec ui-scripts publish --prRelease <flags>
- --customVersion=not-semver --distTag=security
- --customVersion=11.7.4 --distTag=security
- --customVersion=11.7.3-SECURITY.0 → --distTag required
- --customVersion=11.7.3-SECURITY.0 --distTag=latest → --distTag can't be latest
- --distTag=security (no customVersion) → --distTag only valid with --customVersion
End-to-end (reviewer sanity check)
- release_to_npm → pr-snapshot with custom_version=11.7.3-SECURITY.0, dist_tag=security on a test branch.
- 11.7.3-SECURITY.0 under the security tag (npm view @instructure/ui-buttons dist-tags).
- latest dist-tag is unchanged.
🤖 Generated with Claude Code
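The safety rails listed in the description, sketched as an added example that is not the project's validateCustomVersionInputs() and not code from this PR. The function name checkCustomVersionInputs, its argument shape and the error wording are assumptions, and the regular expression suggested by semver.org stands in for whatever semver check publish.js performs.

```javascript
// Added illustration; not the project's validateCustomVersionInputs().
// Function name, argument shape and error strings are assumptions.

// Regex suggested by semver.org for SemVer 2.0.0; capture group 4 is the prerelease part.
const SEMVER_RE =
  /^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$/

function checkCustomVersionInputs({ customVersion, distTag, isReleaseCommit = false }) {
  const errors = []
  const hasVersion = typeof customVersion === 'string' && customVersion !== ''
  const hasTag = typeof distTag === 'string' && distTag !== ''

  // Blank inputs: the regular pr-snapshot path, nothing to validate.
  if (!hasVersion && !hasTag) return errors

  if (isReleaseCommit) errors.push('custom version inputs are not allowed on release commits')

  if (!hasVersion) {
    errors.push('--distTag is only valid together with --customVersion')
    return errors
  }

  // The pattern is anchored, so whitespace or extra arguments in the value fail here.
  const match = SEMVER_RE.exec(customVersion)
  if (!match) {
    errors.push(`--customVersion "${customVersion}" is not valid semver`)
  } else if (match[4] === undefined) {
    // x.y.z without a prerelease part would occupy a stable slot.
    errors.push(`--customVersion "${customVersion}" must be a prerelease`)
  }

  if (!hasTag) errors.push('--distTag is required with --customVersion')
  else if (distTag === 'latest') errors.push("--distTag can't be latest")

  return errors
}

// Constructed inputs: the accepted case first, then the test plan's failing cases.
for (const input of [
  { customVersion: '11.7.3-SECURITY.0', distTag: 'security' },
  { customVersion: 'not-semver', distTag: 'security' },
  { customVersion: '11.7.4', distTag: 'security' },
  { customVersion: '11.7.3-SECURITY.0' },
  { customVersion: '11.7.3-SECURITY.0', distTag: 'latest' },
  { distTag: 'security' },
]) {
  console.log(JSON.stringify(input), '->', checkCustomVersionInputs(input))
}
```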