Skip to content

Fix/release script#62

Merged
dcramer merged 2 commits intomainfrom
fix/release-script
Jan 31, 2026
Merged

Fix/release script#62
dcramer merged 2 commits intomainfrom
fix/release-script

Conversation

@dcramer
Copy link
Member

@dcramer dcramer commented Jan 31, 2026

No description provided.

@vercel
Copy link

vercel bot commented Jan 31, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
warden Ready Ready Preview, Comment Jan 31, 2026 6:17pm

Request Review

@dcramer dcramer merged commit f1ea31f into main Jan 31, 2026
14 checks passed
@dcramer dcramer deleted the fix/release-script branch January 31, 2026 18:18
sentry[bot]
sentry bot reviewed Jan 31, 2026
View reviewed changes
.github/workflows/release.yml
Comment on lines +32 to +35
- name: Publish to npm
run: npm publish --provenance --access public
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
Copy link

@sentry sentry bot Jan 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug: The release workflow may publish a different version to npm than what is specified in the git tag, causing a version mismatch between npm and the GitHub release.
Severity: MEDIUM

Suggested Fix

Add a validation step to the workflow before the npm publish command. This step should extract the version from package.json and compare it with the version from the git tag ($GITHUB_REF_NAME). If the versions do not match, the workflow should fail to prevent the inconsistent release.

Prompt for AI Agent 
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: .github/workflows/release.yml#L32-L35

Potential issue: The release workflow uses two different sources for the version number,
creating a potential mismatch. The `npm publish` step uses the version from
`package.json`, while the GitHub Release creation step uses the version from the git tag
(`GITHUB_REF_NAME`). If a developer pushes a tag that doesn't match the version in
`package.json`, the version published to the npm registry will be different from the one
documented in the GitHub release, causing versioning confusion for consumers of the
package.

Did we get this right? 👍 / 👎 to inform future reviews.

cursor[bot]
cursor bot reviewed Jan 31, 2026
View reviewed changes
Copy link

@cursor cursor bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.

.github/workflows/release.yml
- name: Publish to npm
run: npm publish --provenance --access public
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
Copy link

@cursor cursor bot Jan 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Published npm package will exclude dist/ build output

High Severity

The npm publish step will produce a broken package. The dist/ directory is listed in .gitignore, and since there's no .npmignore file or files field in package.json, npm uses .gitignore rules and will exclude dist/ from the published package. The package.json declares main, types, and bin entries pointing to files in dist/, so the published package would be missing all compiled code.

Fix in Cursor Fix in Web

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sentry sentry[bot] sentry[bot] left review comments

@cursor cursor[bot] cursor[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@dcramer