Skip to content

Fix/release script #62

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
dcramer merged 2 commits into from
Jan 31, 2026
Merged

Fix/release script #62

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
417c68b
0.1.0
dcramer Jan 31, 2026
a839e2e
Missing publish in release
dcramer Jan 31, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions .github/workflows/release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ on:

permissions:
contents: write
id-token: write

jobs:
release:
Expand All @@ -22,11 +23,17 @@ jobs:
with:
node-version: '20'
cache: 'pnpm'
registry-url: 'https://registry.npmjs.org'

- run: pnpm install --frozen-lockfile
- run: pnpm build
- run: pnpm build:action

- name: Publish to npm
run: npm publish --provenance --access public
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
Comment on lines +32 to +35
Copy link

@sentry sentry bot Jan 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug: The release workflow may publish a different version to npm than what is specified in the git tag, causing a version mismatch between npm and the GitHub release.
Severity: MEDIUM

Suggested Fix

Add a validation step to the workflow before the npm publish command. This step should extract the version from package.json and compare it with the version from the git tag ($GITHUB_REF_NAME). If the versions do not match, the workflow should fail to prevent the inconsistent release.

Prompt for AI Agent 
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: .github/workflows/release.yml#L32-L35

Potential issue: The release workflow uses two different sources for the version number,
creating a potential mismatch. The `npm publish` step uses the version from
`package.json`, while the GitHub Release creation step uses the version from the git tag
(`GITHUB_REF_NAME`). If a developer pushes a tag that doesn't match the version in
`package.json`, the version published to the npm registry will be different from the one
documented in the GitHub release, causing versioning confusion for consumers of the
package.

Did we get this right? 👍 / 👎 to inform future reviews.

Copy link

@cursor cursor bot Jan 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Published npm package will exclude dist/ build output

High Severity

The npm publish step will produce a broken package. The dist/ directory is listed in .gitignore, and since there's no .npmignore file or files field in package.json, npm uses .gitignore rules and will exclude dist/ from the published package. The package.json declares main, types, and bin entries pointing to files in dist/, so the published package would be missing all compiled code.

Fix in Cursor Fix in Web


- name: Get version info
id: version
run: |
Expand Down
2 changes: 1 addition & 1 deletion package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "@sentry/warden",
"version": "0.0.0",
"version": "0.1.0",
"description": "Event-driven agent that reacts to GitHub events and executes skills via Claude Code SDK",
"type": "module",
"main": "dist/index.js",
Expand Down