ci: create workflow to publish packages

[sampaiodiego]

[FED-173]

Summary by CodeRabbit

• New Features

  • Automated release workflow that validates release tags against the SDK version, runs quality checks, builds, and publishes the SDK bundle to NPM.

• Chores

  • Updated CI to rely on pull request and push events only.
  • Adjusted bundling script to build before bundling for more reliable artifacts.
  • Improved pipeline performance with caching and streamlined setup.

[coderabbitai]

Walkthrough

Adds a dedicated GitHub Actions release workflow triggered on release.published, validates tag-version consistency with packages/federation-sdk/package.json, runs lint/tests/build/bundle, and publishes to NPM. Removes release trigger from CI workflow. Updates package.json to run build before bundling the SDK.

Changes

Cohort / File(s)	Summary of edits
CI workflow triggers .github/workflows/ci.yml	Removed release trigger block; CI now runs only on pull_request and push. Minor whitespace tweak.
New release workflow .github/workflows/release.yml	Added release pipeline triggered by release.published: checks tag vs federation-sdk version, caches Turbo, sets up Bun, installs deps, runs lint/tests/build, bundles SDK, and publishes federation-bundle to NPM using secret token. Exits on version mismatch.
Build/bundle script change package.json	Updated script bundle:sdk: from bun run bundle.ts to bun run build && bun run bundle.ts to ensure build precedes bundling.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Maintainer
  participant GitHub as GitHub Release
  participant GHA as Release Workflow
  participant Repo as Repo
  participant NPM as NPM Registry

  Maintainer->>GitHub: Publish release (tag vX.Y.Z)
  GitHub-->>GHA: trigger release.published
  GHA->>Repo: actions/checkout
  GHA->>GHA: Setup Turbo cache
  GHA->>GHA: Install Bun
  GHA->>Repo: Install dependencies
  GHA->>Repo: Lint, Test, Build
  GHA->>Repo: bundle:sdk (build && bundle.ts)
  GHA->>Repo: Parse packages/federation-sdk/package.json version
  alt Tag matches package version
    GHA->>NPM: Publish federation-bundle (using NPM token)
    NPM-->>GHA: 200 OK
  else Mismatch
    GHA-->>GHA: Exit with non-zero (fail job)
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• chore: implement bundle script #219 — Introduces bundle.ts and sets bundle:sdk to run it; this PR extends that by inserting a build step before bundling and wiring a release workflow around the bundling/publish process.

Suggested reviewers

• ggazzo

Poem

I thump my paw—release day cheer!
Tags align, the skies are clear.
Lint and tests, a tidy trail,
Build then bundle—never fail.
With Bun we hop to NPM’s sun,
Version matched—the ship is run.
Carrots raised: vX.Y.Z is done! 🥕✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title succinctly captures that a CI workflow has been created to publish packages, which aligns with the addition of the release workflow for publishing federation bundles and the related script updates.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch publish-package-workflow

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 81.67%. Comparing base (5a69089) to head (45a7055).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #232   +/-   ##
=======================================
  Coverage   81.67%   81.67%           
=======================================
  Files          63       63           
  Lines        4682     4682           
=======================================
  Hits         3824     3824           
  Misses        858      858           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 2541e9e and 45a7055.

📒 Files selected for processing (3)

• .github/workflows/ci.yml (1 hunks)
• .github/workflows/release.yml (1 hunks)
• package.json (1 hunks)

🔇 Additional comments (2)

package.json (1)

53-53: Build-before-bundle guard looks good

Running bun run build ahead of bundle.ts ensures the SDK bundles from fresh artifacts. Looks solid.

.github/workflows/ci.yml (1)

2-11: CI trigger scope is appropriate

Limiting this workflow to PRs and pushes keeps release events on the new dedicated pipeline. No concerns here.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Allow release tags with a leading v.

This comparison will fail for the common convention of tagging releases as vX.Y.Z, since package.json holds X.Y.Z. The workflow would abort even though the versions actually match, blocking every release that keeps the v prefix. Please normalize the tag (and optionally the SDK version) before comparing.

Apply this diff to tolerate the v prefix:

-          TAG_VERSION="${{ github.event.release.tag_name }}"
-          SDK_VERSION=$(jq -r '.version' packages/federation-sdk/package.json)
-          if [ "$TAG_VERSION" != "$SDK_VERSION" ]; then
+          RAW_TAG_VERSION="${{ github.event.release.tag_name }}"
+          TAG_VERSION="${RAW_TAG_VERSION#v}"
+          TAG_VERSION="${TAG_VERSION#V}"
+          SDK_VERSION=$(jq -r '.version' packages/federation-sdk/package.json)
+          if [ "$TAG_VERSION" != "$SDK_VERSION" ]; then
             echo "Tag version ($TAG_VERSION) does not match federation-sdk version ($SDK_VERSION)"
             exit 1
           fi

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	run: |
	TAG_VERSION="${{ github.event.release.tag_name }}"
	SDK_VERSION=$(jq -r '.version' packages/federation-sdk/package.json)
	if [ "$TAG_VERSION" != "$SDK_VERSION" ]; then
	echo "Tag version ($TAG_VERSION) does not match federation-sdk version ($SDK_VERSION)"
	exit 1
	fi
	run: |
	RAW_TAG_VERSION="${{ github.event.release.tag_name }}"
	TAG_VERSION="${RAW_TAG_VERSION#v}"
	TAG_VERSION="${TAG_VERSION#V}"
	SDK_VERSION=$(jq -r '.version' packages/federation-sdk/package.json)
	if [ "$TAG_VERSION" != "$SDK_VERSION" ]; then
	echo "Tag version ($TAG_VERSION) does not match federation-sdk version ($SDK_VERSION)"
	exit 1
	fi

🤖 Prompt for AI Agents

.github/workflows/release.yml around lines 15 to 21: the workflow fails when
tags are prefixed with "v" because TAG_VERSION is compared directly to
package.json version; normalize the values before comparison by stripping a
leading "v" from the tag (and/or from SDK_VERSION) so "v1.2.3" becomes "1.2.3",
then compare the normalized versions and keep the existing exit-on-mismatch
behavior.