Update release workflow to permit shipping from non main branches#2349
Merged
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Updates the manual NPM publishing workflow so releases can be cut from long-lived non-main branches while controlling which npm dist-tag is used, reducing risk of accidentally overwriting latest.
Changes:
- Adds
branchandnpm-tagworkflow inputs and uses them in the run name and release steps. - Checks out the requested branch for the build/test/pack job, and publishes with
npm publish --tag. - Adds a guard to block publishing
latestfrom non-mainbranches and enhances Slack notifications with branch/tag context.
Comments suppressed due to low confidence (3)
.github/workflows/releases.yml:3
npm-tagis defined as a workflow_dispatch input with a hyphen, but expressions are referencing it via dot notation (inputs.npm-tag). In GitHub Actions expressions, hyphenated keys must be accessed with bracket syntax (e.g.inputs['npm-tag']) or the input should be renamed (e.g.npm_tag). As written, this will not evaluate to the intended input and can break run-name rendering and subsequent steps.
run-name: Publish NPM - ${{ inputs.package }}@${{ inputs.npm-tag }} from ${{ inputs.branch }}
.github/workflows/releases.yml:97
- The
if:guard condition usesinputs.npm-tag, butnpm-tagcontains a hyphen and can’t be accessed with dot notation in GitHub Actions expressions. Useinputs['npm-tag'](or rename the input) or this guard will not correctly block publishinglatestfrom non-main branches.
- name: guard against publishing latest from non-main branch
if: inputs.branch != 'main' && inputs.npm-tag == 'latest'
run: |
echo "::error::Publishing with the 'latest' dist-tag from a non-main branch ('${{ inputs.branch }}') is not allowed. Use a different npm-tag (e.g. next, beta)."
exit 1
.github/workflows/releases.yml:100
npm publishis using${{ inputs.npm-tag }}butnpm-tagcan’t be referenced with dot notation due to the hyphen. This will cause the publish command to use the wrong value (or fail expression evaluation). Useinputs['npm-tag'](or rename the input) consistently.
- name: publish
run: npm publish --provenance --tag "${{ inputs.npm-tag }}" *.tgz
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
luketomlinson
approved these changes
Mar 16, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Allow publishing from non-main branches
Fixes: https://github.com/github/actions-persistence/issues/784
The release workflow previously only supported publishing from the default branch (
main). This is too restrictive for our long-lived branches that maintain separate major versions of packages.Changes
New workflow inputs:
branch(string, default:main) — The branch to check out and release from.npm-tag(string, default:latest) — The npm dist-tag to publish under. Uselatestfor main branch releases. For non-main branches, use the package major version (e.g.v5) to avoid overwriting thelatesttag.Safety guard:
latestdist-tag from a non-main branch is blocked to prevent accidentally overwritinglatestfor consumers. The package major version must be used as the tag instead (e.g.v5).Upgraded actions to latest major versions:
actions/checkoutactions/setup-nodeactions/upload-artifactactions/download-artifactOther improvements:
run-namenow shows package and branch:Publish NPM - core from mainBackward compatibility
Running with default inputs (
branch: main,npm-tag: latest) produces identical behavior to the current workflow. The only differences are cosmetic (richer run name and Slack messages).