Skip to content

Update release workflow to permit shipping from non main branches#2349

Merged
Link- merged 2 commits into
mainfrom
Link-/update-release-workflow
Mar 16, 2026
Merged

Update release workflow to permit shipping from non main branches#2349
Link- merged 2 commits into
mainfrom
Link-/update-release-workflow

Conversation

@Link-

@Link- Link- commented Mar 16, 2026

Copy link
Copy Markdown
Member

Allow publishing from non-main branches

Fixes: https://github.com/github/actions-persistence/issues/784

The release workflow previously only supported publishing from the default branch (main). This is too restrictive for our long-lived branches that maintain separate major versions of packages.

Changes

New workflow inputs:

  • branch (string, default: main) — The branch to check out and release from.
  • npm-tag (string, default: latest) — The npm dist-tag to publish under. Use latest for main branch releases. For non-main branches, use the package major version (e.g. v5) to avoid overwriting the latest tag.

Safety guard:

  • Publishing with the latest dist-tag from a non-main branch is blocked to prevent accidentally overwriting latest for consumers. The package major version must be used as the tag instead (e.g. v5).

Upgraded actions to latest major versions:

Action Before After
actions/checkout v5 v6
actions/setup-node v5 v6
actions/upload-artifact v4 v7
actions/download-artifact v4 v8

Other improvements:

  • run-name now shows package and branch: Publish NPM - core from main
  • Slack notifications include branch and dist-tag for better operational visibility

Backward compatibility

Running with default inputs (branch: main, npm-tag: latest) produces identical behavior to the current workflow. The only differences are cosmetic (richer run name and Slack messages).

@Link-
Link- requested a review from a team as a code owner March 16, 2026 13:07
Copilot AI review requested due to automatic review settings March 16, 2026 13:07
@Link- Link- self-assigned this Mar 16, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the manual NPM publishing workflow so releases can be cut from long-lived non-main branches while controlling which npm dist-tag is used, reducing risk of accidentally overwriting latest.

Changes:

  • Adds branch and npm-tag workflow inputs and uses them in the run name and release steps.
  • Checks out the requested branch for the build/test/pack job, and publishes with npm publish --tag.
  • Adds a guard to block publishing latest from non-main branches and enhances Slack notifications with branch/tag context.
Comments suppressed due to low confidence (3)

.github/workflows/releases.yml:3

  • npm-tag is defined as a workflow_dispatch input with a hyphen, but expressions are referencing it via dot notation (inputs.npm-tag). In GitHub Actions expressions, hyphenated keys must be accessed with bracket syntax (e.g. inputs['npm-tag']) or the input should be renamed (e.g. npm_tag). As written, this will not evaluate to the intended input and can break run-name rendering and subsequent steps.
run-name: Publish NPM - ${{ inputs.package }}@${{ inputs.npm-tag }} from ${{ inputs.branch }}

.github/workflows/releases.yml:97

  • The if: guard condition uses inputs.npm-tag, but npm-tag contains a hyphen and can’t be accessed with dot notation in GitHub Actions expressions. Use inputs['npm-tag'] (or rename the input) or this guard will not correctly block publishing latest from non-main branches.
      - name: guard against publishing latest from non-main branch
        if: inputs.branch != 'main' && inputs.npm-tag == 'latest'
        run: |
          echo "::error::Publishing with the 'latest' dist-tag from a non-main branch ('${{ inputs.branch }}') is not allowed. Use a different npm-tag (e.g. next, beta)."
          exit 1

.github/workflows/releases.yml:100

  • npm publish is using ${{ inputs.npm-tag }} but npm-tag can’t be referenced with dot notation due to the hyphen. This will cause the publish command to use the wrong value (or fail expression evaluation). Use inputs['npm-tag'] (or rename the input) consistently.
      - name: publish
        run: npm publish --provenance --tag "${{ inputs.npm-tag }}" *.tgz

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/releases.yml
Comment thread .github/workflows/releases.yml
@Link-
Link- merged commit 6211ca9 into main Mar 16, 2026
20 of 21 checks passed
@Link-
Link- deleted the Link-/update-release-workflow branch March 16, 2026 13:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants