Skip to content

feat: add approval-gated npm release workflows#12

Merged
heimanba merged 4 commits into
mainfrom
codex/npm-release-workflow
Jul 16, 2026
Merged

feat: add approval-gated npm release workflows#12
heimanba merged 4 commits into
mainfrom
codex/npm-release-workflow

Conversation

@heimanba

@heimanba heimanba commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Summary

  • split stable Release PR creation from real npm publishing
  • add isolated beta branch preparation and strict branch/version/channel validation
  • require manual dispatch, PUBLISH confirmation, npm-release Environment approval, OIDC, and NPM_RELEASE_ENABLED
  • create immutable Git tags and GitHub Releases after successful publishing
  • block real local npm publishing and document maintainer/user flows in English and Chinese
  • exit the legacy Changesets prerelease state so the next stable Release PR resolves 0.0.2
  • remove a CodeQL-reported dynamic-regex dataflow from release validation

Verification

  • bun run verify:full
  • bun run verify:release
  • GitHub CI Gate and all matrix jobs pass
  • package compatibility passes on Node 20 and Node 24
  • CodeQL passes and marks the regex-injection instance fixed
  • yy-sensitive-scan passes after the repository became public
  • Changesets status resolves all public packages from 0.0.2-beta.0 to 0.0.2

Repository protections configured

  • npm-release Environment requires approval by heimanba
  • main requires one approval, current Gate, resolved conversations, and linear history
  • force-push and branch deletion are disabled; protections include administrators
  • NPM_RELEASE_ENABLED remains absent, so npm publishing is disabled

Remaining one-time setup

  • create or correct the missing @modelstudioai/openagentpack-maintainers team referenced by CODEOWNERS
  • an organization owner must allow GitHub Actions to create pull requests before the Release PR workflow can operate
  • configure npm Trusted Publisher for sdk, playground, and cli with workflow release.yml and Environment npm-release
  • only then create repository variable NPM_RELEASE_ENABLED=true

No npm package is published by this PR.

Change-Id: Iae0db1a40fac3bbdaa4d1dfc2e0c41b0d05c4dba
@heimanba

Copy link
Copy Markdown
Contributor Author

Verification update: all OpenAgentPack CI jobs passed, including the final Gate and package compatibility on Node 20/24. The only red status is the external yy-sensitive-scan app returning An internal error occurred during scan. The same app-level error is present on earlier PRs #5 and #6, so it is not a finding introduced by this patch.

@heimanba
heimanba marked this pull request as ready for review July 16, 2026 06:18
@heimanba

Copy link
Copy Markdown
Contributor Author

Repository is now public; closing and reopening once to request a fresh run from the external sensitive-scan integration.

@heimanba heimanba closed this Jul 16, 2026
@heimanba heimanba reopened this Jul 16, 2026
Change-Id: I55834659f8cafc4c199e94aa4fadd3e1c4f0de92
@github-advanced-security

Copy link
Copy Markdown

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

Comment thread scripts/release/channel.ts Fixed
Change-Id: Ia846e22c36e72d433eec8e00c4a2321cce9b731e
@heimanba

Copy link
Copy Markdown
Contributor Author

Public-repository verification update:

  • yy-sensitive-scan: passed after forcing a new head SHA
  • CodeQL identified one high-severity regex-injection dataflow in scripts/release/channel.ts; fixed by replacing the command-line-derived dynamic regex with a constant parser plus string comparison
  • CodeQL now marks the instance as fixed
  • all 15 current checks pass, including Gate, Node 20/24 compatibility, CodeQL, and the external sensitive scan
  • npm-release now requires approval from heimanba
  • main branch protection now requires one approval, the Gate check, resolved conversations, linear history, and blocks force-push/deletion

Remaining governance blockers: the organization currently disallows Actions-created PRs, and the CODEOWNERS team @modelstudioai/openagentpack-maintainers does not exist.

Change-Id: I4d796f9766189138b4356c16d0b504822e8eac1e
@heimanba
heimanba merged commit 415448f into main Jul 16, 2026
15 checks passed
@heimanba
heimanba deleted the codex/npm-release-workflow branch July 16, 2026 06:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants