prerelease script for staging #395
| > This is a **prerelease** version published under the `${{ github.event.inputs.tag }}` npm dist-tag. | ||
| > It is not installed by default. Use `npm install agent-relay@${{ github.event.inputs.tag }}` to test. |
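Review bot: The second line states "It is not installed by default" unconditionally, yet both lines take the dist-tag from `${{ github.event.inputs.tag }}` exactly as entered. If that input is `latest`, the first line reads "published under the `latest` npm dist-tag" and the claim no longer holds. Emit this note only when the tag is not `latest`, or reject `latest` for prerelease versions before this text is generated.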
🔴 Prerelease versions default to latest npm tag, overwriting stable release for all users
When a user selects a pre-version type (e.g., prerelease, premajor, preminor, prepatch), the npm publish commands at .github/workflows/publish.yml:481 and .github/workflows/publish.yml:889 use --tag ${{ github.event.inputs.tag }}, which defaults to latest. Since the tag input default is latest (line 55), a prerelease publish will tag the prerelease version as latest on npm unless the user manually changes it.
Root Cause and Impact
The tag input defaults to latest (line 55), and there is no validation or automatic override to use a non-latest tag when publishing a prerelease version. The publish steps blindly use the user-provided tag:
```yaml
# line 481 (publish-packages)
run: npm publish --access public --provenance --tag ${{ github.event.inputs.tag }} --ignore-scripts
# line 889 (publish-main)
run: npm publish --access public --provenance --tag ${{ github.event.inputs.tag }} --ignore-scripts
```
This means `npm install agent-relay` (without a version specifier) would install the prerelease version for all users.
Additionally, the summary step at line 1153 claims:
"Users running `npm install agent-relay` or `install.sh` are NOT affected by this prerelease."
And the prerelease release notes at lines 1082-1083 state:
"It is not installed by default. Use `npm install agent-relay@latest` to test."
Both statements are false when tag=latest, making the release notes actively misleading.
Impact: A prerelease version (e.g., 2.2.0-beta.1) could become the default install for all users worldwide, breaking production deployments that rely on npm install agent-relay.
Prompt for agents
Add a validation step early in the workflow (or in the build job before publishing) that fails the workflow if a prerelease version is detected but the tag is set to 'latest'. For example, add a step after the version bump that checks:
```bash
if [[ "$NEW_VERSION" == *"-"* ]] && [[ "$TAG" == "latest" ]]; then
  echo "ERROR: Cannot publish a prerelease version with tag=latest. Please use a tag like 'beta', 'next', 'alpha', or 'rc'."
  exit 1
fi
```
Alternatively, automatically override the tag to match the preid when a prerelease is detected (e.g., if preid=beta, force tag=beta). This would prevent accidental overwrites of the latest stable release on npm.
Also update the summary step at line 1153 and the prerelease release notes at lines 1082-1083 to not unconditionally claim users are unaffected, or make the claim conditional on the tag not being 'latest'.
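The two options named in the review comment above (fail the run, or override the tag from the preid), combined in one helper as an added example; this is not code from the PR or the agent-relay repository. `resolve_dist_tag` and `is_tag_name` are hypothetical names, `NEW_VERSION` and `TAG` are the names used in the comment, and the lowercase tag-name pattern is an assumption.

```bash
# Assumed use in the publish step, with the input passed in as env var TAG:
#   TAG=$(resolve_dist_tag "$NEW_VERSION" "$TAG") || exit 1
#   npm publish --access public --provenance --tag "$TAG" --ignore-scripts

# is_tag_name NAME: true if NAME is a lowercase word such as beta, next, rc-1.
is_tag_name() {
  case "$1" in
    ''|[!a-z]*|*[!a-z0-9-]*) return 1 ;;
  esac
  return 0
}

# resolve_dist_tag VERSION [TAG]: print the dist-tag to publish under.
# Returns 1 when a prerelease would land on "latest", 2 on a malformed tag.
resolve_dist_tag() {
  local LC_ALL=C            # keep [a-z] ranges ASCII-only
  local version tag preid
  version="${1%%+*}"        # drop build metadata: 1.2.3+build-7 is not a prerelease
  tag="${2:-latest}"        # same default as the workflow input

  if ! is_tag_name "$tag"; then
    echo "ERROR: '$tag' is not a usable dist-tag" >&2
    return 2
  fi

  case "$version" in
    *-*) ;;                                  # prerelease: keep checking
    *) printf '%s\n' "$tag"; return 0 ;;     # stable: tag as requested
  esac

  if [ "$tag" != "latest" ]; then
    printf '%s\n' "$tag"
    return 0
  fi

  # Prerelease with tag=latest: fall back to the preid (2.2.0-beta.1 -> beta).
  preid="${version#*-}"
  preid="${preid%%.*}"
  if is_tag_name "$preid" && [ "$preid" != "latest" ]; then
    echo "NOTICE: $version is a prerelease, using dist-tag '$preid'" >&2
    printf '%s\n' "$preid"
    return 0
  fi
  echo "ERROR: cannot publish prerelease $version with tag=latest" >&2
  return 1
}
```

A numeric-only prerelease such as `3.0.0-0` has no preid to fall back to, so the helper fails instead of guessing a tag.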