feat(ci): add cli-prerelease option to publish workflow#408
Conversation
Add 'cli-prerelease' package option that publishes only the main agent-relay CLI package, skipping Rust binary builds, standalone builds, verification, sub-package publishing, and GitHub releases. Uses the trusted publish.yml workflow (required by npm OIDC) with a lightweight path: build → publish-main only. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
npm trusted publishing only allows a single registered workflow. The cli-prerelease option in publish.yml replaces this. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
![devin-ai-integration[bot]](https://avatars.githubusercontent.com/in/811515?s=60&v=4){kind=small}
The loosened check `needs.verify-binaries.result == 'skipped'` could allow publish-main to proceed without binary verification when building 'all' or 'main' packages (e.g., if build-binaries fails, verify-binaries gets skipped, and publish proceeds with broken binaries). Scope the skipped check so it only applies when package == 'cli-prerelease', which intentionally skips binary builds. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
There was a problem hiding this comment.
🟡 verify-publish job runs for cli-prerelease and will fail due to missing binaries
When cli-prerelease is selected, the verify-publish job is not excluded and will run after a successful publish. This job installs the published package and verifies that relay-pty binaries exist and work. However, for cli-prerelease, binaries are intentionally not bundled, and no GitHub release is created (the create-release job is skipped at .github/workflows/publish.yml:907), so the postinstall script's fallback download from GitHub releases will also fail.
Root Cause and Impact
The verify-publish job at .github/workflows/publish.yml:1129-1138 has this condition:
if: |
always() &&
github.event.inputs.dry_run != 'true' &&
needs.publish-main.result == 'success'It does not filter out cli-prerelease, unlike create-release which has github.event.inputs.package != 'cli-prerelease'. The verify-publish.yml workflow tests relay-pty binary existence (verify-publish.yml:268-280), executability (verify-publish.yml:282-292), and functionality (verify-publish.yml:294-307). All of these will fail for a cli-prerelease publish because:
- The
publish-mainjob skips downloading relay-pty binaries forcli-prerelease(.github/workflows/publish.yml:876) - The
create-releasejob is skipped, so no GitHub release with binary assets exists - The postinstall script (
scripts/postinstall.js:308) tries to download fromhttps://github.com/AgentWorkforce/relay/releases/download/v<version>/<binary>which will 404
Impact: Every cli-prerelease publish (non-dry-run) will show a failed verify-publish job, creating noise and potentially causing confusion about whether the publish succeeded. The publish itself is not blocked, but the workflow run will show as partially failed.
(Refers to lines 1132-1135)
Was this helpful? React with 👍 or 👎 to provide feedback.
1 participant
Summary
cli-prereleaseas a package option in the existingpublish.ymlworkflowpublish.ymlworkflow required by npm's OIDC publish restrictions (npm only allows a single registered workflow)How to use
Actions → Publish Package → Run workflow:
cli-prereleaseprereleasebetabetaTest plan
cli-prerelease+dry_run: trueto verify the lightweight path works🤖 Generated with Claude Code