fix(ci): release on shared pipeline changes

[riderx]

Summary (AI generated)

• make scripts/release-scope.ts count shared release/test pipeline files for both Capgo and CLI
• make build_and_deploy.yml count as Capgo-only release scope and publish_cli.yml count as CLI-only release scope
• add a unit test that locks the matcher behavior and reproduces the #1981 skip case

Motivation (AI generated)

The monorepo release split introduced a gap between test path filtering and release scope detection. #1981 changed release infrastructure files, but Bump version skipped both tagging jobs because those files were invisible to scripts/release-scope.ts. That prevented the tag-triggered deploy and npm publish workflows from running.

Business Impact (AI generated)

This restores confidence that release-pipeline changes actually exercise the relevant release paths after merge. It reduces the risk of silent non-releases for Capgo deploys and CLI npm publishes, which directly affects production delivery.

Test Plan (AI generated)

• bunx vitest run tests/release-scope.test.ts
• bun scripts/release-scope.ts capgo 5183a028a0596da4dfef50a20e4e88cb15335501 0fe72c40197b3b458b23ca3fac43f420b22cf51a
• bun scripts/release-scope.ts cli 5183a028a0596da4dfef50a20e4e88cb15335501 0fe72c40197b3b458b23ca3fac43f420b22cf51a
• bunx eslint tests/release-scope.test.ts --max-warnings 0

Generated with AI

Summary by CodeRabbit

• Tests

  • Added tests for component matching and release-scope detection to prevent incorrect release triggers.

• Chores

  • Updated CI change-detection so shared infrastructure changes are handled consistently (may affect which component workflows run).
  • Switched release workflow to use floating action versions and a dedicated token for publishing.
  • Excluded CI/workflow files from static analysis to reduce noise.

• Refactor

  • Release-scope tooling refactored to expose utilities for clearer behavior, safer reuse, and more predictable release decisions.

[coderabbitai]

📝 Walkthrough

Walkthrough

Exports and refactors release-scoping logic in scripts/release-scope.ts, adds resolveReleaseScope, makes CLI execution conditional on direct run, updates CI path-filter to treat scripts/release-scope.ts as shared, adds Vitest tests for component matching, and updates publish_cli.yml action tags and release auth.

Changes

Cohort / File(s)	Summary
CI Workflows ​.github/workflows/tests.yml, ​.github/workflows/publish_cli.yml	tests.yml: treat scripts/release-scope.ts as part of shared in path filters (affects changes job setting run_capgo/run_cli). publish_cli.yml: switch actions to floating version tags and use secrets.PERSONAL_ACCESS_TOKEN for the release step.
Release Scope Module scripts/release-scope.ts	Refactor to export types and helpers: Component, ReleaseAs, componentMatchers, matchesComponent, getSeverity, toReleaseAs; add exported resolveReleaseScope returning shouldRelease and releaseAs; introduce sharedMatchers and reuse across components; prevent auto-run on import (import.meta.main).
Tests tests/release-scope.test.ts	Add Vitest tests validating matchesComponent behavior for shared infra files, component-specific workflow files, component source/runtime files, and unrelated files.
Sonar config .sonarcloud.properties	Exclude GitHub workflows and scripts from Sonar exclusions and CPD lists by adding .github/workflows/** and .github/scripts/** entries.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• fix(ci): split capgo and cli release workflows #1981: Modifies scripts/release-scope.ts release-scoping logic and related CI/test behavior (strong code-level overlap).
• fix(ci): allow reusable tests workflow PR read scope #1979: Updates reusable tests workflow invocation/permissions; likely interacts with tests.yml path-filter and changes job behavior.
• ci: use readable action version tags #1973: Changes GitHub workflow YAML and SonarCloud config; overlaps with .github/workflows/* and .sonarcloud.properties edits.

Poem

🐇 I hopped through lines of code tonight,

Exported types in gentle light,
Shared matchers hum, tests take flight,
No accidental CLI at sight,
I nibble changes — everything's right.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'fix(ci): release on shared pipeline changes' directly addresses the main objective of making shared pipeline files count toward both Capgo and CLI release scopes, which is the primary focus of the changeset.
Description check	✅ Passed	The pull request description includes a comprehensive Summary, Motivation, Business Impact, and Test Plan sections that align with the repository template, though the Checklist and Screenshots sections are not formally included.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/fix-release-scope

---

_{Review rate limit: 1/5 review remaining, refill in 38 minutes and 27 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codspeed-hq]

Merging this PR will not alter performance

✅ 28 untouched benchmarks

---

_{Comparing codex/fix-release-scope (1dd299b) with main (d8b8f83)}

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

[coderabbitai]

🧹 Nitpick comments (1)

tests/release-scope.test.ts (1)

5-44: Use it.concurrent() across this test suite.

All test cases should use concurrent tests per the repository guideline for tests/**/*.test.ts files to maximize parallelism.

Suggested changes

-  it('treats shared release infrastructure as affecting both components', () => {
+  it.concurrent('treats shared release infrastructure as affecting both components', () => {
@@
-  it('treats capgo deploy workflow changes as capgo-only releases', () => {
+  it.concurrent('treats capgo deploy workflow changes as capgo-only releases', () => {
@@
-  it('treats cli publish workflow changes as cli-only releases', () => {
+  it.concurrent('treats cli publish workflow changes as cli-only releases', () => {
@@
-  it('keeps runtime code scoped to the matching component', () => {
+  it.concurrent('keeps runtime code scoped to the matching component', () => {
@@
-  it('does not release on unrelated changes', () => {
+  it.concurrent('does not release on unrelated changes', () => {

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/release-scope.test.ts` around lines 5 - 44, Convert each synchronous
Jest test in this suite to a concurrent test by replacing calls to it(...) with
it.concurrent(...); specifically update all occurrences in this file where the
tests call the matcher function matchesComponent(...) (the tests named like
'treats shared release infrastructure as affecting both components', 'treats
capgo deploy workflow changes as capgo-only releases', etc.) so each it(...)
becomes it.concurrent(...) to enable parallel execution across the suite.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@tests/release-scope.test.ts`:
- Around line 5-44: Convert each synchronous Jest test in this suite to a
concurrent test by replacing calls to it(...) with it.concurrent(...);
specifically update all occurrences in this file where the tests call the
matcher function matchesComponent(...) (the tests named like 'treats shared
release infrastructure as affecting both components', 'treats capgo deploy
workflow changes as capgo-only releases', etc.) so each it(...) becomes
it.concurrent(...) to enable parallel execution across the suite.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 700eab04-08ab-4ecb-9ac0-bbf26d41e66e

📥 Commits

Reviewing files that changed from the base of the PR and between 9e1151f and 2221fcb.

📒 Files selected for processing (3)

• .github/workflows/tests.yml
• scripts/release-scope.ts
• tests/release-scope.test.ts

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/publish_cli.yml:
- Line 27: The workflow uses mutable tags for third‑party actions
(actions/checkout@v6, mistricky/ccc@v0.2.6, softprops/action-gh-release@v2)
while passing secrets.PERSONAL_ACCESS_TOKEN; replace each action tag with its
corresponding full immutable commit SHA (pin to the exact commit SHA) in the
publish_cli.yml workflow and verify the PAT is fine‑grained/minimally scoped
before use so the actions cannot be hijacked by retagging.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 123196ca-22d5-47ac-82fe-0f824f2f6cbd

📥 Commits

Reviewing files that changed from the base of the PR and between 2221fcb and d1d2727.

📒 Files selected for processing (1)

• .github/workflows/publish_cli.yml

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.sonarcloud.properties:
- Around line 7-8: Update the new .sonarcloud.properties so the exclusion lists
(sonar.exclusions and sonar.cpd.exclusions) match the commit intent: remove or
narrow broad patterns that exclude product code (e.g., delete or restrict
entries like cli/**, scripts/**, src/services/conversion.ts,
src/components/comp_def.ts, supabase/functions/_backend/utils/conversion.ts,
supabase/functions/_backend/utils/pg_lite.ts and src/types/supabase.types.ts)
and keep only CI/automation paths such as .github/workflows/** and
.github/scripts/**; if any listed paths truly need exclusion, add a short inline
comment or commit message explaining why each specific pattern is excluded to
justify the exception.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5cb44d33-ec34-47eb-9953-71b35132030d

📥 Commits

Reviewing files that changed from the base of the PR and between 893090c and 1dd299b.

📒 Files selected for processing (1)

• .sonarcloud.properties

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud