ForgeRock · ancheetah · Oct 28, 2025 · Oct 27, 2025
diff --git a/.github/actions/setup-publish/action.yml b/.github/actions/setup-publish/action.yml
@@ -1,6 +1,11 @@
 name: Setup publish
 description: Setup steps for publishing packages
 
+inputs:
+  CODECOV_TOKEN:
+    description: 'Codecov token for uploading coverage reports'
+    required: true
+
 runs:
   using: 'composite'
   steps:
@@ -11,26 +16,28 @@ runs:
 
     - name: Install Node.js
       uses: actions/setup-node@v4
-      id: cache
       with:
-        node-version: '.node-version'
+        node-version-file: '.node-version'
         cache: 'pnpm' # package manager for caching
         registry-url: 'https://registry.npmjs.org'
 
     # Update npm to latest for provenance
     - name: Update npm
       run: npm install -g npm@latest
+      shell: bash
 
     - name: Install dependencies from lockfile
       run: pnpm install --frozen-lockfile
+      shell: bash
 
     # Allocate nx tasks across multiple machines/agents in the cloud
     # The "--stop-agents-after" is optional, but allows idle agents to shut down once the "e2e-ci" targets have been requested
     # https://nx.dev/docs/features/ci-features/distribute-task-execution
     - name: Enable distribution of nx tasks to cloud agents
       run: pnpm dlx nx-cloud start-ci-run --distribute-on="5 linux-medium-js" --stop-agents-after="e2e-ci" --with-env-vars="CODECOV_TOKEN"
+      shell: bash
       env:
-        CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+        CODECOV_TOKEN: ${{ inputs.CODECOV_TOKEN }}
 
     # https://github.com/microsoft/playwright/issues/7249#issuecomment-1256878540
     - name: Cache Playwright browsers
@@ -43,6 +50,7 @@ runs:
 
     - name: Install Playwright browsers
       run: pnpm exec playwright install
+      shell: bash
 
     - name: Derive SHAs for `nx affected`
       uses: nrwl/nx-set-shas@v4
@@ -51,16 +59,19 @@ runs:
 
     - name: Run build, lint, test, and e2e for projects changed
       run: pnpm exec nx affected -t build lint test e2e-ci --agents
+      shell: bash
 
     - name: Save Playwright test results
       uses: actions/upload-artifact@v4
       if: ${{ !cancelled() }}
       with:
         name: playwright-report
         path: |
+          ./**/.playwright/**
           ./dist/.playwright/**
           ./dist/**
         retention-days: 30
 
     - name: Ensure builds for all packages before publishing
       run: pnpm exec nx run-many -t build --no-agents # --no-agents to run in CI without distributing to agents
+      shell: bash
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -27,6 +27,10 @@ on:
 env:
   NX_CLOUD_ENCRYPTION_KEY: ${{ secrets.NX_CLOUD_ENCRYPTION_KEY }}
   NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
+  CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+  GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
+  SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+  SLACK_WEBHOOK_URL_BETA: ${{ secrets.SLACK_WEBHOOK_URL_BETA }}
   HUSKY: 0
   CI: true
 
@@ -42,13 +46,19 @@ jobs:
       id-token: write # OIDC for provenance if npm publish happens here
     runs-on: ubuntu-latest
     steps:
+      - name: Branch name
+        run: |
+          echo "Checking out branch: ${{ github.ref_name }}"
+
       - name: Checkout repository
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
       - name: Setup publish
         uses: ./.github/actions/setup-publish
+        with:
+          CODECOV_TOKEN: ${{ env.CODECOV_TOKEN }}
 
       # This action creates a release pull request with all of
       # the package versions and changelogs updated. When there
@@ -67,9 +77,8 @@ jobs:
           setupGitUser: true
         env:
           HOME: ${{ github.workspace }} # See https://github.com/changesets/action/issues/147
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ env.GITHUB_TOKEN }}
           NPM_CONFIG_PROVENANCE: 'true'
-          NPM_TOKEN: ${{ secrets.NPM_ACCESS_TOKEN }}
 
       - name: Publish previews to Stackblitz on PR
         if: steps.changesets.outputs.published == 'false'
@@ -88,23 +97,23 @@ jobs:
           git rebase master
           git push -f
         env:
-          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
+          GITHUB_TOKEN: ${{ env.GITHUB_TOKEN }}
 
       - name: Send GitHub Action data to a Slack workflow
         if: steps.changesets.outputs.published == 'true'
         uses: slackapi/slack-github-action@v2.1.1
         with:
           payload-delimiter: '_'
-          webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
+          webhook: ${{ env.SLACK_WEBHOOK_URL }}
           webhook-type: webhook-trigger
           payload: |
-            text: ${{ steps.changesets.outputs.publishedPackages }}
+            publishedPackages: steps.changesets.outputs.publishedPackages
 
       - name: Run code coverage
         uses: codecov/codecov-action@v5
         with:
           files: ./packages/**/coverage/*.xml
-          token: ${{ secrets.CODECOV_TOKEN }}
+          token: ${{ env.CODECOV_TOKEN }}
 
   snapshot:
     # On manual trigger of GH action, publish a snapshot release to npm
@@ -115,6 +124,10 @@ jobs:
       id-token: write # OIDC for provenance when npm publish happens
     runs-on: ubuntu-latest
     steps:
+      - name: Branch name
+        run: |
+          echo "Checking out branch: ${{ github.ref_name }}"
+
       # Checkout the branch selected when triggering the workflow
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -123,21 +136,25 @@ jobs:
 
       - name: Setup publish
         uses: ./.github/actions/setup-publish
+        with:
+          CODECOV_TOKEN: ${{ env.CODECOV_TOKEN }}
 
       - name: Version packages for snapshot
         run: pnpm changeset version --snapshot ${{ inputs.snapshot_tag }}
         env:
-          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
+          GITHUB_TOKEN: ${{ env.GITHUB_TOKEN }}
 
       - name: Publish packages snapshot with npm_tag
+        id: npmpublish
         run: pnpm publish -r --tag ${{ inputs.npm_tag }} --no-git-checks --access ${{ inputs.npm_access }}
 
       - name: Send GitHub Action data to a Slack workflow
-        if: steps.changesets.outputs.published == 'true'
+        if: steps.npmpublish.outcome == 'success'
         uses: slackapi/slack-github-action@v2.1.1
         with:
           payload-delimiter: '_'
-          webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
+          webhook: ${{ env.SLACK_WEBHOOK_URL_BETA }}
           webhook-type: webhook-trigger
           payload: |
-            text: ${{ steps.changesets.outputs.publishedPackages }}
+            npmTag: "${{ inputs.npm_tag }}"
+            publishedPackages: ""