ci(changesets): disable auto-merging #9918
Conversation
|
WalkthroughConfiguration updates affecting release workflow automation, dependency tracking, and package exports. Changes include disabling specific changeset workflow steps, adding a comment-on-release step, adjusting dependency analysis rules in knip configuration, and updating a TypeScript file export extension. Changes
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes
Possibly related PRs
Poem
Pre-merge checks and finishing touches✅ Passed checks (3 passed)
✨ Finishing touches🧪 Generate unit tests (beta)
Comment |
|
View your CI Pipeline Execution ↗ for commit 7c9c517
☁️ Nx Cloud last updated this comment at |
|
Sizes for commit 7c9c517:
|
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 3
🧹 Nitpick comments (3)
.github/workflows/release.yml (1)
40-50: Commented-out code for temporary disabling is acceptable.Per the PR objectives, this temporarily disables the auto-merge logic. Consider adding a comment explaining why this is disabled and linking to the problematic PRs (#9867, #9916) for future context.
+ # Temporarily disabled due to issues in PRs #9867 and #9916 # - name: Check for Changesets marked as major.github/comment-on-release/README.md (2)
15-22: Add language specifier to fenced code block.Static analysis flagged this code block as missing a language specifier.
-``` +```text 🎉 This PR has been released!
41-46: Usage example shows external path but workflow uses local path.The example shows
uses: tanstack/config/.github/comment-on-release@main, but the actual workflow uses the local pathuses: ./.github/comment-on-release. Consider clarifying that this README can serve both use cases, or update to match the current local usage.
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (4)
.github/comment-on-release/README.md(1 hunks).github/comment-on-release/action.yml(1 hunks).github/comment-on-release/comment-on-release.ts(1 hunks).github/workflows/release.yml(2 hunks)
🧰 Additional context used
🪛 LanguageTool
.github/comment-on-release/README.md
[uncategorized] ~26-~26: The official name of this software platform is spelled with a capital “H”.
Context: ...n! ``` ## Usage Add this step to your .github/workflows/release.yml file after the `...
(GITHUB)
🪛 markdownlint-cli2 (0.18.1)
.github/comment-on-release/README.md
15-15: Fenced code blocks should have a language specified
(MD040, fenced-code-language)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
- GitHub Check: Test
- GitHub Check: Preview
🔇 Additional comments (4)
.github/comment-on-release/comment-on-release.ts (2)
1-11: Well-structured script with good error handling.The interfaces are clearly defined and the modular function design makes the logic easy to follow.
111-115: The changelog anchor format is correct and matches GitHub's auto-generated anchors.The CHANGELOG files in this repository use the format
## VERSION_NUMBER(e.g.,## 5.0.0). GitHub converts these headings to anchors by removing dots and spaces, producing anchors like#500for version5.0.0. The code's approach usingpkg.version.replaceAll('.', '')correctly generates matching anchor fragments..github/workflows/release.yml (1)
77-81: New PR commenting step looks correct.The step correctly:
- Checks for
published == 'true'before running- Uses the local composite action
- Passes the
publishedPackagesoutput from changesets.github/comment-on-release/README.md (1)
1-83: Documentation is thorough and well-structured.The README covers purpose, example output, usage, requirements, inputs, implementation details, and troubleshooting. This is excellent documentation for a reusable action.
| steps: | ||
| - name: Comment on PRs | ||
| shell: bash | ||
| run: node ${{ github.action_path }}/comment-on-release.ts |
There was a problem hiding this comment.
Node.js cannot execute TypeScript files directly.
Running node comment-on-release.ts will fail because Node.js doesn't natively support TypeScript. The file needs to be either:
- Renamed to
.jsand written in JavaScript/ESM - Executed with
npx tsxinstead ofnode
Apply this diff if using tsx:
- run: node ${{ github.action_path }}/comment-on-release.ts
+ run: npx tsx ${{ github.action_path }}/comment-on-release.tsOr rename the script to .js and convert to JavaScript.
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| run: node ${{ github.action_path }}/comment-on-release.ts | |
| run: npx tsx ${{ github.action_path }}/comment-on-release.ts |
🤖 Prompt for AI Agents
.github/comment-on-release/action.yml around line 12: the workflow invokes node
on a TypeScript file which Node cannot execute directly; update the run step to
execute the TypeScript file with a runtime that supports TS (for example change
the command to use npx tsx ${{ github.action_path }}/comment-on-release.ts) or
instead rename/compile the script to comment-on-release.js and update the run
line to node ${{ github.action_path }}/comment-on-release.js so the action runs
a JavaScript file.
| // Check for version header (e.g., "## 0.21.0") | ||
| if (line.startsWith('## ')) { | ||
| const versionMatch = line.match(/^## (\d+\.\d+\.\d+)/) | ||
| if (versionMatch) { | ||
| if (versionMatch[1] === version) { | ||
| inTargetVersion = true | ||
| foundVersion = true | ||
| } else if (inTargetVersion) { | ||
| // We've moved to the next version, stop processing | ||
| break | ||
| } | ||
| } | ||
| } |
There was a problem hiding this comment.
Version regex doesn't match prerelease versions.
The regex ^## (\d+\.\d+\.\d+) only matches stable semver versions. Given the workflow triggers on alpha, beta, and rc branches, prerelease versions like 5.0.0-beta.1 won't be matched, causing the script to silently skip those changelogs.
Update the regex to handle prereleases:
- const versionMatch = line.match(/^## (\d+\.\d+\.\d+)/)
+ const versionMatch = line.match(/^## (\d+\.\d+\.\d+(?:-[\w.]+)?)/)📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| // Check for version header (e.g., "## 0.21.0") | |
| if (line.startsWith('## ')) { | |
| const versionMatch = line.match(/^## (\d+\.\d+\.\d+)/) | |
| if (versionMatch) { | |
| if (versionMatch[1] === version) { | |
| inTargetVersion = true | |
| foundVersion = true | |
| } else if (inTargetVersion) { | |
| // We've moved to the next version, stop processing | |
| break | |
| } | |
| } | |
| } | |
| // Check for version header (e.g., "## 0.21.0") | |
| if (line.startsWith('## ')) { | |
| const versionMatch = line.match(/^## (\d+\.\d+\.\d+(?:-[\w.]+)?)/) | |
| if (versionMatch) { | |
| if (versionMatch[1] === version) { | |
| inTargetVersion = true | |
| foundVersion = true | |
| } else if (inTargetVersion) { | |
| // We've moved to the next version, stop processing | |
| break | |
| } | |
| } | |
| } |
🤖 Prompt for AI Agents
In .github/comment-on-release/comment-on-release.ts around lines 35 to 47, the
current regex /^## (\d+\.\d+\.\d+)/ only matches stable semver and misses
prerelease tags like 5.0.0-beta.1; update the version regex to capture optional
prerelease identifiers (for example change it to match /^##
(\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?)/ ) so lines like "## 5.0.0-beta.1" are
detected; keep the rest of the logic the same so foundVersion/inTargetVersion
behavior works for prereleases too.
| try { | ||
| // Use gh CLI to post the comment | ||
| execSync(`gh pr comment ${number} --body '${comment.replace(/'/g, '"')}'`, { | ||
| stdio: 'inherit', | ||
| }) | ||
| console.log(`✓ Commented on PR #${number}`) | ||
| } catch (error) { | ||
| console.error(`✗ Failed to comment on PR #${number}:`, error) | ||
| } |
There was a problem hiding this comment.
Command injection vulnerability via shell interpolation.
The comment content is interpolated directly into the shell command. While single quotes are replaced with double quotes, this doesn't fully protect against injection—characters like $, backticks, or newlines in the changelog could still cause issues.
Use --body-file with a temporary file or stdin to safely pass the comment body:
try {
// Use gh CLI to post the comment
- execSync(`gh pr comment ${number} --body '${comment.replace(/'/g, '"')}'`, {
- stdio: 'inherit',
- })
+ execSync(`gh pr comment ${number} --body-file -`, {
+ input: comment,
+ stdio: ['pipe', 'inherit', 'inherit'],
+ })
console.log(`✓ Commented on PR #${number}`)
} catch (error) {📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| try { | |
| // Use gh CLI to post the comment | |
| execSync(`gh pr comment ${number} --body '${comment.replace(/'/g, '"')}'`, { | |
| stdio: 'inherit', | |
| }) | |
| console.log(`✓ Commented on PR #${number}`) | |
| } catch (error) { | |
| console.error(`✗ Failed to comment on PR #${number}:`, error) | |
| } | |
| try { | |
| // Use gh CLI to post the comment | |
| execSync(`gh pr comment ${number} --body-file -`, { | |
| input: comment, | |
| stdio: ['pipe', 'inherit', 'inherit'], | |
| }) | |
| console.log(`✓ Commented on PR #${number}`) | |
| } catch (error) { | |
| console.error(`✗ Failed to comment on PR #${number}:`, error) | |
| } |
🤖 Prompt for AI Agents
.github/comment-on-release/comment-on-release.ts around lines 119 to 127: the
current code builds a shell command by interpolating the comment body which
allows command injection via characters like $, backticks or newlines; instead
create a safe temporary file (or use a secure stdin stream) containing the
comment body, call gh pr comment with the --body-file <tempPath> (or feed body
on stdin if gh supports it), ensure the temp file is created with restrictive
permissions, write the comment content to it without shell interpolation,
execute the execSync call with an array argument or single command referencing
the temp file, and finally remove the temp file in a finally block (or ensure
stream closed) and preserve error handling.
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #9918 +/- ##
===========================================
+ Coverage 45.89% 64.17% +18.28%
===========================================
Files 200 4 -196
Lines 8437 67 -8370
Branches 1939 21 -1918
===========================================
- Hits 3872 43 -3829
+ Misses 4116 19 -4097
+ Partials 449 5 -444
🚀 New features to boost your workflow:
|
There was a problem hiding this comment.
Actionable comments posted: 1
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (3)
.github/workflows/release.yml(2 hunks)knip.json(1 hunks)packages/solid-query-devtools/package.json(1 hunks)
🧰 Additional context used
🧠 Learnings (2)
📚 Learning: 2025-08-19T03:18:18.303Z
Learnt from: oscartbeaumont
Repo: TanStack/query PR: 9564
File: packages/solid-query-devtools/src/production.tsx:2-3
Timestamp: 2025-08-19T03:18:18.303Z
Learning: In the solid-query-devtools package, the codebase uses a pattern of type-only default imports combined with typeof for component type annotations (e.g., `import type SolidQueryDevtoolsComp from './devtools'` followed by `typeof SolidQueryDevtoolsComp`). This pattern is consistently used across index.tsx and production.tsx files, and the maintainers prefer consistency over changing this approach.
Applied to files:
packages/solid-query-devtools/package.jsonknip.json
📚 Learning: 2025-09-02T17:57:33.184Z
Learnt from: TkDodo
Repo: TanStack/query PR: 9612
File: packages/query-async-storage-persister/src/asyncThrottle.ts:0-0
Timestamp: 2025-09-02T17:57:33.184Z
Learning: When importing from tanstack/query-core in other TanStack Query packages like query-async-storage-persister, a workspace dependency "tanstack/query-core": "workspace:*" needs to be added to the package.json.
Applied to files:
packages/solid-query-devtools/package.jsonknip.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
- GitHub Check: Preview
- GitHub Check: Test
🔇 Additional comments (5)
.github/workflows/release.yml (2)
40-50: LGTM on disabling major check.Commenting out the "Check for Changesets marked as major" step aligns with the PR objective to disable auto-merge logic. This step was a prerequisite for the auto-merge decision.
62-70: LGTM on disabling auto-merge.Commenting out the "Auto-merge Changesets PR" step directly addresses the PR objective. The logic that triggered auto-merge of non-major changeset PRs is now disabled, which matches the stated goal of temporarily disabling the auto-merge logic from PRs #9703 and #9710.
packages/solid-query-devtools/package.json (1)
42-42: I'll help you verify this export path change. Let me start by examining the target file and the repository structure to understand if this change is intentional and safe.
<function_calls>
#!/bin/bashVerify the target export file exists and examine directory structure
echo "=== Checking solid-query-devtools/src directory structure ==="
find packages/solid-query-devtools/src -type f ( -name "index.*" -o -name "custom" ) 2>/dev/null | sortecho ""
echo "=== Listing all files in solid-query-devtools/src ==="
find packages/solid-query-devtools/src -type f | head -30echo ""
echo "=== Checking git diff for this specific file ==="
git diff HEAD -- packages/solid-query-devtools/package.json | grep -A2 -B2 "custom-condition" || echo "No changes found in git diff"
</function_calls>knip.json (2)
9-13: I'll verify the removal ofmarkdown-link-extractorfrom theignoreDependenciessection inknip.json. Let me start by searching for any references to this dependency.
<function_calls>
#!/bin/bashSearch for markdown-link-extractor references in the codebase
echo "=== Searching for markdown-link-extractor references ==="
rg 'markdown-link-extractor' -C 2echo ""
echo "=== Checking package.json files for markdown-link-extractor ==="
fd 'package.json' -x grep -l 'markdown-link-extractor' {} 2>/dev/null || echo "No matches found"
</function_calls>Now let me examine the full
knip.jsonfile to understand the configuration context:
<function_calls>
#!/bin/bashRead the full knip.json file
echo "=== Full knip.json content ==="
cat -n knip.json
</function_calls>Let me also check the git history to understand what was removed and the intent behind the change:
<function_calls>
#!/bin/bashCheck git diff for knip.json to see what was changed
echo "=== Git diff for knip.json ==="
git diff HEAD knip.json || echo "Unable to get git diff"echo ""
echo "=== Git log for knip.json (last 5 commits) ==="
git log --oneline -5 -- knip.json || echo "Unable to get git log"
</function_calls>
17-21: Old entry points were not removed after configuration update.The new paths (
src/devtools/production/index.tsandsrc/devtools-panel/production/index.ts) exist and are correctly configured in knip.json. However, the old entry points (src/index.tsandsrc/inject-queries-experimental/index.ts) still exist in the codebase. This incomplete migration creates ambiguity about which files are the canonical entry points. Either:
- Delete the old files if the restructuring is complete, or
- Update knip.json to reference the old paths if they remain the primary entry points
Verify that all references to the old entry points have been migrated to the new locations before removing them.
⛔ Skipped due to learnings
Learnt from: oscartbeaumont Repo: TanStack/query PR: 9564 File: packages/solid-query-devtools/src/production.tsx:2-3 Timestamp: 2025-08-19T03:18:18.303Z Learning: In the solid-query-devtools package, the codebase uses a pattern of type-only default imports combined with typeof for component type annotations (e.g., `import type SolidQueryDevtoolsComp from './devtools'` followed by `typeof SolidQueryDevtoolsComp`). This pattern is consistently used across index.tsx and production.tsx files, and the maintainers prefer consistency over changing this approach.
| - name: Comment on PRs about release | ||
| if: steps.changesets.outputs.published == 'true' | ||
| uses: tanstack/config/.github/comment-on-release@main | ||
| with: | ||
| published-packages: ${{ steps.changesets.outputs.publishedPackages }} |
There was a problem hiding this comment.
🧩 Analysis chain
tanstack/config comment-on-release GitHub action documentation
<web_search_result>
Short answer — TanStack Config doesn't include a built-in "comment-on-release" GitHub Action. Use a community action in your workflow (examples below) and configure it to run on release events.
References and options:
- TanStack Config docs / repo (overview & CI guidance). [1]
- remix-run / release-comment-action — GitHub Action to comment on related PRs/issues when a release is created. Good fit for monorepos (DIRECTORY_TO_CHECK, PACKAGE_VERSION_TO_FOLLOW). [2]
- marocchino / sticky-pull-request-comment — general sticky PR comment action (create or update a comment). Commonly used for deploy/release comments. [3]
Example (conceptual):
- trigger: on: release (types: [created])
- steps: checkout → run any build/publish → run one of the actions above to post the release comment (pass GITHUB_TOKEN and optional inputs like DIRECTORY_TO_CHECK or message header).
If you want, I can: 1) show a ready-to-use workflow YAML using remix-run/release-comment-action for TanStack Config monorepo layout, or 2) search the TanStack/config repo for an exact example workflow and paste it. Which do you prefer?
Sources:
[1] TanStack Config docs/repo.
[2] remix-run / release-comment-action (Marketplace/README).
[3] marocchino / sticky-pull-request-comment (README).
</web_search_result>
Script executed:
#!/bin/bash
# Check the permissions context around line 19 in the release.yml file
cat -n .github/workflows/release.yml | head -30Repository: TanStack/query
<shell_result>
Repository: TanStack/query
Exit code: 0
stdout:
1 name: Release
2
3 on:
4 push:
5 branches: [main, alpha, beta, rc, v4]
6 repository_dispatch:
7 types: [release]
8
9 concurrency:
10 group: ${{ github.workflow }}-${{ github.event.number || github.ref }}
11 cancel-in-progress: true
12
13 env:
14 NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
15
16 permissions:
17 contents: write
18 id-token: write
19 pull-requests: write
20
21 jobs:
22 release:
23 name: Release
24 if: github.repository_owner == 'TanStack'
25 runs-on: ubuntu-latest
26 steps:
27 - name: Checkout
28 uses: actions/checkout@v5.0.0
29 with:
30 fetch-depth: 0
</shell_result>
Script executed:
#!/bin/bash
# Check the GitHub releases or tags to find the tanstack/config repo structure
# Let's search for any GitHub actions in the workflow file and nearby context
cd .github/workflows
grep -n "tanstack\|comment-on-release" release.ymlRepository: TanStack/query
<shell_result>
Repository: TanStack/query
Exit code: 0
stdout:
34: uses: tanstack/config/.github/setup@main
79: uses: tanstack/config/.github/comment-on-release@main
</shell_result>
site:github.com tanstack/config .github/actions comment-on-release
<web_search_result>
I searched for "site:github.com tanstack/config .github/actions comment-on-release". I found the TanStack/config repository but no matching .github/actions/comment-on-release path; and a separate community "release-comment-action" action (used by other projects). Sources: TanStack/config repo [1], release-comment-action (third‑party) [2].
Sources:
[1] https://github.com/TanStack/config
[2] https://github.com/remix-run/release-comment-action
</web_search_result>
changesets action publishedPackages output format
<web_search_result>
The changesets/action output publishedPackages is a JSON array of objects with each object containing "name" and "version". Example:
[{"name":"@scope/pkg-a","version":"1.2.0"},{"name":"pkg-b","version":"0.8.9"}]. [1][2]
</web_search_result>
site:github.com tanstack/config .github/setup
<web_search_result>
I found the TanStack/config repository on GitHub and its .github directory (where setup workflows or files would live). See TanStack/config and the .github folder. [1][2]
Sources:
[1] https://github.com/TanStack/config
[2] https://github.com/TanStack/config/tree/main/.github
</web_search_result>
Script executed:
#!/bin/bash
# Let's check the full context around the comment-on-release step to understand all inputs
sed -n '75,85p' .github/workflows/release.ymlRepository: TanStack/query
<shell_result>
Repository: TanStack/query
Exit code: 0
stdout:
env:
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
- name: Comment on PRs about release
if: steps.changesets.outputs.published == 'true'
uses: tanstack/config/.github/comment-on-release@main
with:
published-packages: ${{ steps.changesets.outputs.publishedPackages }}
</shell_result>
The referenced action tanstack/config/.github/comment-on-release@main does not exist and will cause workflow failure.
Web searches confirm that TanStack Config does not provide a built-in comment-on-release action. While the repository exists and contains .github workflows, this specific action is not available. The workflow will fail when attempting to run this step because GitHub will be unable to resolve the action reference.
- ❌ Action does not exist:
tanstack/config/.github/comment-on-release@mainis not found in the TanStack Config repository - ✓ Input format is correct:
publishedPackagesfrom the changesets action outputs a JSON array format - ✓ Permissions are sufficient:
pull-requests: writeis already configured
Consider using a community action like remix-run/release-comment-action or marocchino/sticky-pull-request-comment instead, or verify if this custom action should be implemented in the TanStack Config repository.
🤖 Prompt for AI Agents
.github/workflows/release.yml around lines 77-81: the workflow references a
non-existent action `tanstack/config/.github/comment-on-release@main`, which
will fail; replace it with a valid action (for example
`remix-run/release-comment-action@v1` or
`marocchino/sticky-pull-request-comment@v2`) or point the `uses:` to an internal
custom action that actually exists in your org, and update the action input name
to match the chosen action (map the changesets output `publishedPackages` to the
correct input key for that action); ensure the repository token/permissions
remain set so the selected action can post comments.
🎯 Changes
Temporarily disables logic introduced in #9703 and #9710
Problematic PRs: #9867, #9916
(I added the PR comment logic too, because I noticed it was missing from this repo)
✅ Checklist
pnpm run test:pr.🚀 Release Impact
Summary by CodeRabbit
✏️ Tip: You can customize this high-level summary in your review settings.