
chore: allow releases from PRs#1142

Merged
dobrac merged 7 commits into main from chore/allow-release-from-prs
Feb 18, 2026

Conversation


@dobrac dobrac commented Feb 17, 2026

Note

Medium Risk
Changes release/publishing workflows and introduces new publishing paths (npm/PyPI), so misconfiguration could publish incorrect candidate versions or tags.

Overview
Adds a new pkg_artifacts.yml workflow that, on PRs, builds/versions/packs the JS SDK and CLI and builds the Python SDK, uploads the resulting artifacts, and posts/updates a PR comment with install commands and a link to the run.

Refactors release.yml to support a manual candidate mode with validated/sanitized tag/preid, optional per-package tests (or skip-tests), and publishing via a new reusable publish_candidates.yml workflow (including npm provenance), while removing the old release_candidates.yml workflow and simplifying production release preflight gating.

Written by Cursor Bugbot for commit a5d53d0.

changeset-bot bot commented Feb 17, 2026

⚠️ No Changeset found

Latest commit: 2e9acc7

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types



github-actions bot commented Feb 17, 2026

Package Artifacts

Built from c6a385f. Download artifacts from this workflow run.

JS SDK (e2b@2.12.2-chore-allow-release-from-prs.0):

npm install ./e2b-2.12.2-chore-allow-release-from-prs.0.tgz

CLI (@e2b/cli@2.7.1-chore-allow-release-from-prs.0):

npm install ./e2b-cli-2.7.1-chore-allow-release-from-prs.0.tgz

Python SDK (e2b==2.13.2+chore-allow-release-from-prs):

pip install ./e2b-2.13.2+chore.allow.release.from.prs-py3-none-any.whl

@dobrac dobrac marked this pull request as ready for review February 17, 2026 17:20

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 26ec8281c1


Comment thread .github/workflows/publish_candidates.yml Outdated
Comment thread .github/workflows/publish_candidates.yml Outdated
Comment thread .github/workflows/release.yml Outdated
Comment thread .github/workflows/pkg_artifacts.yml Outdated
Comment thread .github/workflows/pkg_artifacts.yml
@dobrac dobrac requested a review from mishushakov as a code owner February 17, 2026 20:32
Comment thread .github/workflows/publish_candidates.yml
@dobrac dobrac force-pushed the chore/allow-release-from-prs branch 2 times, most recently from af855d9 to f6a9a45 February 18, 2026 00:06
@dobrac dobrac force-pushed the chore/allow-release-from-prs branch from f6a9a45 to a5d53d0 February 18, 2026 01:38
Comment thread .github/workflows/publish_candidates.yml
@dobrac dobrac enabled auto-merge (squash) February 18, 2026 05:19
@dobrac dobrac merged commit 571210a into main Feb 18, 2026
29 of 35 checks passed
@dobrac dobrac deleted the chore/allow-release-from-prs branch February 18, 2026 05:28

@cursor cursor bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.


```yaml
      - name: Sanitize tag
        id: tag
        run: |
          RAW_TAG="${{ github.event.inputs.tag }}"
```

Script injection via unsanitized workflow dispatch inputs

Low Severity

The rc-validate steps directly interpolate ${{ github.event.inputs.tag }} and ${{ github.event.inputs.preid || github.ref_name }} into shell run: blocks, making them vulnerable to GitHub Actions script injection. A collaborator could craft an input to break out of the double-quoted string and execute arbitrary commands, potentially exfiltrating secrets. The safe env: indirection pattern is already used in pkg_artifacts.yml (lines 43–46 of that file) for github.head_ref but wasn't applied here.
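The env: indirection the comment refers to, shown as a hardened form of the flagged step; this is an added example, not one of the PR's own workflow files, and the workflow_dispatch input names, the rc-validate job layout and the character allow-list are assumptions.

```yaml
# Added example (not from the PR): `${{ }}` expressions only feed environment
# variables; the shell then reads them as data, never as part of the script text.
on:
  workflow_dispatch:
    inputs:
      tag:
        description: "npm dist-tag for the candidate build"
        required: true
      preid:
        description: "semver prerelease identifier (defaults to the branch name)"
        required: false

jobs:
  rc-validate:
    runs-on: ubuntu-latest
    outputs:
      tag: ${{ steps.tag.outputs.tag }}
      preid: ${{ steps.tag.outputs.preid }}
    steps:
      - name: Sanitize tag
        id: tag
        env:
          # Unlike an expression inside `run:`, an env value is not spliced into
          # the script, so quotes or metacharacters in the input cannot alter it.
          RAW_TAG: ${{ github.event.inputs.tag }}
          RAW_PREID: ${{ github.event.inputs.preid || github.ref_name }}
        run: |
          set -euo pipefail
          # Assumed allow-list: keep only characters valid in an npm dist-tag or
          # semver prerelease id; anything else (e.g. "/" in a branch name) becomes "-".
          sanitize() {
            printf '%s' "$1" | tr -c 'A-Za-z0-9.-' '-' \
              | sed -e 's/-\{2,\}/-/g' -e 's/^[-.]*//' -e 's/[-.]*$//'
          }
          TAG="$(sanitize "$RAW_TAG")"
          PREID="$(sanitize "$RAW_PREID")"
          # Refuse an empty result and never let a candidate take the production tag.
          if [ -z "$TAG" ] || [ "$TAG" = "latest" ]; then
            echo "::error::sanitized tag '$TAG' is empty or reserved"
            exit 1
          fi
          # A preid must start with an alphanumeric to form a valid prerelease id.
          if ! printf '%s' "$PREID" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9.-]*$'; then
            echo "::error::sanitized preid '$PREID' is not a usable prerelease id"
            exit 1
          fi
          echo "tag=$TAG" >> "$GITHUB_OUTPUT"
          echo "preid=$PREID" >> "$GITHUB_OUTPUT"
```

Only the sanitized values are echoed, so an input cannot smuggle text into the job log or into workflow commands.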
