ci: fix labeled-PR release path so npm publish actually fires#13
Merged
Conversation
Two bugs in the publish chain caused PR #12 (release: 0.6.4) to bump package.json, tag, and create the GitHub Release but skip npm publish: 1. npm-publish.yml gated its job on `github.event_name == 'workflow_call'`. When a reusable workflow is invoked via `workflow_call`, `event_name` reflects the root triggering event of the caller (e.g. `pull_request`), not `workflow_call`. The condition never matched, the job silently skipped, and 0.6.4 never made it to npm. Replace the workflow_call branch with `event_name != 'release'`; trust the caller's gating. 2. publish-release.yml used the default `GITHUB_TOKEN` to create the GitHub Release. Events fired by GITHUB_TOKEN do not trigger downstream workflows, so even the `release: [published]` path was inert. Swap to the app token already configured earlier in the job for git operations, restoring the release path as a viable backup.
![devin-ai-integration[bot]](https://avatars.githubusercontent.com/in/811515?s=60&v=4){kind=small}
| uses: actions/create-release@v1 | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| GITHUB_TOKEN: ${{ steps.app-token.outputs.token }} |
There was a problem hiding this comment.
🟡 App token on release creation causes duplicate npm publish (one will always fail)
Switching to the app token for actions/create-release (line 81) means the resulting release: [published] event will now trigger other workflows (unlike GITHUB_TOKEN, which suppresses such triggers). Since npm-publish.yml is triggered by both release: [published] (line 4-5 of that file) and workflow_call (from the publish-package job at .github/workflows/publish-release.yml:90-94), every automated release will now invoke npm publish twice concurrently: once via the release event and once via the workflow_call chain. One invocation will succeed; the other will fail with a 403 (version already exists on npm), producing a noisy, permanently-failed workflow run on every release.
The two trigger paths
publish-releasejob creates a GitHub Release with the app token → firesrelease: [published]→ triggersnpm-publish.ymldirectly.publish-packagejob (needs: publish-release) → callsnpm-publish.ymlviaworkflow_call.
Both paths pass the updated if condition in npm-publish.yml and will execute npm publish.
Prompt for agents
The problem is that switching from GITHUB_TOKEN to the app token for the create-release step means the release: [published] event will now propagate and trigger npm-publish.yml directly, in addition to the existing workflow_call invocation from the publish-package job. This causes a duplicate npm publish.
There are several ways to fix this:
1. Keep the app token for create-release (to support manual re-cuts) but remove the publish-package job (lines 88-94 of publish-release.yml) entirely, relying solely on the release event to trigger npm-publish.yml.
2. Keep both paths but add a concurrency group to npm-publish.yml so only one run proceeds (e.g. concurrency: group: npm-publish-${{ github.ref }}, cancel-in-progress: true). However, this is fragile — the cancelled run still shows as failed.
3. Keep the GITHUB_TOKEN for create-release (reverting this change) and keep the workflow_call path as the sole publish mechanism. If manual re-cut support is needed, address it separately.
Option 1 is the cleanest: remove the redundant publish-package workflow_call job and let the release event (now properly propagated via the app token) be the single trigger for npm-publish.yml.
Was this helpful? React with 👍 or 👎 to provide feedback.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Two bugs in the publish chain caused PR #12 (the release-trigger for
0.6.4) to bumppackage.json, tag, and create the GitHub Release — but silently skip the npm publish step.Bug 1:
npm-publish.ymlgated onevent_name == 'workflow_call'When a reusable workflow is invoked via
workflow_call,github.event_namereflects the root triggering event of the caller (in our casepull_request), not the literal string'workflow_call'. The condition never matched, the build job was marked skipped, andnpm publishnever ran. Replaced withevent_name != 'release'— trust the caller's own gating when called as a sub-workflow; only re-checkdraft/ tag-prefix when fired directly by a release event.Bug 2:
actions/create-release@v1used defaultGITHUB_TOKENPer GitHub's security model, events emitted by
GITHUB_TOKENdo not trigger downstream workflows. So even if someone created a release expecting therelease: [published]event to firenpm-publish.yml, nothing happened. Swapped to the app token already configured earlier in the same job (steps.app-token.outputs.token), restoring the release path as a viable backup trigger.Recovery plan for 0.6.4
package.jsonis at0.6.4on master, tagv0.6.4exists, GitHub Releasev0.6.4exists — but npm registry is still at0.6.3. After this PR merges, recreate thev0.6.4GitHub Release from a human/app token (e.g.gh release delete v0.6.4 --cleanup-tag=false && gh release create v0.6.4 --target master --title v0.6.4 --notes "..."). The newrelease: [published]event will firenpm-publish.yml, which now passes theifand publishes0.6.4to npm. The tag stays the same, so no version churn.Test plan
actionlint/yamlsyntactically validv0.6.4release → confirmPublish to NPMrun completes →npm view @jam.dev/rimless versionreturns0.6.4