feat: promote npm edge tag to latest when prerelease is promoted

[AaronFeledy]

Problem

When a release is published as a prerelease, it gets tagged as edge on npm. Later, when the release is promoted to a full release in GitHub, the npm latest tag doesn't update because the workflow only triggered on published.

Solution

• Added released to the release workflow trigger types
• New lightweight promote job that only runs npm dist-tag add latest — no install, no lint, no tests, no re-publish
• Only fires on the released event (when a prerelease is promoted to full release)
• Existing deploy job is now explicitly gated to published events only (no behavior change)
• Uses TAG_NAME env var instead of direct interpolation to prevent script injection

Flow

1. Publish as prerelease → full pipeline runs, publishes with edge tag (unchanged)
2. Promote release → uncheck prerelease → promote job runs, points latest to that version (~15s)

The dist-tag add command is idempotent, so if both published and released fire on a fresh non-prerelease publish, the redundant promote is harmless.

---

Note

Low Risk
Only CI workflow logic changes; the main risk is accidentally retagging npm latest on release events, but it’s limited to released/published gates and uses an idempotent dist-tag command.

Overview
The GitHub Actions release workflow now also triggers on release.released events and adds a lightweight promote job that runs npm dist-tag add ... latest using the release tag version, so promoting a prerelease updates npm’s latest tag without re-publishing.

The existing deploy publish pipeline is explicitly gated to release.published events to avoid running on promotions.

^{Written by Cursor Bugbot for commit 378ed4a. This will update automatically on new commits. Configure here.}

[netlify]

❌ Deploy Preview for lando-python failed. Why did it fail? →

Name	Link
🔨 Latest commit	378ed4a
🔍 Latest deploy log	https://app.netlify.com/projects/lando-python/deploys/6997dc9c049bbd0008f2d39e

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is ON. A Cloud Agent has been kicked off to fix the reported issue.}

[cursor]

Race condition: promote fails before deploy publishes package

Medium Severity

When a non-prerelease release is published directly, GitHub fires both published and released as separate webhook deliveries, creating two concurrent workflow runs. The promote job (~15 seconds) will almost certainly attempt npm dist-tag add before the deploy job (several minutes of install, lint, test, then publish) has actually published the version to npm, causing promote to fail with a "version not found" error. The PR description calls this "harmless" assuming idempotency, but npm dist-tag add requires the version to already exist on the registry.

Additional Locations (1)

• .github/workflows/release.yml#L30-L32