Skip to content

fix(ci): publish packages in dependency order, fail fast on failure#3549

Merged
felipefreitag merged 3 commits into
canaryfrom
worktree-fix-publish-packages-in-dependency-order
May 28, 2026
Merged

fix(ci): publish packages in dependency order, fail fast on failure#3549
felipefreitag merged 3 commits into
canaryfrom
worktree-fix-publish-packages-in-dependency-order

Conversation

@felipefreitag
Copy link
Copy Markdown
Contributor

@felipefreitag felipefreitag commented May 27, 2026
edited by cubic-dev-ai Bot
Loading

Replace changeset publish (which publishes in arbitrary order and keeps going when one package fails) with an explicit pipeline in release.mts that:

  • publishes packages in topological (dependency) order
  • skips a package's dependents when it fails, so a broken dependency can never produce a broken dependent published against a version that isn't on npm
  • derives each npm dist-tag from the version itself (x.y.z -> latest, a prerelease -> its own tag), so a prerelease can never overwrite latest - @gabrielmfern not sure if we should do that here? It's one more layer on top of the existing pre controls
  • adds a --dry-run flag that prints the publish plan without publishing
  • exits non-zero when any package fails

Adds unit tests (scripts/release.spec.mts) for the pure pipeline helpers and wires them into the tests workflow, since scripts/ isn't a workspace and turbo run test doesn't cover it.

Closes #3045

Run examples:
CleanShot 2026-05-27 at 17 04 10@2x

Summary by cubic

Publishes packages in dependency order and fails fast to avoid releasing broken dependents. Adds version-based npm dist-tags, --dry-run, provenance on publish, and exposes the release as pnpm release with CI coverage.

  • New Features

    • Replace changeset publish with an explicit pipeline in scripts/release.mts that publishes in topological order, skips dependents on failure, derives the dist-tag from the version (x.y.z -> latest, prereleases -> their own tag), supports --dry-run, and exits non-zero on any failure.
    • Publish with npm provenance via pnpm publish --provenance.
    • Expose the pipeline as pnpm release; add release:dry-run and release:build; update the release workflow to run pnpm release; run scripts/release.spec.mts explicitly in CI.

  • Bug Fixes

Written for commit 358be20. Summary will update on new commits.

Review in cubic

@felipefreitag
fix(ci): publish packages in dependency order, fail fast on failure
54169e2 
Replace `changeset publish` (which publishes in arbitrary order and keeps
going when one package fails) with an explicit pipeline in release.mts that:

- publishes packages in topological (dependency) order
- skips a package's dependents when it fails, so a broken dependency can
  never produce a broken dependent published against a version that isn't
  on npm
- derives each npm dist-tag from the version itself (x.y.z -> latest, a
  prerelease -> its own tag), so a prerelease can never overwrite latest
- adds a --dry-run flag that prints the publish plan without publishing
- exits non-zero when any package fails

Adds unit tests (scripts/release.spec.mts) for the pure pipeline helpers and
wires them into the tests workflow, since scripts/ isn't a workspace and
turbo run test doesn't cover it.
@changeset-bot
Copy link
Copy Markdown

changeset-bot Bot commented May 27, 2026
edited
Loading

⚠️ No Changeset found

Latest commit: 358be20

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@vercel
Copy link
Copy Markdown
Contributor

vercel Bot commented May 27, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
react-email Ready Ready Preview, Comment May 28, 2026 12:40pm
react-email-demo Ready Ready Preview, Comment May 28, 2026 12:40pm

@felipefreitag felipefreitag requested a review from dielduarte May 27, 2026 20:03
@socket-security
Copy link
Copy Markdown

socket-security Bot commented May 27, 2026
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Added@​changesets/​pre@​2.0.21001007991100
Addedmdast-util-to-string@​4.0.010010010082100

View full report

@felipefreitag
fix(ci): request npm provenance explicitly via pnpm publish --provenance
e8a3a5c 
pnpm publish has no implicit provenance; the NPM_CONFIG_PROVENANCE env var
carried over from the changeset publish path is replaced with the documented
--provenance flag so each package is published with provenance attestation.
cubic-dev-ai[bot]
cubic-dev-ai Bot reviewed May 27, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

0 issues found across 1 file (changes from recent commits).

Requires human review: This PR replaces the entire changeset publish pipeline with a custom publish orchestrator in scripts/release.mts, which is a critical path for production releases — any bug could result in incorrect package ordering, broken dependency chains on npm, or improper dist-tags, so it requires...

Re-trigger cubic

cubic-dev-ai[bot]
cubic-dev-ai Bot reviewed May 27, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 5 files

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.

Requires human review: This PR rewrites the CI release pipeline to publish packages in dependency order instead of using changeset publish, which is a critical infrastructure change where any undetected bug could cause broken releases, incorrect dist-tags, or partial publishes, so it requires a human to verify the logic.

Re-trigger cubic

gabrielmfern
gabrielmfern reviewed May 28, 2026
View reviewed changes
Comment thread package.json Outdated
gabrielmfern
gabrielmfern reviewed May 28, 2026
View reviewed changes
Comment thread scripts/release.mts
@felipefreitag
chore(root): expose release.mts as pnpm release / release:dry-run
358be20 
The old "release" script (turbo build) is renamed to "release:build" and
now runs as the build step inside release.mts. "release" itself now runs
the full pipeline, and "release:dry-run" runs the offline plan-printing
mode locally. The release workflow uses the new "pnpm release" shorthand.
cubic-dev-ai[bot]
cubic-dev-ai Bot reviewed May 28, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

0 issues found across 3 files (changes from recent commits).

Requires human review: This PR replaces the core publishing pipeline with a custom script that controls package ordering, dist-tag assignment, and failure handling — a significant change to the release process with potential to break production deployments if any edge case is missed, so it requires human review...

Re-trigger cubic

@felipefreitag felipefreitag merged commit 4d505bb into canary May 28, 2026
18 of 19 checks passed
@felipefreitag felipefreitag deleted the worktree-fix-publish-packages-in-dependency-order branch May 28, 2026 12:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gabrielmfern gabrielmfern gabrielmfern approved these changes

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

@dielduarte dielduarte Awaiting requested review from dielduarte

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Packages should not be published if any of their dependencies fail to publish

2 participants

@felipefreitag @gabrielmfern