fix(monorepo-preview-release): don't pollute npm latest on first publish + stream pnpm output#18
Merged
Conversation
… + stream pnpm output npm force-assigns the `latest` dist-tag to a package's first-ever publish even when `--tag pr-<n>` is used, so a brand-new package's preview build silently became the default that `pnpm add <pkg>` (no tag) resolves to. Capture first-time publishes (checked before publishing) and remove the auto-assigned `latest` afterwards (best-effort, never fatal): only `pr-<n>` remains, so `pnpm add <pkg>` fails loudly until a real release re-points `latest`, while `<pkg>@pr-<n>` and exact-version installs keep working. Also: - Stream mutating commands (pnpm version/publish/dist-tag) to the Actions log via a `runLogged` helper using tinyexec's async iterator, while keeping JSON query commands (list/view) silent so their parsed output isn't corrupted. tinyexec consumes the child streams once, so we capture during iteration and read `proc.exitCode` after the loop. - Report `firstTime` per package in the vland-bot payload so the PR comment can flag previews whose `latest` was just removed. - core.setSecret(npm_token) to mask any accidental echo in streamed output. dist/ rebuilt via ncc. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
rqbazan
force-pushed
the
feat/preview-release-latest-fix-and-streaming
branch
from
3f9340d to
1e966ba
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Context
Spotted on variableland/dx#244: the preview-release of the brand-new
@rrlab/vitest-pluginpublished fine, but its npmlatestdist-tag ended up pointing at the PR preview0.0.1-git-9a2ee7f.0.npm force-assigns
latestto a package's first-ever publish, even when the publish used--tag pr-<n>. So a brand-new package's preview build silently becomes the versionpnpm add <pkg>(no tag) resolves to — until a real release re-pointslatest. No flag at publish time prevents this; it has to be corrected afterwards.Changes
latestpollution. Capture which packages are first-time publishes (checked before publishing) and runpnpm dist-tag rm <pkg> latestafterwards. Best-effort — warns instead of failing if the registry refuses. Result: onlypr-<n>remains,pnpm add <pkg>fails loudly instead of installing a PR build, and<pkg>@pr-<n>/exact-version installs keep working. Self-heals once a stable release runs.runLoggedhelper streams the mutating commands (pnpm version/publish/dist-tag) to the Actions log in collapsible groups while still capturing output for error context. JSON query commands (list/view) stay silent so their parsed output isn't corrupted. tinyexec consumes child streams once, so we capture during iteration and readproc.exitCodeafter.firstTimein the vland-bot payload. Each package entry now carriesfirstTime: booleanso the PR comment can flag previews whoselatestwas just removed. (Bot-side consumption tracked separately in vland-bot.)core.setSecret(npm_token)to mask any accidental echo (makes the README's existing security claim true).latest" section, logging behavior).Verification
tsc --noEmitclean;biome checkclean.dist/rebuilt via ncc.exitCodepopulated after the loop, non-zero exit doesn't throw).Not retroactive
@rrlab/vitest-plugin@lateststill points at the PR #244 preview. Clean up withpnpm dist-tag rm @rrlab/vitest-plugin latest(token with@rrlabscope rights), or let it self-correct when the package gets its first stable release.🤖 Generated with Claude Code