Skip to content

fix(preview-release,monorepo-preview-release): drop unremovable latest demote#21

Merged
rqbazan merged 1 commit into
mainfrom
fix/drop-unremovable-latest-demote
Jun 27, 2026
Merged

fix(preview-release,monorepo-preview-release): drop unremovable latest demote#21
rqbazan merged 1 commit into
mainfrom
fix/drop-unremovable-latest-demote

Conversation

@rqbazan

@rqbazan rqbazan commented Jun 27, 2026

Copy link
Copy Markdown
Member

Problem

Both preview actions called demoteAutoLatestpnpm dist-tag rm <pkg> latest to undo npm's auto-assigned latest on a package's first publish. npm forbids deleting the latest tag — every package must always have one — so the registry returns 400 Bad Request. The call never worked: it just emitted a scary error in the Actions log while latest stayed pointing at the first preview build.

Verified live on a real first-time publish of @vlandoss/theme-toggle:

  • ✅ Publish succeeded via the NPM_TOKEN fallback (OIDC → token, no provenance — working as designed).
  • pnpm dist-tag rm latestnpm error 400 Bad Request - DELETE .../dist-tags/latest.
  • Result on the registry: {"pr-2":"0.0.1-git-3dca01d.0","latest":"0.0.1-git-3dca01d.0"}latest still points at the preview.

npm fundamentally requires a latest tag pointing at a real published version, so for a brand-new package the first preview unavoidably becomes latest until a stable release re-points it. There is no registry-side fix.

Change

  • Remove demoteAutoLatest from both preview-release and monorepo-preview-release (and its call sites).
  • Keep first-time detection (isUnpublished before publish) and the firstTime field in the vland-bot payload, so the PR comment can warn that pnpm add <pkg> resolves to a preview build until a real release lands.
  • README rewritten in both actions to describe the actual, unavoidable behavior (install via @pr-<n> or exact version; cut a release to fix latest) instead of the removal that never worked.
  • dist/ rebuilt via ncc. tsc + biome check pass.

runLogged streaming, the OIDC/token fallback, and core.setSecret(npm_token) are unchanged.

🤖 Generated with Claude Code

…t demote

`demoteAutoLatest` shelled out to `pnpm dist-tag rm <pkg> latest`, but npm
rejects deleting the `latest` tag (every package must always have one) — the
registry returns `400 Bad Request`. So the call never achieved its goal: it
just emitted a scary error in the Actions log while `latest` stayed pointing at
the first preview build. Verified live on a real first-time publish
(@vlandoss/theme-toggle): publish succeeded via the NPM_TOKEN fallback, the
dist-tag rm got `400 Bad Request`, and `latest` remained on the preview version.

npm fundamentally requires a `latest` tag pointing at a real published version,
so for a brand-new package the first preview unavoidably becomes `latest` until
a stable release re-points it. There is no registry-side fix.

Remove `demoteAutoLatest` from both actions. Keep first-time detection and the
`firstTime` flag in the vland-bot payload so the PR comment can warn that
`pnpm add <pkg>` resolves to a preview until a real release lands. READMEs
rewritten to describe the actual (unavoidable) behavior instead of the removal
that never worked. dist/ rebuilt via ncc.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@rqbazan rqbazan merged commit c6df4e7 into main Jun 27, 2026
1 check passed
@rqbazan rqbazan deleted the fix/drop-unremovable-latest-demote branch June 27, 2026 23:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant