fix(preview-release,monorepo-preview-release): drop unremovable latest demote#21
Merged
Merged
Conversation
…t demote `demoteAutoLatest` shelled out to `pnpm dist-tag rm <pkg> latest`, but npm rejects deleting the `latest` tag (every package must always have one) — the registry returns `400 Bad Request`. So the call never achieved its goal: it just emitted a scary error in the Actions log while `latest` stayed pointing at the first preview build. Verified live on a real first-time publish (@vlandoss/theme-toggle): publish succeeded via the NPM_TOKEN fallback, the dist-tag rm got `400 Bad Request`, and `latest` remained on the preview version. npm fundamentally requires a `latest` tag pointing at a real published version, so for a brand-new package the first preview unavoidably becomes `latest` until a stable release re-points it. There is no registry-side fix. Remove `demoteAutoLatest` from both actions. Keep first-time detection and the `firstTime` flag in the vland-bot payload so the PR comment can warn that `pnpm add <pkg>` resolves to a preview until a real release lands. READMEs rewritten to describe the actual (unavoidable) behavior instead of the removal that never worked. dist/ rebuilt via ncc. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Both preview actions called
demoteAutoLatest→pnpm dist-tag rm <pkg> latestto undo npm's auto-assignedlateston a package's first publish. npm forbids deleting thelatesttag — every package must always have one — so the registry returns400 Bad Request. The call never worked: it just emitted a scary error in the Actions log whilelateststayed pointing at the first preview build.Verified live on a real first-time publish of
@vlandoss/theme-toggle:NPM_TOKENfallback (OIDC → token, no provenance — working as designed).pnpm dist-tag rm latest→npm error 400 Bad Request - DELETE .../dist-tags/latest.{"pr-2":"0.0.1-git-3dca01d.0","latest":"0.0.1-git-3dca01d.0"}—lateststill points at the preview.npm fundamentally requires a
latesttag pointing at a real published version, so for a brand-new package the first preview unavoidably becomeslatestuntil a stable release re-points it. There is no registry-side fix.Change
demoteAutoLatestfrom bothpreview-releaseandmonorepo-preview-release(and its call sites).isUnpublishedbefore publish) and thefirstTimefield in thevland-botpayload, so the PR comment can warn thatpnpm add <pkg>resolves to a preview build until a real release lands.@pr-<n>or exact version; cut a release to fixlatest) instead of the removal that never worked.dist/rebuilt via ncc.tsc+biome checkpass.runLoggedstreaming, the OIDC/token fallback, andcore.setSecret(npm_token)are unchanged.🤖 Generated with Claude Code