Add CLI release workflow with beta/stable options #19
| if: ${{ inputs.release_type == 'stable' || inputs.release_type == 'beta-and-promote' }} | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Setup Node.js | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: '20' | ||
| registry-url: 'https://registry.npmjs.org' | ||
|
|
||
| - name: Get current beta version | ||
| id: beta-version | ||
| run: | | ||
| BETA_VERSION=$(npm view @withgraphite/prompts dist-tags.beta 2>/dev/null || echo "") | ||
| if [ -z "$BETA_VERSION" ]; then | ||
| echo "No beta version found to promote" | ||
| exit 1 | ||
| fi | ||
| echo "version=$BETA_VERSION" >> $GITHUB_OUTPUT | ||
| echo "Found beta version: $BETA_VERSION" | ||
|
|
||
| - name: Promote beta to stable | ||
| env: | ||
| NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} | ||
| run: | | ||
| npm dist-tag add @withgraphite/prompts@${{ steps.beta-version.outputs.version }} latest | ||
| echo "Promoted ${{ steps.beta-version.outputs.version }} to stable (latest)" | ||
|
|
||
| # Release new beta version (runs for 'beta' and 'beta-and-promote') | ||
| release-beta: |
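Review bot: the `Promote beta to stable` step tags whatever `dist-tags.beta` currently points at as `latest` with no check that it is the version the operator intended, so a stale or unexpectedly published beta would be promoted silently; consider adding an explicit `workflow_dispatch` input naming the version to promote, comparing `$BETA_VERSION` against it in the `Get current beta version` step and failing on mismatch, so the `npm dist-tag add` call never runs on a surprise value. Separately, `${{ steps.beta-version.outputs.version }}` is interpolated straight into `run:` shell text in two places; the value comes from registry output rather than from checked-in source, so route it through `env:` (`VERSION: ${{ steps.beta-version.outputs.version }}`) and reference `"$VERSION"` in the script. Minor: quote `"$GITHUB_OUTPUT"` in the `echo "version=$BETA_VERSION" >> $GITHUB_OUTPUT` line.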
Check warning (Code scanning / CodeQL)
Workflow does not contain permissions (Medium)
Copilot Autofix (AI, about 2 months ago)
To fix this issue, add the explicit permissions key to the workflow at the root level (after the name field and before on:). This will apply the most restrictive permissions required to all jobs in the workflow unless overridden per job. As this workflow is mainly reading repository contents (e.g., for checkout, install, and npm publish), the minimal required permissions are usually:
permissions:
  contents: read
If jobs require publishing packages or interacting with other resources, those granular permissions can be added. In this case, since the jobs publish to npm using a token provided in NODE_AUTH_TOKEN, and do not update releases, issues, or pull requests, setting contents: read at the root is the least privilege approach and sufficient for most workflows.
The change should be made by adding the following block after the name: CD CLI Release line and before the on: block.
| @@ -1,4 +1,6 @@ | ||
| name: CD CLI Release | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| workflow_dispatch: |
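Review bot: the suggested block is the right fix, but `contents: read` must be nested under `permissions:` (two-space indent) in the real file; the rendered hunk flattens indentation, so copy it as `permissions:` followed by `  contents: read`, not as two sibling top-level keys, otherwise `contents` is an unknown top-level key and the workflow is invalid. `contents: read` is still required even though neither job writes to the repository, because the `actions/checkout@v4` step in both jobs clones with `GITHUB_TOKEN`. As the autofix text itself notes, this only narrows `GITHUB_TOKEN`; the `secrets.NPM_TOKEN` used in the two `NODE_AUTH_TOKEN` steps is unaffected and remains a long-lived credential to scope and rotate separately.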
| needs: [promote-beta-to-stable] | ||
| # Run even if promote-beta-to-stable was skipped (for 'beta' only releases) | ||
| if: ${{ always() && (inputs.release_type == 'beta' || inputs.release_type == 'beta-and-promote') && (needs.promote-beta-to-stable.result == 'success' || needs.promote-beta-to-stable.result == 'skipped') }} | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Setup Node.js | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: '20' | ||
| registry-url: 'https://registry.npmjs.org' | ||
|
|
||
| - name: Install dependencies | ||
| run: npm ci | ||
|
|
||
| - name: Determine beta version number | ||
| id: beta-number | ||
| run: | | ||
| # Get existing beta versions for this base version | ||
| EXISTING_BETAS=$(npm view @withgraphite/prompts versions --json 2>/dev/null | jq -r '.[]' | grep "^${{ inputs.version }}-beta\." | sort -V | tail -1 || echo "") | ||
| if [ -z "$EXISTING_BETAS" ]; then | ||
| BETA_NUM=0 | ||
| else | ||
| # Extract the beta number and increment | ||
| BETA_NUM=$(echo "$EXISTING_BETAS" | sed 's/.*-beta\.//' | awk '{print $1 + 1}') | ||
| fi | ||
| FULL_VERSION="${{ inputs.version }}-beta.${BETA_NUM}" | ||
| echo "version=$FULL_VERSION" >> $GITHUB_OUTPUT | ||
| echo "Will publish beta version: $FULL_VERSION" | ||
|
|
||
| - name: Update package version | ||
| run: npm version ${{ steps.beta-number.outputs.version }} --no-git-tag-version | ||
|
|
||
| - name: Publish beta to npm | ||
| env: | ||
| NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} | ||
| run: npm publish --tag beta | ||
|
|
||
| - name: Output published version | ||
| run: echo "Published @withgraphite/prompts@${{ steps.beta-number.outputs.version }} with tag 'beta'" |
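Review bot: `Determine beta version number` interpolates the `workflow_dispatch` input `${{ inputs.version }}` directly into the `run:` script (both in the `grep "^${{ inputs.version }}-beta\."` pattern and in `FULL_VERSION="${{ inputs.version }}-beta.${BETA_NUM}"`), and `Update package version` does the same with `${{ steps.beta-number.outputs.version }}`; expression substitution happens before the shell parses the text, so an input value becomes script rather than data. Pass both through `env:` (for example `VERSION: ${{ inputs.version }}`) and use `"$VERSION"` in the commands, and validate the input against a strict pattern such as `^[0-9]+\.[0-9]+\.[0-9]+$` before any npm call. Two smaller points in the same step: the dots in the version are unescaped regex metacharacters, so `1.2.3` also matches versions like `1x2y3-beta.0` (filter in `jq` instead, e.g. `jq -r --arg v "$VERSION" '.[] | select(startswith($v + "-beta."))'`), and the trailing `|| echo ""` is unreachable because `tail -1` exits 0 on empty input.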
Check warning (Code scanning / CodeQL)
Workflow does not contain permissions (Medium)
Copilot Autofix (AI, about 2 months ago)
To fix the identified problem, add a top-level permissions block to the workflow YAML file immediately after the name field. This way, the least privilege permissions will apply to all jobs unless overridden. Based on the current jobs and steps, contents: read suffices, since the workflow does not interact with the repository contents via the GITHUB_TOKEN, nor does it use this token to push, create releases, or modify issues/pull requests.
Steps:
- Insert the following after name: CD CLI Release (on line 1):
  permissions:
    contents: read
- No changes are needed elsewhere in the file, as this will cover all workflow jobs unless one needs additional permissions in the future.
| @@ -1,4 +1,6 @@ | ||
| name: CD CLI Release | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| workflow_dispatch: |
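Review bot: this hunk is the same `@@ -1,4 +1,6 @@` suggestion CodeQL attached to the first job; the workflow-level `permissions:` key is set once per file and covers both `promote-beta-to-stable` and `release-beta`, so apply one of the two autofixes only, since applying both would produce a duplicate top-level `permissions:` key.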
This PR was created by a Graphite background agent: https://app.stg.graphite.com/background-agents/withgraphite/prompts/task/bgt_01kcktcb4wfggb2g4f4bynqcke