Release/1.0.1 beta.0#6
…Maven Central for RN sdk (#3)
- Removes the GitHub Packages sdk to 1.0.1 published to Maven Central.
- Updates README to remove the token setup instructions for consumers.
- Add publish.yml: validates then publishes to npm on v* tags, with dry-run support and provenance attestation
- Disable npm publish in release-it (CI is now the publish path)
- Remove --only-version from release script to run full release flow
- Add requireBranch and CHANGELOG.md config to release-it
- Drop build-ios job (Android-only library)
- Remove GitHub Packages credentials from build-android
#5)
* chore(ci): move GitHub release creation to CI and add dist-tag support
- Resolve npm dist tag from version tag (beta/rc/latest) automatically
- Create GitHub release in CI using auto-provided GITHUB_TOKEN
- Set github.release: false in release-it — no PAT needed locally
- Grant contents: write permission in publish job for release creation
* fix(ci): guard publish and release steps to tag refs only
📝 Summary by CodeRabbit
Walkthrough
This PR updates the release and CI infrastructure by tightening CI permissions, introducing an npm publish workflow, switching Android dependencies from GitHub Packages to Maven Central, and updating the release-it configuration to remove npm publish and GitHub release automation in favor of the new workflow.
Changes: Release Infrastructure & Dependency Migration
🎯 Estimated code review effort: 3 (Moderate), ⏱️ ~22 minutes
🚥 Pre-merge checks: ✅ 4 passed, ❌ 1 failed (inconclusive)
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/publish.yml:
- Around line 3-7: Update the publish workflow (.github/workflows/publish.yml)
to validate that the pushed tag points at the main branch commit before
publishing: add a pre-publish step (run in the same job or a separate job that
gates publishing) which checks out refs, fetches origin/main (use full fetch),
compares the tag target commit SHA to origin/main HEAD (fail/exit non-zero if
they differ) and only proceed to the publish steps when they match; this
enforces the intended branch restriction instead of relying on package.json's
local release-it setting.
- Around line 63-65: The prerelease tag extraction using sed with '[a-zA-Z]*'
fails for numeric/hyphenated semver parts; update the logic that sets TAG from
VERSION (the block that currently uses sed) to use bash parameter expansion to
strip the leading version and then take the first dot-separated prerelease
identifier (so it captures digits and hyphens too), e.g., isolate the part after
the first '-' in VERSION and then split on '.' to assign TAG; ensure you update
the branch where TAG is set so inputs like 1.0.0-0.3.7, 1.0.0-rc-1, and
2.1.5-dev-20240101 produce 0, rc-1, and dev-20240101 respectively.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 309d2a03-a0d9-4036-b8f2-3a36e53f05c7
📒 Files selected for processing (5)
- .github/workflows/ci.yml
- .github/workflows/publish.yml
- README.md
- android/build.gradle
- package.json
💤 Files with no reviewable changes (1)
- .github/workflows/ci.yml
on:
  push:
    tags:
      - 'v*'
  workflow_dispatch:
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Read-only check: list existing v* tags that are not reachable from origin/main.
git fetch origin main --depth=1 --tags
git tag -l 'v*' | while read -r tag; do
sha=$(git rev-list -n1 "$tag")
if ! git merge-base --is-ancestor "$sha" origin/main; then
echo "$tag -> $sha is NOT on origin/main"
fi
done
Repository: lokal-app/react-native-device-metrics
Length of output: 231
🏁 Script executed:
cat -n .github/workflows/publish.yml | head -100
Repository: lokal-app/react-native-device-metrics
Length of output: 3127
🏁 Script executed:
find . -name "*.json" -o -name "*.yml" -o -name "*.yaml" | xargs grep -l "branch.*protect\|protection" 2>/dev/null | head -5
Repository: lokal-app/react-native-device-metrics
Length of output: 63
Enforce that release tags point to main before publishing.
The workflow publishes any v* tag without verifying it originates from the main branch. A tag created on a non-main commit will pass validation and publish to npm. The release-it branch restriction in package.json only applies to local CLI invocations, not direct tag pushes.
🔧 Proposed hardening
publish:
needs: validate
runs-on: ubuntu-latest
@@
steps:
- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+ - name: Verify tag commit is on main
+ if: ${{ startsWith(github.ref, 'refs/tags/') }}
+ run: |
+ git fetch origin main --depth=1
+ git merge-base --is-ancestor "$GITHUB_SHA" "origin/main" || {
+ echo "Tag commit is not on origin/main; aborting publish."
+ exit 1
+ }
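Review bot: the `--depth=1` in `git fetch origin main --depth=1` makes the `git merge-base --is-ancestor` check stricter than the step name suggests. actions/checkout fetches only the tag commit by default, so with both sides shallow the ancestry test can only succeed when `$GITHUB_SHA` is exactly `origin/main` HEAD; a tag placed on an older main commit is rejected. If "must be main HEAD" is the intended rule, compare `$GITHUB_SHA` against `git rev-parse origin/main` and name the step accordingly; if any commit on main is acceptable, add `fetch-depth: 0` to the checkout step and drop `--depth=1`. The agent prompt for this finding already says "use full fetch", so the diff and the prompt currently disagree. Note also that this step only constrains which commit gets published, not who can publish: anyone able to push a `v*` tag still triggers the workflow, so pair it with a ruleset that restricts tag creation.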
if [[ "$VERSION" == *"-"* ]]; then
  TAG=$(echo "$VERSION" | sed 's/[0-9]*\.[0-9]*\.[0-9]*-\([a-zA-Z]*\).*/\1/')
else
🧩 Analysis chain
🏁 Script executed:
cat -n .github/workflows/publish.yml | sed -n '55,75p'
Repository: lokal-app/react-native-device-metrics
Length of output: 935
🌐 Web query:
semantic versioning prerelease identifier rules specification
💡 Result:
In Semantic Versioning 2.0.0, a prerelease version is formed by appending a hyphen and dot-separated "pre-release identifiers" immediately after the patch version: MAJOR.MINOR.PATCH-identifiers. Pre-release identifiers must use only ASCII alphanumerics and hyphens [0-9A-Za-z-]; identifiers must not be empty; numeric identifiers must not include leading zeroes. [1] Prerelease precedence rules (how two prereleases are ordered): precedence is calculated by comparing major, minor, patch, then pre-release; for prerelease parts, compare dot-separated identifiers from left to right until a difference is found. Identifiers consisting only of digits are compared numerically; identifiers containing letters or hyphens are compared lexically in ASCII sort order; numeric identifiers always have lower precedence than non-numeric identifiers; and if all compared identifiers are equal, a version with more pre-release fields has higher precedence. [1] Examples of valid prerelease forms per the spec include: 1.0.0-alpha, 1.0.0-alpha.1, and 1.0.0-0.3.7. [1]
🏁 Script executed:
python3 << 'EOF'
import re
# Current regex from line 64
current_pattern = r'[0-9]*\.[0-9]*\.[0-9]*-([a-zA-Z]*)'
# Test cases based on semantic versioning spec
test_cases = [
    "1.0.0-alpha",          # alphabetic only - should work
    "1.0.0-alpha.1",        # alphabetic + numeric - current fails
    "1.0.0-0.3.7",          # numeric-only prerelease - current fails
    "1.0.0-rc-1",           # hyphenated - current fails
    "1.0.0-beta",           # basic case - should work
    "2.1.5-dev-20240101",   # complex - current fails
]
print("Current regex results:")
print("-" * 50)
for version in test_cases:
    match = re.search(current_pattern, version)
    extracted = match.group(1) if match else "NO MATCH"
    print(f"{version:25} → TAG='{extracted}'")
print("\n" + "=" * 50)
print("Proposed fix results (simulated in Python):")
print("-" * 50)
for version in test_cases:
    # Simulate: PRERELEASE="${VERSION#*-}"
    if "-" in version:
        prerelease = version.split("-", 1)[1]
    else:
        prerelease = ""
    # Simulate: TAG="${PRERELEASE%%.*}"
    if "." in prerelease:
        tag = prerelease.split(".")[0]
    else:
        tag = prerelease
    # Simulate: [[ -z "$TAG" ]] && TAG="next"
    if not tag:
        tag = "next"
    print(f"{version:25} → TAG='{tag}'")
EOF
Repository: lokal-app/react-native-device-metrics
Length of output: 772
Make prerelease dist-tag extraction more robust.
The current regex only captures alphabetic characters ([a-zA-Z]*), causing it to fail with valid semantic versioning prerelease identifiers that contain digits or hyphens:
- 1.0.0-0.3.7 produces an empty TAG
- 1.0.0-rc-1 produces rc instead of rc-1
- 2.1.5-dev-20240101 produces dev instead of dev-20240101
Use bash parameter expansion to extract the first dot-separated prerelease segment, which naturally handles all valid semver formats ([0-9A-Za-z-]):
🔧 Proposed parsing update
if [[ "$VERSION" == *"-"* ]]; then
- TAG=$(echo "$VERSION" | sed 's/[0-9]*\.[0-9]*\.[0-9]*-\([a-zA-Z]*\).*/\1/')
+ PRERELEASE="${VERSION#*-}"
+ TAG="${PRERELEASE%%.*}"
+ [[ -z "$TAG" ]] && TAG="next"
else
TAG="latest"
fi
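Review bot: `TAG="${PRERELEASE%%.*}"` can still produce a dist-tag npm rejects. For 1.0.0-0.3.7 the empty-string fallback is not reached and TAG becomes `0`, and `npm publish --tag` refuses any tag name that is a valid SemVer range (`0` parses as `>=0.0.0 <1.0.0-0`), so the publish fails at the registry step rather than being mis-tagged. Extend the fallback to purely numeric identifiers, e.g. `[[ -z "$TAG" || "$TAG" =~ ^[0-9]+$ ]] && TAG="next"`. It is also worth stripping build metadata before the split (`VERSION="${VERSION%%+*}"`), otherwise 1.0.0-rc+build.7 yields `rc+build`.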
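A version-to-dist-tag mapper for the logic discussed in this comment, written as an added example rather than the project's own publish.yml: it applies the parameter-expansion approach and additionally strips build metadata and maps a purely numeric first identifier to "next", since npm refuses a dist-tag that parses as a SemVer range. The sample versions are constructed.

```shell
#!/bin/sh
# Added example, not the project's code: map an npm package version to the
# dist-tag the publish step should pass to "npm publish --tag". Implements the
# parameter-expansion approach from the review and adds two cases its diff does
# not cover: build metadata after "+" is dropped, and a first prerelease
# identifier that is purely numeric (the "0" in 1.0.0-0.3.7) maps to "next".
dist_tag_for_version() {
  version="${1#v}"              # tolerate the leading "v" of a git tag name
  version="${version%%+*}"      # strip build metadata; it never selects a tag
  case "$version" in
    *-*) ;;                     # has a prerelease part, handled below
    *) echo "latest"; return 0 ;;
  esac
  prerelease="${version#*-}"    # after the first "-": "rc-1.2", "0.3.7", "beta.0"
  tag="${prerelease%%.*}"       # first dot-separated identifier: "rc-1", "0", "beta"
  case "$tag" in
    "" | *[!0-9A-Za-z-]*) tag="next" ;;  # empty or not a semver identifier
    *[!0-9]*) ;;                         # has a letter or hyphen: use as-is
    *) tag="next" ;;                     # purely numeric: npm would reject it
  esac
  echo "$tag"
}

# Constructed sample inputs; v1.0.1-beta.0 mirrors this PR's release version.
for v in 1.0.0 v1.0.1-beta.0 1.0.0-0.3.7 1.0.0-rc-1 2.1.5-dev-20240101 1.0.0-rc.1+build.5; do
  printf '%-22s -> %s\n' "$v" "$(dist_tag_for_version "$v")"
done
```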