feat(ui-scripts): allow pr-snapshot to publish at an operator-supplied prerelease version#2556
Open
balzss wants to merge 1 commit into
Open
feat(ui-scripts): allow pr-snapshot to publish at an operator-supplied prerelease version#2556balzss wants to merge 1 commit into
balzss wants to merge 1 commit into
Conversation
|
Visual regression report✅ No changes.
Baselines come from the |
…d prerelease version
Adds two optional inputs to the pr-snapshot workflow_dispatch path:
custom_version (e.g. 11.7.3-SECURITY.0) and dist_tag (e.g. security).
When set, they override the auto-computed snapshot version and the
default pr-snapshot dist-tag.
Use case: mirror a previously-published private security release onto
the public registry under a non-latest dist-tag, so open-source
consumers who pinned to a prerelease version from the private registry
can switch their resolution to npmjs without changing package.json.
Workflow plumbing:
- release_to_npm.yml: two new optional inputs forwarded to the
pr-release job
- _pr-release-reusable.yml: accepts the inputs, validates them, and
forwards as --customVersion / --distTag (via env vars to avoid
shell-injection from workflow_dispatch input values)
publish.js:
- new --customVersion / --distTag flags
- publishSnapshotVersion uses customVersion when supplied, else
falls back to calculateNextSnapshotVersion as today
- validateCustomVersionInputs() enforces guards: valid semver,
prerelease only (refuses stable versions so we can never take
over a future stable slot), distTag not 'latest', distTag
required when customVersion is set
Existing pr-snapshot behavior is unchanged when the new inputs are
blank. OIDC auth + --provenance preserved.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
matyasf
approved these changes
Jul 8, 2026
Comment on lines
+179
to
+187
| if (!distTag) { | ||
| throw new Error('--distTag is required when --customVersion is set.') | ||
| } | ||
| } else if (distTag) { | ||
| // distTag on its own would override the tag while still auto-computing the | ||
| // version — almost certainly not what the operator intended. | ||
| throw new Error('--distTag can only be used together with --customVersion.') | ||
| } | ||
| } |
Collaborator
There was a problem hiding this comment.
bit awkward if/else structure, but its OK. I would extract this to the top with something like if (customVersion && !distTag || !customVersion && distTag) { throw new Error(..
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds optional
custom_version+dist_taginputs to thepr-snapshotrelease path so an operator can publish an exact prerelease (e.g.11.7.3-SECURITY.0) to npmjs under a non-latesttag. Blank inputs → behavior unchanged.Plumbed
release_to_npm.yml→_pr-release-reusable.yml→publish.tsas--customVersion/--distTag, passed viaenv:(not${{ }}) to avoid shell injection.Why
Mirrors a privately-shipped coordinated-disclosure fix (
x.y.z-SECURITY.N) onto npmjs under thesecuritytag so OSS consumers can re-resolve without editingpackage.json.Safety rails
validateCustomVersionInputsrejects: non-prerelease / invalid semver,dist_tag=latest,custom_versionwithoutdist_tag(and vice-versa), and use on a release commit. OIDC +--provenanceunchanged.Testing
E2E: trigger
pr-snapshotwithcustom_version=11.7.3-SECURITY.0,dist_tag=securityon a test branch. Confirm packages publish under thesecuritytag (npm view @instructure/ui-buttons dist-tags) and thatlatestis unchanged.🤖 Generated with Claude Code