
Commit 3b16c5c

ci: gate release on a separate test job, least-privilege permissions
GitHub releases are created only by the changesets/action step, and that step has not completed cleanly on any release-triggering run since mid-June (last release: @tanstack/ai-react@0.15.5 on 2026-06-15; npm is now at 0.15.12).

The "Version Packages" merge runs (#773, #778, #787, #792, #808, #813) passed the test gate and then FAILED at the "Run Changesets" step: CI ran `changeset publish` and npm advanced, but the step died before the tag-push / GitHub-release phase, so no tags (0.15.6-0.15.12 don't exist) and no releases were created. More recent runs (#814, #825) now fail even earlier, at the test gate (test:kiira). (The exact in-step error is no longer recoverable - those runs' logs have expired.)

Changes:
- Split into a `test` gate job and a `release` job (needs: test) so a flaky run blocks BOTH npm and GitHub releases together, never one without the other.
- Tighten permissions: top-level contents:read; write scoped to the release job.
1 parent f3144a6 commit 3b16c5c

1 file changed

Lines changed: 22 additions & 6 deletions

File tree

.github/workflows/release.yml

@@ -12,25 +12,41 @@ env:
1212
NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
1313

1414
permissions:
15-
contents: write
16-
id-token: write
17-
pull-requests: write
15+
contents: read
1816

1917
jobs:
20-
release:
21-
name: Release
18+
test:
19+
name: Test
2220
if: github.repository_owner == 'TanStack'
2321
runs-on: ubuntu-latest
2422
steps:
2523
- name: Checkout
2624
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
2725
with:
2826
fetch-depth: 0
29-
persist-credentials: true # release job pushes version/docs changes
27+
persist-credentials: false
3028
- name: Setup Tools
3129
uses: TanStack/config/.github/setup@190f659075ff0845850e330883eb26d7ffd0671f # main
3230
- name: Run Tests
3331
run: pnpm run test:ci
32+
33+
release:
34+
name: Release
35+
needs: test
36+
if: github.repository_owner == 'TanStack'
37+
runs-on: ubuntu-latest
38+
permissions:
39+
contents: write
40+
id-token: write
41+
pull-requests: write
42+
steps:
43+
- name: Checkout
44+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
45+
with:
46+
fetch-depth: 0
47+
persist-credentials: true
48+
- name: Setup Tools
49+
uses: TanStack/config/.github/setup@190f659075ff0845850e330883eb26d7ffd0671f # main
3450
- name: Run Changesets (version or publish)
3551
id: changesets
3652
uses: changesets/action@6a0a831ff30acef54f2c6aa1cbbc1096b066edaf # v1.7.0
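Review bot: the `release` job's checkout still uses `persist-credentials: true`, so the write-scoped GITHUB_TOKEN is left in `.git/config` before `Setup Tools` and everything it installs executes, while the `test` job was correctly moved to `persist-credentials: false`. The removed comment `persist-credentials: true # release job pushes version/docs changes` says the push relies on it, so check whether the `changesets/action` step can push the version/docs commits with the token passed only in its own env; if it can, the release checkout can use `persist-credentials: false` too and the token stops being readable by install scripts. Two smaller points: `fetch-depth: 0` is carried into the `test` job even though none of its visible steps (`Setup Tools`, `pnpm run test:ci`) needs full history, and the `release` job's `if: github.repository_owner == 'TanStack'` repeats the gate already on `test`; it is harmless, since a job that `needs` a skipped job is skipped as well, but the duplicate can go. The permission split itself looks right: with `contents: read` at the top level the `test` job gets nothing beyond that, and `contents: write`, `id-token: write` and `pull-requests: write` now exist only on `release`.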
