add release ci #2

Merged: steven-passynkov merged 3 commits into main from ci/release-workflow on Apr 11, 2026

Conversation

steven-passynkov (Contributor) commented Apr 11, 2026

Summary by CodeRabbit

  • Chores
    • Added an automated release workflow to run tests and publish packages on tagged releases or manual trigger.
    • Updated LICENSE to specify the concrete copyright holder and year.

coderabbitai Bot (Contributor) commented Apr 11, 2026

📝 Walkthrough

Added a new GitHub Actions workflow release.yaml that triggers on version tag pushes (v*) and manual dispatch, performs checkout, sets up pnpm and Node 20.19.0, installs deps, runs tests, and publishes to npm; updated LICENSE copyright line to Copyright 2026 Leap0. (50 words)

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Release workflow: `.github/workflows/release.yaml` | New workflow "Release" triggered on tag `v*` and `workflow_dispatch`. Single `publish` job on ubuntu-latest: checkout, setup pnpm, install Node@20.19.0 with pnpm cache, `pnpm install --frozen-lockfile`, `pnpm test`, then `npm publish --provenance --access public` using `secrets.NPM_TOKEN`. |
| License metadata: `LICENSE` | Replaced placeholder copyright line with: Copyright 2026 Leap0. |

Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant Dev as Developer (push tag / manual)
    participant GH as GitHub Actions
    participant Runner as Runner (ubuntu-latest)
    participant PNPM as pnpm
    participant Node as Node.js
    participant NPM as npm Registry

    Dev->>GH: push tag `v*` / workflow_dispatch
    GH->>Runner: start `publish` job
    Runner->>Runner: actions/checkout
    Runner->>PNPM: setup pnpm
    Runner->>Node: install Node 20.19.0 (pnpm cache)
    Runner->>PNPM: pnpm install --frozen-lockfile
    Runner->>Runner: pnpm test
    Runner->>NPM: npm publish --provenance --access public (uses NODE_AUTH_TOKEN)
    NPM-->>GH: publish result
```

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 I nudged a tag, a tiny drumbeat,
PNPM hummed and Node set the beat,
Tests ran tidy, the publish took flight,
A carrot for CI — cozy and bright 🥕

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title 'add release ci' accurately describes the main change: adding a GitHub Actions release workflow. It is concise and clearly identifies the primary purpose of the changeset. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/release.yaml (1)

14-16: Add explicit least-privilege permissions and a job timeout.

At Line 14-16, consider adding permissions: { contents: read } and timeout-minutes on verify to harden token scope and prevent stuck runners.

Suggested hardening patch
 jobs:
   verify:
+    permissions:
+      contents: read
+    timeout-minutes: 20
     runs-on: ubuntu-latest
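Review bot: if `verify` is the job that runs `npm publish --provenance` (the walkthrough describes a single `publish` job), `permissions: contents: read` on its own will make the publish step fail, because generating provenance needs an OIDC token and therefore `id-token: write` alongside `contents: read`; suggest `permissions: { contents: read, id-token: write }` for that job. Also pick one timeout value: the patch sets `timeout-minutes: 20` while the accompanying prose suggests 10.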

📥 Commits

Reviewing files that changed from the base of the PR and between 105d513 and 6d7a36a.

📒 Files selected for processing (1)
  • .github/workflows/release.yaml

Comment on lines +25 to +33
- name: Check out repository
uses: actions/checkout@v4

- name: Set up pnpm
uses: pnpm/action-setup@v4

- name: Set up Node.js
uses: actions/setup-node@v4
with:
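Review bot: the excerpt stops at `with:`, so the `setup-node` inputs cannot be reviewed here; please confirm the block sets `registry-url`, since `actions/setup-node` only writes the `.npmrc` that makes `NODE_AUTH_TOKEN` effective when `registry-url` is given, and without it the later `npm publish` step would run unauthenticated against the default registry.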
coderabbitai Bot (Contributor) commented

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

```bash
#!/bin/bash
# Verify whether workflow actions are pinned to full commit SHAs.
# Expected: all `uses:` entries should match @<40-hex-sha> for strict pinning.
rg -n '^\s*uses:\s*[^@]+@' .github/workflows \
| awk '
{
  ref=$0
  if (ref ~ /@[0-9a-fA-F]{40}([[:space:]]|$)/) {
    print "PINNED   " ref
  } else {
    print "UNPINNED " ref
  }
}'
```

Repository: leap0-dev/langchain-leap0-js

Length of output: 305

Pin GitHub Actions to commit SHAs instead of mutable version tags.

Lines 26, 29, and 32 use mutable tags (@v4): actions/checkout@v4, pnpm/action-setup@v4, and actions/setup-node@v4. Replace with full commit SHAs to prevent unintended updates if the action repository is compromised. Optionally retain the version tag in a comment (e.g., uses: actions/checkout@abc123... # v4) for readability.


coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/release.yaml (1)

37-38: Add an explicit tag-to-package version consistency check before publish.

This prevents accidental release mismatches (e.g., tag v1.2.3 while package.json is another version).

Suggested fix
       - name: Run tests
         run: pnpm test

+      - name: Verify tag matches package version
+        run: |
+          TAG_VERSION="${GITHUB_REF_NAME#v}"
+          PKG_VERSION="$(node -e "console.log(JSON.parse(require('fs').readFileSync('package.json','utf8')).version)")"
+          test "$TAG_VERSION" = "$PKG_VERSION" || {
+            echo "Tag version ($TAG_VERSION) does not match package.json version ($PKG_VERSION)"
+            exit 1
+          }
+
       - name: Publish package
         run: npm publish --provenance --access public
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
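Review bot: the check assumes `GITHUB_REF_NAME` is a version tag, but on a `workflow_dispatch` run from a branch it holds the branch name, so the step fails with a misleading "Tag version (main)" message rather than saying the ref is not a tag; either pair this step with the `github.ref_type == 'tag'` guard proposed elsewhere in this review or test `GITHUB_REF_TYPE` first and report that in the error. Minor: `node -p "require('./package.json').version"` reads the same field with less quoting than the `node -e` / `readFileSync` one-liner.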

📥 Commits

Reviewing files that changed from the base of the PR and between 5aad476 and 4c9382e.

📒 Files selected for processing (1)
  • .github/workflows/release.yaml

Comment on lines +7 to +8
workflow_dispatch:

coderabbitai Bot (Contributor) commented

⚠️ Potential issue | 🟠 Major

Manual dispatch currently allows publishing from non-tag refs.

With workflow_dispatch enabled, this job can publish from a branch run unless constrained. Add a ref-type/tag guard so publish only runs for version tags.

Suggested fix
 jobs:
   publish:
+    if: github.ref_type == 'tag' && startsWith(github.ref_name, 'v')
     runs-on: ubuntu-latest
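Review bot: a job-level `if` skips the entire job, tests included, so a manual dispatch from a branch ends as a skipped run rather than a failed one; if the intent is to let maintainers run the test steps from a branch, put the guard on the publish step instead of the job. Note the guard still permits a manual dispatch on a tag ref, which is presumably the desired path, so the `push` tag filter `v*` and `startsWith(github.ref_name, 'v')` now state the same rule twice; a one-line comment in the file explaining why both exist would help the next reader.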

Also applies to: 37-38


steven-passynkov merged commit a018141 into main on Apr 11, 2026 (1 check passed)
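The workflow the walkthrough describes, with the review thread's suggestions (least-privilege permissions, a job timeout, SHA pinning, a tag guard and a tag/version check) folded in, as an added example that is not the PR's own release.yaml. Assumptions: the `<commit-sha-for-v4>` values are placeholders for the real release SHAs, `registry-url` is assumed because the diff excerpt above cuts off the setup-node `with:` block, and `id-token: write` is added because `npm publish --provenance` requires it.

```yaml
name: Release
on:
  push:
    tags: ["v*"]
  workflow_dispatch:

jobs:
  publish:
    runs-on: ubuntu-latest
    # Guard from the review: a manual dispatch from a branch skips the job,
    # so only version tags ever reach the publish step.
    if: github.ref_type == 'tag' && startsWith(github.ref_name, 'v')
    timeout-minutes: 20
    permissions:
      contents: read   # least privilege for GITHUB_TOKEN
      id-token: write  # needed by `npm publish --provenance` (assumption: this job publishes)
    steps:
      - name: Check out repository
        uses: actions/checkout@<commit-sha-for-v4>  # v4, placeholder: pin the full 40-hex SHA

      - name: Set up pnpm
        uses: pnpm/action-setup@<commit-sha-for-v4>  # v4, placeholder

      - name: Set up Node.js
        uses: actions/setup-node@<commit-sha-for-v4>  # v4, placeholder
        with:
          node-version: 20.19.0
          cache: pnpm
          registry-url: https://registry.npmjs.org  # assumed; makes NODE_AUTH_TOKEN effective

      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      - name: Run tests
        run: pnpm test

      - name: Verify tag matches package version
        run: |
          TAG_VERSION="${GITHUB_REF_NAME#v}"
          PKG_VERSION="$(node -p "require('./package.json').version")"
          if [ "$TAG_VERSION" != "$PKG_VERSION" ]; then
            echo "Tag version ($TAG_VERSION) does not match package.json version ($PKG_VERSION)"
            exit 1
          fi

      - name: Publish package
        run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

Run the pinning script from the review against this file after filling in the SHAs; every `uses:` line should then print as PINNED.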