fix(rest,client): show only the business message for sandboxed hook/a… #3321
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release | |
| on: | |
| push: | |
| branches: | |
| - main | |
| concurrency: ${{ github.workflow }}-${{ github.ref }} | |
| jobs: | |
| release: | |
| name: Release | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v7 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v6 | |
| with: | |
| # 22 (not 20 like the other workflows): the downstream hotcrm smoke | |
| # below clones hotcrm@v1.2.0, whose manifest pins engines.node >=22. | |
| # pnpm install aborts with ERR_PNPM_UNSUPPORTED_ENGINE on Node 20. | |
| node-version: '22' | |
| - name: Enable Corepack | |
| run: corepack enable | |
| - name: Verify pnpm version | |
| run: pnpm --version | |
| - name: Get pnpm store directory | |
| shell: bash | |
| run: | | |
| echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV | |
| - name: Setup pnpm cache | |
| uses: actions/cache@v6 | |
| with: | |
| path: ${{ env.STORE_PATH }} | |
| key: ${{ runner.os }}-pnpm-store-v3-${{ hashFiles('**/pnpm-lock.yaml') }} | |
| restore-keys: | | |
| ${{ runner.os }}-pnpm-store-v3- | |
| - name: Install dependencies | |
| run: pnpm install --frozen-lockfile | |
| - name: Verify Changesets "fixed" group covers every public package | |
| run: node scripts/check-changeset-fixed.mjs | |
| - name: Build | |
| run: pnpm run build | |
| - name: Build vendored @objectstack/console SPA | |
| # Clones objectstack-ai/objectui at the SHA pinned in .objectui-sha, | |
| # builds @object-ui/console, and copies dist/ into | |
| # packages/console/dist/. Must run before publish so the | |
| # prepublishOnly guard in @objectstack/console passes. | |
| run: bash scripts/build-console.sh | |
| - name: Downstream backward-compat smoke (live hotcrm) | |
| # Pre-publish gate (#2035): the about-to-publish @objectstack/spec must | |
| # not break a real third-party consumer pinned to a published release. | |
| # Clones objectstack-ai/hotcrm@${HOTCRM_REF}, installs it (published | |
| # deps), overlays the freshly-built spec dist, and runs hotcrm's own | |
| # typecheck + `objectstack validate`. A red here blocks the publish. | |
| # The deterministic in-repo floor is @objectstack/downstream-contract; | |
| # this is the live ceiling. | |
| env: | |
| # v2.0.0: hotcrm adopted the ADR-0090 Permission Model v2 vocabulary | |
| # (role→position recipients, profiles removed, explicit OWD — | |
| # hotcrm#438), closing the launch-window advisory period from #2719. | |
| # Bump this ref whenever a deliberate spec surface removal ships a | |
| # matching hotcrm release. | |
| HOTCRM_REF: v2.0.0 | |
| run: bash scripts/downstream-smoke.sh | |
| - name: Create Release Pull Request or Publish to npm | |
| id: changesets | |
| uses: changesets/action@v1 | |
| with: | |
| # publish (pnpm run release) ends in scripts/release-publish.sh, | |
| # which pushes all new version tags in ONE atomic git push. This | |
| # pre-empts changesets/action's own concurrent per-tag pushes, which | |
| # otherwise race GitHub's ref backend (remote: fatal error in | |
| # commit_refs) and reject ~half the tags on a large fixed-group bump (#2191). | |
| publish: pnpm run release | |
| version: pnpm run version | |
| commit: 'chore: version packages' | |
| title: 'chore: version packages' | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| NPM_TOKEN: ${{ secrets.NPM_TOKEN }} |