
feat: promote npm edge tag to latest on release edit #229

Merged
AaronFeledy merged 3 commits into main from feature/promote-edge-on-edit
Feb 20, 2026

AaronFeledy (Member) commented Feb 20, 2026

Problem

When a release is published as a prerelease, it gets tagged as edge on npm. Later, when the release is edited in GitHub to mark it as a full release, the npm latest tag doesn't update because the workflow only triggered on published.

Solution

  • Added edited to the release workflow trigger types
  • New lightweight promote job that only runs npm dist-tag add latest — no install, no lint, no tests, no re-publish
  • Gated so it only fires when: edited + not a prerelease + not a draft
  • Existing deploy job is now explicitly gated to published events only (no behavior change)

Flow

  1. Publish as prerelease → full pipeline runs, publishes with edge tag (unchanged)
  2. Edit release → uncheck prerelease → promote job runs, points latest to that version (~15s)

The dist-tag add command is idempotent, so editing a non-prerelease release description is harmless.


Note

Low Risk
CI-only change that adjusts npm dist-tags based on GitHub release edits; limited blast radius but could mis-tag latest if the event gating/conditions are incorrect.

Overview
Updates the release workflow to also trigger on release.edited events.

Adds a new promote job that runs only when a prerelease flag is turned off (and release is not draft), and updates npm by promoting the edited release version to the latest dist-tag via npm dist-tag add.

Explicitly gates the existing deploy job to release.published events to avoid running the full publish/test pipeline on edits.

Written by Cursor Bugbot for commit e29e7b9. This will update automatically on new commits.

netlify bot commented Feb 20, 2026

Deploy Preview for lando-php ready!

Name Link
🔨 Latest commit e29e7b9
🔍 Latest deploy log https://app.netlify.com/projects/lando-php/deploys/6997d07a5b241f00089c9bee
😎 Deploy Preview https://deploy-preview-229--lando-php.netlify.app
Lighthouse
1 paths audited
Performance: 84 (🔴 down 2 from production)
Accessibility: 98 (no change from production)
Best Practices: 100 (no change from production)
SEO: 100 (no change from production)
PWA: -

Adds an 'edited' trigger to the release workflow with a lightweight 'promote' job that runs npm dist-tag to move 'latest' to the current version. Only fires when a prerelease is changed to a full release (not drafts). The existing publish pipeline remains gated to 'published' events only.
AaronFeledy force-pushed the feature/promote-edge-on-edit branch from 740d0a9 to 37fa101 on February 20, 2026 01:55

package.json on main may not reflect the released version since prepare-release-action only runs in the deploy job. Using github.event.release.tag_name is more reliable.
cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 2 potential issues.

Bugbot Autofix is ON. A Cloud Agent has been kicked off to fix the reported issues.


cursor bot commented Feb 20, 2026

Bugbot Autofix prepared fixes for 2 of the 2 bugs found in the latest run.

  • ✅ Fixed: Script injection via tag_name in shell command
    • Moved github.event.release.tag_name to an environment variable TAG_NAME to prevent shell injection vulnerability.
  • ✅ Fixed: Editing older release regresses npm latest tag
    • Added github.event.changes.prerelease.from == true check to ensure promotion only happens when prerelease status actually changed.

Or push these changes by commenting:

@cursor push a8e3c05386
Preview (a8e3c05386)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,7 +9,7 @@
 jobs:
   # When a prerelease is edited to a full release, just promote the npm tag
   promote:
-    if: github.event.action == 'edited' && !github.event.release.prerelease && !github.event.release.draft
+    if: github.event.action == 'edited' && !github.event.release.prerelease && !github.event.release.draft && github.event.changes.prerelease.from == true
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout code
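Review bot: On the changed if: line, the added github.event.changes.prerelease.from == true clause limits promotion to prerelease-to-release transitions but never compares the edited release's version with the version latest currently points to, so un-flagging an older prerelease would still move latest backward. Consider reading the current latest version in the promote step and skipping when the edited version is not newer. It is also worth confirming against a real release edited payload that changes.prerelease.from is populated: a missing property evaluates to empty in an Actions expression, so the job would be skipped silently rather than fail.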
@@ -21,11 +21,12 @@
           registry-url: https://registry.npmjs.org
       - name: Promote edge to latest
         run: |
-          VERSION=$(echo "${{ github.event.release.tag_name }}" | sed 's/^v//')
+          VERSION=$(echo "$TAG_NAME" | sed 's/^v//')
           PACKAGE=$(node -p "require('./package.json').name")
           npm dist-tag add "$PACKAGE@$VERSION" latest
           echo "::notice title=Promoted $VERSION to latest::The latest tag now points to $VERSION (was edge-only)"
         env:
+          TAG_NAME: ${{ github.event.release.tag_name }}
           NODE_AUTH_TOKEN: ${{secrets.NPM_DEPLOY_TOKEN}}
 
   deploy:
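Review bot: In the Promote edge to latest step, VERSION is still used unvalidated after the switch to TAG_NAME: it is passed to npm dist-tag add and interpolated into the ::notice workflow command that the echo emits. Check that VERSION matches the expected version pattern (digits, dots and an optional prerelease suffix) and exit non-zero otherwise before calling npm. PACKAGE comes from the checked-out package.json, so a comment stating which ref the Checkout code step uses would help the next reader.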

- Move tag_name to env var to prevent shell injection via crafted tags
- Only promote when prerelease status actually changed (changes.prerelease.from == true)
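
An added example (not part of this PR or of Bugbot's output): a small lint that flags the pattern fixed above, an untrusted `${{ ... }}` expression expanded inside a `run:` script, and accepts the same value passed through `env:`. The function name, the constructed sample workflow and the list of contexts treated as untrusted are assumptions of this example.

```python
import re

# Constructed sample: the promote step as it was before the fix discussed above.
BEFORE = '''\
jobs:
  promote:
    steps:
      - name: Promote edge to latest
        run: |
          VERSION=$(echo "${{ github.event.release.tag_name }}" | sed 's/^v//')
          npm dist-tag add "$PACKAGE@$VERSION" latest
        env:
          NODE_AUTH_TOKEN: ${{secrets.NPM_DEPLOY_TOKEN}}
'''
# The same step after the fix: the value reaches the script through env.
AFTER = BEFORE.replace('"${{ github.event.release.tag_name }}"', '"$TAG_NAME"').replace(
    "        env:\n", "        env:\n          TAG_NAME: ${{ github.event.release.tag_name }}\n")

EXPR = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
# Assumption: contexts treated as untrusted; extend the list for your own workflows.
UNTRUSTED = re.compile(r"\bgithub\.(event\.|head_ref\b)")
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")


def find_run_injections(workflow_text):
    """Return (line_number, expression) for untrusted ${{ }} inside run: scripts."""
    findings = []
    run_indent = None  # column of the current run: key, None outside a script
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        match = RUN_KEY.match(line)
        if match:
            run_indent, script = len(match.group(1)), match.group(2)
        elif run_indent is not None and line.strip():
            if len(line) - len(line.lstrip()) <= run_indent:
                run_indent = None  # dedent: the script block has ended
                continue
            script = line
        else:
            continue
        for expr in EXPR.findall(script):
            if UNTRUSTED.search(expr):
                findings.append((number, expr))
    return findings


if __name__ == "__main__":
    print("before:", find_run_injections(BEFORE))
    print("after: ", find_run_injections(AFTER))
```

The scan is indentation-based and needs no YAML library, so it only covers `run:` keys written in block style as in this workflow.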
AaronFeledy merged commit 55ab102 into main on Feb 20, 2026
48 checks passed
AaronFeledy deleted the feature/promote-edge-on-edit branch on February 20, 2026 03:16