From 37fa101666f0169818925bdc1aea9cc3b4b93c2b Mon Sep 17 00:00:00 2001
From: Aaron Feledy
Date: Thu, 19 Feb 2026 19:55:13 -0600
Subject: [PATCH 1/3] feat: promote npm edge tag to latest when release is edited

Adds an 'edited' trigger to the release workflow with a lightweight 'promote' job that runs npm dist-tag to move 'latest' to the current version. Only fires when a prerelease is changed to a full release (not drafts). The existing publish pipeline remains gated to 'published' events only.
---
 .github/workflows/release.yml | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d424fe57..b52c39e3 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -4,9 +4,32 @@ on:
 release:
 types:
 - published
+ - edited
 
 jobs:
+ # When a prerelease is edited to a full release, just promote the npm tag
+ promote:
+ if: github.event.action == 'edited' && !github.event.release.prerelease && !github.event.release.draft
+ runs-on: ubuntu-24.04
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v6
+ - name: Install node 20
+ uses: actions/setup-node@v6
+ with:
+ node-version: '20'
+ registry-url: https://registry.npmjs.org
+ - name: Promote edge to latest
+ run: |
+ VERSION=$(node -p "require('./package.json').version")
+ PACKAGE=$(node -p "require('./package.json').name")
+ npm dist-tag add "$PACKAGE@$VERSION" latest
+ echo "::notice title=Promoted $VERSION to latest::The latest tag now points to $VERSION (was edge-only)"
+ env:
+ NODE_AUTH_TOKEN: ${{secrets.NPM_DEPLOY_TOKEN}}
+
 deploy:
+ if: github.event.action == 'published'
 runs-on: ${{ matrix.os }}
 env:
 TERM: xterm
From 9fe8933b15359bbad627a3c1f8d17390518c6d32 Mon Sep 17 00:00:00 2001
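Review bot: The `promote` job added in PATCH 1/3 is given `NPM_DEPLOY_TOKEN` but declares no `permissions:` of its own, and it loads `actions/checkout@v6` and `actions/setup-node@v6` by mutable tag. Whether the workflow sets top-level permissions cannot be seen from this hunk, which starts at line 4; if it does not, `permissions: {contents: read}` on the job would keep the GITHUB_TOKEN read-only. Adding `persist-credentials: false` under the checkout step's `with:` and pinning both actions to full commit SHAs would further limit what a changed action could do in a job that is able to move the `latest` dist-tag.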
From: Aaron Feledy
Date: Thu, 19 Feb 2026 20:05:10 -0600
Subject: [PATCH 2/3] fix: use release tag_name for version in promote job

package.json on main may not reflect the released version since prepare-release-action only runs in the deploy job. Using github.event.release.tag_name is more reliable.
---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b52c39e3..9dcb11d4 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -21,7 +21,7 @@ jobs:
 registry-url: https://registry.npmjs.org
 - name: Promote edge to latest
 run: |
- VERSION=$(node -p "require('./package.json').version")
+ VERSION=$(echo "${{ github.event.release.tag_name }}" | sed 's/^v//')
 PACKAGE=$(node -p "require('./package.json').name")
 npm dist-tag add "$PACKAGE@$VERSION" latest
 echo "::notice title=Promoted $VERSION to latest::The latest tag now points to $VERSION (was edge-only)"
From a8e3c0538610e90e6210aa8c7f2663ea1ab64606 Mon Sep 17 00:00:00 2001
From: Cursor Agent
Date: Fri, 20 Feb 2026 02:10:36 +0000
Subject: [PATCH 3/3] fix: prevent script injection and npm tag regression in release workflow

- Move tag_name to env variable to prevent shell injection vulnerability
- Add prerelease.from check to prevent npm latest tag regression on edits
---
 .github/workflows/release.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9dcb11d4..a9415e8e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,7 +9,7 @@ on:
 jobs:
 # When a prerelease is edited to a full release, just promote the npm tag
 promote:
- if: github.event.action == 'edited' && !github.event.release.prerelease && !github.event.release.draft
+ if: github.event.action == 'edited' && !github.event.release.prerelease && !github.event.release.draft && github.event.changes.prerelease.from == true
 runs-on: ubuntu-24.04
 steps:
 - name: Checkout code
@@ -21,11 +21,12 @@ jobs:
 registry-url: https://registry.npmjs.org
 - name: Promote edge to latest
 run: |
- VERSION=$(echo "${{ github.event.release.tag_name }}" | sed 's/^v//')
+ VERSION=$(echo "$TAG_NAME" | sed 's/^v//')
 PACKAGE=$(node -p "require('./package.json').name")
 npm dist-tag add "$PACKAGE@$VERSION" latest
 echo "::notice title=Promoted $VERSION to latest::The latest tag now points to $VERSION (was edge-only)"
 env:
+ TAG_NAME: ${{ github.event.release.tag_name }}
 NODE_AUTH_TOKEN: ${{secrets.NPM_DEPLOY_TOKEN}}
 
 deploy:
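Review bot: The added `github.event.changes.prerelease.from == true` clause on the `+ if:` line depends on the `edited` payload carrying a `changes.prerelease` entry, which nothing on this page confirms. If that key is not sent, the expression is falsy and `promote` is skipped on every edit without any error, so the promotion would silently never happen. It is worth checking a recorded `edited` delivery for a pre-release-to-release change before relying on it, and a comment above the job such as `# relies on changes.prerelease.from in the release 'edited' payload` would record the assumption. The `promote` job continues past the end of this hunk.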
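Review bot: `npm dist-tag add "$PACKAGE@$VERSION" latest` still runs for whichever release was edited, so switching an older pre-release to a full release would point `latest` at a lower version than the one the registry serves today. The `if:` change in the first hunk only limits when the job runs; neither hunk compares `$VERSION` with the current `latest`. A guard in the `run:` script that reads the current tag and refuses to move it backwards would close this; the sketch below uses `sort -V`, which only approximates semver ordering for versions with pre-release suffixes. The job's remaining lines lie outside the hunk.

```yaml
          PACKAGE=$(node -p "require('./package.json').name")
          # Only ever move latest forward; sort -V approximates semver ordering.
          CURRENT=$(npm view "$PACKAGE" dist-tags.latest)
          NEWEST=$(printf '%s\n%s\n' "$CURRENT" "$VERSION" | sort -V | tail -n 1)
          if [ "$NEWEST" != "$VERSION" ]; then
            echo "::error::latest is already at $CURRENT; refusing to move it back to $VERSION"
            exit 1
          fi
          # … unchanged: npm dist-tag add and the ::notice line …
```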