chore: Decouple browse-cli release cycle from stagehand core

[shrey150]

Summary

• Adds @browserbasehq/browse-cli to the changeset ignore list so the main "Version Packages" PR no longer includes CLI version bumps
• Creates a new release-cli.yml workflow (triggered via workflow_dispatch) that independently versions and publishes browse-cli to npm

How it works

Main release flow (release.yml) — unchanged, but now skips browse-cli. Core stagehand changesets are versioned and published as before.

CLI release flow (release-cli.yml) — triggered manually via GitHub Actions "Run workflow":

1. Detects pending browse-cli changesets (fails early if a changeset mixes browse-cli with other packages)
2. Temporarily swaps the changeset ignore config to version only browse-cli
3. Runs changeset version to consume CLI changesets and bump packages/cli/package.json
4. Builds all packages, publishes browse-cli to npm via Trusted Publishing
5. Commits the version bump and pushes a git tag

Constraints

• Changesets that reference both browse-cli and another package (e.g., stagehand core) must be split into separate changeset files — the workflow enforces this with a pre-check
• browse-cli is excluded from canary (alpha) releases — add a canary step to release-cli.yml if needed later

Test plan

• Verify existing release.yml still creates "Version Packages" PR for core changesets (browse-cli changesets should be excluded)
• Trigger release-cli.yml via workflow_dispatch with a pending browse-cli changeset and verify it publishes correctly
• Verify mixed changeset detection fails the workflow with a clear error

🤖 Generated with Claude Code

---

Summary by cubic

Decouples the @browserbasehq/browse-cli release cycle from stagehand core so we can ship CLI updates independently. Implements STG-1663.

• New Features

  • Adds @browserbasehq/browse-cli to .changeset ignore so release.yml skips CLI.
  • Adds release-cli.yml (manual via workflow_dispatch, restricted to main) to version and publish CLI with Trusted Publishing.
  • Pre-checks for CLI-only changesets; fails on mixed changesets.
  • Temporarily swaps .changeset ignore to version only CLI and strips the @browserbasehq/stagehand workspace dep before changeset version to satisfy Changesets; restores both after.
  • Builds and publishes packages/cli to npm, commits the bump, and tags.

• Migration

  • Split changesets that touch CLI and core.
  • Use the “Release CLI” workflow to publish CLI releases.
  • Canary releases for CLI are not included.

^{Written for commit c298904. Summary will update on new commits. Review in cubic}

[changeset-bot]

⚠️ No Changeset found

Latest commit: 8cd46e1

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[cubic-dev-ai]

1 issue found across 2 files

Confidence score: 2/5

• There is a high-risk release integrity issue in .github/workflows/release-cli.yml: manual dispatch from non-main refs can publish unmerged branch code.
• Given the issue’s high severity/confidence (8/10, 8/10) and direct impact on what gets released to users, this is likely merge-blocking until ref restrictions are added.
• Pay close attention to .github/workflows/release-cli.yml - ensure the release job is restricted to main so only merged code can be published.

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/release-cli.yml">

<violation number="1" location=".github/workflows/release-cli.yml:13">
P1: Restrict this release job to `main`; currently a manual dispatch on another ref can publish unmerged branch code.</violation>
</file>

Architecture diagram

sequenceDiagram
    participant Dev as Developer
    participant GHA as GitHub Actions (release-cli)
    participant FS as Local Filesystem
    participant NPM as npm Registry
    participant Git as GitHub Repository

    Note over Dev,Git: NEW: Independent CLI Release Flow (Manual)

    Dev->>GHA: Trigger workflow_dispatch
    GHA->>FS: Scan .changeset/*.md for "@browserbasehq/browse-cli"
    
    alt No CLI changesets found
        GHA-->>Dev: Exit (Success/Neutral)
    else Mixed changesets detected (CLI + Core)
        GHA-->>Dev: NEW: Fail with Error (Must split changesets)
    else CLI-only changesets found
        GHA->>FS: Backup .changeset/config.json
        GHA->>FS: NEW: Patch config.json (Ignore Core, include CLI)
        
        GHA->>GHA: pnpm changeset version
        Note right of GHA: Consumes CLI changesets,<br/>updates CLI version/changelog
        
        GHA->>FS: Restore original .changeset/config.json
        
        GHA->>GHA: pnpm exec turbo run build
        
        GHA->>NPM: NEW: npm publish (packages/cli)
        Note right of NPM: Uses Trusted Publishing (OIDC)
        
        GHA->>Git: Commit version bump & push tag
        Git-->>GHA: Success
        GHA-->>Dev: Release Complete
    end

    Note over Git,FS: CHANGED: Standard Release Flow (release.yml)
    Note over Git,FS: Now automatically ignores browse-cli changesets<br/>due to updated .changeset/config.json

Loading

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}