Skip to content

fix(ci): publish packages in dependency order, fail fast on failure#3549

Open
felipefreitag wants to merge 2 commits into
canaryfrom
worktree-fix-publish-packages-in-dependency-order
Open

fix(ci): publish packages in dependency order, fail fast on failure#3549
felipefreitag wants to merge 2 commits into
canaryfrom
worktree-fix-publish-packages-in-dependency-order

Conversation

@felipefreitag
Copy link
Copy Markdown
Contributor

@felipefreitag felipefreitag commented May 27, 2026
edited by cubic-dev-ai Bot
Loading

Replace changeset publish (which publishes in arbitrary order and keeps going when one package fails) with an explicit pipeline in release.mts that:

  • publishes packages in topological (dependency) order
  • skips a package's dependents when it fails, so a broken dependency can never produce a broken dependent published against a version that isn't on npm
  • derives each npm dist-tag from the version itself (x.y.z -> latest, a prerelease -> its own tag), so a prerelease can never overwrite latest - @gabrielmfern not sure if we should do that here? It's one more layer on top of the existing pre controls
  • adds a --dry-run flag that prints the publish plan without publishing
  • exits non-zero when any package fails

Adds unit tests (scripts/release.spec.mts) for the pure pipeline helpers and wires them into the tests workflow, since scripts/ isn't a workspace and turbo run test doesn't cover it.

Closes #3045

Run examples:
CleanShot 2026-05-27 at 17 04 10@2x

Summary by cubic

Publishes packages in dependency order and fails fast to avoid releasing broken dependents. Adds version-based npm dist-tags, --dry-run, provenance on publish, and CI unit tests.

  • New Features

    • Replace changeset publish with an explicit pipeline in scripts/release.mts that publishes in topological order, skips dependents when a package fails, derives the dist-tag from the version (x.y.z -> latest, prereleases -> their own tag), supports --dry-run, and exits non-zero on any failure.
    • Publish with npm provenance via pnpm publish --provenance (replaces NPM_CONFIG_PROVENANCE).
    • Add unit tests for the release helpers and run them in CI; update the release script in package.json to build packages only.

  • Bug Fixes

Written for commit e8a3a5c. Summary will update on new commits. Review in cubic

@felipefreitag
fix(ci): publish packages in dependency order, fail fast on failure
54169e2 
Replace `changeset publish` (which publishes in arbitrary order and keeps
going when one package fails) with an explicit pipeline in release.mts that:

- publishes packages in topological (dependency) order
- skips a package's dependents when it fails, so a broken dependency can
  never produce a broken dependent published against a version that isn't
  on npm
- derives each npm dist-tag from the version itself (x.y.z -> latest, a
  prerelease -> its own tag), so a prerelease can never overwrite latest
- adds a --dry-run flag that prints the publish plan without publishing
- exits non-zero when any package fails

Adds unit tests (scripts/release.spec.mts) for the pure pipeline helpers and
wires them into the tests workflow, since scripts/ isn't a workspace and
turbo run test doesn't cover it.
@changeset-bot
Copy link
Copy Markdown

changeset-bot Bot commented May 27, 2026
edited
Loading

⚠️ No Changeset found

Latest commit: e8a3a5c

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@vercel
Copy link
Copy Markdown
Contributor

vercel Bot commented May 27, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
react-email Ready Ready Preview, Comment May 27, 2026 8:12pm
react-email-demo Ready Ready Preview, Comment May 27, 2026 8:12pm

@felipefreitag felipefreitag requested a review from dielduarte May 27, 2026 20:03
@socket-security
Copy link
Copy Markdown

socket-security Bot commented May 27, 2026
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Addednext@​16.2.662100919970
Added@​types/​react-dom@​19.1.21001007485100
Added@​types/​react@​19.1.21001008095100
Added@​types/​node@​20.17.301001008195100
Added@​tailwindcss/​postcss@​4.1.41001008198100
Addedreact@​19.2.61001008497100
Addedtailwindcss@​4.1.41001008598100
Addedtypescript@​5.8.3100100909590
Addedreact-dom@​19.2.61001009298100

View full report

@felipefreitag
fix(ci): request npm provenance explicitly via pnpm publish --provenance
e8a3a5c 
pnpm publish has no implicit provenance; the NPM_CONFIG_PROVENANCE env var
carried over from the changeset publish path is replaced with the documented
--provenance flag so each package is published with provenance attestation.
cubic-dev-ai[bot]
cubic-dev-ai Bot reviewed May 27, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

0 issues found across 1 file (changes from recent commits).

Requires human review: This PR replaces the entire changeset publish pipeline with a custom publish orchestrator in scripts/release.mts, which is a critical path for production releases — any bug could result in incorrect package ordering, broken dependency chains on npm, or improper dist-tags, so it requires...

Re-trigger cubic

cubic-dev-ai[bot]
cubic-dev-ai Bot reviewed May 27, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 5 files

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.

Requires human review: This PR rewrites the CI release pipeline to publish packages in dependency order instead of using changeset publish, which is a critical infrastructure change where any undetected bug could cause broken releases, incorrect dist-tags, or partial publishes, so it requires a human to verify the logic.

Re-trigger cubic

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

@gabrielmfern gabrielmfern Awaiting requested review from gabrielmfern

@dielduarte dielduarte Awaiting requested review from dielduarte

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Packages should not be published if any of their dependencies fail to publish

1 participant

@felipefreitag