🔧 [PB-1278] Automated deployment with developer-controlled versioning

[crisap94]

Summary

This PR transforms the deployment workflow from manual trigger with automatic version bumping to an automated deployment that triggers when version changes are merged to main.

Key Changes

1. Automated Trigger

• Changed from workflow_dispatch (manual) to push trigger
• Only runs when package.json changes on main branch
• No more manual workflow execution needed

2. Developer-Controlled Versioning

• Developers manually update version in their PRs
• No automatic version bumping by workflow
• Version changes are visible and reviewable in PRs
• Solves branch protection conflict (workflow no longer commits to main)

3. Docker-Based Version Validation

• Uses node:22-alpine Docker image for validation
• Leverages semver package to ensure valid version increments
• Prevents version downgrades or invalid changes
• Fails fast if version hasn't actually changed

4. Auto-Detection of Pre-releases

• Parses version format to determine npm tag
• 1.0.0 → publishes with tag latest
• 1.0.0-beta.1 → publishes with tag beta
• 1.0.0-alpha.1 → publishes with tag alpha

5. Simplified Workflow

• Removed: Git configuration, version bumping, commit steps
• Added: registry-url for OIDC publishing
• Cleaner, fewer steps to fail

Benefits

✅ No branch protection conflicts - workflow doesn't commit to main
✅ Fully automated - merge triggers deployment
✅ Developer controls version - explicit in PR
✅ Auto-detects pre-releases - from version format
✅ No special tokens needed - uses GITHUB_TOKEN + OIDC
✅ Semantic version validation - Docker + semver ensures valid increments

How It Works Now

1. Developer updates version in package.json in their PR
2. PR goes through normal review + CI checks
3. When merged to main → workflow automatically:
   • Validates version increment (Docker + semver)
   • Runs quality checks
   • Publishes to npm with correct tag
   • Creates GitHub release

Updated Documentation

• README now documents the new automated deployment process
• Includes version format guide
• Step-by-step instructions for developers

Testing

After merge, test with:

1. Create PR bumping version to 0.2.8
2. Merge to main
3. Verify workflow triggers automatically
4. Check npm publish succeeds
5. Verify GitHub release created

Summary by CodeRabbit

• New Features

  • Deployment now triggers automatically when package version changes are merged to main.
  • Pre-release detection and tagging are automatic based on version format.
  • Install and release instructions now reference specific published versions and registry-aware install commands.

• Documentation

  • Workflow docs updated for the automated PR → merge → publish flow.
  • Added version format examples and updated release/install guidance.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

Automated deployment now triggers on pushes to main when package.json changes. The workflow sets checkout fetch-depth to 0, runs a Docker-based semantic version validation, parses package.json to derive version_number, tag, and prerelease, and uses those outputs for publish and release steps; legacy git-bump steps removed.

Changes

Cohort / File(s)	Summary
Workflow Automation .github/workflows/deploy.yml	Replaced manual workflow_dispatch with push-to-main trigger scoped to package.json changes; checkout set to fetch-depth: 0; added Docker-based semantic version validation; added version parsing step that sets outputs: version, version_number, tag, prerelease; added npm registry URL in pnpm/node setup; removed legacy Git bump/commit steps; downstream install/build/publish steps now reference version_number.
Documentation README.md	Replaced manual deployment instructions with PR-centric automated flow: bump package.json in PR, merge to main to trigger publish; documented version-format → tag mapping (stable vs prerelease) and updated install and release examples to use the parsed version_number.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant Dev as Developer (PR / Merge)
  participant GH as GitHub (repo)
  participant GA as GitHub Actions
  participant Dock as Docker (version-check)
  participant NPM as npm Registry
  participant GR as GitHub Releases

  Dev->>GH: Push commit / merge updating `package.json`
  GH->>GA: Trigger workflow (push to main, package.json changed)
  GA->>GA: checkout (fetch-depth: 0)
  GA->>Dock: Run Docker-based semantic version validation
  Dock-->>GA: validation result
  GA->>GA: Parse `package.json` -> outputs: version_number, tag, prerelease
  alt prerelease
    GA->>NPM: publish with prerelease tag
  else stable
    GA->>NPM: publish with `latest` tag
  end
  GA->>GR: Create/update GitHub Release (uses version_number)
  GA-->>Dev: Publish & release summary (includes install command with version_number)

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐇 I nudged the version, pushed with a thump,
The workflow awoke and took one big jump—
Docker checked numbers, tags found their place,
npm got the package, release took its space.
Hops of automation, tidy and spry!

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	Title clearly identifies the main change: automated deployment with developer-controlled versioning, supported by the PR objectives and file changes.
Description check	✅ Passed	PR description covers key changes, benefits, and testing instructions but is missing several required template sections (Type of Change checklist, Testing checklist, Code Quality checklist, etc.).
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

📜 Recent review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e968095 and a074b05.

📒 Files selected for processing (2)

• .github/workflows/deploy.yml
• README.md

🔇 Additional comments (5)

README.md (2)

187-193: LGTM! Clear documentation of the new automated deployment workflow.

The documentation accurately describes the trigger mechanism, pre-release detection, and quality checks. The OIDC trusted publishing with provenance attestation is a security best practice.

---

199-229: LGTM! Well-structured deployment instructions.

The step-by-step instructions and version format table are clear and helpful for developers. The examples for stable and pre-release versions align with the workflow's regex patterns.

.github/workflows/deploy.yml (3)

4-8: Verify: Workflow may trigger on non-version changes to package.json.

The workflow triggers on any change to package.json, including dependency updates, script changes, or metadata edits—not just version bumps. While the PR objective mentions Docker-based validation was initially added to verify version actually changed, commit history indicates this was later removed.

Consider whether re-adding version change validation would prevent unnecessary workflow runs when package.json is modified for other reasons.

---

29-51: Prerelease regex may not capture full tag identifiers.

The regex ^[0-9]+\.[0-9]+\.[0-9]+-([a-zA-Z]+) captures only the alphabetic part of the prerelease identifier, stopping at the first non-letter character. This works for extracting beta from 1.0.0-beta.1, which is likely the intended behavior for npm tags.

However, versions like 1.0.0-rc1 would capture rc (correct), but 1.0.0-beta1 (without dot) would also capture beta and lose the 1. Ensure this aligns with your versioning conventions.

---

83-104: LGTM! GitHub Release step is well-configured.

The release creation properly uses version outputs, includes helpful installation instructions, and correctly sets the prerelease flag based on version detection. The NPM links are correctly formatted with version_number (without v prefix).

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🔍 PR Quality Check Summary

Check	Status
Code Quality & Tests	❌ failure
Security Audit	✅ success

📋 Checks Performed:

• ✅ TypeScript compilation
• ✅ ESLint code quality
• ✅ Prettier code formatting
• ✅ Unit tests with coverage (80%+ required)
• ✅ Build verification
• ✅ Security audit

⚠️ Some checks failed. Please review the details above.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

README.md (1)

1-232: Address Prettier formatting issues.

The PR checks pipeline reports a Prettier formatting warning for this file. Please run pnpm run format to fix the formatting issues before merging.

#!/bin/bash
# Run Prettier to show the formatting differences
cd "${{ github.workspace }}" && pnpm run format:check

.github/workflows/deploy.yml (1)

103-105: Remove the NODE_AUTH_TOKEN environment variable.

Setting NODE_AUTH_TOKEN to an empty string (or any value) breaks OIDC-based trusted publishing. When using the --provenance flag with npm publish, the OIDC token exchange must occur without any NODE_AUTH_TOKEN present. If NODE_AUTH_TOKEN is set—even to an empty string—npm will attempt token-based authentication instead of exchanging the OIDC ID token for a short-lived credential, preventing the trusted publisher flow and disabling automatic provenance generation.

Remove lines 104-105 entirely:

Diff

      - name: Publish to NPM
        run: npm publish --access public --tag ${{ steps.version.outputs.tag }} --provenance
-       env:
-         NODE_AUTH_TOKEN: ''

🤖 Fix all issues with AI agents

In @.github/workflows/deploy.yml:
- Around line 29-48: The YAML step "Validate version increment" (id:
version_check) uses a multi-line shell script in the args field of uses:
docker://node:22-alpine which is causing a YAML parsing error; fix it by
replacing the complex inline args string with a properly formatted YAML literal
block scalar or by converting the step into a normal run step that invokes
docker run (or a node container) and placing the entire multi-line script under
a | block (or the run key) so the shell script is treated as a single YAML
string; ensure the fields referenced (uses: docker://node:22-alpine, args, and
the step name/id) remain but the script is moved into a block scalar or run step
to resolve the "mapping values are not allowed" parsing error.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3a84096 and e968095.

📒 Files selected for processing (2)

• .github/workflows/deploy.yml
• README.md

🧰 Additional context used

🪛 actionlint (1.7.9)

.github/workflows/deploy.yml

47-47: could not parse as YAML: mapping values are not allowed in this context

(syntax-check)

🪛 GitHub Actions: PR Checks

.github/workflows/deploy.yml

[error] 1-1: Prettier formatting check failed. SyntaxError: All collection items must start at the same column (33:11).

README.md

[warning] 1-1: Code style check reported a warning for README.md during formatting check.

🪛 YAMLlint (1.37.1)

.github/workflows/deploy.yml

[error] 47-47: syntax error: mapping values are not allowed here

(syntax)

🔇 Additional comments (9)

.github/workflows/deploy.yml (6)

4-8: LGTM! Trigger configuration aligns with automated deployment goals.

The path filter ensures the workflow runs only when package.json changes on main, which is exactly what's needed for automatic version-based deployment.

---

27-27: Good optimization for version comparison.

Changing fetch-depth from 0 to 2 is appropriate since the validation step only needs to compare with the previous commit (HEAD~1). This improves checkout performance.

---

50-76: Version parsing logic is sound for typical semver formats.

The regex patterns correctly handle:

• Stable versions: 1.0.0 → tag latest
• Pre-releases: 1.0.0-beta.1 → tag beta

The pre-release pattern ([a-zA-Z]+) captures only alphabetic characters, which works well for common npm tags (beta, alpha, rc, next). This is appropriate for deriving the npm dist-tag from the version string.

---

87-87: Correct setup for OIDC-based npm publishing.

Adding registry-url is required for the setup-node action to configure authentication with npm registry using OIDC trusted publishing.

---

118-124: Consistent version reference usage in release notes.

The migration to steps.version.outputs.version_number is correct. This output contains the version without the 'v' prefix, which is appropriate for npm install commands and package URLs.

---

127-127: Pre-release detection correctly integrated.

The prerelease flag properly uses the output from the version parsing step, ensuring GitHub releases are appropriately marked for pre-release versions (e.g., beta, alpha).

README.md (3)

187-194: Clear and accurate deployment documentation.

The deployment pipeline description accurately reflects the workflow changes, including automated triggering, Docker-based validation, pre-release detection, and OIDC publishing with provenance.

---

200-222: Excellent developer-friendly deployment instructions.

The step-by-step guide clearly explains the new PR-based version bump workflow. Including examples for both stable releases and pre-releases helps developers understand the process.

---

224-228: Clear version-to-tag mapping examples.

The version format examples clearly illustrate how the workflow derives npm tags from version strings, which will help developers choose appropriate version formats for their releases.

[github-actions]

🔍 PR Quality Check Summary

Check	Status
Code Quality & Tests	❌ failure
Security Audit	✅ success

📋 Checks Performed:

• ✅ TypeScript compilation
• ✅ ESLint code quality
• ✅ Prettier code formatting
• ✅ Unit tests with coverage (80%+ required)
• ✅ Build verification
• ✅ Security audit

⚠️ Some checks failed. Please review the details above.

[github-actions]

🔍 PR Quality Check Summary

Check	Status
Code Quality & Tests	✅ success
Security Audit	✅ success

📋 Checks Performed:

• ✅ TypeScript compilation
• ✅ ESLint code quality
• ✅ Prettier code formatting
• ✅ Unit tests with coverage (80%+ required)
• ✅ Build verification
• ✅ Security audit

🎉 All checks passed! This PR is ready for review.

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/deploy.yml (1)

78-81: Critical: Empty NODE_AUTH_TOKEN will cause npm publish to fail.

The NODE_AUTH_TOKEN is set to an empty string (''). For npm publish to work with OIDC trusted publishing, you need to omit NODE_AUTH_TOKEN entirely or provide a valid token. An empty string will cause authentication failure.

For OIDC-based publishing (provenance attestation), the token is automatically provided by the id-token: write permission—you should remove the NODE_AUTH_TOKEN env var entirely.

🔧 Proposed fix

       - name: Publish to NPM
         run: npm publish --access public --tag ${{ steps.version.outputs.tag }} --provenance
-        env:
-          NODE_AUTH_TOKEN: ''

npm OIDC trusted publishing provenance NODE_AUTH_TOKEN 2024

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e968095 and a074b05.

📒 Files selected for processing (2)

• .github/workflows/deploy.yml
• README.md

🔇 Additional comments (5)

README.md (2)

187-193: LGTM! Clear documentation of the new automated deployment workflow.

The documentation accurately describes the trigger mechanism, pre-release detection, and quality checks. The OIDC trusted publishing with provenance attestation is a security best practice.

---

199-229: LGTM! Well-structured deployment instructions.

The step-by-step instructions and version format table are clear and helpful for developers. The examples for stable and pre-release versions align with the workflow's regex patterns.

.github/workflows/deploy.yml (3)

4-8: Verify: Workflow may trigger on non-version changes to package.json.

The workflow triggers on any change to package.json, including dependency updates, script changes, or metadata edits—not just version bumps. While the PR objective mentions Docker-based validation was initially added to verify version actually changed, commit history indicates this was later removed.

Consider whether re-adding version change validation would prevent unnecessary workflow runs when package.json is modified for other reasons.

---

29-51: Prerelease regex may not capture full tag identifiers.

The regex ^[0-9]+\.[0-9]+\.[0-9]+-([a-zA-Z]+) captures only the alphabetic part of the prerelease identifier, stopping at the first non-letter character. This works for extracting beta from 1.0.0-beta.1, which is likely the intended behavior for npm tags.

However, versions like 1.0.0-rc1 would capture rc (correct), but 1.0.0-beta1 (without dot) would also capture beta and lose the 1. Ensure this aligns with your versioning conventions.

---

83-104: LGTM! GitHub Release step is well-configured.

The release creation properly uses version outputs, includes helpful installation instructions, and correctly sets the prerelease flag based on version detection. The NPM links are correctly formatted with version_number (without v prefix).