| permissions: | ||
| contents: write | ||
| pull-requests: write | ||
| # if: success() && github.event_name == 'push' |
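Review bot: The commented-out `if:` on the last line of this hunk sits directly under `contents: write` and `pull-requests: write`, so in these lines the job has no event condition and requests a write-scoped token on every trigger that reaches it. Restore the condition, or, if the job is meant to run on other events, delete the stale comment and keep the write permissions on a separate job gated with `if: github.event_name == 'push'`.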
Release job guard commented out, runs on PRs
High Severity
The if: success() && github.event_name == 'push' guard on the release job is commented out. In the old workflow this condition restricted the release job to only run on pushes to main. Without it, the release job — including changesets/action with publish: yarn release — will also execute on pull_request events, potentially publishing packages to npm from PR branches or creating unwanted release PRs.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
| fi | ||
| else | ||
| echo "changeset-release/main branch does not exist on remote." | ||
| fi |
Lock file update runs on wrong branch
Medium Severity
The setup-node-yarn-install with update-lock-only (lines 155–162) runs yarn install --mode update-lockfile while still checked out on main. The next step then does git checkout changeset-release/main, which either fails due to uncommitted yarn.lock changes conflicting with the target branch, or silently replaces the updated lock file with that branch's version. Either way, the lock file for changeset-release/main is never actually regenerated from its own bumped package.json files, defeating the purpose of this entire block.


Note
Medium Risk
CI/release workflow changes can affect build validation and npm publishing behavior; mistakes could lead to skipped checks or unintended release/lockfile commits.
Overview
Replaces the `test-release-sync.yaml` workflow with a new `test-and-release.yaml` pipeline that first auto-updates/commits `sdks/js/yarn.lock` on PRs (and enforces immutable installs on `main`), then runs JS SDK unit tests using the verified lockfile commit.

Updates the test matrix to Node `20.x` and `24.x`, changes release gating/steps (including pinning `changesets/action` to `v1.5.1`, adding system/Rust/Protoc setup, and adding logic to update the lockfile on the `changeset-release/main` branch when a version-packages PR is created), and fixes a YAML typo in `public/actions/js-sdk-unit-test` (`save-if`).

Written by Cursor Bugbot for commit 95330f9. This will update automatically on new commits.