feat: promote npm edge tag to latest when prerelease is promoted

[AaronFeledy]

Problem

When a release is published as a prerelease, it gets tagged as edge on npm. Later, when the release is promoted to a full release in GitHub, the npm latest tag doesn't update because the workflow only triggered on published.

Solution

• Added released to the release workflow trigger types
• New lightweight promote job that only runs npm dist-tag add latest — no install, no lint, no tests, no re-publish
• Only fires on the released event (when a prerelease is promoted to full release)
• Existing deploy job is now explicitly gated to published events only (no behavior change)
• Uses TAG_NAME env var instead of direct interpolation to prevent script injection

Flow

1. Publish as prerelease → full pipeline runs, publishes with edge tag (unchanged)
2. Promote release → uncheck prerelease → promote job runs, points latest to that version (~15s)

The dist-tag add command is idempotent, so if both published and released fire on a fresh non-prerelease publish, the redundant promote is harmless.

---

Note

Low Risk
CI-only change that updates npm dist-tags; risk is limited to release automation behavior and potential mis-tagging if the workflow is misconfigured.

Overview
Updates the NPM publish GitHub Actions workflow to also run on release released events (in addition to published).

Adds a lightweight promote job that, on released, uses npm dist-tag add to move the promoted version from edge to latest, while explicitly gating the existing deploy job to only execute on published events.

^{Written by Cursor Bugbot for commit 0dcb3ed. This will update automatically on new commits. Configure here.}

[netlify]

❌ Deploy Preview for lando-mysql failed. Why did it fail? →

Name	Link
🔨 Latest commit	0dcb3ed
🔍 Latest deploy log	https://app.netlify.com/projects/lando-mysql/deploys/6997dc8e2fe9b300085d5014

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is ON. A Cloud Agent has been kicked off to fix the reported issue.}

[cursor]

Race condition: promote fails before deploy publishes package

Medium Severity

When a fresh non-prerelease is published, GitHub fires both published and released events, creating two independent workflow runs. The lightweight promote job (~15s) in the released run will attempt npm dist-tag add well before the heavy deploy job (install, lint, test, publish — minutes) in the published run finishes publishing the package. Since the version doesn't exist on npm yet, npm dist-tag add fails. The PR description claims this is "harmless" and "idempotent," but that only holds if the version already exists on npm.

Additional Locations (1)

• .github/workflows/release.yml#L5-L7