Skip to content

Comments

feat: promote npm edge tag to latest when prerelease is promoted#88

Merged
AaronFeledy merged 1 commit intomainfrom
feature/promote-edge-on-edit
Feb 20, 2026
Merged

feat: promote npm edge tag to latest when prerelease is promoted#88
AaronFeledy merged 1 commit intomainfrom
feature/promote-edge-on-edit

Conversation

@AaronFeledy
Copy link
Member

@AaronFeledy AaronFeledy commented Feb 20, 2026

Problem

When a release is published as a prerelease, it gets tagged as edge on npm. Later, when the release is promoted to a full release in GitHub, the npm latest tag doesn't update because the workflow only triggered on published.

Solution

  • Added released to the release workflow trigger types
  • New lightweight promote job that only runs npm dist-tag add latest — no install, no lint, no tests, no re-publish
  • Only fires on the released event (when a prerelease is promoted to full release)
  • Existing deploy job is now explicitly gated to published events only (no behavior change)
  • Uses TAG_NAME env var instead of direct interpolation to prevent script injection

Flow

  1. Publish as prerelease → full pipeline runs, publishes with edge tag (unchanged)
  2. Promote release → uncheck prerelease → promote job runs, points latest to that version (~15s)

The dist-tag add command is idempotent, so if both published and released fire on a fresh non-prerelease publish, the redundant promote is harmless.


Note

Low Risk
CI-only change that updates npm dist-tags; risk is limited to release automation behavior and potential mis-tagging if the workflow is misconfigured.

Overview
Updates the NPM publish GitHub Actions workflow to also run on release released events (in addition to published).

Adds a lightweight promote job that, on released, uses npm dist-tag add to move the promoted version from edge to latest, while explicitly gating the existing deploy job to only execute on published events.

Written by Cursor Bugbot for commit 0dcb3ed. This will update automatically on new commits. Configure here.

Adds a 'released' trigger to the release workflow with a lightweight 'promote' job that runs npm dist-tag to move 'latest' to the current version when a prerelease is promoted to a full release. The existing publish pipeline remains gated to 'published' events only.
@netlify
Copy link

netlify bot commented Feb 20, 2026

Deploy Preview for lando-mysql failed. Why did it fail? →

Name Link
🔨 Latest commit 0dcb3ed
🔍 Latest deploy log https://app.netlify.com/projects/lando-mysql/deploys/6997dc8e2fe9b300085d5014

Copy link

@cursor cursor bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix is ON. A Cloud Agent has been kicked off to fix the reported issue.

echo "::notice title=Promoted $VERSION to latest::The latest tag now points to $VERSION (was edge-only)"
env:
TAG_NAME: ${{ github.event.release.tag_name }}
NODE_AUTH_TOKEN: ${{secrets.NPM_DEPLOY_TOKEN}}
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Race condition: promote fails before deploy publishes package

Medium Severity

When a fresh non-prerelease is published, GitHub fires both published and released events, creating two independent workflow runs. The lightweight promote job (~15s) in the released run will attempt npm dist-tag add well before the heavy deploy job (install, lint, test, publish — minutes) in the published run finishes publishing the package. Since the version doesn't exist on npm yet, npm dist-tag add fails. The PR description claims this is "harmless" and "idempotent," but that only holds if the version already exists on npm.

Additional Locations (1)

Fix in Cursor Fix in Web

@AaronFeledy AaronFeledy merged commit 9046891 into main Feb 20, 2026
12 of 16 checks passed
@AaronFeledy AaronFeledy deleted the feature/promote-edge-on-edit branch February 20, 2026 04:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant