ci: Add workflow to bump @workos-inc/node on major release #1569
gjtorikian wants to merge 4 commits into main
Without automation, every major release requires manually opening dep-bump PRs across each authkit-* repo. This workflow fires on `release: published` (filtered to vN.0.0 tags) and via `workflow_dispatch` with an explicit version input and dry-run mode. It discovers all authkit-* repos in the workos org, skips any already at or ahead of the new major, and opens a PR in each that lags behind.
Actionable comments posted: 5
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/workos-node-dep-bump.yml:
- Around line 29-57: Validate the workflow_dispatch version input before parsing
in the "Determine target major version" step: ensure INPUT is non-empty and
matches a semantic version pattern (e.g., ^v?\d+(\.\d+\.\d+)?$) or at minimum
that the extracted MAJOR is numeric; if validation fails, emit a clear error via
echo and set skip=true (or fail the job) instead of proceeding with malformed
INPUT; update the logic around INPUT, VERSION, MAJOR, and TAG to perform this
check early and handle invalid inputs gracefully.
- Around line 168-180: The git push can fail silently if the remote branch
already exists and that failure is later masked by the "|| echo" on the
subsequent gh pr create; change the flow so push failures are validated before
creating a PR: after git push origin "$BRANCH", check its exit code and if
non-zero run git ls-remote --heads origin "$BRANCH" (or gh api
repos/"$REPO"/git/refs/heads/"$BRANCH") to confirm the branch actually exists
remotely; if ls-remote shows the branch exists, continue to run gh pr create,
otherwise abort with a non-zero exit and an error log; keep the existing
variables ($BRANCH, $REPO, DEFAULT_BRANCH) and the gh pr create call but
remove/move the "|| echo" so it doesn't mask a real push failure.
- Around line 132-139: The CURRENT_MAJOR extraction is brittle because
CURRENT_CLEAN="${CURRENT#^}" only strips a caret; update the logic around
CURRENT, CURRENT_CLEAN and CURRENT_MAJOR so you robustly extract the leading
numeric major version (e.g., strip any non-digit prefixes like ^, ~, >=,
whitespace, and any suffixes like .x or patch/minor data) before doing the
arithmetic compare with NEW_MAJOR; if extraction fails, default CURRENT_MAJOR to
0 or skip the compare to avoid non-numeric comparisons, then proceed with the
existing if [ "$CURRENT_MAJOR" -ge "$NEW_MAJOR" ] branch unchanged.
- Around line 160-162: The sed replacement uses $CURRENT directly which may
contain regex metacharacters (like . or ^) and can match unintended text; before
invoking the sed command that references the pattern "\"@workos-inc/node\":
\"${CURRENT}\"" either escape regex metacharacters in $CURRENT (.,^,$,*,[,],\
etc.) so the sed pattern is treated literally, or switch to a tool that supports
literal/quotemeta matching (e.g., use perl -pe with quotemeta or an awk
approach) and then run the replacement using the escaped value and
"${NEW_CONSTRAINT}" in place of the right-hand side.
- Around line 166-168: The workflow currently updates package.json and commits
it (see the git add/commit lines that use NEW_MAJOR and BRANCH) but doesn't
regenerate lockfiles; update the job steps to detect the repo's package manager
(pnpm, npm, or yarn) or simply run both pnpm install and npm install (or use
corepack to enable pnpm) after changing package.json so the corresponding
lockfile (pnpm-lock.yaml or package-lock.json) is regenerated, then git add the
updated lockfile(s) and include them in the git commit/push that follows; ensure
the commit message still references the bump and that the changed lockfile names
are staged before git commit.
Greptile Summary
This PR introduces an automated GitHub Actions workflow that discovers all

Confidence Score: 4/5
Safe to merge with the Yarn lockfile gap in mind — review whether any authkit-* repos use Yarn before merging. All previously-flagged P0/P1 issues are resolved. One new P1 remains: repos using Yarn will receive PRs with a stale yarn.lock, breaking frozen-lockfile CI checks. This is a concrete present defect on the changed code path, not a speculative concern.
Important Files Changed: .github/workflows/workos-node-dep-bump.yml — specifically the lockfile regeneration block (lines 183–191)
Flowchart
```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Trigger: release published or workflow_dispatch] --> B[check-version job]
    B --> C{Is major release?}
    C -- No --> D[skip=true, exit]
    C -- Yes --> E[Emit major and tag outputs]
    E --> F[bump-workos-node-deps job]
    F --> G[Generate GitHub App token]
    G --> H[Discover authkit repos via gh repo list]
    H --> I[For each repo: fetch package.json via API]
    I --> J{package present and behind new major?}
    J -- No --> K[Skip repo]
    J -- Yes --> L{DRY_RUN?}
    L -- true --> M[Log intended change]
    L -- false --> N[gh repo clone]
    N --> O[git checkout branch and sed update package.json]
    O --> P{Lockfile type?}
    P -- pnpm-lock.yaml --> Q[pnpm install lockfile-only]
    P -- package-lock.json --> R[npm install package-lock-only]
    P -- yarn.lock --> S[No handler: stale yarn.lock opened in PR]
    Q --> T[git add, commit, push]
    R --> T
    S --> T
    T --> U{PR exists?}
    U -- No --> V[gh pr create]
    U -- Yes --> W[Skip PR creation]
```
Reviews (3): Last reviewed commit: "fix(ci): Isolate per-repo errors in dep-..."
Move GitHub expression interpolations into env vars to prevent script injection. Add input validation, version parsing guards, and lockfile regeneration so bumped repos get a consistent, installable dependency tree.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/workos-node-dep-bump.yml:
- Around line 104-110: The workflow step "Bump dependencies" currently relies on
GH_TOKEN for gh commands but never wires Git to use gh credentials; add a call
to "gh auth setup-git" once before any git push occurs (i.e., before the
repository loop that performs pushes) so that subsequent git push commands can
delegate to the GitHub CLI. Ensure this new command runs within the same step or
an earlier step that has GH_TOKEN in env so credential delegation is configured
for the pushes.
- Around line 171-193: The loop currently leaves critical per-repo steps (git
checkout -b, sed to package.json, git config, lockfile regeneration logic, git
add/commit, git push) unguarded so a single repo failure aborts the entire run;
wrap lines performing git checkout -b, sed, git config, the pnpm/npm/yarn
lockfile regeneration block, git add/commit, and git push in a subshell or
helper function (e.g., process_repo) that traps failures (use set +e or check
each command's exit status) and on any error performs a continue to the outer
loop instead of allowing errexit to terminate the step, ensuring repo-local
failures do not stop processing remaining repos.
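The parsing, literal-rewrite and per-repo isolation points raised in the two CodeRabbit reviews above, written out as an added POSIX sh example (not the PR's workflow and not CodeRabbit's suggestion). It assumes the new constraint takes the form `^<major>.0.0` and reads constructed `repo|pin|path` lines instead of the GitHub API.

```shell
#!/bin/sh
# Added example, not the PR's workflow code: dispatch version validation, robust
# major extraction, literal rewrite of the pin, and a per-repo loop that isolates
# failures. Assumed: the new constraint has the form "^<major>.0.0".
set -eu

# "9", "9.0.0" or "v9.0.0" -> major; anything else prints nothing, returns 1.
parse_dispatch_version() {
  printf '%s' "${1-}" | grep -Eq '^v?[0-9]+(\.[0-9]+\.[0-9]+)?$' || return 1
  v=${1#v}
  printf '%s\n' "${v%%.*}"
}

# Leading major of a constraint ("^8.1.0", " ~8", ">=8.0.0 <9", "8.x"); prints
# 0 when there is no leading number, so the caller's -ge compare stays numeric.
constraint_major() {
  m=$(printf '%s' "${1-}" | sed -E -e 's/^[[:space:]]*[~^>=]*([0-9]+).*/\1/' -e t -e 's/.*//')
  printf '%s\n' "${m:-0}"
}

# Rewrite the exact "@workos-inc/node": "<cur>" entry on stdin. awk's index()
# matches literally, so "." and "^" in the pin cannot widen the match the way
# an unescaped sed pattern would. Returns 1 if the exact pin is absent.
rewrite_pin() {
  awk -v cur="$1" -v major="$2" '
    BEGIN { old = "\"@workos-inc/node\": \"" cur "\""
            new = "\"@workos-inc/node\": \"^" major ".0.0\"" }
    { n = index($0, old)
      if (n) { $0 = substr($0, 1, n - 1) new substr($0, n + length(old)); hit = 1 }
      print }
    END { exit hit ? 0 : 1 }'
}

# One repo: returns 0 = bumped, 2 = already at or ahead, 1 = failed. Each step
# is checked explicitly because `set -e` is suspended inside a function that is
# invoked as `f || ...`, so an unguarded failure here would not stop the function.
process_repo() {
  repo=$1 cur=$2 pkg=$3 major=$4
  [ "$(constraint_major "$cur")" -lt "$major" ] || return 2
  rewrite_pin "$cur" "$major" < "$pkg" > "$pkg.tmp" || { rm -f "$pkg.tmp"; return 1; }
  mv "$pkg.tmp" "$pkg" || return 1
  echo "$repo: bumped $cur -> ^$major.0.0"
}

# Loop over "repo|current-pin|package.json" lines on stdin; a failing repo is
# logged and skipped instead of aborting the run. Prints "bumped skipped failed".
bump_repos() {
  major=$1 b=0 s=0 f=0
  while IFS='|' read -r repo cur pkg; do
    rc=0; process_repo "$repo" "$cur" "$pkg" "$major" || rc=$?
    case $rc in
      0) b=$((b + 1)) ;;
      2) s=$((s + 1)) ;;
      *) f=$((f + 1)); echo "$repo: failed, skipping" >&2 ;;
    esac
  done
  echo "$b $s $f"
}
```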
| - name: Bump dependencies | ||
| env: | ||
| GH_TOKEN: ${{ steps.generate-token.outputs.token }} | ||
| NEW_MAJOR: ${{ needs.check-version.outputs.major }} | ||
| DRY_RUN: ${{ inputs.dry_run || 'false' }} | ||
| RELEASE_TAG: ${{ needs.check-version.outputs.tag }} | ||
| run: | |
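Review bot: `DRY_RUN: ${{ inputs.dry_run || 'false' }}` silently resolves to false on the `release: published` trigger, where the `inputs` context is empty, so a real major release opens PRs immediately while a manual dispatch defaults to a dry run; that is worth stating in a comment on the step so nobody expects a rehearsal pass on the release path. Passing all four expression values through `env` instead of interpolating them into `run:` is the right pattern against script injection; keep it that way when the `gh auth setup-git` line suggested below this hunk is added.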
🧩 Analysis chain
🏁 Script executed:
```shell
# First, let's locate and examine the workflow file
find . -name "workos-node-dep-bump.yml" -type f
```
Repository: workos/workos-node
Length of output: 106
🏁 Script executed:
```shell
# Get the full workflow file to understand the context around lines 104-110 and 169-193
if [ -f ".github/workflows/workos-node-dep-bump.yml" ]; then
  cat -n .github/workflows/workos-node-dep-bump.yml
fi
```
Repository: workos/workos-node
Length of output: 8945
🌐 Web query:
GitHub CLI GH_TOKEN git push authentication requirements
💡 Result:
To perform git push authentication with GitHub CLI (gh) using GH_TOKEN:
1. Set the GH_TOKEN environment variable with a valid Personal Access Token (PAT) that has the necessary scopes (minimum: 'repo' for private repos, 'public_repo' for public). GH_TOKEN takes precedence over stored credentials for gh commands. (citations: 2, 3; confidence: high)
2. Run gh auth setup-git to configure Git to use gh as the credential helper. This enables git push (and other git operations over HTTPS) to automatically use the token from gh's credential store or GH_TOKEN. (citations: 18, 17; confidence: high)
   - If no prior authentication, you may need to login first with gh auth login --with-token < tokenfile or rely on GH_TOKEN.
   - For HTTPS remotes (default after setup), git will prompt or use the helper seamlessly.
3. Ensure your git remote is HTTPS (e.g., git remote set-url origin https://github.com/user/repo.git). SSH requires separate key setup. (citations: 9, 15; confidence: high)
In GitHub Actions, use env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} (or a custom PAT), and run gh auth setup-git after actions/checkout with persist-credentials: false if overriding default creds. (citations: 1, 19; confidence: medium)
GH_TOKEN primarily authenticates gh CLI/API calls but enables git ops via the credential helper. Direct git push without gh setup requires embedding the token in the remote URL: https://username:GH_TOKEN@github.com/user/repo.git (less secure). (citations: 4, 9; confidence: high)
Citations:
- 1: https://cli.github.com/manual/gh_auth_login
- 2: https://cli.github.com/manual/gh_help_environment
- 3: https://docs.github.com/en/github/using-git/caching-your-github-credentials-in-git
- 4: https://cli.github.com/manual/gh_auth_setup-git
- 5: https://docs.github.com/articles/creating-an-access-token-for-command-line-use
- 6: https://docs.github.com/en/actions/security-guides/automatic-token-authentication
- 7: `gh auth setup-git` does not override the git user following an `actions/checkout` invocation (cli/cli#10905)
- 8: https://stackoverflow.com/questions/78825827/want-to-push-to-my-github-repository-from-my-github-actions-workflow
- 9: https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens
🌐 Web query:
gh auth setup-git GitHub Actions GH_TOKEN git credential
💡 Result:
To authenticate Git operations in GitHub Actions using GitHub CLI, use GH_TOKEN for gh commands and run gh auth setup-git so git uses GitHub CLI as its credential helper.
1) For GitHub CLI commands (gh api, gh issue, etc.): in your workflow step, set env: GH_TOKEN: ${{ github.token }}. GitHub docs show that "you must set an environment variable called GH_TOKEN to a token with the required scopes" for steps that use GitHub CLI.
2) For git clone/push/pull over HTTPS using git (not gh): run gh auth setup-git before running git operations. This command "configures git to use GitHub CLI as a credential helper." By default it sets up the helper for all authenticated hosts. After this, git will delegate credential retrieval to GitHub CLI (which reads the token from GH_TOKEN in automation).
Example workflow pattern:
```yaml
env:
  GH_TOKEN: ${{ github.token }}
steps:
  - uses: actions/checkout@v4  # Important: see note below about persist-credentials.
  - name: Configure git to use gh as credential helper
    run: gh auth setup-git
  - name: Git operation
    run: git push
```
3) Important actions/checkout gotcha (credential precedence): if you use actions/checkout@v4 with its default settings, checkout may leave an http.<url>.extraheader AUTHORIZATION header in .git/config, which can take precedence over git credential helpers configured by gh auth setup-git. A CLI issue documents that gh auth setup-git may not affect the git push credentials if checkout already set such a header; it suggests using persist-credentials: 'false' on actions/checkout to remove the custom header before the next step.
So, when your goal is "gh auth setup-git + GH_TOKEN should control git push," prefer:
- actions/checkout with persist-credentials: 'false'
- then gh auth setup-git
- then git push
Citations:
- 1: https://cli.github.com/manual/gh_auth_setup-git
- 2: https://docs.github.com/actions/using-workflows/using-github-cli-in-workflows
- 3: https://docs.github.com/en/actions/security-guides/automatic-token-authentication
- 4: `gh auth setup-git` does not override the git user following an `actions/checkout` invocation (cli/cli#10905)
- 5: https://docs.github.com/en/rest/quickstart?tool=cli
Add gh auth setup-git before git push to enable credential delegation.
GH_TOKEN authenticates gh commands, but plain git push requires explicit credential helper setup. GitHub's documentation shows that gh auth setup-git must be called to wire Git operations to GitHub CLI's credentials; without it, the push at line 193 will fail even though the gh repo clone succeeds. This must be called once before entering the repository loop.
🔐 Minimal fix
- name: Bump dependencies
env:
GH_TOKEN: ${{ steps.generate-token.outputs.token }}
NEW_MAJOR: ${{ needs.check-version.outputs.major }}
DRY_RUN: ${{ inputs.dry_run || 'false' }}
RELEASE_TAG: ${{ needs.check-version.outputs.tag }}
run: |
+ gh auth setup-git --hostname github.com
echo "Target major: $NEW_MAJOR | Dry run: $DRY_RUN"
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/workos-node-dep-bump.yml around lines 104 - 110, the
workflow step "Bump dependencies" currently relies on GH_TOKEN for gh commands
but never wires Git to use gh credentials; add a call to "gh auth setup-git"
once before any git push occurs (i.e., before the repository loop that performs
pushes) so that subsequent git push commands can delegate to the GitHub CLI.
Ensure this new command runs within the same step or an earlier step that has
GH_TOKEN in env so credential delegation is configured for the pushes.
A partial run left a stale remote branch, causing push to fail on retry. The error was masked by the `|| echo` fallback on `gh pr create`. Also removed the yarn lockfile path since no authkit repo uses yarn.
GitHub Actions runs `bash -e` by default, so any unguarded failure (checkout, sed, commit, push) aborted the entire step and skipped all remaining repos.
Actionable comments posted: 1
♻️ Duplicate comments (1)
.github/workflows/workos-node-dep-bump.yml (1)
104-110: ⚠️ Potential issue | 🟠 Major
Configure Git to use the app token before the push path.
This step authenticates gh, but not Git itself. The later git push on Line 199 can still fail unless Git is explicitly wired to GitHub CLI's credential helper first.
🔐 Minimal fix
- name: Bump dependencies env: GH_TOKEN: ${{ steps.generate-token.outputs.token }} NEW_MAJOR: ${{ needs.check-version.outputs.major }} DRY_RUN: ${{ inputs.dry_run || 'false' }} RELEASE_TAG: ${{ needs.check-version.outputs.tag }} run: | + gh auth setup-git --hostname github.com echo "Target major: $NEW_MAJOR | Dry run: $DRY_RUN"
GitHub CLI official docs: in GitHub Actions, when using GH_TOKEN for gh commands, is `gh auth setup-git` required so plain `git push` can reuse those credentials?
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/workos-node-dep-bump.yml around lines 104 - 110, the workflow step "Bump dependencies" sets GH_TOKEN for gh but doesn't configure Git to use the GitHub CLI credential helper, so add a command to run gh auth setup-git (or otherwise configure the git credential helper) in the same step before any git push; update the "Bump dependencies" step to call gh auth setup-git (using the GH_TOKEN already provided) so subsequent plain git push commands succeed.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/workos-node-dep-bump.yml:
- Around line 89-95: The gh repo list call is limited to 200 which can miss
matching repos when the org grows; update the loop that iterates REPO_PATTERNS
and the gh repo list invocation to fetch all pages instead of using --limit 200
(or raise the limit to a safe high value), e.g. implement gh pagination by
repeatedly calling gh repo list with --limit and --page (or use --visibility/all
with --json and process until no more results) for the command that writes to
/tmp/repos.txt so all repos matching the startswith patterns are discovered
reliably.
---
Duplicate comments:
In @.github/workflows/workos-node-dep-bump.yml:
- Around line 104-110: The workflow step "Bump dependencies" sets GH_TOKEN for
gh but doesn't configure Git to use the GitHub CLI credential helper, so add a
command to run gh auth setup-git (or otherwise configure git credential helper)
in the same step before any git push; update the "Bump dependencies" step to
call gh auth setup-git (using the GH_TOKEN already provided) so subsequent plain
git push commands succeed.
Summary
This PR adds a new CI workflow that bumps `@workos-inc/node` across repos in the WorkOS org. It fires on `release: published` (filtered to MAJOR changes only) and via `workflow_dispatch` with an explicit version input.

Without this, bumping `@workos-inc/node` across every `authkit-*` repo after a major release requires manually opening one PR per repo.

This workflow discovers all `authkit-*` repos in the workos org dynamically and skips repos that are already at or ahead of the new release version. `workflow_dispatch` accepts a `version` input (e.g. `9`, `9.0.0`, `v9.0.0`) and a `dry_run` boolean (default `true`) that logs intended changes without opening any PRs.