Skip to content

ci: /snapshot PR-comment alpha release (write-access gated)#108

Merged
RuudBurger merged 1 commit into
mainfrom
ruud/snapshot-release-workflow
Jul 13, 2026
Merged

ci: /snapshot PR-comment alpha release (write-access gated)#108
RuudBurger merged 1 commit into
mainfrom
ruud/snapshot-release-workflow

Conversation

@RuudBurger

@RuudBurger RuudBurger commented Jul 13, 2026

Copy link
Copy Markdown
Member

Adds a /snapshot command: comment /snapshot on any PR and CI publishes an alpha of the changed @plextv/* packages so you can test the change in a consumer (e.g. the Plex client) without cutting a real release. Same idea as Luma's snapshot workflow, with a stricter trigger gate.

How it works

  • Trigger: issue_comment with body exactly /snapshot on a PR.
  • Auth gate (three layers, all fail closed):
    1. Org membership — the job only runs for plexinc members (author_association MEMBER/OWNER, set server-side, private members included).
    2. Repo write — a step checks the commenter's permission (admin/maintain/write) via the API.
    3. No forks — a step refuses the run unless the PR's head is a same-repo branch, since publish runs the PR's head code with npm credentials in scope. This runs before any PR code is checked out or built.
  • Requires a changeset (changeset status --since origin/main), then changeset version --snapshot <PR#> → versions like 0.0.0-<PR#>-<datetime>.
  • Publishes via ci:publish --tag snapshot --no-git-tag: the snapshot dist-tag keeps these off latest. Same npm OIDC auth as release-packages.yml (id-token: write, no token secret).
  • Comments back the published version (eyes → rocket, or a ❌ if the changeset is missing).

Consume it

pnpm add @plextv/react-lightning@0.0.0-<PR#>-<datetime>

or pin the snapshot tag. In the Plex client, point the @plextv/* catalog: entries at the version.

Two things to know before this is useful

  • issue_comment workflows always run the file on the default branch, so /snapshot won't work until this is merged to main. It can't be tested from this PR itself.
  • npm trusted publishing is usually pinned to a specific workflow filename. If @plextv/*'s trusted-publisher config only allows release-packages.yml, the OIDC publish here will 401 until snapshot.yml is added as an authorized trusted publisher for each package (or an NPM_TOKEN fallback is wired in). Worth checking the npm side before relying on it.

First real use: merge this, then comment /snapshot on #107 to get an alpha of the whole embed burst.

@RuudBurger RuudBurger requested a review from DouweBos July 13, 2026 19:07
@RuudBurger RuudBurger force-pushed the ruud/snapshot-release-workflow branch from 1749915 to cc6bb7a Compare July 13, 2026 19:09
@RuudBurger RuudBurger requested a review from m-hall July 13, 2026 19:17
@RuudBurger RuudBurger merged commit 09cbfd7 into main Jul 13, 2026
1 check passed
@RuudBurger RuudBurger deleted the ruud/snapshot-release-workflow branch July 13, 2026 19:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants