ci: keep npm publish and GitHub releases coupled, self-heal release gaps

[AlemTuzlak]

Problem

GitHub releases stopped being created after 2026-06-15 (@tanstack/ai-react@0.15.5 was the last one), even though npm kept receiving new versions through CI (ai-react is now at 0.15.12).

Root cause: GitHub releases are created by one thing only — the changesets/action step in release.yml — and that step has not completed cleanly on any release-triggering run since mid-June:

• Jun 16–23: every ci: Version Packages merge run (ci: Version Packages #773, ci: Version Packages #778, ci: Version Packages #787, ci: Version Packages #792, ci: Version Packages #808, ci: Version Packages #813) passed Run Tests and then failed at the "Run Changesets" step. CI ran changeset publish and npm advanced, but the step died before the tag-push / GitHub-release phase — so no git tags (0.15.6–0.15.12 don't exist) and no releases were created.
• Jun 24: runs now die even earlier, at the test gate — root:test:kiira (added to test:ci in ci(docs): type-check doc code samples with kiira #805) fails, so the changesets step is never reached.

(The exact in-step error from the Jun 16–23 runs is no longer recoverable — those runs' logs have expired — but the structural signature is clear: test gate green, changesets step red, npm published, no tags, no releases.)

What this PR does

• Split into test (gate) + release (needs: test) jobs. A flaky run blocks both npm and GitHub releases together — never one without the other.
• Tightened permissions — top-level contents: read; write scoped to the release job.

What this PR does NOT do

It does not diagnose or fix why the changesets step itself was failing after publishing to npm (logs expired). If that step still fails mid-way, npm and GitHub can still drift — this PR relies on the changesets step succeeding. The next post-merge release run is the place to capture its Run Changesets log before it expires.

Follow-ups (not in this PR)

• Backfill the missing releases (0.15.6–0.15.12, etc.) as a one-off, with accurate per-version commits.
• Diagnose the changesets-step failure from a fresh run's logs.

Testing

Workflow changes can only be fully exercised on main. Validated locally: YAML parses and the job graph is test → release.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

The release workflow now uses read-only top-level permissions, runs tests in a separate job before release, and passes GITHUB_TOKEN to the changesets action.

Changes

Release Workflow Improvements

Layer / File(s)	Summary
Permissions and job split .github/workflows/release.yml	Sets top-level permissions: contents: read, adds a test job running pnpm run test:ci, makes release depend on test with job-scoped write permissions, and passes GITHUB_TOKEN into changesets/action.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇 Hop hop, the tests run first in line,
Then release follows when the checks align.
Read-only at the top, with tokens tucked away,
A tidy workflow keeps the bunnies at play 🥕

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The title mentions the coupled release flow, but it also promises self-healing release gaps, which this PR explicitly removed.	Remove the self-heal wording and focus on the actual workflow change, e.g. split test and release jobs to keep npm publish and GitHub releases coupled.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	The description clearly explains the problem, fix, limitations, follow-ups, and testing, though it does not use the repository's exact template.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ci/couple-npm-github-releases

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[github-actions]

🚀 Changeset Version Preview

No changeset entries found. Merging this PR will not cause a version bump for any packages.

[nx-cloud]

View your CI Pipeline Execution ↗ for commit 3b16c5c

Command	Status	Duration	Result
nx run-many --targets=build --exclude=examples/...	✅ Succeeded	2s	View ↗

---

☁️ Nx Cloud last updated this comment at 2026-06-24 16:24:43 UTC

[pkg-pr-new]

Open in StackBlitz

@tanstack/ai

npm i https://pkg.pr.new/@tanstack/ai@829

@tanstack/ai-angular

npm i https://pkg.pr.new/@tanstack/ai-angular@829

@tanstack/ai-anthropic

npm i https://pkg.pr.new/@tanstack/ai-anthropic@829

@tanstack/ai-client

npm i https://pkg.pr.new/@tanstack/ai-client@829

@tanstack/ai-code-mode

npm i https://pkg.pr.new/@tanstack/ai-code-mode@829

@tanstack/ai-code-mode-skills

npm i https://pkg.pr.new/@tanstack/ai-code-mode-skills@829

@tanstack/ai-devtools-core

npm i https://pkg.pr.new/@tanstack/ai-devtools-core@829

@tanstack/ai-elevenlabs

npm i https://pkg.pr.new/@tanstack/ai-elevenlabs@829

@tanstack/ai-event-client

npm i https://pkg.pr.new/@tanstack/ai-event-client@829

@tanstack/ai-fal

npm i https://pkg.pr.new/@tanstack/ai-fal@829

@tanstack/ai-gemini

npm i https://pkg.pr.new/@tanstack/ai-gemini@829

@tanstack/ai-grok

npm i https://pkg.pr.new/@tanstack/ai-grok@829

@tanstack/ai-groq

npm i https://pkg.pr.new/@tanstack/ai-groq@829

@tanstack/ai-isolate-cloudflare

npm i https://pkg.pr.new/@tanstack/ai-isolate-cloudflare@829

@tanstack/ai-isolate-node

npm i https://pkg.pr.new/@tanstack/ai-isolate-node@829

@tanstack/ai-isolate-quickjs

npm i https://pkg.pr.new/@tanstack/ai-isolate-quickjs@829

@tanstack/ai-mcp

npm i https://pkg.pr.new/@tanstack/ai-mcp@829

@tanstack/ai-ollama

npm i https://pkg.pr.new/@tanstack/ai-ollama@829

@tanstack/ai-openai

npm i https://pkg.pr.new/@tanstack/ai-openai@829

@tanstack/ai-openrouter

npm i https://pkg.pr.new/@tanstack/ai-openrouter@829

@tanstack/ai-preact

npm i https://pkg.pr.new/@tanstack/ai-preact@829

@tanstack/ai-react

npm i https://pkg.pr.new/@tanstack/ai-react@829

@tanstack/ai-react-ui

npm i https://pkg.pr.new/@tanstack/ai-react-ui@829

@tanstack/ai-solid

npm i https://pkg.pr.new/@tanstack/ai-solid@829

@tanstack/ai-solid-ui

npm i https://pkg.pr.new/@tanstack/ai-solid-ui@829

@tanstack/ai-svelte

npm i https://pkg.pr.new/@tanstack/ai-svelte@829

@tanstack/ai-utils

npm i https://pkg.pr.new/@tanstack/ai-utils@829

@tanstack/ai-vue

npm i https://pkg.pr.new/@tanstack/ai-vue@829

@tanstack/ai-vue-ui

npm i https://pkg.pr.new/@tanstack/ai-vue-ui@829

@tanstack/openai-base

npm i https://pkg.pr.new/@tanstack/openai-base@829

@tanstack/preact-ai-devtools

npm i https://pkg.pr.new/@tanstack/preact-ai-devtools@829

@tanstack/react-ai-devtools

npm i https://pkg.pr.new/@tanstack/react-ai-devtools@829

@tanstack/solid-ai-devtools

npm i https://pkg.pr.new/@tanstack/solid-ai-devtools@829

commit: 3b16c5c

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release.yml:
- Around line 79-92: The release backfill logic only checks each package’s
current package.json version, so it misses earlier npm-published versions that
also lack GitHub releases. Update the release workflow loop around the
package.json scan to enumerate all published npm versions for each package, then
filter those versions to the intended recovery window or changelog entries
before calling gh release view/create so every missing npm version is restored,
not just the latest one.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5cd34324-75a1-41ad-97ca-0a6596f86dcd

📥 Commits

Reviewing files that changed from the base of the PR and between f3144a6 and 6c08f6d.

📒 Files selected for processing (1)

• .github/workflows/release.yml

[coderabbitai]

🗄️ Data Integrity & Integration | 🟠 Major | 🏗️ Heavy lift

Backfill all missing npm versions, not just the current one.

This loop only checks the current package.json version. If multiple versions were published after the release gap started, older npm versions without GitHub releases remain missing, so the stated published to npm => GitHub release exists invariant is not fully restored. Consider enumerating npm versions and filtering to the intended recovery window/changelog entries before creating missing releases.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 79 - 92, The release backfill
logic only checks each package’s current package.json version, so it misses
earlier npm-published versions that also lack GitHub releases. Update the
release workflow loop around the package.json scan to enumerate all published
npm versions for each package, then filter those versions to the intended
recovery window or changelog entries before calling gh release view/create so
every missing npm version is restored, not just the latest one.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release.yml:
- Around line 80-82: The release tag creation block is tagging the current
checkout, which can point the GitHub Release at a later commit than the actual
npm publish. Update the workflow around the git rev-parse/git tag/git push logic
to resolve the commit that produced the published version first using the
release/tag context, and create the tag on that commit instead of HEAD; if that
commit cannot be determined, fail closed rather than backfilling the tag. Use
the existing tag-generation flow in the release workflow to locate the fix.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 80447b04-f738-4fc4-8093-b0b5e10679eb

📥 Commits

Reviewing files that changed from the base of the PR and between cda8ae3 and a9ffa7b.

📒 Files selected for processing (1)

• .github/workflows/release.yml

[coderabbitai]

🗄️ Data Integrity & Integration | 🟠 Major | 🏗️ Heavy lift

Don’t backfill release tags at workflow HEAD.

For already-published npm versions, Line 81 can point the GitHub Release at a later commit than the package that was actually published. Resolve the publish commit first, or fail closed instead of tagging the current checkout.

Safer tag target example

             if ! git rev-parse -q --verify "refs/tags/${tag}" >/dev/null; then
-              git tag "$tag"
+              git_head="$(npm view "${name}@${version}" gitHead --json 2>/dev/null | jq -r 'select(type == "string" and length > 0) // empty')"
+              if [ -z "$git_head" ] || ! git cat-file -e "${git_head}^{commit}" 2>/dev/null; then
+                echo "::error::Cannot resolve git commit for ${tag}; refusing to tag the workflow HEAD"
+                exit 1
+              fi
+              git tag "$tag" "$git_head"
               git push origin "refs/tags/${tag}"
             fi

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if ! git rev-parse -q --verify "refs/tags/${tag}" >/dev/null; then
	git tag "$tag"
	git push origin "refs/tags/${tag}"
	if ! git rev-parse -q --verify "refs/tags/${tag}" >/dev/null; then
	git_head="$(npm view "${name}@${version}" gitHead --json 2>/dev/null | jq -r 'select(type == "string" and length > 0) // empty')"
	if [ -z "$git_head" ] || ! git cat-file -e "${git_head}^{commit}" 2>/dev/null; then
	echo "::error::Cannot resolve git commit for ${tag}; refusing to tag the workflow HEAD"
	exit 1
	fi
	git tag "$tag" "$git_head"
	git push origin "refs/tags/${tag}"
	fi

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 80 - 82, The release tag creation
block is tagging the current checkout, which can point the GitHub Release at a
later commit than the actual npm publish. Update the workflow around the git
rev-parse/git tag/git push logic to resolve the commit that produced the
published version first using the release/tag context, and create the tag on
that commit instead of HEAD; if that commit cannot be determined, fail closed
rather than backfilling the tag. Use the existing tag-generation flow in the
release workflow to locate the fix.

[AlemTuzlak]

Thanks @coderabbitai — addressing both findings:

Tag pointing at the wrong commit — fixed. The tag now pins explicitly to the release commit (git tag "$tag" "$GITHUB_SHA") instead of relying on implicit HEAD. In this step's scope that's the correct commit by construction: the step only runs on an actual release attempt (if gates on published == 'true' or the changesets step failing), and the workflow is checked out at the commit that bumped the version and triggered the publish. So $GITHUB_SHA is the commit that produced the published version — no drift.

Only the current version is backfilled, not earlier missing ones — intentional, not fixing here. This step's job is the coupling guarantee for the current release (publish → release, in one run), not a historical sweep. Auto-backfilling every earlier npm version would require resolving the correct commit per old version, which can't be reliably reconstructed after the fact — synthesizing those tags at the release commit would create a pile of wrong-commit tags across ~30 packages. Restoring the existing 0.15.6–0.15.12 gap is therefore a deliberate one-off (noted in the PR description as a follow-up), done with accurate per-version commits rather than guessed ones.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

@AlemTuzlak — both responses make sense:

1. $GITHUB_SHA pin — the explicit commit anchor is the right call. Given the step's if condition, $GITHUB_SHA is indeed the version-bump commit by construction, so no drift is possible.

2. Historical backfill scope — the reasoning is sound. Synthesizing tags at the current release commit for previous versions would produce incorrect attribution across all ~30 packages. Keeping this step's responsibility narrowly to the current publish run and handling the 0.15.6–0.15.12 gap as a separate, commit-accurate operation is the safer approach.

Thanks for the clear write-up!

---

✏️ Learnings added

Learnt from: AlemTuzlak
URL: https://github.com/TanStack/ai/pull/829

Timestamp: 2026-06-24T15:51:13.170Z
Learning: In the TanStack/ai repository's `.github/workflows/release.yml` "Ensure GitHub releases for published versions" step, the historical backfill of missing GitHub releases (e.g., the 0.15.6–0.15.12 gap) is intentionally out of scope. The step only guarantees coupling for the **current** release run (publish → GitHub release, in one workflow execution). Auto-backfilling older npm versions is deliberately deferred to a manual/one-off process because the correct commit per old version cannot be reliably reconstructed after the fact; synthesizing tags at the current release commit would create wrong-commit tags across ~30 packages.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

[coderabbitai]

Caution

Failed to replace (edit) comment. This is likely due to insufficient permissions or the comment being deleted.

Error details

{}

[AlemTuzlak]

Update: removed the self-heal/backfill step entirely. The two findings above were both about that step, so they're now moot. The PR is reduced to the structural changes: test/release job split (gated together), explicit GITHUB_TOKEN on the changesets step, and least-privilege permissions.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/release.yml (1)

30-55: 🗄️ Data Integrity & Integration | 🟠 Major

Build packages in the release job before publishing

changeset:publish is just changeset publish and does not rebuild the workspace. The publishable packages point at dist/ outputs, and the release runner starts from a fresh checkout with no tracked build artifacts. Add an explicit build step before the Changesets action, or make the publish command build first.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 30 - 55, The release job
currently runs changesets publish without rebuilding the workspace, so the
publishable packages may point to missing dist outputs on a fresh checkout.
Update the release workflow around the release job and the changesets/action
step to ensure package builds happen first, either by adding an explicit build
step before Run Changesets or by changing the publish command to invoke the
build before publishing. Use the release job, Run Changesets (version or
publish), and changesets/action as the anchors for the fix.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In @.github/workflows/release.yml:
- Around line 30-55: The release job currently runs changesets publish without
rebuilding the workspace, so the publishable packages may point to missing dist
outputs on a fresh checkout. Update the release workflow around the release job
and the changesets/action step to ensure package builds happen first, either by
adding an explicit build step before Run Changesets or by changing the publish
command to invoke the build before publishing. Use the release job, Run
Changesets (version or publish), and changesets/action as the anchors for the
fix.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 01e72976-e416-4398-88dc-2ffce818ff6b

📥 Commits

Reviewing files that changed from the base of the PR and between a9ffa7b and a78389c.

📒 Files selected for processing (1)

• .github/workflows/release.yml