ci(publish): publish @agent-relay/harnesses on release #1049
@agent-relay/harnesses was set up as a public package (no private flag, publishConfig.access public, versioned in lockstep) but was never wired into the publish workflow, so it never reached npm. External SDK consumers (e.g. relayflows) need it for the prebuilt PTY harnesses and the definePtyHarness/createHuman author helpers.
Add a publish-harnesses job to the package=all path. It runs after publish-packages — where its exact-version workspace deps (@agent-relay/sdk, @agent-relay/harness-driver) land on the registry — so an external `npm install @agent-relay/harnesses@<v>` can always resolve its dependencies. Mirrors the existing provenance + skip-if-exists publish pattern.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 4e78e52144
| # the same install race the broker/sdk ordering above is built to avoid. | ||
| publish-harnesses: | ||
| name: Publish @agent-relay/harnesses | ||
| needs: [build, publish-packages] |
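Review bot: on the `needs: [build, publish-packages]` line, the dependency only delays this job itself; any job that must not run when harness publishing fails has to list `publish-harnesses` in its own `needs`. A job whose needed job was skipped is itself skipped by default, so a downstream job that adds this dependency also needs an explicit `if` that accepts a `skipped` result on paths where this job does not run.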
Gate the release on harness publication
For package=all, this new job starts after publish-packages, but nothing downstream waits for it: publish-main only waits on publish-packages and create-release only waits on publish-main. That means if @agent-relay/harnesses publishing fails or is delayed during the first trusted-publisher setup, the workflow can still publish agent-relay and create the GitHub tag/release for that version, leaving the official release without the package this change is meant to ship. Please include this job in the release gating path (or otherwise make create-release wait for it) so a partial release cannot be finalized.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/publish.yml:
- Around line 981-990: Replace the floating action tags used in the job
(actions/checkout@v4, actions/setup-node@v4, actions/download-artifact@v4) with
immutable commit SHAs: locate the official GitHub repos for each action
(actions/checkout, actions/setup-node, actions/download-artifact), find the
commit SHA that corresponds to the v4 release you intend to use, and update the
workflow to reference the full SHA (e.g., actions/checkout@<SHA>) instead of
`@v4`; keep the existing inputs (node-version, registry-url, etc.) unchanged and
ensure each action ref is pinned consistently across the new job.
- Around line 973-976: The create-release and summary jobs should be gated on
the new publish-harnesses job so a release/tag isn't created if harness
publication fails; update the workflow so the create-release job's needs array
(and the summary job's needs array) include "publish-harnesses" (or add
publish-harnesses to any higher-level job group they depend on) ensuring that
create-release and summary will only run after publish-harnesses succeeds.
In `@CHANGELOG.md`:
- Line 12: Shorten the changelog bullet to an impact-first single sentence:
replace the detailed implementation list with a concise user-facing statement
mentioning that the `@agent-relay/harnesses` package is now published to npm and
available for SDK consumers, omitting specific harness names and helper
identifiers (e.g., definePtyHarness, defineHarness, createHuman, claude, codex,
gemini). Make the entry one short bullet that emphasizes availability and user
impact only.
📒 Files selected for processing (2): .github/workflows/publish.yml, CHANGELOG.md
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Setup Node.js | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: '22.14.0' | ||
| registry-url: 'https://registry.npmjs.org' | ||
|
|
||
| - name: Download build artifacts | ||
| uses: actions/download-artifact@v4 |
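Review bot: the three `uses:` lines reference `@v4` tags, which can be re-pointed after this review, while `node-version` on the same job is pinned to the exact `22.14.0`; in a job configured against `https://registry.npmjs.org` the action code deserves at least the same pinning as the runtime. Suggest a full commit SHA with the tag kept as a trailing comment, e.g. `uses: actions/checkout@<full_commit_sha> # v4`, so the ref is immutable and still readable.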
Pin action references to commit SHAs in this new job.
The new steps use tag refs (@v4) for third-party actions. Static policy flags this as required-to-fix; pinning to immutable SHAs avoids supply-chain drift.
Example pattern
- - name: Checkout code
- uses: actions/checkout@v4
+ - name: Checkout code
+ uses: actions/checkout@<full_commit_sha>
- - name: Setup Node.js
- uses: actions/setup-node@v4
+ - name: Setup Node.js
+ uses: actions/setup-node@<full_commit_sha>
- - name: Download build artifacts
- uses: actions/download-artifact@v4
+ - name: Download build artifacts
+ uses: actions/download-artifact@<full_commit_sha>🧰 Tools
🪛 zizmor (1.25.2)
[error] 981-981: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 984-984: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 990-990: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
1 issue found across 2 files
Address PR review: publish-harnesses ran outside the release gate, so a tag/release could be cut even if harness publishing failed.
- create-release now needs publish-harnesses and its `if` requires the job to not have failed. It tolerates `skipped` so package=main releases (where publish-harnesses does not run) are not blocked.
- summary job lists the harness publish result.
- Trim the changelog bullet to impact-first per the repo changelog rule.
Leaving the new job's actions on @v4 tags to match the rest of the workflow (the repo uses tag refs throughout; SHA-pinning would be inconsistent and is not the enforced policy here).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Thanks for the reviews. Addressed in
✅ P1 — gate the release on harness publication (flagged by Codex, CodeRabbit, and cubic). Valid:
✅ Changelog brevity (CodeRabbit). Trimmed to an impact-first bullet, dropping the exhaustive helper/harness name list per the repo's changelog rule.
❌ Pin actions to commit SHAs (CodeRabbit/zizmor). Declining for consistency: this workflow — and the repo's workflows generally — use
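The unpinned-uses check discussed in this thread, as an added example that is not code from this PR or from zizmor: a small scanner that reports every `uses:` reference not pinned to a full 40-hex commit SHA. The sample workflow is constructed from the job shown above; the SHA in it is a placeholder and the local action path is hypothetical.

```python
import re

# Captures the value of a `uses:` key; \S+ stops before any trailing comment.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*(?P<value>\S+)")
FULL_SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")

def classify_ref(value):
    """Return 'pinned', 'unpinned' or 'exempt' for one `uses:` value."""
    value = value.strip("'\"")
    if value.startswith("./"):          # local action: no ref to pin
        return "exempt"
    if value.startswith("docker://"):   # container action: pinned by image digest
        return "pinned" if "@sha256:" in value else "unpinned"
    _, sep, ref = value.rpartition("@")
    # Tags (v4) and branches (main) are mutable; only a full commit SHA counts.
    return "pinned" if sep and FULL_SHA_RE.match(ref) else "unpinned"

def find_unpinned(workflow_text):
    """Return [(line_number, uses_value)] for every unpinned action reference."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and classify_ref(m.group("value")) == "unpinned":
            findings.append((lineno, m.group("value").strip("'\"")))
    return findings

# Constructed sample modelled on the job in this PR; the SHA is a placeholder.
SAMPLE = """\
jobs:
  publish-harnesses:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '22.14.0'
      - name: Download build artifacts
        uses: actions/download-artifact@v4
      - name: Pinned form (placeholder SHA)
        uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for lineno, value in find_unpinned(SAMPLE):
        print(f"line {lineno}: unpinned action reference: {value}")
```

Run against a whole workflow file, the output shows whether tag refs really are used throughout, which is the consistency argument made in the reply above.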
User description
What
Wires @agent-relay/harnesses into the release pipeline so it actually gets published to npm.
Why
@agent-relay/harnesses is set up as a public package (no private flag, publishConfig.access: public, versioned in lockstep at the release version) but appeared nowhere in publish.yml — not in the package dropdown, the SDK-internal-deps matrix, or any pack step. As a result it was never published (npm view @agent-relay/harnesses → 404), even though:
- claude, codex, gemini, cursor, droid, opencode, aider, goose) plus definePtyHarness/defineHarness/createHuman.
- web/content/docs/harnesses.mdx, plus quickstart / typescript-sdk / migration / actions).
- "@agent-relay/harnesses is NOT published to npm" as the #1 blocker in its v8 SDK migration plan, with "publish from the relay repo first" as the preferred resolution.
How
Adds a publish-harnesses job to the package=all path. It runs after publish-packages — the matrix where its exact-version workspace deps (@agent-relay/sdk, @agent-relay/harness-driver) land on the registry — so an external npm install @agent-relay/harnesses@<v> can always resolve its dependencies. This respects the same install-ordering discipline the broker/SDK jobs already use.
The job mirrors the existing publish pattern: --provenance (OIDC), --ignore-scripts, and the skip-if-already-exists guard for safe re-runs.
Notes
- publish.yml. Subsequent releases then publish via provenance with no token.
- harnesses (which isn't a dep of the agent-relay CLI).
🤖 Generated with Claude Code
CodeAnt-AI Description
Publish @agent-relay/harnesses to npm during releases
What Changed
- @agent-relay/harnesses alongside the other packages
- npm install @agent-relay/harnesses@<version> can resolve cleanly
Impact
✅ External SDK users can install harnesses
✅ Fewer broken installs for released versions
✅ Safer repeat release runs