
fix: add create-contentful-app release remediation workflow #3083

Closed
Jared Jolton (jjolton-contentful) wants to merge 1 commit into main from fix/remediate-create-contentful-app-release

@jjolton-contentful Jared Jolton (jjolton-contentful) commented May 13, 2026

Summary

  • Add a manual remediation workflow that uses the existing npmjs token secret to restore the public create-contentful-app dist-tag.
  • The workflow moves latest back to create-contentful-app@2.0.24 and deprecates the accidental 3.0.0 release.
  • This avoids requiring a local npm owner/admin to run the fix manually.

Context

  • PR fix: bump react toolkit cma dependency to v12 #3082 triggered release commit 6729db21, which published public create-contentful-app@3.0.0.
  • create-contentful-app@3.0.0 depends on @contentful/create-contentful-app@3.0.0, which is not available from public npm.
  • Clean installs of create-contentful-app@3.0.0 fail with ETARGET.

How to run after merge

  1. Open Actions → Remediate create-contentful-app release.
  2. Run the workflow from main.
  3. Confirm the final npm dist-tag ls create-contentful-app output shows latest: 2.0.24.

Test plan

  • ruby -e "require 'yaml'; YAML.load_file('.github/workflows/remediate-create-contentful-app-release.yaml'); puts 'workflow yaml ok'"
  • Confirmed a clean install of the accidental create-contentful-app@3.0.0 fails because @contentful/create-contentful-app@3.0.0 is missing from public npm.

Generated with Codex

Summary by Bito

This PR adds a manual remediation workflow that uses the existing npmjs token secret to restore the public create-contentful-app dist-tag, moving latest back to create-contentful-app@2.0.24 and deprecating the accidental 3.0.0 release. This avoids requiring a local npm owner/admin to run the fix manually and addresses the issue where PR #3082 triggered an erroneous release that depends on unavailable private packages.

Detailed Changes
  • Introduces a new manual workflow in remediate-create-contentful-app-release.yaml to handle npm dist-tag adjustments and deprecation.
  • The workflow configures Node.js and uses npm commands to restore the latest tag to 2.0.24 and deprecate version 3.0.0.
  • Leverages the existing NPM_REGISTRY_REGISTRY_NPMJS_ORG_TOKEN secret for authentication to the npm registry.
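
The confirmation in step 3 of "How to run after merge" can be turned into a pass/fail gate. The following is an added example, not part of this PR or the project's workflow; the function names and the `next` tag in the sample listings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: gate over `npm dist-tag ls <pkg>` output, which lists
# one "tag: version" pair per line.

# Print the version a tag points at (empty if the tag is absent).
tag_version() {
    # $1 = tag name, stdin = dist-tag listing
    awk -v tag="$1" -F': *' '$1 == tag { print $2; exit }'
}

# Print every tag that still points at the given version, one per line.
tags_pointing_at() {
    # $1 = version, stdin = dist-tag listing
    awk -v ver="$1" -F': *' '$2 == ver { print $1 }'
}

# Return 0 only if latest == expected and no tag references the bad version.
# Returns 1 when latest is wrong, 2 when another tag still serves the bad one.
verify_remediation() {
    listing=$1 expected=$2 bad=$3
    latest=$(printf '%s\n' "$listing" | tag_version latest)
    if [ "$latest" != "$expected" ]; then
        echo "latest is '${latest:-<unset>}', expected $expected" >&2
        return 1
    fi
    stale=$(printf '%s\n' "$listing" | tags_pointing_at "$bad")
    if [ -n "$stale" ]; then
        echo "tags still on $bad: $(echo $stale)" >&2
        return 2
    fi
    return 0
}

# Constructed sample listings (not captured from the registry).
GOOD='latest: 2.0.24'
UNFIXED='latest: 3.0.0'
STALE_TAG='latest: 2.0.24
next: 3.0.0'

# In a workflow step the listing would come from the registry:
#   verify_remediation "$(npm dist-tag ls create-contentful-app)" 2.0.24 3.0.0
verify_remediation "$STALE_TAG" 2.0.24 3.0.0 || echo "gate failed with status $?"
```
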

bito-code-review Bot commented May 13, 2026

Code Review Agent Run #a767d0

Actionable Suggestions - 0
Review Details
  • Files reviewed - 1 · Commit Range: c5d0d04..c5d0d04
    • .github/workflows/remediate-create-contentful-app-release.yaml
  • Files skipped - 0
  • Tools
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful


Comment on lines +8 to +23
runs-on: ubuntu-latest

steps:
- name: Setup Node.js
uses: actions/setup-node@v6
with:
node-version: '22.22.1'
registry-url: 'https://registry.npmjs.org'

- name: Restore public latest tag
run: |
npm dist-tag add create-contentful-app@2.0.24 latest
npm deprecate create-contentful-app@3.0.0 "Accidental release. Use create-contentful-app@2.0.24 while we correct the release configuration."
npm dist-tag ls create-contentful-app
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_REGISTRY_REGISTRY_NPMJS_ORG_TOKEN }}
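
Review bot: The closing `npm dist-tag ls create-contentful-app` in the "Restore public latest tag" step only prints the tags, so the job succeeds whatever `latest` ends up pointing at and the real check is left to whoever reads the log. Compare the reported `latest` value against 2.0.24 in the run block and exit non-zero on a mismatch. Two smaller points on the same lines: `uses: actions/setup-node@v6` is a movable tag in a job that handles a registry token able to move dist-tags and deprecate versions, so pin it to a full commit SHA; and both versions are hardcoded in the run block, so the workflow only fits this one incident unless they become `workflow_dispatch` inputs.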
@jjolton-contentful Jared Jolton (jjolton-contentful) deleted the fix/remediate-create-contentful-app-release branch May 13, 2026 17:33

Changelist by Bito

This pull request implements the following key changes.

Key Change Files Impacted Summary
New Feature - Release Remediation Workflow
Adds a manual GitHub Actions workflow to remediate an accidental npm release by restoring the latest dist-tag to version 2.0.24 and deprecating version 3.0.0.


Impact Analysis by Bito

Interaction Diagram
sequenceDiagram
participant Dev as Developer
participant Workflow as GitHub Actions Workflow<br/>🟩 Added | ●●● High
participant NPM as NPM Registry
Note over Workflow: Workflow added to remediate accidental release
Dev->>Workflow: Dispatch workflow
Workflow->>Workflow: Start restore-latest job
Workflow->>Workflow: Setup Node.js v22.22.1
Workflow->>NPM: Authenticate with NPM registry
Workflow->>NPM: Add dist-tag latest to 2.0.24
NPM-->>Workflow: Tag added successfully
Workflow->>NPM: Deprecate version 3.0.0
NPM-->>Workflow: Version deprecated
Workflow->>NPM: List dist-tags
NPM-->>Workflow: Tags listed

The merge request adds a new GitHub Actions workflow to address an accidental release by restoring the 'latest' npm tag to version 2.0.24 and deprecating version 3.0.0. This ensures users receive the stable version when installing the create-contentful-app package. No direct upstream or downstream impacts detected in repository scan or cross-repo dependency analysis.

Code Paths Analyzed

Impact:
Addition of a manual remediation workflow for npm package releases. No functional code changes to the create-contentful-app packages themselves.

Flow:
Manual workflow_dispatch trigger → Setup Node.js 22.22.1 → npm dist-tag add (restore latest to v2.0.24) → npm deprecate (v3.0.0) → dist-tag verification

Direct Changes (Diff Files):
• .github/workflows/remediate-create-contentful-app-release.yaml [1-29] — New workflow file added to remediate accidental npm releases by restoring the 'latest' dist-tag to v2.0.24 and deprecating v3.0.0

Repository Impact:
CI/CD Infrastructure: Adds manual remediation capability for npm registry operations without affecting the main release workflow

Cross-Repository Dependencies:
None.

Database/Caching Impact:
• None

API Contract Violations:
None.

Infrastructure Dependencies:
• Requires GitHub secret NPM_REGISTRY_REGISTRY_NPMJS_ORG_TOKEN with npm publish permissions
• Node.js 22.22.1 runtime for npm CLI operations

Additional Insights:
NPM Registry State: Workflow hardcodes versions 2.0.24 (to restore) and 3.0.0 (to deprecate). These should match the actual accidental release scenario.

Testing Recommendations

Frontend Impact:
• No issues detected

Service Integration:
• Verify NPM_REGISTRY_REGISTRY_NPMJS_ORG_TOKEN secret is configured in repository settings before merge

Data Serialization:
• No issues detected

Privacy Compliance:
• No issues detected

Backward Compatibility:
• No issues detected

OAuth Functionality:
• None

Cross-Service Communication:
• No issues detected

Reliability Testing:
• None

Additional Insights:
• Test workflow manually in a fork or test environment before using in production
• Verify npm dist-tag commands work correctly with the configured token permissions
• Consider adding input parameters for version numbers to make workflow reusable for future incidents

Analysis based on known dependency patterns and edges. Actual impact may vary.
