Fix prerelease PR comment and add Slack notifications

[ignaciosantise]

Summary

Fixed the CI action that comments pre-release versions on PRs to target the correct PR, and added Slack notifications for both snapshot and canary releases.

Changes:

• Fix canary version comment to use changesets/action's pullRequestNumber output instead of broken commit API lookup
• Add Slack notifications after snapshot releases (via workflow dispatch) with version, tag, branch, actor, and npm link
• Add Slack notifications after canary releases (main branch) with same details

The notifications include a direct link to the npm package and installation command for easy testing.

Test plan

• Trigger snapshot workflow on a branch with changesets → verify Slack message with correct version and tag
• Merge a PR to main with a changeset → verify canary Slack message and PR comment on "chore: version packages" PR

---

Note

Low Risk
CI-only workflow changes affecting release notifications and PR comments; main risk is misconfigured secrets/webhook or conditional logic causing missed/duplicate notifications, not code/runtime behavior.

Overview
Fixes the canary prerelease workflow to comment on the correct PR by using changesets/action’s pullRequestNumber output (instead of commit-to-PR API lookup), and gates version extraction/commenting on the prerelease publish step succeeding.

Adds best-effort Slack incoming-webhook notifications after successful canary and snapshot publishes, including the published version, tag, branch, actor, and an npm link/install hint; version is now passed between steps via $GITHUB_OUTPUT.

^{Written by Cursor Bugbot for commit 92fdf6e. This will update automatically on new commits. Configure here.}

[changeset-bot]

⚠️ No Changeset found

Latest commit: 92fdf6e

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[claude]

Claude finished @ignaciosantise's task —— View job

---

🔍 Code Review Complete

Tasks

• Read modified workflow files
• Review changesets.yml changes
• Review snapshot.yml changes
• Analyze security implications
• Check GitHub Actions best practices
• Provide comprehensive feedback

---

Issues Found

1. Critical: Script Injection Vulnerability in changesets.yml

.github/workflows/changesets.yml:89

The PR comment step uses unvalidated env.VERSION directly in the --body argument without proper quoting:

gh pr comment ${{ steps.changesets.outputs.pullRequestNumber }} \
  --body "Published pre-release version: ${{ env.VERSION }}"

Problem: If package.json version contains shell metacharacters (e.g., backticks, $(), etc.), this could lead to command injection.

Fix: Use proper quoting with single quotes or escape the variable:

gh pr comment ${{ steps.changesets.outputs.pullRequestNumber }} \
  --body 'Published pre-release version: ${{ env.VERSION }}'

Or use a heredoc:

gh pr comment ${{ steps.changesets.outputs.pullRequestNumber }} \
  --body "$(cat <<'EOF'
Published pre-release version: ${{ env.VERSION }}
EOF
)"

2. Environment Variable vs Step Output Mismatch in changesets.yml

.github/workflows/changesets.yml:76-81

The step outputs VERSION to $GITHUB_ENV:

echo "VERSION=$VERSION" >> $GITHUB_ENV

But it should also/instead use $GITHUB_OUTPUT for consistency with how other steps expose data, especially if other jobs need to reference it:

echo "VERSION=$VERSION" >> $GITHUB_OUTPUT

Then reference it as ${{ steps.get_version.outputs.VERSION }} (like snapshot.yml does correctly on line 119).

Current impact: Works for same-job steps via env.VERSION, but inconsistent pattern compared to snapshot.yml.

3. Missing Version in Environment for Slack Notification in changesets.yml

.github/workflows/changesets.yml:92-127

The Slack notification step uses ${{ env.VERSION }} but it's set in step 76-81 which only runs if: steps.changesets.outputs.published != 'true'. The Slack step on line 92 has the same condition, so it should work, but...

Problem: If the "Get NPM Version" step fails or is skipped, env.VERSION will be empty in the Slack payload, creating a broken notification.

Fix: Add explicit dependency or use step outputs:

- name: Send Slack notification
  if: steps.changesets.outputs.published != 'true' && steps.get_version.outputs.VERSION

4. Inconsistent Output Method in snapshot.yml

.github/workflows/snapshot.yml:95-100

This correctly uses $GITHUB_OUTPUT (line 100):

echo "VERSION=$VERSION" >> $GITHUB_OUTPUT

But then the Slack notification on line 119 correctly references it as ${{ steps.get_version.outputs.VERSION }}. This is the correct pattern that should also be applied to changesets.yml.

5. Missing Error Handling for Slack Notifications

Both .github/workflows/changesets.yml:92 and .github/workflows/snapshot.yml:102

The Slack notification steps don't have continue-on-error: true. If the Slack webhook fails (wrong URL, service down, timeout), the entire workflow fails.

Impact: A failed Slack notification would mark the release as failed even though the publish succeeded.

Fix: Add to both Slack steps:

- name: Send Slack notification
  if: steps.changesets.outputs.published != 'true'
  continue-on-error: true

6. Potential NPM Link 404 for Newly Published Versions

.github/workflows/changesets.yml:117 and .github/workflows/snapshot.yml:127

Both workflows link to npm with the version path immediately after publishing:

https://www.npmjs.com/package/@reown/appkit-react-native/v/${{ env.VERSION }}

Problem: npm CDN can take seconds to minutes to propagate. The link might 404 when clicked immediately.

Recommendation: Use the package page without version suffix, or add a note that the link may take a few minutes to be available:

https://www.npmjs.com/package/@reown/appkit-react-native

Or keep version link but document the delay in the text.

---

Summary

Security: 1 script injection vulnerability in PR comment command
Correctness: 2 issues with environment variable handling
Reliability: 2 issues with error handling and external dependencies

The PR correctly fixes the main issue (using pullRequestNumber output instead of commit API lookup) and adds useful Slack notifications, but has several important issues to address before merge.

---

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}

[Copilot]

Pull request overview

This PR updates the release automation workflows to (1) comment the canary/pre-release version on the correct PR generated by changesets/action, and (2) send Slack notifications when snapshot and canary releases are published.

Changes:

• Switch PR commenting to use changesets/action’s pullRequestNumber output (instead of commit→PR lookup).
• Add Slack incoming-webhook notifications after snapshot publishes.
• Add Slack incoming-webhook notifications after canary publishes.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File	Description
.github/workflows/snapshot.yml	Adds steps to read the published version and send a Slack notification after snapshot publish.
.github/workflows/changesets.yml	Fixes PR commenting target via pullRequestNumber and adds Slack notification for canary publishes.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[ignaciosantise]

Thanks for the review. Here's what was addressed in 92fdf6e:

1. Script injection (PR comment) — Dismissed. VERSION comes from require('./package.json').version, a semver string we control. Not user input.

2. GITHUB_ENV vs GITHUB_OUTPUT inconsistency — Fixed. Switched to GITHUB_OUTPUT and steps.get_version.outputs.VERSION for consistency with snapshot.yml.

3. Missing VERSION check for Slack — Fixed. Gated all downstream steps on steps.publish_prerelease.outcome == 'success', which ensures VERSION is set.

4. Inconsistent output method — Fixed (same as #2).

5. Missing continue-on-error on Slack steps — Fixed. Added continue-on-error: true to both Slack notification steps.

6. NPM link 404 on new versions — Dismissed. Minor UX issue not worth added complexity. Links resolve within minutes.