Fix prerelease PR comment and add Slack notifications #531

Merged: ignaciosantise merged 2 commits into develop from fix-prerelease-pr-comment, Feb 12, 2026

Conversation

ignaciosantise (Collaborator) commented Feb 12, 2026

Summary

Fixed the CI action that comments pre-release versions on PRs to target the correct PR, and added Slack notifications for both snapshot and canary releases.

Changes:

  • Fix canary version comment to use changesets/action's pullRequestNumber output instead of broken commit API lookup
  • Add Slack notifications after snapshot releases (via workflow dispatch) with version, tag, branch, actor, and npm link
  • Add Slack notifications after canary releases (main branch) with same details

The notifications include a direct link to the npm package and installation command for easy testing.

Test plan

  • Trigger snapshot workflow on a branch with changesets → verify Slack message with correct version and tag
  • Merge a PR to main with a changeset → verify canary Slack message and PR comment on "chore: version packages" PR

Note

Low Risk
CI-only workflow changes affecting release notifications and PR comments; main risk is misconfigured secrets/webhook or conditional logic causing missed/duplicate notifications, not code/runtime behavior.

Overview
Fixes the canary prerelease workflow to comment on the correct PR by using changesets/action’s pullRequestNumber output (instead of commit-to-PR API lookup), and gates version extraction/commenting on the prerelease publish step succeeding.

Adds best-effort Slack incoming-webhook notifications after successful canary and snapshot publishes, including the published version, tag, branch, actor, and an npm link/install hint; version is now passed between steps via $GITHUB_OUTPUT.

Written by Cursor Bugbot for commit 92fdf6e.

- Fix prerelease comment targeting wrong PR by using changesets action's pullRequestNumber output instead of broken commit API lookup
- Add Slack notifications after snapshot and canary releases with version, tag, branch, actor, npm link, and install command
- Applies to both snapshot.yml (workflow dispatch) and changesets.yml (main branch canary releases)

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings February 12, 2026 18:03
changeset-bot bot commented Feb 12, 2026

⚠️ No Changeset found

Latest commit: 92fdf6e

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


claude bot commented Feb 12, 2026

Claude finished @ignaciosantise's task


🔍 Code Review Complete

Tasks

  • Read modified workflow files
  • Review changesets.yml changes
  • Review snapshot.yml changes
  • Analyze security implications
  • Check GitHub Actions best practices
  • Provide comprehensive feedback

Issues Found

1. Critical: Script Injection Vulnerability in changesets.yml

.github/workflows/changesets.yml:89

The PR comment step uses unvalidated env.VERSION directly in the --body argument without proper quoting:

gh pr comment ${{ steps.changesets.outputs.pullRequestNumber }} \
  --body "Published pre-release version: ${{ env.VERSION }}"

Problem: If package.json version contains shell metacharacters (e.g., backticks, $(), etc.), this could lead to command injection.

Fix: Use proper quoting with single quotes or escape the variable:

gh pr comment ${{ steps.changesets.outputs.pullRequestNumber }} \
  --body 'Published pre-release version: ${{ env.VERSION }}'

Or use a heredoc:

gh pr comment ${{ steps.changesets.outputs.pullRequestNumber }} \
  --body "$(cat <<'EOF'
Published pre-release version: ${{ env.VERSION }}
EOF
)"

2. Environment Variable vs Step Output Mismatch in changesets.yml

.github/workflows/changesets.yml:76-81

The step outputs VERSION to $GITHUB_ENV:

echo "VERSION=$VERSION" >> $GITHUB_ENV

But it should also/instead use $GITHUB_OUTPUT for consistency with how other steps expose data, especially if other jobs need to reference it:

echo "VERSION=$VERSION" >> $GITHUB_OUTPUT

Then reference it as ${{ steps.get_version.outputs.VERSION }} (like snapshot.yml does correctly on line 119).

Current impact: Works for same-job steps via env.VERSION, but inconsistent pattern compared to snapshot.yml.

3. Missing Version in Environment for Slack Notification in changesets.yml

.github/workflows/changesets.yml:92-127

The Slack notification step uses ${{ env.VERSION }} but it's set in step 76-81 which only runs if: steps.changesets.outputs.published != 'true'. The Slack step on line 92 has the same condition, so it should work, but...

Problem: If the "Get NPM Version" step fails or is skipped, env.VERSION will be empty in the Slack payload, creating a broken notification.

Fix: Add explicit dependency or use step outputs:

- name: Send Slack notification
  if: steps.changesets.outputs.published != 'true' && steps.get_version.outputs.VERSION

4. Inconsistent Output Method in snapshot.yml

.github/workflows/snapshot.yml:95-100

This correctly uses $GITHUB_OUTPUT (line 100):

echo "VERSION=$VERSION" >> $GITHUB_OUTPUT

But then the Slack notification on line 119 correctly references it as ${{ steps.get_version.outputs.VERSION }}. This is the correct pattern that should also be applied to changesets.yml.

5. Missing Error Handling for Slack Notifications

Both .github/workflows/changesets.yml:92 and .github/workflows/snapshot.yml:102

The Slack notification steps don't have continue-on-error: true. If the Slack webhook fails (wrong URL, service down, timeout), the entire workflow fails.

Impact: A failed Slack notification would mark the release as failed even though the publish succeeded.

Fix: Add to both Slack steps:

- name: Send Slack notification
  if: steps.changesets.outputs.published != 'true'
  continue-on-error: true

6. Potential NPM Link 404 for Newly Published Versions

.github/workflows/changesets.yml:117 and .github/workflows/snapshot.yml:127

Both workflows link to npm with the version path immediately after publishing:

https://www.npmjs.com/package/@reown/appkit-react-native/v/${{ env.VERSION }}

Problem: npm CDN can take seconds to minutes to propagate. The link might 404 when clicked immediately.

Recommendation: Use the package page without version suffix, or add a note that the link may take a few minutes to be available:

https://www.npmjs.com/package/@reown/appkit-react-native

Or keep version link but document the delay in the text.


Summary

Security: 1 script injection vulnerability in PR comment command
Correctness: 2 issues with environment variable handling
Reliability: 2 issues with error handling and external dependencies

The PR correctly fixes the main issue (using pullRequestNumber output instead of commit API lookup) and adds useful Slack notifications, but has several important issues to address before merge.
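As an added example (not part of the PR or of any reviewer's comment), a small lint that flags the pattern behind issue 1 above: a `${{ ... }}` expression inside a `run:` script is substituted into the script text before the shell parses it, so quoting inside the script cannot contain it, and the hardened form maps each value into `env:` and reads it as `"$VAR"`. The sample workflow is constructed here and mirrors the quoted step; it assumes only POSIX sh and awk.

```shell
# Added example, not from the PR. Flags ${{ ... }} expressions inside the
# `run:` scripts of a GitHub Actions workflow; the hardened form maps the
# value into `env:` and reads "$VAR" in the script. Assumes POSIX sh + awk.

lint_run_expressions() {
  # Prints "<line>: <text>" for every line of a run: script that embeds ${{ }}.
  awk '
    function indent(s) { match(s, /^[ ]*(- )?/); return RLENGTH }
    {
      if ($0 ~ /^[ ]*(- )?run:/) {           # start of a run: step (inline or |)
        run_indent = indent($0); in_run = 1
        if ($0 ~ /[$][{][{]/) print NR ": " $0
        next
      }
      if (in_run) {
        if ($0 ~ /^[ ]*$/) next              # blank lines stay inside the block
        if (indent($0) <= run_indent) { in_run = 0; next }
        if ($0 ~ /[$][{][{]/) print NR ": " $0
      }
    }' "$1"
}

count_findings() { lint_run_expressions "$1" | wc -l | tr -d ' '; }

write_sample_workflow() {
  # Constructed sample: step 1 mirrors the flagged snippet, step 2 is the
  # hardened form, step 3 is an inline run: with an expression.
  f="${TMPDIR:-/tmp}/lint-sample-$$.yml"
  cat > "$f" <<'EOF'
jobs:
  release:
    steps:
      - name: Comment version (expression inside the script)
        run: |
          gh pr comment ${{ steps.changesets.outputs.pullRequestNumber }} \
            --body "Published pre-release version: ${{ env.VERSION }}"
      - name: Comment version (values mapped into env, read as shell vars)
        env:
          PR_NUMBER: ${{ steps.changesets.outputs.pullRequestNumber }}
          VERSION: ${{ steps.get_version.outputs.VERSION }}
        run: |
          gh pr comment "$PR_NUMBER" --body "Published pre-release version: $VERSION"
      - name: Inline run with an expression
        run: echo "Version ${{ env.VERSION }}"
EOF
  printf '%s\n' "$f"
}
```

Run `lint_run_expressions "$(write_sample_workflow)"` to see the three offending lines; the env-mapped step produces no finding.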


cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 2 potential issues.


Copilot AI left a comment

Pull request overview

This PR updates the release automation workflows to (1) comment the canary/pre-release version on the correct PR generated by changesets/action, and (2) send Slack notifications when snapshot and canary releases are published.

Changes:

  • Switch PR commenting to use changesets/action’s pullRequestNumber output (instead of commit→PR lookup).
  • Add Slack incoming-webhook notifications after snapshot publishes.
  • Add Slack incoming-webhook notifications after canary publishes.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

Reviewed files:

  • .github/workflows/snapshot.yml: Adds steps to read the published version and send a Slack notification after snapshot publish.
  • .github/workflows/changesets.yml: Fixes PR commenting target via pullRequestNumber and adds Slack notification for canary publishes.


- Add id to publish step and gate PR comment, version, and Slack steps on publish_prerelease.outcome == 'success'
- Switch from GITHUB_ENV to GITHUB_OUTPUT for version consistency
- Add continue-on-error to Slack steps so failures don't block releases

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

ignaciosantise (Collaborator, Author) commented:

Thanks for the review. Here's what was addressed in 92fdf6e:

1. Script injection (PR comment) — Dismissed. VERSION comes from require('./package.json').version, a semver string we control. Not user input.

2. GITHUB_ENV vs GITHUB_OUTPUT inconsistency — Fixed. Switched to GITHUB_OUTPUT and steps.get_version.outputs.VERSION for consistency with snapshot.yml.

3. Missing VERSION check for Slack — Fixed. Gated all downstream steps on steps.publish_prerelease.outcome == 'success', which ensures VERSION is set.

4. Inconsistent output method — Fixed (same as #2).

5. Missing continue-on-error on Slack steps — Fixed. Added continue-on-error: true to both Slack notification steps.

6. NPM link 404 on new versions — Dismissed. Minor UX issue not worth added complexity. Links resolve within minutes.

@ignaciosantise ignaciosantise merged commit 3f39561 into develop Feb 12, 2026
12 checks passed
@ignaciosantise ignaciosantise deleted the fix-prerelease-pr-comment branch February 12, 2026 20:25
@github-actions github-actions bot locked and limited conversation to collaborators Feb 12, 2026