Skip to content

feat: add release relay and npm audit fix workflows#921

Merged
kyteinsky merged 2 commits into
mainfrom
feat/add-release-relay-and-npm-audit-fix-workflows
Jul 9, 2026
Merged

feat: add release relay and npm audit fix workflows#921
kyteinsky merged 2 commits into
mainfrom
feat/add-release-relay-and-npm-audit-fix-workflows

Conversation

@kyteinsky

Copy link
Copy Markdown
Collaborator

🤖 AI (if applicable)

  • The content of this PR was partly or fully generated using AI

kyteinsky added 2 commits July 9, 2026 17:23
Signed-off-by: kyteinsky <kyteinsky@gmail.com>
Signed-off-by: kyteinsky <kyteinsky@gmail.com>
@kyteinsky kyteinsky requested a review from oleksandr-nc July 9, 2026 11:54
@kyteinsky

Copy link
Copy Markdown
Collaborator Author

/backport 70c83d3 to stable34

@kyteinsky

Copy link
Copy Markdown
Collaborator Author

/backport 70c83d3 to stable33

@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Two new GitHub Actions workflows were added. The first, npm-audit-fix.yml, runs on a weekly schedule or manual trigger, iterates over the default branch plus stable34, stable33, and stable32, checks out each branch, resolves Node/npm versions, runs an npm audit-fix action, rebuilds the project, and opens a pull request with the fixes. The second, release-relay.yml, triggers on published releases restricted to the nextcloud-releases owner, verifies the triggering actor has write permission, and dispatches an app-tagged repository-dispatch event with repository and tag information to the nextcloud-gmbh/release-relay repository.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name Status Explanation Resolution
Description check ❓ Inconclusive The description is only an AI disclosure checkbox and does not describe the workflow changes. Add a brief description of the release relay and npm audit fix workflow changes.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the two new workflow additions in the pull request.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/release-relay.yml (1)

38-38: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Use toJSON() to safely construct the client-payload.

The client-payload is a manually constructed JSON string with raw ${{ }} interpolation. If github.event.release.tag_name contains a double quote or backslash, the JSON becomes malformed; if it contains a single quote, the surrounding YAML single-quoted string breaks. Using GitHub Actions' built-in toJSON() function properly escapes all values.

♻️ Proposed refactor: use toJSON() for safe payload construction
-          client-payload: '{"app": "${{ github.repository }}", "tag": "${{ github.event.release.tag_name }}"}'
+          client-payload: ${{ toJSON({ "app": github.repository, "tag": github.event.release.tag_name }) }}

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: d7f3d81e-867d-4f09-b6f8-4926ff9ded10

📥 Commits

Reviewing files that changed from the base of the PR and between f3ebac3 and 916ee07.

📒 Files selected for processing (2)
  • .github/workflows/npm-audit-fix.yml
  • .github/workflows/release-relay.yml

Comment on lines +44 to +61
- name: Read package.json node and npm engines version
uses: skjnldsv/read-package-engines-version-actions@06d6baf7d8f41934ab630e97d9e6c0bc9c9ac5e4 # v3
id: versions
with:
fallbackNode: '^24'
fallbackNpm: '^11.3'

- name: Set up node ${{ steps.versions.outputs.nodeVersion }}
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: ${{ steps.versions.outputs.nodeVersion }}

- name: Set up npm ${{ steps.versions.outputs.npmVersion }}
run: npm i -g 'npm@${{ steps.versions.outputs.npmVersion }}'

- name: Fix npm audit
id: npm-audit
uses: nextcloud-libraries/npm-audit-action@1b1728b2b4a7a78d69de65608efcf4db0e3e42d0 # v0.2.0

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Intermediate steps lack checkout outcome guard, causing job failures for missing branches.

Checkout uses continue-on-error: true (line 42) to gracefully handle branches that don't exist, and the build/PR steps (lines 64, 72) correctly guard with if: steps.checkout.outcome == 'success'. However, the steps in between — read package versions (44-49), setup node (51-54), setup npm (56-57), and npm audit fix (59-61) — have no such guard. When a branch doesn't exist, these steps will run against an empty workspace and fail (no package.json), stopping the job and defeating the purpose of continue-on-error on checkout.

🛡️ Proposed fix: add checkout outcome guard to intermediate steps
       - name: Read package.json node and npm engines version
+        if: steps.checkout.outcome == 'success'
         uses: skjnldsv/read-package-engines-version-actions@06d6baf7d8f41934ab630e97d9e6c0bc9c9ac5e4 # v3
         id: versions
         with:
           fallbackNode: '^24'
           fallbackNpm: '^11.3'

       - name: Set up node ${{ steps.versions.outputs.nodeVersion }}
+        if: steps.checkout.outcome == 'success'
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: ${{ steps.versions.outputs.nodeVersion }}

       - name: Set up npm ${{ steps.versions.outputs.npmVersion }}
+        if: steps.checkout.outcome == 'success'
         run: npm i -g 'npm@${{ steps.versions.outputs.npmVersion }}'

       - name: Fix npm audit
+        if: steps.checkout.outcome == 'success'
         id: npm-audit
         uses: nextcloud-libraries/npm-audit-action@1b1728b2b4a7a78d69de65608efcf4db0e3e42d0 # v0.2.0
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Read package.json node and npm engines version
uses: skjnldsv/read-package-engines-version-actions@06d6baf7d8f41934ab630e97d9e6c0bc9c9ac5e4 # v3
id: versions
with:
fallbackNode: '^24'
fallbackNpm: '^11.3'
- name: Set up node ${{ steps.versions.outputs.nodeVersion }}
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: ${{ steps.versions.outputs.nodeVersion }}
- name: Set up npm ${{ steps.versions.outputs.npmVersion }}
run: npm i -g 'npm@${{ steps.versions.outputs.npmVersion }}'
- name: Fix npm audit
id: npm-audit
uses: nextcloud-libraries/npm-audit-action@1b1728b2b4a7a78d69de65608efcf4db0e3e42d0 # v0.2.0
- name: Read package.json node and npm engines version
if: steps.checkout.outcome == 'success'
uses: skjnldsv/read-package-engines-version-actions@06d6baf7d8f41934ab630e97d9e6c0bc9c9ac5e4 # v3
id: versions
with:
fallbackNode: '^24'
fallbackNpm: '^11.3'
- name: Set up node ${{ steps.versions.outputs.nodeVersion }}
if: steps.checkout.outcome == 'success'
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: ${{ steps.versions.outputs.nodeVersion }}
- name: Set up npm ${{ steps.versions.outputs.npmVersion }}
if: steps.checkout.outcome == 'success'
run: npm i -g 'npm@${{ steps.versions.outputs.npmVersion }}'
- name: Fix npm audit
if: steps.checkout.outcome == 'success'
id: npm-audit
uses: nextcloud-libraries/npm-audit-action@1b1728b2b4a7a78d69de65608efcf4db0e3e42d0 # v0.2.0

@kyteinsky

Copy link
Copy Markdown
Collaborator Author

/backport 70c83d3 to stable32

@kyteinsky kyteinsky merged commit 5fb289c into main Jul 9, 2026
50 of 53 checks passed
@kyteinsky kyteinsky deleted the feat/add-release-relay-and-npm-audit-fix-workflows branch July 9, 2026 12:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant