fix(repo): add recovery for release downstream notifications

[jacekradko]

Summary

• Adds a recovery step to the release workflow that catches the case where changeset publish succeeds (packages land on npm) but the changesets action step fails afterward (e.g. during git push --follow-tags)
• When the changesets step fails, the published output is never set to true, so downstream repo notifications are silently skipped — and on retry, nothing is left to publish

Root cause investigation: The 6.1.0 stable release on March 9 published to npm but the changesets action failed on attempt 1. Attempt 2 found "No unpublished projects" and also skipped the dispatch. As a result, sdk-infra-workers was stuck on 6.0.0 until manually dispatched today.

How the recovery step works

1. Only runs when the changesets step fails (if: always() && steps.changesets.conclusion == 'failure')
2. Reads the local package.json versions for @clerk/clerk-js and @clerk/ui
3. Skips if it's a pre-release (canary/snapshot)
4. Checks npm to see if either package was actually published
5. If at least one was published, dispatches to all downstream repos (same targets as the normal trigger)

The dispatches are idempotent — sdk-infra-workers just pins the version, dashboard prepares an update, clerk-docs rebuilds typedoc.

Test plan

• Verify workflow YAML is valid
• Recovery step is a no-op in normal version-mode runs (changesets succeeds → condition not met)
• Recovery step is a no-op when changesets fails before publishing (npm check returns not found for both)
• Recovery step dispatches when changesets fails after publishing either package

Summary by CodeRabbit

• Chores
  • Improved release workflow reliability with an automatic recovery mechanism that dispatches updates to downstream workflows when packages are confirmed published, while avoiding pre-release disruptions.
  • Added a minimal placeholder changeset file to track release metadata.

[changeset-bot]

🦋 Changeset detected

Latest commit: ce4cb24

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 0 packages

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
clerk-js-sandbox	Ready	Preview, Comment	Mar 17, 2026 2:45pm

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: fc639810-ba65-49c9-b1af-db0f113a2766

📥 Commits

Reviewing files that changed from the base of the PR and between 740d5a8 and ce4cb24.

📒 Files selected for processing (1)

• .github/workflows/release.yml

---

📝 Walkthrough

Walkthrough

Adds .changeset/release-dispatch-recovery.md containing minimal front matter (---). Updates .github/workflows/release.yml to add a recovery step "Recover downstream notifications" that runs when the changesets action fails, reads local package versions, skips on pre-releases or when pre-mode is active, checks npm for publication of @clerk/clerk-js and @clerk/ui, and conditionally dispatches three workflow_dispatch events (update-pkg-versions, prepare-nextjs-sdk-update, typedoc). Adds id: trigger to the downstream trigger step and updates notification steps to use the recovery publishedPackages output.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title clearly and concisely summarizes the main change: adding recovery logic for release downstream notifications when the changesets action fails after publishing.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

📝 Coding Plan

• Generate coding plan for human review comments

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (3)

.github/workflows/release.yml (3)

188-190: Optional: Use Promise.allSettled for more resilient dispatch.

If one dispatch fails (e.g., network issue to one repo), Promise.all rejects immediately and remaining dispatches may not complete. Using Promise.allSettled ensures all dispatches are attempted and failures can be logged individually.

♻️ Proposed change

-            await Promise.all(dispatches);
-            core.notice('Recovery dispatch completed successfully');
+            const results = await Promise.allSettled(dispatches);
+            const failures = results.filter(r => r.status === 'rejected');
+            if (failures.length > 0) {
+              failures.forEach((f, i) => core.warning(`Dispatch ${i} failed: ${f.reason}`));
+              core.setFailed(`${failures.length} of ${results.length} dispatches failed`);
+            } else {
+              core.notice('Recovery dispatch completed successfully');
+            }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml around lines 188 - 190, Replace the
Promise.all usage so all items in the dispatches array are awaited even if some
fail: use Promise.allSettled(dispatches) instead of Promise.all(dispatches),
then iterate the returned results to log individual failures (use core.error or
core.warning for rejected results) and call core.notice('Recovery dispatch
completed successfully') only if all settled results succeeded or adjust message
to reflect partial failures; update references in this block to the dispatches
identifier and the core.notice call accordingly.

---

167-189: Duplicated dispatch logic — consider extracting to a shared script or composite action.

The dispatch array here is identical to lines 91–113 in the normal trigger step. If downstream targets change, both locations need updating. Consider extracting to a reusable composite action or a shared Node script to keep them in sync.

That said, keeping the recovery step self-contained has clarity benefits for incident response.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml around lines 167 - 189, The dispatch logic
duplicated in the release workflow (the dispatches array built with
github.rest.actions.createWorkflowDispatch and awaited via
Promise.all(dispatches)) should be extracted to a single reusable
implementation; refactor by moving the array construction and dispatch
invocation into a shared helper (e.g., a function like buildAndDispatchWorkflows
or an external composite action) and replace both occurrences (the normal
trigger step and the recovery step) to call that helper so downstream target
changes only need to be updated in one place.

---

142-154: Consider verifying all dispatched packages, not just @clerk/clerk-js.

The recovery only confirms @clerk/clerk-js was published to npm, but the dispatch sends clerkUiVersion and nextjsVersion as well. In an edge case where clerk-js published but ui/nextjs didn't, downstream repos would receive potentially unpublished versions.

If the publish step is atomic (all-or-nothing), this is fine. Otherwise, consider verifying @clerk/ui and @clerk/nextjs too, or document the assumption.

♻️ Optional: verify additional packages

+            // Verify all packages that will be dispatched
+            const packagesToVerify = [
+              '@clerk/clerk-js',
+              '@clerk/ui', 
+              '@clerk/nextjs'
+            ];
+            
+            for (const pkg of packagesToVerify) {
+              const localVersion = require(`./packages/${pkg.replace('@clerk/', '')}/package.json`).version;
+              try {
+                const npmVer = execSync(`npm view ${pkg}@${localVersion} version`, { encoding: 'utf8' }).trim();
+                if (npmVer !== localVersion) {
+                  console.log(`${pkg} version mismatch, skipping recovery`);
+                  return;
+                }
+              } catch {
+                console.log(`${pkg}@${localVersion} not found on npm, no recovery needed`);
+                return;
+              }
+            }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml around lines 142 - 154, The recovery logic
currently only validates npmVersion for `@clerk/clerk-js` using execSync and
clerkjsVersion; update it to also verify `@clerk/ui` and `@clerk/nextjs` (compare
their npm view version to clerkUiVersion and nextjsVersion respectively) before
returning success, and log which package mismatched (use npmVersionUi,
npmVersionNext or similar local vars) so the dispatch only proceeds if all three
published versions match; alternatively, if atomic publishing is guaranteed, add
a brief comment referencing that assumption next to the existing execSync/check
block.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.github/workflows/release.yml:
- Around line 188-190: Replace the Promise.all usage so all items in the
dispatches array are awaited even if some fail: use
Promise.allSettled(dispatches) instead of Promise.all(dispatches), then iterate
the returned results to log individual failures (use core.error or core.warning
for rejected results) and call core.notice('Recovery dispatch completed
successfully') only if all settled results succeeded or adjust message to
reflect partial failures; update references in this block to the dispatches
identifier and the core.notice call accordingly.
- Around line 167-189: The dispatch logic duplicated in the release workflow
(the dispatches array built with github.rest.actions.createWorkflowDispatch and
awaited via Promise.all(dispatches)) should be extracted to a single reusable
implementation; refactor by moving the array construction and dispatch
invocation into a shared helper (e.g., a function like buildAndDispatchWorkflows
or an external composite action) and replace both occurrences (the normal
trigger step and the recovery step) to call that helper so downstream target
changes only need to be updated in one place.
- Around line 142-154: The recovery logic currently only validates npmVersion
for `@clerk/clerk-js` using execSync and clerkjsVersion; update it to also verify
`@clerk/ui` and `@clerk/nextjs` (compare their npm view version to clerkUiVersion
and nextjsVersion respectively) before returning success, and log which package
mismatched (use npmVersionUi, npmVersionNext or similar local vars) so the
dispatch only proceeds if all three published versions match; alternatively, if
atomic publishing is guaranteed, add a brief comment referencing that assumption
next to the existing execSync/check block.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: fa16279b-d0e3-4368-a06c-aaebf96222a1

📥 Commits

Reviewing files that changed from the base of the PR and between 38408d9 and ca254d9.

📒 Files selected for processing (2)

• .changeset/release-dispatch-recovery.md
• .github/workflows/release.yml

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

.github/workflows/release.yml (1)

174-195: Consider extracting shared dispatch logic.

The dispatch array construction (lines 174-195) is nearly identical to the normal trigger step (lines 91-112). If downstream targets change, both locations must be updated.

This is acceptable for now given the workflow context, but consider extracting to a shared composite action or reusable script if the dispatch logic grows.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml around lines 174 - 195, The dispatches array
duplication should be consolidated so updates only occur in one place: extract
the shared creation logic around github.rest.actions.createWorkflowDispatch into
a reusable helper (e.g., a local function like makeDispatch(owner, repo,
workflow_id, ref, inputs) or move into a composite action/reusable script) and
replace both the array at lines where dispatches is built and the similar block
used for the normal trigger with calls to that helper; ensure the helper accepts
owner, repo, workflow_id, ref, and inputs (used for clerkjsVersion,
clerkUiVersion, nextjsVersion) and returns the createWorkflowDispatch call so
the code uses the single source of truth for all dispatch entries.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/release.yml:
- Around line 138-141: The pre-release guard only checks clerkjsVersion; update
the logic around the if block that references clerkjsVersion to also inspect
clerkUiVersion for pre-release markers (e.g., a hyphen) and skip the recovery if
either version is a pre-release; adjust the console.log to indicate which
version(s) caused the skip (use the existing clerkjsVersion and clerkUiVersion
identifiers so the message shows the offending version(s)).

---

Nitpick comments:
In @.github/workflows/release.yml:
- Around line 174-195: The dispatches array duplication should be consolidated
so updates only occur in one place: extract the shared creation logic around
github.rest.actions.createWorkflowDispatch into a reusable helper (e.g., a local
function like makeDispatch(owner, repo, workflow_id, ref, inputs) or move into a
composite action/reusable script) and replace both the array at lines where
dispatches is built and the similar block used for the normal trigger with calls
to that helper; ensure the helper accepts owner, repo, workflow_id, ref, and
inputs (used for clerkjsVersion, clerkUiVersion, nextjsVersion) and returns the
createWorkflowDispatch call so the code uses the single source of truth for all
dispatch entries.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: cabe833e-be70-41f9-93aa-1a98310b3cd7

📥 Commits

Reviewing files that changed from the base of the PR and between ca254d9 and 9a6a63f.

📒 Files selected for processing (1)

• .github/workflows/release.yml

[pkg-pr-new]

Open in StackBlitz

@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@8027

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@8027

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@8027

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@8027

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@8027

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@8027

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@8027

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@8027

@clerk/express

npm i https://pkg.pr.new/@clerk/express@8027

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@8027

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@8027

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@8027

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@8027

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@8027

@clerk/react

npm i https://pkg.pr.new/@clerk/react@8027

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@8027

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@8027

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@8027

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@8027

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@8027

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@8027

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@8027

commit: ce4cb24

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

.github/workflows/release.yml (1)

139-142: ⚠️ Potential issue | 🟡 Minor

Pre-release check should also validate clerkUiVersion.

The current check only validates clerkjsVersion for pre-release markers. If clerkjsVersion is stable but clerkUiVersion is a pre-release (e.g., 1.0.0-canary.5), the recovery would proceed and dispatch with a pre-release UI version to downstream repos.

,

🐛 Proposed fix to check both versions

             // Only recover stable releases
-            if (clerkjsVersion.includes('-')) {
-              console.log(`Skipping recovery: ${clerkjsVersion} is a pre-release`);
+            if (clerkjsVersion.includes('-') || clerkUiVersion.includes('-')) {
+              console.log(`Skipping recovery: clerkjs=${clerkjsVersion}, ui=${clerkUiVersion} contains a pre-release`);
               return;
             }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml around lines 139 - 142, The current
pre-release guard only checks clerkjsVersion and can allow dispatch when
clerkUiVersion is a pre-release; update the pre-release check to validate both
clerkjsVersion and clerkUiVersion (e.g., test if either string includes '-' or
matches a pre-release semver pattern) before proceeding. If either
clerkjsVersion or clerkUiVersion is detected as a pre-release, log a clear
message naming the offending variable(s) and return to skip recovery/dispatch.
Ensure you reference and use the existing variables clerkjsVersion and
clerkUiVersion in the updated conditional and log.

🧹 Nitpick comments (1)

.github/workflows/release.yml (1)

175-197: Consider extracting duplicate dispatch logic into a reusable composite action or script.

The dispatch logic at lines 175-196 is nearly identical to lines 91-112. If downstream targets change (new repos, updated workflow names, different inputs), both locations require updates, risking divergence.

A reusable composite action or a shared script could centralize this logic.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml around lines 175 - 197, The dispatch creation
logic (the dispatches array built with
github.rest.actions.createWorkflowDispatch and awaited via
Promise.all(dispatches)) is duplicated; extract it into a single reusable unit
(either a composite GitHub Action or a shared script/JS module) that accepts an
array of target dispatch descriptors ({owner, repo, workflow_id, ref, inputs})
and performs the createWorkflowDispatch calls; replace both duplicated blocks in
release.yml with a single invocation of that composite/action or a step that
runs the shared script, passing the specific inputs (clerkjsVersion,
clerkUiVersion, nextjsVersion) so behavior and parameter names used by
github.rest.actions.createWorkflowDispatch remain identical.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/release.yml:
- Around line 224-226: Replace the deprecated ::set-output usage by writing the
payload to the GitHub Actions output file: capture the node script output into
the payload variable as you already do (payload=$(node scripts/notify.mjs
"$PACKAGES" '${{ github.actor }}')), then append that payload into
$GITHUB_OUTPUT (for example echo "payload=$payload" >> $GITHUB_OUTPUT) instead
of using echo ::set-output; update the run block that defines PACKAGES and
payload to use the $GITHUB_OUTPUT mechanism and ensure multi-line payloads are
handled (heredoc or proper quoting) when invoking scripts/notify.mjs.

---

Duplicate comments:
In @.github/workflows/release.yml:
- Around line 139-142: The current pre-release guard only checks clerkjsVersion
and can allow dispatch when clerkUiVersion is a pre-release; update the
pre-release check to validate both clerkjsVersion and clerkUiVersion (e.g., test
if either string includes '-' or matches a pre-release semver pattern) before
proceeding. If either clerkjsVersion or clerkUiVersion is detected as a
pre-release, log a clear message naming the offending variable(s) and return to
skip recovery/dispatch. Ensure you reference and use the existing variables
clerkjsVersion and clerkUiVersion in the updated conditional and log.

---

Nitpick comments:
In @.github/workflows/release.yml:
- Around line 175-197: The dispatch creation logic (the dispatches array built
with github.rest.actions.createWorkflowDispatch and awaited via
Promise.all(dispatches)) is duplicated; extract it into a single reusable unit
(either a composite GitHub Action or a shared script/JS module) that accepts an
array of target dispatch descriptors ({owner, repo, workflow_id, ref, inputs})
and performs the createWorkflowDispatch calls; replace both duplicated blocks in
release.yml with a single invocation of that composite/action or a step that
runs the shared script, passing the specific inputs (clerkjsVersion,
clerkUiVersion, nextjsVersion) so behavior and parameter names used by
github.rest.actions.createWorkflowDispatch remain identical.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 2659668d-c8f3-4ae6-9406-179d8f157552

📥 Commits

Reviewing files that changed from the base of the PR and between 9a6a63f and 80aab84.

📒 Files selected for processing (1)

• .github/workflows/release.yml

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (1)

.github/workflows/release.yml (1)

138-141: ⚠️ Potential issue | 🟡 Minor

Pre-release check should also validate clerkUiVersion.

This issue was flagged in a previous review but remains unaddressed. The current check only validates clerkjsVersion for pre-release markers. If clerkjsVersion is stable but clerkUiVersion is a pre-release (e.g., 1.0.0-canary.5), recovery would proceed and dispatch with a pre-release UI version.

🐛 Proposed fix to check both versions

             // Only recover stable releases
-            if (clerkjsVersion.includes('-')) {
-              console.log(`Skipping recovery: ${clerkjsVersion} is a pre-release`);
+            if (clerkjsVersion.includes('-') || clerkUiVersion.includes('-')) {
+              console.log(`Skipping recovery: clerkjs=${clerkjsVersion}, ui=${clerkUiVersion} contains a pre-release`);
               return;
             }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml around lines 138 - 141, The pre-release guard
only checks clerkjsVersion and can allow dispatch when clerkUiVersion is a
pre-release; update the conditional that references clerkjsVersion to also check
clerkUiVersion (both clerkjsVersion.includes('-') ||
clerkUiVersion.includes('-')) and log which version caused the skip (e.g.,
include clerkjsVersion and clerkUiVersion in the console message) so recovery is
skipped whenever either package is a pre-release.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/release.yml:
- Line 76: The workflow contains an unused step identifier `id: trigger` that
isn't referenced elsewhere; either remove the `id: trigger` line from the step
definition to avoid dead identifiers or add a brief inline comment next to `id:
trigger` explaining its intended future use for readability and maintainability
so reviewers understand why it remains present.
- Around line 166-170: Move the pre-mode check (variable preMode created via
require("fs").existsSync("./.changeset/pre.json")) to run before any calls to
isPublished() so we skip npm/network queries when in pre-mode; specifically,
relocate the block that sets preMode and calls core.warning("Changeset in
pre-mode, skipping recovery dispatch") and return to execute immediately at the
start of the workflow logic (before any isPublished() checks), ensuring the
early return prevents the subsequent npm publication checks from running.

---

Duplicate comments:
In @.github/workflows/release.yml:
- Around line 138-141: The pre-release guard only checks clerkjsVersion and can
allow dispatch when clerkUiVersion is a pre-release; update the conditional that
references clerkjsVersion to also check clerkUiVersion (both
clerkjsVersion.includes('-') || clerkUiVersion.includes('-')) and log which
version caused the skip (e.g., include clerkjsVersion and clerkUiVersion in the
console message) so recovery is skipped whenever either package is a
pre-release.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: a3384b25-b97d-426f-8c3b-f90cdde54127

📥 Commits

Reviewing files that changed from the base of the PR and between 80aab84 and 740d5a8.

📒 Files selected for processing (1)

• .github/workflows/release.yml

[jacekradko]

Superseded by #8102 which combines this recovery step with the Promise.allSettled fix for dispatch resilience.