refactor: migrate release flow to release-please #517
📝 Walkthrough
This PR migrates the release workflow from Changesets to release-please, pins development tool versions (Node 24.15.0, pnpm 10.33.2), updates CI workflows to use explicit mise installation with version pinning, and introduces AWS Amplify deployment configuration with environment variable injection and website artifact publishing.
Changes: Release and CI infrastructure modernization
Estimated code review effort: 🎯 4 (Complex) | ⏱️ ~45 minutes
🚥 Pre-merge checks: ✅ 4 passed | ❌ 1 failed (1 warning)
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
This pull request is automatically being deployed by Amplify Hosting (learn more).
Actionable comments posted: 4
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@.github/workflows/ci.yml`:
- Around line 25-31: The CI step "Install mise" currently uses an unverified
curl | sh which is a supply-chain risk; replace that pattern in the "Install
mise" job by either (1) using a pinned GitHub Action (pin a specific commit SHA)
that installs mise, or (2) downloading the mise binary and its published
checksum and verifying the checksum before executing/installing, or (3) invoking
mise's official installer/wrapper that performs integrity checks; update the
step to stop piping remote scripts to sh and ensure the installer source is
pinned and checksum-verified (refer to the "Install mise" step and the use of
mise install in the diff).
In `@.github/workflows/release.yml`:
- Around line 31-37: The "Install mise" step is insecure because it pipes a
remote installer via curl into sh; replace this with the official mise GitHub
Action pinned to an exact commit SHA (avoid runtime network install). Remove the
curl ... | sh block and instead add a uses: entry like uses:
<owner>/mise-action@<commit-sha> (pin to a commit SHA), pass the MISE_VERSION
via action inputs or env if supported, and ensure any required PATH changes or
setup are done via the action's documented outputs/steps rather than appending
to GITHUB_PATH manually; update the step name "Install mise" and the job that
writes releases/uses OIDC to use the pinned action.
In `@amplify.yml`:
- Line 6: Replace the unsafe “curl https://mise.run | MISE_VERSION=v2026.5.6 sh”
pattern by downloading the installer to a local file, verifying its
checksum/signature, and only then executing it; specifically, change the entry
that references the curl pipe command (the line containing "curl
https://mise.run | MISE_VERSION=v2026.5.6 sh") so the pipeline: (1) downloads
the installer to a temp file, (2) fetches or embeds the expected checksum or
signature and verifies the downloaded file, and (3) executes the installer only
if verification succeeds, failing the build with a clear error if verification
fails.
- Around line 11-13: The three echo lines write potentially empty VITE variables
into packages/widget/.env and append each time; change to a fail-fast check that
validates VITE_YIELDS_API_URL, VITE_API_URL, and VITE_API_KEY are set and
non-empty (exit non-zero with a clear error if any are missing), and then
rewrite (overwrite) packages/widget/.env deterministically instead of appending
so the file isn’t duplicated; locate the echo usages for VITE_YIELDS_API_URL,
VITE_API_URL, and VITE_API_KEY and replace them with a pre-check+single
overwrite sequence that fails on missing values and writes the three variables
atomically to .env.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: f1ec88aa-4c00-4f19-8417-f083113c7fa6
⛔ Files ignored due to path filters (2)
- `mise.lock` is excluded by `!**/*.lock`
- `pnpm-lock.yaml` is excluded by `!**/pnpm-lock.yaml`
📒 Files selected for processing (12)
- .changeset/README.md
- .changeset/config.json
- .github/workflows/ci.yml
- .github/workflows/release.yml
- .gitignore
- .release-please-manifest.json
- amplify.yml
- mise.toml
- package.json
- release-please-config.json
- turbo.json
- vercel.json
💤 Files with no reviewable changes (3)
- vercel.json
- .changeset/config.json
- .changeset/README.md
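The two amplify.yml fixes the review asks for (a fail-fast check on the three VITE variables with a single atomic overwrite of `.env`, and checksum verification of the downloaded installer before it runs), written as shell functions. This is an added example, not code from this PR; it assumes sh/bash with `sha256sum` or `shasum` available, and `MISE_INSTALLER_SHA256` is a placeholder for a digest the project would publish, not a real value.

```shell
# Added example, not from this PR. Assumes sh/bash with sha256sum or shasum.
set -eu

# Fail fast if any required VITE_* variable is unset or empty, then write the
# .env file atomically (temp file + rename) instead of appending with echo.
write_widget_env() {
  env_file="${1:-packages/widget/.env}"
  missing=0
  for var in VITE_YIELDS_API_URL VITE_API_URL VITE_API_KEY; do
    eval "val=\${$var:-}"
    if [ -z "$val" ]; then
      echo "error: required variable $var is not set or empty" >&2
      missing=1
    fi
  done
  [ "$missing" -eq 0 ] || return 1
  mkdir -p "$(dirname "$env_file")"
  tmp="$(mktemp "${env_file}.XXXXXX")"
  {
    printf 'VITE_YIELDS_API_URL=%s\n' "$VITE_YIELDS_API_URL"
    printf 'VITE_API_URL=%s\n' "$VITE_API_URL"
    printf 'VITE_API_KEY=%s\n' "$VITE_API_KEY"
  } > "$tmp"
  mv -f "$tmp" "$env_file"   # rename is atomic: never partial, never duplicated
}

# SHA-256 of a file, using whichever tool the build image provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Compare a downloaded installer against an expected digest; returns non-zero
# on mismatch so the build stops before anything from the download executes.
verify_installer() {
  file="$1"; expected="$2"
  actual="$(sha256_of "$file")"
  if [ "$actual" != "$expected" ]; then
    echo "error: checksum mismatch for $file: got $actual, want $expected" >&2
    return 1
  fi
}

# In amplify.yml preBuild, instead of `curl https://mise.run | MISE_VERSION=v2026.5.6 sh`:
#   curl -fsSL https://mise.run -o /tmp/mise-install.sh
#   verify_installer /tmp/mise-install.sh "$MISE_INSTALLER_SHA256"  # placeholder digest
#   MISE_VERSION=v2026.5.6 sh /tmp/mise-install.sh
```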
Summary by CodeRabbit
Chores
Configuration