54 changes: 41 additions & 13 deletions .github/workflows/release-publish.yml
Expand Up @@ -2,13 +2,26 @@ name: Publish Packages

on:
workflow_dispatch:
inputs:
package-name:
description: 'Name of the package to publish'
required: true
type: string
package-version:
description: 'Version to publish (without v prefix, e.g. 2.18.0)'
required: true
type: string

concurrency:
group: release-publish-${{ inputs.package-name }}
cancel-in-progress: false

permissions:
contents: write
id-token: write

jobs:
publish-packages:
publish-package:
runs-on: ubuntu-latest
timeout-minutes: 20
steps:
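Review bot: the new `workflow_dispatch` inputs `package-name` and `package-version` are free-form `type: string` with no validation, even though the description of `package-version` promises a specific shape ("without v prefix, e.g. 2.18.0"). Both values are composed into the checkout `ref` and the release `tag_name` later in this file, so add a first step in `publish-package` that rejects anything not matching a strict pattern (a lowercase `[a-z][a-z0-9_]*` name and a semver-shaped version), so a stray `v` or a typo fails fast with a clear message instead of resolving to a nonexistent tag. The `concurrency` group keyed on `package-name` with `cancel-in-progress: false` is the right choice for a publish job; a one-line comment saying it exists so two dispatches for the same package queue rather than race would help the next reader.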
Expand All @@ -18,34 +31,49 @@ jobs:
with:
app-id: ${{ secrets.APP_ID }}
private-key: ${{ secrets.PRIVATE_KEY }}

- name: Checkout
uses: actions/checkout@v6
with:
fetch-depth: 0
ref: ${{ inputs.package-name }}-v${{ inputs.package-version }}

- name: Setup Flutter
uses: subosito/flutter-action@v2
with:
cache: true

- name: Publish to pub.dev
- name: Bootstrap with Melos
uses: bluefireteam/melos-action@v3
with:
publish: true

- name: Publish dry run
run: melos publish --scope ${{ inputs.package-name }} --dry-run

- name: Publish to pub.dev
run: melos publish --scope ${{ inputs.package-name }}
Comment on lines +49 to +53
Contributor

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

melos publish --no-dry-run flag CI interactive mode

💡 Result:

melos publish --no-dry-run only disables Melos’s default dry-run; it doesn’t add a “yes / non-interactive” mode, so it can still block in CI on the underlying publish confirmation prompt. [1]

Melos publishes by running pub publish internally. [2] For CI/non-interactive publishing, use dart pub publish --force (skips the confirmation prompt) [3] and run it per-package via melos exec, for example:

# Publish only packages whose current version is NOT on pub.dev
melos exec --no-published -- dart pub publish --force

Melos supports --published/--no-published as package filters. [4]

Sources: [1] [2] [3] [4]


🌐 Web query:

melos publish default behavior dry run CLI documentation

💡 Result:

melos publish defaults to a dry run: it validates what would be published but does not publish anything unless you explicitly disable dry-run. [1]

From the CLI docs:

  • melos publish → dry-run enabled by default (--dry-run defaults to true). [2]
  • To actually publish: melos publish --no-dry-run. [1][2]
  • You can also spell it explicitly as melos publish --dry-run (same as the default). [2]

Docs locations: the publish command reference and the Automated Releases guide. [2][1]


🏁 Script executed:

# Search for melos usage patterns in the repository
fd -type f -name "*.yml" -o -name "*.yaml" | head -20

Repository: supabase/supabase-flutter

Length of output: 239


The "Publish to pub.dev" step will not actually publish without --no-dry-run.

melos publish defaults to dry-run mode and will not publish anything without the explicit --no-dry-run flag. Line 53 will execute a dry-run instead of publishing to pub.dev, defeating the purpose of the workflow.

Additionally, passing ${{ inputs.package-name }} directly into run: is a shell-injection surface. The GitHub Actions hardening pattern is to pass inputs via environment variables.

Suggested fix
      - name: Publish dry run
-        run: melos publish --scope ${{ inputs.package-name }} --dry-run
+        env:
+          PACKAGE_NAME: ${{ inputs.package-name }}
+        run: melos publish --scope "$PACKAGE_NAME" --dry-run

      - name: Publish to pub.dev
-        run: melos publish --scope ${{ inputs.package-name }}
+        env:
+          PACKAGE_NAME: ${{ inputs.package-name }}
+        run: melos publish --scope "$PACKAGE_NAME" --no-dry-run
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release-publish.yml around lines 49 - 53, In the "Publish
to pub.dev" GitHub Actions step, melos publish currently runs as a dry-run
because it lacks the explicit --no-dry-run flag and also injects ${{
inputs.package-name }} directly into the run line; update the step named
"Publish to pub.dev" to add the --no-dry-run flag to the melos publish
invocation (melos publish --scope <pkg> --no-dry-run) and avoid shell injection
by passing the input via an environment variable (e.g., set PACKAGE_NAME: ${{
inputs.package-name }} in env and reference that env var in the run command) so
melos actually publishes and the input is safely provided.

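As an added example, not code from the supabase-flutter repository or from the reviewer above, the POSIX sh helpers below implement the defensive pattern the comment recommends: the dispatch inputs reach the script only through environment variables (`PACKAGE_NAME` and `PACKAGE_VERSION`, assumed names) and are validated against strict patterns before they are used to build the tag or the changelog path. The changelog extraction mirrors the awk in the workflow's "Extract CHANGELOG section" step but compares the header exactly rather than by prefix. Function names, patterns and the sample changelog are assumptions constructed for this example.

```shell
#!/usr/bin/env sh
# Added example (not from the supabase-flutter repository). Helpers a workflow
# step could source after receiving the dispatch inputs via `env:` rather than
# `${{ }}` interpolation. All names and patterns below are assumptions.

# pub.dev package names: lowercase letters, digits and underscores only.
# Anything else (spaces, slashes, "..", shell metacharacters) is rejected.
validate_package_name() {
  printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9_]*$'
}

# Semver without a leading "v": MAJOR.MINOR.PATCH with an optional -prerelease.
validate_package_version() {
  printf '%s' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?$'
}

# Read both inputs from the environment (the pattern the review recommends)
# and fail the step if either is malformed.
check_inputs_from_env() {
  validate_package_name "${PACKAGE_NAME:-}" || { echo "bad package-name" >&2; return 1; }
  validate_package_version "${PACKAGE_VERSION:-}" || { echo "bad package-version" >&2; return 1; }
}

# The tag the workflow checks out and releases: <name>-v<version>.
# Only call after check_inputs_from_env has passed.
build_release_tag() {
  printf '%s-v%s' "$1" "$2"
}

# Print the body of the "## <version>" section of a CHANGELOG.md.
# $1 = changelog path, $2 = version. Exact header comparison ($0 == header)
# so "## 2.18.0" does not also pick up a "## 2.18.0-rc.1" section.
extract_changelog_section() {
  awk -v header="## $2" \
    '$0 == header { flag = 1; next } /^## / { flag = 0 } flag' "$1"
}

# Constructed sample changelog used to exercise the helpers.
make_sample_changelog() {
  cat > "$1" <<'CHANGELOG'
# Changelog

## 2.18.0

- Added feature A
- Fixed bug B

## 2.18.0-rc.1

- Release candidate notes

## 2.17.0

- Older entry
CHANGELOG
}

# Stand-alone demonstration: DEMO=1 sh this_file.sh
if [ "${DEMO:-}" = 1 ]; then
  PACKAGE_NAME=supabase_flutter
  PACKAGE_VERSION=2.18.0
  export PACKAGE_NAME PACKAGE_VERSION
  check_inputs_from_env
  build_release_tag "$PACKAGE_NAME" "$PACKAGE_VERSION"; echo
  tmp=$(mktemp)
  make_sample_changelog "$tmp"
  extract_changelog_section "$tmp" "$PACKAGE_VERSION"
  rm -f "$tmp"
fi
```

In a workflow step this would be used as `env: { PACKAGE_NAME: ${{ inputs.package-name }}, PACKAGE_VERSION: ${{ inputs.package-version }} }` followed by `run: . ./scripts/release-helpers.sh && check_inputs_from_env` (assumed path), so the expression is expanded by the runner into an environment variable and never rewritten into the script text.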

- name: Extract CHANGELOG section
id: changelog
run: |
VERSION="${{ inputs.package-version }}"
PACKAGE="${{ inputs.package-name }}"
HEADER="## ${VERSION}"
CHANGELOG_CONTENT=$(awk -v header="$HEADER" 'index($0,header)==1{flag=1;next} /^## /{flag=0} flag' "packages/${PACKAGE}/CHANGELOG.md")
echo "changelog<<EOF" >> $GITHUB_OUTPUT
echo "${CHANGELOG_CONTENT}" >> $GITHUB_OUTPUT
echo "EOF" >> $GITHUB_OUTPUT

- name: Create GitHub Release
uses: softprops/action-gh-release@v2
with:
tag_name: ${{ github.ref_name }}
name: Release ${{ github.ref_name }}
tag_name: ${{ inputs.package-name }}-v${{ inputs.package-version }}
name: ${{ inputs.package-name }} v${{ inputs.package-version }}
body: |
## Package Release

Released package: ${{ github.ref_name }}

See the package CHANGELOG for detailed changes.
${{ steps.changelog.outputs.changelog }}

---
*This release was created automatically by the Publish Packages workflow.*
Published to pub.dev: https://pub.dev/packages/${{ inputs.package-name }}/versions/${{ inputs.package-version }}
draft: false
prerelease: false
prerelease: ${{ contains(inputs.package-version, '-') }}
env:
GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
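Review bot: the "Extract CHANGELOG section" step has the same interpolation problem the inline comment raises for the publish steps: `VERSION="${{ inputs.package-version }}"` and `PACKAGE="${{ inputs.package-name }}"` are expanded into the script text before the shell runs it, and `PACKAGE` then becomes part of the path `packages/${PACKAGE}/CHANGELOG.md`. Move both into `env:` and read them as `$PACKAGE_NAME` / `$PACKAGE_VERSION`, with the validation step suggested above in front. Two smaller points in the same step: the awk prefix test `index($0,header)==1` means a `## 2.18.0` header also selects a `## 2.18.0-rc.1` section, so compare with `$0 == header`; and the fixed `EOF` delimiter written to `$GITHUB_OUTPUT` truncates the output if any changelog line is exactly `EOF`, which a random delimiter (`$(openssl rand -hex 8)` or similar) avoids. Quoting `"$GITHUB_OUTPUT"` would also be consistent with the rest of the script.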
10 changes: 7 additions & 3 deletions .github/workflows/release-tag.yml
Expand Up @@ -39,9 +39,13 @@ jobs:
uses: bluefireteam/melos-action@v3
with:
tag: true
- run: |
- name: Trigger publish workflows
run: |
melos exec -c 1 --no-published --no-private --order-dependents -- \
gh workflow run release-publish.yml \
--ref \$MELOS_PACKAGE_NAME-v\$MELOS_PACKAGE_VERSION
bash -c "gh workflow run release-publish.yml \
--ref \$MELOS_PACKAGE_NAME-v\$MELOS_PACKAGE_VERSION \
--field package-name=\$MELOS_PACKAGE_NAME \
--field package-version=\$MELOS_PACKAGE_VERSION && \
sleep 30"
env:
GH_TOKEN: ${{ steps.app-token.outputs.token }}
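Review bot: the `sleep 30` appended inside the `bash -c "..."` string is an unexplained fixed delay; add a comment stating what it waits for, or replace it with an explicit poll on `gh run list` for the dispatched run. Combined with `melos exec -c 1`, every package in a release adds at least 30 s of serial wall time, which is worth calling out in the step name or a comment. Because `--ref` points `gh workflow run` at the package tag, the dispatched run uses `release-publish.yml` as it exists at that tag, so changes to that workflow only take effect for tags created after they are merged. The `\$MELOS_PACKAGE_NAME` escapes are correct as written: the outer `run:` shell turns them into literal `$`, and the inner `bash -c` expands them per package.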