feat(ci): add pkg.pr.new preview releases

[jtomaszewski]

Summary

• Add preview package releases using pkg.pr.new
• Triggers on pull requests and workflow_dispatch
• Builds all packages and publishes preview versions

Setup Required

The pkg.pr.new GitHub App needs to be installed on this repository for the workflow to work.

Test plan

• Verify workflow runs on this PR
• Install pkg.pr.new app and re-run workflow
• Check pkg.pr.new publishes preview packages correctly

🤖 Generated with Claude Code

Summary by CodeRabbit

Chores

• Configured automated preview publishing on pull requests for streamlined development workflow and easier testing of changes.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

A new GitHub Actions workflow is introduced to automate preview builds and publication. The workflow triggers on pull requests and manual dispatch, sets up a Node.js 22.x environment, builds all packages using Yarn and Nx, and publishes preview versions using pkg-pr-new.

Changes

Cohort / File(s)	Summary
New GitHub Actions Workflow \.github/workflows/publish-preview\.yml	Introduces automated preview build and publication workflow triggered on PR and manual dispatch, configures environment variables (NX_BRANCH, NX_RUN_GROUP), builds all packages via nx, and publishes previews using pkg-pr-new

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

• Verify workflow trigger conditions and event filters are appropriate
• Confirm environment variable configuration matches intended CI/CD setup
• Check build and publish commands are correct for the project structure

Poem

🐰 A workflow takes flight, new previews in sight,
With each pull request, we build what is best,
Node's setup so bright, packages unite,
Publishing fast, no more manual test! ✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: introducing a new GitHub Actions workflow that enables preview package releases using pkg.pr.new.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[nx-cloud]

View your CI Pipeline Execution ↗ for commit 21d77ce

Command	Status	Duration	Result
nx run-many --target=lint --all	✅ Succeeded	<1s	View ↗
nx run-many --target=e2e --all	✅ Succeeded	<1s	View ↗
nx run-many --target=build --all	✅ Succeeded	1s	View ↗
nx run workspace:version	✅ Succeeded	<1s	View ↗
nx run-many --target=test --all	✅ Succeeded	1s	View ↗

---

☁️ Nx Cloud last updated this comment at 2025-12-08 08:32:27 UTC

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4c5a767 and 21d77ce.

📒 Files selected for processing (1)

• .github/workflows/publish-preview.yml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: federation-e2e-test
• GitHub Check: Analyze

🔇 Additional comments (1)

.github/workflows/publish-preview.yml (1)

31-31: Verify that the build output creates the expected dist/packages directory structure.

The publish command uses glob pattern './dist/packages/*'. While pkg-pr-new does support standard glob patterns (via tinyglobby), the glob will silently match nothing if the build output doesn't create dist/packages or if the directory structure differs. Confirm the build step produces packages in this location and that the glob pattern correctly targets the expected output files.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat .github/workflows/publish-preview.yml

Repository: TriPSs/nestjs-query

Length of output: 182

---

🌐 Web query:

GitHub Actions github.event.number workflow_dispatch availability

💡 Result:

Short answer: No — github.event.number is not provided for workflow_dispatch. The workflow_dispatch webhook/payload contains inputs, ref, repository, sender, workflow, etc., but it has no top-level "number" field (that field appears on events like pull_request or issues). See the workflow_dispatch payload spec and an example payload. [1][2]

If you need an identifier in workflow_dispatch, pass it as an input (or include it in repository_dispatch client_payload) and read it via github.event.inputs or github.event.client_payload. To inspect what your run received, echo toJSON(github.event). [1][3]

Sources:

1. GitHub webhook events & payloads — workflow_dispatch payload. [1]
2. Example workflow_dispatch payload (sample). [2]
3. Docs / tips: view full event via toJSON(github.event). [1]

---

Clarify trigger intent and add conditional execution or input parameter.

The workflow triggers on both pull_request and workflow_dispatch, but the environment variable setup assumes a PR context. The github.event.number is only defined for pull request events; on manual dispatch, it will be undefined, causing the Nx cache key NX_BRANCH to be empty and potentially breaking the build cache behavior.

Choose one of the following approaches:

Option 1: If manual dispatch is intentional, provide a fallback:

 env:
-  NX_BRANCH: ${{ github.event.number }}
+  NX_BRANCH: ${{ github.event.number || github.ref_name }}
   NX_RUN_GROUP: ${{ github.run_id }}

Option 2: If publishing previews should only happen on PRs, remove workflow_dispatch:

 on:
   pull_request:
-  workflow_dispatch:

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	on:
	pull_request:
	workflow_dispatch:
	on:
	pull_request:

🤖 Prompt for AI Agents

.github/workflows/publish-preview.yml lines 3-5: the workflow triggers on both
pull_request and workflow_dispatch but later assumes a PR context
(github.event.number), which is undefined for manual runs; either restrict the
trigger to PRs or add a robust fallback/conditional for manual dispatch. Fix by
choosing one: (a) if previews should only run for PRs, remove workflow_dispatch
so only pull_request triggers the workflow; (b) if manual dispatch must remain,
add a guard and fallback values: ensure any variables that rely on
github.event.number (like NX_BRANCH/NX_PR_NUMBER) gracefully fall back to inputs
or to github.ref/github.head_ref, add a workflow_dispatch input for branch/PR
number and use an if condition on jobs/steps to run PR-specific steps only when
github.event_name == 'pull_request' (or when the input is provided), and update
the cache key generation to use the fallback branch variable so NX_BRANCH is
never empty.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# Check for pkg-pr-new usage in the codebase
find . -type f \( -name "*.yml" -o -name "*.yaml" -o -name "*.json" -o -name "*.md" \) | head -20 | xargs grep -l "pkg-pr-new" 2>/dev/null || echo "No matches found in main files"

Repository: TriPSs/nestjs-query

Length of output: 182

---

🏁 Script executed:

# List all workflow files to see patterns
ls -la .github/workflows/ 2>/dev/null || echo "No workflows directory found"

Repository: TriPSs/nestjs-query

Length of output: 182

---

🏁 Script executed:

# Check other workflows for permissions declarations
find .github/workflows -name "*.yml" -o -name "*.yaml" | head -10 | xargs grep -B5 -A2 "permissions:" 2>/dev/null || echo "No permissions declarations found"

Repository: TriPSs/nestjs-query

Length of output: 182

---

🏁 Script executed:

# Check package.json for pkg-pr-new
cat package.json 2>/dev/null | grep -A5 -B5 "pkg-pr-new" || echo "Not found in package.json"

Repository: TriPSs/nestjs-query

Length of output: 182

---

🏁 Script executed:

# Check if there's any documentation about pkg-pr-new setup
find . -name "*.md" -type f | xargs grep -l "pkg-pr-new" 2>/dev/null || echo "No markdown documentation found"

Repository: TriPSs/nestjs-query

Length of output: 182

---

🌐 Web query:

pkg-pr-new npm package requirements authentication GITHUB_TOKEN permissions

💡 Result:

Short answer — pkg.pr.new uses a GitHub App + the workflow GITHUB_TOKEN. Required auth/permissions are:

• Install the pkg.pr.new GitHub App on the repo (pkg.pr.new expects the App to be installed). [1]
• In your workflow use the repository GITHUB_TOKEN for actions (GITHUB_TOKEN is an installation token and is the recommended auth for workflows). You may also use a PAT or GitHub App token only if you need wider access. [3][4]

Common minimal permissions to grant the workflow (examples supported by the repo + GitHub docs):

• contents: read — read commits / repo files. [2][3]
• pull-requests (or pull_requests): read + write — read PR state and create/edit PR comments. The pkg.pr.new app needs to read and write PR comments. [2]
• issues: write — if you want pkg.pr.new to post/update comments on PRs/issues (repo README/issue discusses comment behaviour). [1][2]
• checks: read — to show check/run status badges if used. [2]

Example permissions block (put in your workflow if you want explicit minimal permissions):
permissions:
contents: read
pull-requests: write
issues: write
checks: read

References

• pkg.pr.new README / usage (install GitHub App, workflow usage). [1]
• pkg.pr.new issue discussing exact App permissions (reads commits, reads/writes PR comments, avoids contents: write). [2]
• GitHub docs: GITHUB_TOKEN behavior and how to set workflow permissions. [3][4]

If you want, tell me the exact workflow you’re using and I’ll produce a ready-to-copy permissions block.

---

Add explicit permissions for pkg-pr-new workflow.

The workflow does not declare explicit permissions. The pkg-pr-new tool requires the GitHub App to be installed on the repository and specific token scopes to function correctly. The workflow should declare explicit permissions rather than relying on default token scopes.

Add the following permissions block at the job level:

  publish-preview:
    runs-on: ubuntu-latest
+   permissions:
+     contents: read
+     pull-requests: write
+     issues: write
    steps:

Ensure the pkg.pr.new GitHub App is installed on the repository (see https://github.com/apps/pkg-pr-new). The workflow will use the default GITHUB_TOKEN, which is sufficient for pkg-pr-new's operations once the App is installed.

🤖 Prompt for AI Agents

In .github/workflows/publish-preview.yml around lines 12 to 31, the job lacks
explicit permissions required by the pkg-pr-new GitHub App; add a permissions
block at the publish-preview job level granting at minimum contents: write and
pull-requests: write (so the workflow uses GITHUB_TOKEN with the correct scopes
for pkg-pr-new), and optionally set id-token: write if your environment needs
OIDC; ensure the pkg-pr-new GitHub App is installed on the repository so the App
can operate with these permissions.

[jtomaszewski]

I closed to verify first whether it works - and it works ( fullstackhouse#2 ).

Reopening then. It's so that a PR can be quickly tested in a real app environment - without one needing to npm publish manually to some fork.