31 changes: 31 additions & 0 deletions .github/workflows/publish-preview.yml
@@ -0,0 +1,31 @@
name: Publish Preview

on:
pull_request:
workflow_dispatch:
Comment on lines +3 to +5
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat .github/workflows/publish-preview.yml

Repository: TriPSs/nestjs-query

Length of output: 182


🌐 Web query:

GitHub Actions github.event.number workflow_dispatch availability

💡 Result:

Short answer: No — github.event.number is not provided for workflow_dispatch. The workflow_dispatch webhook/payload contains inputs, ref, repository, sender, workflow, etc., but it has no top-level "number" field (that field appears on events like pull_request or issues). See the workflow_dispatch payload spec and an example payload. [1][2]

If you need an identifier in workflow_dispatch, pass it as an input (or include it in repository_dispatch client_payload) and read it via github.event.inputs or github.event.client_payload. To inspect what your run received, echo toJSON(github.event). [1][3]

Sources:

  1. GitHub webhook events & payloads — workflow_dispatch payload. [1]
  2. Example workflow_dispatch payload (sample). [2]
  3. Docs / tips: view full event via toJSON(github.event). [1]

Clarify trigger intent and add conditional execution or input parameter.

The workflow triggers on both pull_request and workflow_dispatch, but the environment variable setup assumes a PR context. The github.event.number is only defined for pull request events; on manual dispatch, it will be undefined, causing the Nx cache key NX_BRANCH to be empty and potentially breaking the build cache behavior.

Choose one of the following approaches:

Option 1: If manual dispatch is intentional, provide a fallback:

 env:
-  NX_BRANCH: ${{ github.event.number }}
+  NX_BRANCH: ${{ github.event.number || github.ref_name }}
   NX_RUN_GROUP: ${{ github.run_id }}

Option 2: If publishing previews should only happen on PRs, remove workflow_dispatch:

 on:
   pull_request:
-  workflow_dispatch:
🤖 Prompt for AI Agents
.github/workflows/publish-preview.yml lines 3-5: the workflow triggers on both
pull_request and workflow_dispatch but later assumes a PR context
(github.event.number), which is undefined for manual runs; either restrict the
trigger to PRs or add a robust fallback/conditional for manual dispatch. Fix by
choosing one: (a) if previews should only run for PRs, remove workflow_dispatch
so only pull_request triggers the workflow; (b) if manual dispatch must remain,
add a guard and fallback values: ensure any variables that rely on
github.event.number (like NX_BRANCH/NX_PR_NUMBER) gracefully fall back to inputs
or to github.ref/github.head_ref, add a workflow_dispatch input for branch/PR
number and use an if condition on jobs/steps to run PR-specific steps only when
github.event_name == 'pull_request' (or when the input is provided), and update
the cache key generation to use the fallback branch variable so NX_BRANCH is
never empty.


env:
NX_BRANCH: ${{ github.event.number }}
NX_RUN_GROUP: ${{ github.run_id }}

jobs:
publish-preview:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0

- name: Use Node.js
uses: actions/setup-node@v4
with:
node-version: 22.x

- name: Setup
uses: ./.github/actions/setup-step

- name: Build
run: yarn nx run-many --target=build --all

- name: Publish Preview
run: npx pkg-pr-new publish './dist/packages/*'
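Review bot: `run: npx pkg-pr-new publish './dist/packages/*'` executes whichever pkg-pr-new version npm serves at run time, in a job that runs on every `pull_request`; pin it (`npx pkg-pr-new@<version> publish ...`, with a version you have validated) so a broken or compromised release cannot enter the preview publish path unreviewed. The same applies to `actions/checkout@v4` and `actions/setup-node@v4`, which track a moving tag rather than a commit SHA. When the job-level `permissions:` block is added, keep `contents: read`: the sourced analysis in the second comment on this file says the pkg.pr.new App avoids `contents: write`, so the `contents: write` in that comment's AI-agent prompt is broader than the job needs.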
Comment on lines +12 to +31
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# Check for pkg-pr-new usage in the codebase
find . -type f \( -name "*.yml" -o -name "*.yaml" -o -name "*.json" -o -name "*.md" \) | head -20 | xargs grep -l "pkg-pr-new" 2>/dev/null || echo "No matches found in main files"

Repository: TriPSs/nestjs-query

Length of output: 182


🏁 Script executed:

# List all workflow files to see patterns
ls -la .github/workflows/ 2>/dev/null || echo "No workflows directory found"

Repository: TriPSs/nestjs-query

Length of output: 182


🏁 Script executed:

# Check other workflows for permissions declarations
find .github/workflows -name "*.yml" -o -name "*.yaml" | head -10 | xargs grep -B5 -A2 "permissions:" 2>/dev/null || echo "No permissions declarations found"

Repository: TriPSs/nestjs-query

Length of output: 182


🏁 Script executed:

# Check package.json for pkg-pr-new
cat package.json 2>/dev/null | grep -A5 -B5 "pkg-pr-new" || echo "Not found in package.json"

Repository: TriPSs/nestjs-query

Length of output: 182


🏁 Script executed:

# Check if there's any documentation about pkg-pr-new setup
find . -name "*.md" -type f | xargs grep -l "pkg-pr-new" 2>/dev/null || echo "No markdown documentation found"

Repository: TriPSs/nestjs-query

Length of output: 182


🌐 Web query:

pkg-pr-new npm package requirements authentication GITHUB_TOKEN permissions

💡 Result:

Short answer — pkg.pr.new uses a GitHub App + the workflow GITHUB_TOKEN. Required auth/permissions are:

  • Install the pkg.pr.new GitHub App on the repo (pkg.pr.new expects the App to be installed). [1]
  • In your workflow use the repository GITHUB_TOKEN for actions (GITHUB_TOKEN is an installation token and is the recommended auth for workflows). You may also use a PAT or GitHub App token only if you need wider access. [3][4]

Common minimal permissions to grant the workflow (examples supported by the repo + GitHub docs):

  • contents: read — read commits / repo files. [2][3]
  • pull-requests (or pull_requests): read + write — read PR state and create/edit PR comments. The pkg.pr.new app needs to read and write PR comments. [2]
  • issues: write — if you want pkg.pr.new to post/update comments on PRs/issues (repo README/issue discusses comment behaviour). [1][2]
  • checks: read — to show check/run status badges if used. [2]

Example permissions block (put in your workflow if you want explicit minimal permissions):
permissions:
contents: read
pull-requests: write
issues: write
checks: read

References

  • pkg.pr.new README / usage (install GitHub App, workflow usage). [1]
  • pkg.pr.new issue discussing exact App permissions (reads commits, reads/writes PR comments, avoids contents: write). [2]
  • GitHub docs: GITHUB_TOKEN behavior and how to set workflow permissions. [3][4]

If you want, tell me the exact workflow you’re using and I’ll produce a ready-to-copy permissions block.


Add explicit permissions for pkg-pr-new workflow.

The workflow does not declare explicit permissions. The pkg-pr-new tool requires the GitHub App to be installed on the repository and specific token scopes to function correctly. The workflow should declare explicit permissions rather than relying on default token scopes.

Add the following permissions block at the job level:

  publish-preview:
    runs-on: ubuntu-latest
+   permissions:
+     contents: read
+     pull-requests: write
+     issues: write
    steps:

Ensure the pkg.pr.new GitHub App is installed on the repository (see https://github.com/apps/pkg-pr-new). The workflow will use the default GITHUB_TOKEN, which is sufficient for pkg-pr-new's operations once the App is installed.

🤖 Prompt for AI Agents
In .github/workflows/publish-preview.yml around lines 12 to 31, the job lacks
explicit permissions required by the pkg-pr-new GitHub App; add a permissions
block at the publish-preview job level granting at minimum contents: write and
pull-requests: write (so the workflow uses GITHUB_TOKEN with the correct scopes
for pkg-pr-new), and optionally set id-token: write if your environment needs
OIDC; ensure the pkg-pr-new GitHub App is installed on the repository so the App
can operate with these permissions.
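The two findings on this file (PR-only context values used under a `workflow_dispatch` trigger, and a job with no explicit `permissions:` block) are easy to check mechanically before a workflow is merged. The checker below is an added example, not code from the nestjs-query project or from the review bot; it uses only the Python standard library (no PyYAML) and walks indentation directly, which is sufficient for the workflow shapes it inspects. `WEAK` and `HARDENED` are constructed inputs: `WEAK` mirrors the diff above with its indentation restored, and `HARDENED` applies the first comment's Option 1 fallback (`github.ref_name`) together with the second comment's job-level permissions block. The names `triggers`, `unguarded_pr_contexts`, `jobs_without_permissions` and `lint` are this example's own.

```python
"""Stdlib-only lint for the two findings raised on publish-preview.yml.
Added example (not nestjs-query or review-bot code); walks YAML indentation directly.
"""
import re

# Context values that only exist when the run was triggered by a pull request.
PR_ONLY_CONTEXTS = ("github.event.number", "github.event.pull_request")
EXPR = re.compile(r"\$\{\{(.*?)\}\}")

def _indent(line):
    return len(line) - len(line.lstrip())

def _block(lines, start):
    """Non-blank lines indented deeper than lines[start], i.e. its YAML body."""
    base, body = _indent(lines[start]), []
    for line in filter(str.strip, lines[start + 1:]):
        if _indent(line) <= base:
            break
        body.append(line)
    return body

def triggers(workflow):
    """Event names under the top-level `on:` key (mapping, list or inline form)."""
    lines = workflow.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^on:\s*(.*)$", line)
        if not m:
            continue
        if m.group(1).strip():  # on: push   /   on: [push, pull_request]
            return [t.strip() for t in m.group(1).strip("[] ").split(",") if t.strip()]
        body = _block(lines, i)
        first = _indent(body[0]) if body else 0
        items = [l.strip() for l in body if _indent(l) == first]
        return [s[1:].strip() if s.startswith("-") else s.split(":", 1)[0] for s in items]
    return []

def unguarded_pr_contexts(workflow):
    """(line number, expression) pairs reading a PR-only context with no `||` fallback."""
    hits = []
    for lineno, line in enumerate(workflow.splitlines(), 1):
        for expr in EXPR.findall(line):
            if any(ctx in expr for ctx in PR_ONLY_CONTEXTS) and "||" not in expr:
                hits.append((lineno, expr.strip()))
    return hits

def jobs_without_permissions(workflow):
    """Jobs that inherit the default GITHUB_TOKEN scopes instead of declaring their own."""
    lines = workflow.splitlines()
    if any(l.startswith("permissions:") for l in lines):
        return []  # a workflow-level block applies to every job
    missing = []
    for i, line in enumerate(lines):
        if not re.match(r"^jobs:\s*$", line):
            continue
        body = _block(lines, i)
        first = _indent(body[0]) if body else 0
        for j, l in enumerate(body):
            if _indent(l) == first and not any(
                x.strip().startswith("permissions:") for x in _block(body, j)
            ):
                missing.append(l.strip().rstrip(":"))
    return missing

def lint(workflow):
    """Human-readable findings; an empty list means both checks pass."""
    findings = []
    if "workflow_dispatch" in triggers(workflow):
        for lineno, expr in unguarded_pr_contexts(workflow):
            findings.append(f"line {lineno}: `{expr}` is empty under workflow_dispatch; "
                            "add a `||` fallback or drop the trigger")
    for job in jobs_without_permissions(workflow):
        findings.append(f"job `{job}`: no explicit permissions block, so GITHUB_TOKEN "
                        "gets the repository's default scopes")
    return findings

# Constructed inputs: WEAK mirrors the diff; HARDENED adds the fallback and permissions.
WEAK = """\
name: Publish Preview
on:
  pull_request:
  workflow_dispatch:
env:
  NX_BRANCH: ${{ github.event.number }}
  NX_RUN_GROUP: ${{ github.run_id }}
jobs:
  publish-preview:
    runs-on: ubuntu-latest
    steps:
      - run: npx pkg-pr-new publish './dist/packages/*'
"""
HARDENED = WEAK.replace(
    "${{ github.event.number }}", "${{ github.event.number || github.ref_name }}"
).replace(
    "    runs-on: ubuntu-latest\n",
    "    runs-on: ubuntu-latest\n    permissions:\n      contents: read\n"
    "      pull-requests: write\n      issues: write\n",
)

if __name__ == "__main__":
    for name, wf in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, lint(wf) or "clean")
```

Run as a script it reports two findings for `WEAK` (the unguarded `github.event.number` on line 6 and the `publish-preview` job without permissions) and `clean` for `HARDENED`. The `||` heuristic deliberately stays simple: it accepts any fallback expression, so a fallback to another PR-only value (such as `github.head_ref`) would still pass and has to be caught by reading the expression.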
