sendbird · sf-tyler-jeong · May 13, 2026 · Apr 1, 2026 · Apr 2, 2026 · Apr 2, 2026
diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
@@ -7,6 +7,7 @@ on:
   push:
     branches:
       - main
+      - release/**
 concurrency:
   group: build-and-test-${{ github.head_ref || github.ref_name }}
   cancel-in-progress: true
@@ -17,12 +18,12 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
-          node-version: '16.19.1'
+          node-version: '24'
           cache: 'yarn'
 
       - name: Install dependencies
@@ -43,4 +44,12 @@ jobs:
         if: ${{ success() }}
         timeout-minutes: 15
         run: |
-          yarn test --forceExit --runInBand
+          yarn test --forceExit --runInBand || {
+            if [ -f "./test-results/junit-report.xml" ]; then
+              echo "Tests failed. Retrying failed tests..."
+              node scripts/failed-test-retry.js
+            else
+              echo "Tests failed and no JUnit report found."
+              exit 1
+            fi
+          }
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
@@ -1,11 +1,18 @@
+name: Coverage Report
+
+# Manual trigger only. To restore PR comment trigger, replace workflow_dispatch with:
+# on:
+#   issue_comment:
+#     types: [created, edited]
+# And add this condition to the job:
+#   if: github.event.issue.pull_request && contains(github.event.comment.body, './coverage')
+
 on:
-  issue_comment:
-    types: [created, edited]
+  workflow_dispatch:
 
 jobs:
-    coverage:
-        runs-on: ubuntu-latest
-        if: github.event.issue.pull_request && contains(github.event.comment.body, './coverage')
-        steps:
-            - uses: actions/checkout@v3
-            - uses: ArtiomTr/jest-coverage-report-action@v2
+  coverage:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: ArtiomTr/jest-coverage-report-action@v2
diff --git a/.github/workflows/package-publish.yml b/.github/workflows/package-publish.yml
@@ -1,3 +1,12 @@
+# Manual publish workflow (typically for beta/RC releases).
+#
+# IMPORTANT: npm OIDC trusted publishing allows only one publisher
+# configuration per package. The default is set to release-workflow.yml.
+# Before dispatching this workflow:
+#   1. Open the package on npmjs.com → Settings → "Trusted publisher"
+#   2. Change the workflow filename to "package-publish.yml"
+#   3. Run this workflow
+#   4. Restore the workflow filename to "release-workflow.yml"
 name: Package build and publish
 
 on:
@@ -19,19 +28,86 @@ on:
 jobs:
   publish:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: write
+    env:
+      SKIP_REST: '' # Set to 'true' when npm_tag is provided
+      VERSION: ${{ github.event.inputs.version }}
+      NPM_TAG: ${{ github.event.inputs.npm_tag }}
+      TAG_SUFFIX: ${{ github.event.inputs.tag_suffix }}
+      BRANCH_NAME: ${{ github.ref_name }}
     steps:
-      - uses: actions/checkout@v4
+      - name: Validate dispatch inputs
+        run: |
+          # VERSION must be stable X.Y.Z. Prerelease versions are built up via
+          # npm_tag (+ optional tag_suffix), e.g., 3.18.0 + beta + 0 => 3.18.0-beta-0.
+          if ! printf '%s' "$VERSION" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+$'; then
+            echo "Invalid version: '$VERSION' (expected stable X.Y.Z; use npm_tag for prerelease)"
+            exit 1
+          fi
+          if [ -n "$NPM_TAG" ]; then
+            if ! printf '%s' "$NPM_TAG" | grep -qE '^[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*$'; then
+              echo "Invalid npm_tag: '$NPM_TAG'"
+              exit 1
+            fi
+            if [ "$NPM_TAG" = "latest" ]; then
+              echo "npm_tag 'latest' is not allowed; leave npm_tag empty for a stable publish."
+              exit 1
+            fi
+          fi
+          if [ -n "$TAG_SUFFIX" ]; then
+            if ! printf '%s' "$TAG_SUFFIX" | grep -qE '^[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*$'; then
+              echo "Invalid tag_suffix: '$TAG_SUFFIX'"
+              exit 1
+            fi
+            if [ -z "$NPM_TAG" ]; then
+              echo "tag_suffix requires npm_tag. Provide npm_tag (e.g., beta) or remove tag_suffix."
+              exit 1
+            fi
+          fi
+          # npm rejects dist-tags that can be parsed as a semver version or range
+          # (e.g. 1.0, v1.4, 1.x, 1.2.x, 1.2.3-beta). The simplest way to cover
+          # all of these is to forbid leading digits and a leading v/V.
+          if [ -n "$NPM_TAG" ] && printf '%s' "$NPM_TAG" | grep -qE '^([0-9]|[vV])'; then
+            echo "npm_tag '$NPM_TAG' starts with a digit or v/V; npm rejects such dist-tags (interpreted as a semver version/range)."
+            exit 1
+          fi
+          # Validate the constructed npm version against semver 2.0 (catches things like
+          # beta.01 → 3.18.0-beta.01, which is rejected by the spec for leading zeros)
+          candidate_version="$VERSION"
+          if [ -n "$NPM_TAG" ]; then
+            if [ -z "$TAG_SUFFIX" ]; then
+              candidate_version="$VERSION-$NPM_TAG"
+            else
+              candidate_version="$VERSION-$NPM_TAG-$TAG_SUFFIX"
+            fi
+          fi
+          semver_re='^(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-(0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)(\.(0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*))*)?$'
+          if ! printf '%s' "$candidate_version" | grep -qE "$semver_re"; then
+            echo "Constructed npm version '$candidate_version' is not valid semver 2.0."
+            exit 1
+          fi
+      - name: Validate dispatch ref matches release branch
+        run: |
+          expected="release/v$VERSION"
+          if [ "$BRANCH_NAME" != "$expected" ]; then
+            echo "Dispatched from '$BRANCH_NAME' but version input is $VERSION."
+            echo "Re-dispatch this workflow with the correct ref ($expected) selected in the GitHub Actions UI."
+            exit 1
+          fi
+      - uses: actions/checkout@v6
         with:
           token: ${{ secrets.SDK_GH_BOT1_TOKEN }}
           fetch-depth: 0
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v6
         with:
-          node-version: 18.x
+          node-version: '24'
           cache: 'yarn'
       - name: Check if the release branch exists
         run: |
           set -x
-          branch_name="release/v${{ github.event.inputs.version }}"
+          branch_name="release/v$VERSION"
           if ! git ls-remote --exit-code --heads origin "$branch_name" > /dev/null; then
             echo "Branch $branch_name does not exist. Make sure to create the branch and create a Jira ticket with pr-comment-bot."
             exit 1
@@ -42,10 +118,10 @@ jobs:
       - name: Update version in package.json if npm_tag is provided
         if: ${{ github.event.inputs.npm_tag }}
         run: |
-          if [ -z "${{ github.event.inputs.tag_suffix }}" ]; then
-            npm_version="${{ github.event.inputs.version }}-${{ github.event.inputs.npm_tag }}"
+          if [ -z "$TAG_SUFFIX" ]; then
+            npm_version="$VERSION-$NPM_TAG"
           else
-            npm_version="${{ github.event.inputs.version }}-${{ github.event.inputs.npm_tag }}-${{ github.event.inputs.tag_suffix }}"
+            npm_version="$VERSION-$NPM_TAG-$TAG_SUFFIX"
           fi
           jq --arg npm_version "$npm_version" '.version = $npm_version' package.json > package.json.tmp && mv package.json.tmp package.json
       - name: Set environments
@@ -54,16 +130,15 @@ jobs:
           git config --global user.email "sha.sdk_deployment@sendbird.com"
       - name: Install and Build
         run: |
-          yarn install
+          yarn install --immutable
           yarn build
       - name: Publish to npm
         run: |
           cd ./dist
-          echo "//registry.npmjs.org/:_authToken=${{ secrets.npm_token }}" > .npmrc
-          if [ -z "${{ github.event.inputs.npm_tag }}" ]; then
-            npm publish --access=public
+          if [ -z "$NPM_TAG" ]; then
+            npm publish --access=public --provenance
           else
-            npm publish --tag ${{ github.event.inputs.npm_tag }} --access=public
+            npm publish --tag "$NPM_TAG" --access=public --provenance
             echo "npm_tag is provided; Skipping the rest of the steps."
             echo "SKIP_REST=true" >> $GITHUB_ENV
           fi
@@ -99,5 +174,5 @@ jobs:
       - name: Tag new target and push to origin
         if: env.SKIP_REST != 'true'
         run: |
-          git tag v${{ github.event.inputs.version }}
-          git push origin v${{ github.event.inputs.version }}
+          git tag "v$VERSION"
+          git push origin "v$VERSION"
diff --git a/.github/workflows/pr-comment-bot.yml b/.github/workflows/pr-comment-bot.yml
@@ -8,7 +8,7 @@ jobs:
     if : ${{ github.event.issue.pull_request}}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - uses: sendbird/release-automation-action@latest
         with:
           gh_token: ${{ secrets.SDK_GH_BOT1_TOKEN }}

diff --git a/.github/workflows/prepare-changelog.yml b/.github/workflows/prepare-changelog.yml
@@ -0,0 +1,71 @@
+name: Prepare CHANGELOG
+
+on:
+  push:
+    branches:
+      - 'release/v*'
+    paths:
+      - 'CHANGELOG_DRAFT.md'
+      - 'package.json'
+
+concurrency:
+  group: prepare-changelog-${{ github.ref_name }}
+  cancel-in-progress: false
+
+jobs:
+  prepare:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+
+    env:
+      BRANCH_NAME: ${{ github.ref_name }}
+      BOT_EMAIL: 'sha.sdk_deployment@sendbird.com'
+      BOT_NAME: 'sendbird-sdk-deployment'
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          token: ${{ secrets.SDK_GH_BOT1_TOKEN }}
+          fetch-depth: 2
+          ref: ${{ github.ref_name }}
+
+      - name: Skip if last commit was made by the release bot
+        id: skip-bot
+        run: |
+          last_author=$(git log -1 --pretty=%ae)
+          if [ "$last_author" = "$BOT_EMAIL" ]; then
+            echo "Last commit author is the release bot ($BOT_EMAIL); skipping."
+            echo "skip=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "skip=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Setup Node.js
+        if: steps.skip-bot.outputs.skip != 'true'
+        uses: actions/setup-node@v6
+        with:
+          node-version: '24'
+
+      - name: Update CHANGELOG.md
+        if: steps.skip-bot.outputs.skip != 'true'
+        run: |
+          VERSION="${BRANCH_NAME#release/v}"
+          DATE=$(date -u '+%b %d %Y' | tr '[:lower:]' '[:upper:]')
+          export VERSION DATE
+          node scripts/update-changelog.js
+
+      - name: Commit and push CHANGELOG.md
+        if: steps.skip-bot.outputs.skip != 'true'
+        run: |
+          if git diff --quiet CHANGELOG.md; then
+            echo "CHANGELOG.md unchanged; nothing to commit."
+            exit 0
+          fi
+          VERSION="${BRANCH_NAME#release/v}"
+          git config user.email "$BOT_EMAIL"
+          git config user.name "$BOT_NAME"
+          git add CHANGELOG.md
+          git commit -m "chore: prepare CHANGELOG.md for v${VERSION}"
+          git push origin "$BRANCH_NAME"