- Add VIBE4_CHANGELOG.md for tracking breaking changes
- Add VIBE4_MIGRATION_GUIDE.md with comprehensive migration documentation
- Create v3-to-v4 migration structure in codemod package
- Update CLI to support --migration v4
- Add helper script for generating component migrations
- Set up enum mapping template for string literal conversions

This provides the foundation for implementing individual breaking changes and their corresponding codemods as development progresses.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Fix broken codemod infrastructure that was causing build failures.

ISSUE:
- type-imports-migration.ts had TypeScript errors accessing .name property
- path.value.id can be Identifier OR TSQualifiedName
- TSQualifiedName doesn't have .name property, causing TS2339 errors
- Build failures blocked all v4 codemod development

SOLUTION:
- Convert to safe no-op until actual type migrations are identified for v4
- Satisfies codemod CLI infrastructure requirements
- Removes TypeScript compilation errors
- Documents TODO structure for future type migrations

This is general v4 infrastructure, not specific to any breaking change.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
#3266) Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…3280) Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: Rivka Ungar <rivkaun@monday.com> Co-authored-by: vibe-bot <vibe@monday.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
#3290) Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Icons are now hidden from screen readers by default (ariaHidden=true),
aligning with the common pattern that most icons are decorative. Consumers
must explicitly set ariaHidden={false} for meaningful icons with labels.
- Default ariaHidden to true in Icon and CustomSvgIcon
- Remove auto-detection fallback in useIconScreenReaderAccessProps
- Fix internal consumer (TableHeaderCell) and story files
- Add codemod to migrate Icon elements with label but no ariaHidden
- Update migration guide and MCP example
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This reverts commit 22f7f71.
…implementation (#3285) Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
…3294) Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
…perties (#3295) Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Review Summary by Qodo
Add v3 release workflow with validation and publishing
Walkthroughs
Description
• Add v3 release workflow triggered manually from vibe3 branch
• Validate branch, notify Slack, build and test before release
• Generate versions using Lerna with conventional commits
• Publish packages to npm with v3 dist-tag
Diagram
flowchart LR
A["Workflow Dispatch"] --> B["Validate Branch"]
B --> C["Notify Slack"]
B --> D["Build"]
D --> E["Test"]
E --> F["Release"]
F --> G["Generate Versions"]
G --> H["Publish to npm"]
File Changes
1. .github/workflows/release-v3.yml
Code Review by Qodo
1. Publish is dry-run
|
| - name: Publish to npm with v3 dist-tag | ||
| run: yarn lerna publish from-package --dist-tag v3 --dry-run -y |
1. Publish is dry-run 🐞 Bug ✓ Correctness
release-v3.yml runs yarn lerna publish ... --dry-run, so no packages are actually published even though the workflow also bumps versions and creates a GitHub release, leaving the repo/releases ahead of npm. This can produce a broken release state where consumers cannot install the released versions.
Agent Prompt
### Issue description
The v3 release workflow does not publish anything because it runs `yarn lerna publish ... --dry-run`, despite creating version bumps/GitHub releases.
### Issue Context
This can create GitHub tags/releases and bumped versions without corresponding npm artifacts.
### Fix Focus Areas
- .github/workflows/release-v3.yml[81-82]
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
- @vibe/base@4.0.0-alpha.2
- @vibe/codemod@4.0.0-alpha.2
- @vibe/button@4.0.0-alpha.2
- @vibe/clickable@4.0.0-alpha.2
- @vibe/dialog@4.0.0-alpha.2
- @vibe/icon@4.0.0-alpha.2
- @vibe/icon-button@4.0.0-alpha.2
- @vibe/layer@4.0.0-alpha.2
- @vibe/layout@4.0.0-alpha.2
- @vibe/loader@4.0.0-alpha.2
- @vibe/tooltip@4.0.0-alpha.2
- @vibe/typography@4.0.0-alpha.2
- @vibe/config@4.0.0-alpha.2
- @vibe/core@4.0.0-alpha.2
- @vibe/docs@4.0.0-alpha.2
- @vibe/hooks@4.0.0-alpha.2
- @vibe/icons@4.0.0-alpha.2
- @vibe/mcp@4.0.0-alpha.2
- @vibe/shared@4.0.0-alpha.2
- vibe-storybook-components@4.0.0-alpha.2
- @vibe/style@4.0.0-alpha.2
- @vibe/testkit@4.0.0-alpha.2
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Persistent review updated to latest commit 8074005
Persistent review updated to latest commit 5d04fb2
| name: Validate Branch | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Ensure running on vibe3 | ||
| if: github.ref != 'refs/heads/vibe3' | ||
| run: | | ||
| echo "::error::Release v3 workflow must be triggered from the vibe3 branch. Current branch: ${{ github.ref }}" | ||
| exit 1 | ||
|
|
||
| notify-release-start: |
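Review bot: In the `Ensure running on vibe3` step, `${{ github.ref }}` is expanded into the text of the `run:` script before the shell starts, so the ref name becomes part of the command line rather than a value the shell reads. Take it from the runner environment instead, for example `echo "::error::... Current branch: $GITHUB_REF"`, so the ref is only ever handled as data.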
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 9 days ago
In general, fix this by adding an explicit permissions block that grants only the minimal scopes needed. You can set a restrictive permissions block at the workflow root (applies to all jobs) and then override it per job where additional permissions are necessary.
For this specific workflow:
- Add a top-level `permissions` block after `name:` (or after `on:`) with the minimal sensible default, e.g. `contents: read`. This is safe for jobs that don’t need to modify the repo or PRs.
- For `validate-branch`: it only checks `github.ref` and prints an error; it does not use `GITHUB_TOKEN` at all. It can either inherit `contents: read` or, more strictly, override with `permissions: {}` to disable the token entirely.
- For `notify-release-start`: it calls an HTTP webhook using a secret and does not interact with the GitHub API; inheriting `contents: read` is fine, but it also could use `permissions: {}`. To keep the configuration simple, letting it inherit read-only is acceptable and still follows least-privilege relative to defaults.
- For `build` and `test`: they are `uses:`-reusable workflows. Their inner permissions are defined in their own files; this file only needs enough permission for needs/outputs, which does not require extra scopes beyond read of repo metadata. Let them inherit `contents: read`.
- For `release`: this job checks out the repository, creates versions and GitHub releases (`lerna version --create-release github`), and uses `VIBE_GITHUB_TOKEN`. Creating releases requires `contents: write`; it may also need `pull-requests: write` if it manipulates PRs (not visible here), but we can safely grant `contents: write` which covers creating tags and releases. So add a per-job `permissions` block with `contents: write` (and optionally other specific scopes if later required) overriding the read-only default.
All required changes are in .github/workflows/release-v3.yml:
- Insert a root-level `permissions:` block (e.g., after the `on:` block) with `contents: read`.
- Insert a `permissions: {}` block in the `validate-branch` job to fully disable `GITHUB_TOKEN` for that job.
- Insert a `permissions:` block for the `release` job that sets `contents: write`.
No new imports or external libraries are needed, as this is a YAML workflow configuration change only.
| @@ -3,10 +3,14 @@ | ||
| on: | ||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| validate-branch: | ||
| name: Validate Branch | ||
| runs-on: ubuntu-latest | ||
| permissions: {} | ||
| steps: | ||
| - name: Ensure running on vibe3 | ||
| if: github.ref != 'refs/heads/vibe3' | ||
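Review bot: The root-level block lists only `contents: read`, which sets every scope not listed to none for all jobs, and the reusable workflows called by `build` and `test` cannot be granted more than this caller has. Before applying it, confirm that `build-and-upload.yml` and `test.yml` need nothing beyond reading contents. `permissions: {}` on `validate-branch` is right as written, since that job never uses the token.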
| @@ -57,6 +57,8 @@ | ||
| needs: [build, test] | ||
| if: ${{ needs.build.outputs.has_changes == 'true' }} | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: write | ||
| env: | ||
| NODE_AUTH_TOKEN: ${{ secrets.npm_token }} | ||
| steps: |
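Review bot: `contents: write` on the `release` job widens `GITHUB_TOKEN`, but the job as shown on this page checks out with `token: ${{ secrets.VIBE_GITHUB_TOKEN }}` and passes the same secret as `GH_TOKEN` to `lerna version`, so the tags and the release are created with that token rather than `GITHUB_TOKEN`. Unless one of the local actions (`setup`, `git-creds`, `download-builds`) turns out to need the write scope, leave this job on the root-level `contents: read`.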
| name: Notify Slack - Release Started | ||
| needs: validate-branch | ||
| runs-on: ubuntu-latest | ||
| continue-on-error: true | ||
| steps: | ||
| - name: Send Slack notification | ||
| uses: fjogeleit/http-request-action@v1 | ||
| with: | ||
| url: ${{ secrets.SLACK_DEV_TEAM_WEBHOOK_URL }} | ||
| method: "POST" | ||
| contentType: "application/json" | ||
| data: | | ||
| { | ||
| "event": "v3_release_started", | ||
| "actor": "${{ github.actor }}", | ||
| "commit_id": "${{ github.sha }}", | ||
| "workflow": "${{ github.workflow }}", | ||
| "run_url": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", | ||
| "commit_url": "${{ github.server_url }}/${{ github.repository }}/commit/${{ github.sha }}" | ||
| } | ||
|
|
||
| build: |
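Review bot: `fjogeleit/http-request-action@v1` is referenced by a movable tag and receives `secrets.SLACK_DEV_TEAM_WEBHOOK_URL` as its `url` input, so whatever `v1` points to at run time handles the webhook secret. Pin the action to a full commit SHA and keep the version in a trailing comment so updates are explicit and reviewable.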
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 9 days ago
In general, to fix this issue you should explicitly declare a permissions: block in the workflow, granting only the minimal rights each job actually needs. Jobs that only read repository metadata (or do not use GITHUB_TOKEN at all, like a pure Slack webhook call) can safely be restricted to contents: read. Jobs that need to write releases or tags may need contents: write or other specific scopes, but that is outside the scope of the flagged line; we must not change functionality of other jobs.
For this specific alert on notify-release-start, the safest, non-breaking fix is to define explicit read-only permissions for that job only. The job does not check out code, does not push commits, and does not create releases or pull requests. Its steps all use only secrets and workflow context; therefore, giving it contents: read is sufficient and will not impact its behavior. We will add a permissions: block under the notify-release-start job with contents: read. We will leave the other jobs (validate-branch, build, test, release) unchanged, so they continue using the repo’s current defaults and therefore preserve existing behavior.
Concretely:
- Edit `.github/workflows/release-v3.yml`.
- Under `jobs:`, inside the `notify-release-start:` job, insert:

      permissions:
        contents: read

  between `needs: validate-branch` and `runs-on: ubuntu-latest`.

No imports or additional definitions are needed.
| @@ -17,6 +17,8 @@ | ||
| notify-release-start: | ||
| name: Notify Slack - Release Started | ||
| needs: validate-branch | ||
| permissions: | ||
| contents: read | ||
| runs-on: ubuntu-latest | ||
| continue-on-error: true | ||
| steps: |
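Review bot: Scoping the fix to `notify-release-start` alone leaves `validate-branch`, `build`, `test` and `release` on the repository default, so the same CodeQL alert stays open on those jobs. A root-level `permissions:` default with per-job overrides covers all of them in one change, and for this job, which only posts to a webhook, `permissions: {}` is tighter than `contents: read`.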
| name: Build | ||
| needs: validate-branch | ||
| uses: ./.github/workflows/build-and-upload.yml | ||
| secrets: | ||
| npm_token: ${{ secrets.npm_token }} | ||
|
|
||
| test: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 9 days ago
In general, the fix is to add an explicit permissions block that grants only the minimal required scopes to each job or to the workflow as a whole. Non-mutating jobs should get read-only (or even contents: read only), and only the releasing job should receive write permissions needed to create tags, releases, or other changes.
The best minimal change here is:
- Add a root-level `permissions: contents: read` so that all jobs default to read-only.
- Add a job-level `permissions` block to the `release` job granting the write access it actually needs. Because `lerna version --create-release github` will create git tags and GitHub releases, we should grant `contents: write` and `packages: write` (for publishing) and `pull-requests: write` only if needed; nothing in the snippet shows PR modifications, so we can omit that. If your release process only needs repo contents and releases, `contents: write` is sufficient; including `packages: write` is a safe complement for publishing workflows, though npm publishing itself uses `NODE_AUTH_TOKEN`, not `GITHUB_TOKEN`.
Concretely:
- In `.github/workflows/release-v3.yml`, insert a root-level `permissions:` block after the `on:` section so all jobs get `contents: read` by default.
- In the `release` job definition, add a `permissions:` block setting `contents: write` (and optionally `packages: write` if your policy is to allow it there).

No imports or external dependencies are required; this is purely a YAML configuration change.
| @@ -3,6 +3,9 @@ | ||
| on: | ||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| validate-branch: | ||
| name: Validate Branch | ||
| @@ -57,6 +60,8 @@ | ||
| needs: [build, test] | ||
| if: ${{ needs.build.outputs.has_changes == 'true' }} | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: write | ||
| env: | ||
| NODE_AUTH_TOKEN: ${{ secrets.npm_token }} | ||
| steps: |
| name: Test | ||
| needs: build | ||
| uses: ./.github/workflows/test.yml | ||
| with: | ||
| has_changes: ${{ needs.build.outputs.has_changes }} | ||
| secrets: | ||
| npm_token: ${{ secrets.npm_token }} | ||
|
|
||
| release: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 9 days ago
In general: Add an explicit permissions: block to the workflow to limit the default GITHUB_TOKEN permissions to read-only, and then selectively grant write permissions only to jobs that actually need them (here, the release job, which creates GitHub releases and likely needs contents: write and pull-requests: write).
Best concrete fix for this file:
- Add a root-level `permissions:` block near the top of `.github/workflows/release-v3.yml`, just after `name:` (before `on:`), to apply to all jobs by default:
  - Set `contents: read` as the baseline.
  - Optionally add other read-only scopes if needed in the future; based on the visible steps, read-only `contents` is sufficient for `validate-branch`, `notify-release-start`, `build`, and `test`.
- Add a job-level `permissions:` block to the `release` job because it:
  - Checks out code (uses `contents` permissions; `read` is sufficient for checkout).
  - Runs `yarn lerna version ... --create-release github`, which creates GitHub releases and possibly interacts with tags/releases via the GitHub API. This typically requires `contents: write` and often `pull-requests: write` when interacting with PR metadata.
  - To avoid breaking existing behavior, give `release` the necessary write scopes:
    - `contents: write`
    - `pull-requests: write`
- Leave `test` (and the other jobs) inheriting the new root-level minimal `permissions:` to satisfy CodeQL’s concern on the `test` job while keeping them least-privilege.
All needed changes are within .github/workflows/release-v3.yml; no imports or additional definitions are required.
| @@ -1,5 +1,8 @@ | ||
| name: Release v3 version | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
|
|
||
| @@ -57,6 +60,9 @@ | ||
| needs: [build, test] | ||
| if: ${{ needs.build.outputs.has_changes == 'true' }} | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: write | ||
| pull-requests: write | ||
| env: | ||
| NODE_AUTH_TOKEN: ${{ secrets.npm_token }} | ||
| steps: |
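Review bot: `pull-requests: write` in the `release` job's block is not justified by anything the job is shown to do: its steps check out the repository, run `lerna version --create-release github` and publish, with no pull-request operation among them. Drop that line and add it back only if a step is found to need it.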
| name: Release | ||
| needs: [build, test] | ||
| if: ${{ needs.build.outputs.has_changes == 'true' }} | ||
| runs-on: ubuntu-latest | ||
| env: | ||
| NODE_AUTH_TOKEN: ${{ secrets.npm_token }} | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| with: | ||
| token: ${{ secrets.VIBE_GITHUB_TOKEN }} | ||
| fetch-depth: 0 | ||
| - name: Run Setup | ||
| uses: ./.github/actions/setup | ||
| with: | ||
| npm_token: ${{ secrets.npm_token }} | ||
| - uses: ./.github/actions/git-creds | ||
| - uses: ./.github/actions/download-builds | ||
| - name: Generate new versions | ||
| run: yarn lerna version --exact --conventional-commits --message "Publish [skip ci]" -y --create-release github | ||
| env: | ||
| GH_TOKEN: ${{ secrets.VIBE_GITHUB_TOKEN }} | ||
| - run: yarn config set registry https://registry.npmjs.org/ | ||
| - name: Setup .npmrc for publish | ||
| id: setup-npmrc | ||
| run: echo "//registry.npmjs.org/:_authToken=$NODE_AUTH_TOKEN" > .npmrc | ||
| - name: Publish to npm with v3 dist-tag | ||
| run: yarn lerna publish from-package --dist-tag v3 --dry-run -y | ||
| - name: Remove .npmrc | ||
| if: steps.setup-npmrc.outcome == 'success' | ||
| run: rm .npmrc |
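Review bot: `Remove .npmrc` has `if: steps.setup-npmrc.outcome == 'success'` with no status function, so the implicit `success()` still applies and the step is skipped when `Publish to npm with v3 dist-tag` fails, leaving the token file in the workspace. Use `if: always() && steps.setup-npmrc.outcome == 'success'`. `NODE_AUTH_TOKEN` is also set in the job-level `env:`, which exposes it to every step including the local actions, while only `Setup .npmrc for publish` reads it; set it on that step alone.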
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 9 days ago
To fix the problem, explicitly define permissions for the workflow so that GITHUB_TOKEN has only the minimal scopes required. Since this is a release workflow that creates GitHub releases and likely pushes tags/commits, the release job needs contents: write. The other jobs (validate-branch, notify-release-start, build, test) only read repository metadata and/or call sub‑workflows and external services; they can use contents: read or inherit a conservative default.
The simplest and safest change without altering functionality is:
- Add a top-level `permissions:` block after `name:` (before `on:`) setting `contents: read` so all jobs default to read-only repo access.
- Add a job-level `permissions:` block under the `release` job with `contents: write` to allow it to create tags/commits/releases as it already does via CLI tools and GitHub APIs.
No additional imports or dependencies are required; this is purely a YAML configuration change within .github/workflows/release-v3.yml.
| @@ -1,5 +1,8 @@ | ||
| name: Release v3 version | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
|
|
||
| @@ -57,6 +60,8 @@ | ||
| needs: [build, test] | ||
| if: ${{ needs.build.outputs.has_changes == 'true' }} | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: write | ||
| env: | ||
| NODE_AUTH_TOKEN: ${{ secrets.npm_token }} | ||
| steps: |
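The inheritance rule the autofix comments above rely on (a root-level `permissions:` block is the default for every job, and a job-level block replaces it) worked through as an added example; this is not code from the PR or the project. The workflow text is a constructed, trimmed sample, and the scanner assumes block-style YAML with two-space indentation.

```python
# Added example (not from the PR): resolve each job's effective GITHUB_TOKEN
# permissions. Assumes block-style YAML indented with two spaces.
# Constructed sample, trimmed to the shape of the workflow discussed above.
WORKFLOW = """\
on:
  workflow_dispatch:
permissions:
  contents: read
jobs:
  validate-branch:
    permissions: {}
  test:
    uses: ./.github/workflows/test.yml
  release:
    permissions:
      contents: write
"""

def _rows(text):
    """(indent, stripped text) for every non-blank, non-comment line."""
    rows = [(len(l) - len(l.lstrip()), l.strip()) for l in text.splitlines()]
    return [r for r in rows if r[1] and not r[1].startswith("#")]

def _read_permissions(rows, i):
    """Parse the `permissions:` entry at rows[i]; read-all/write-all -> {"all": ...}."""
    inline = rows[i][1].split(":", 1)[1].strip()
    if inline:
        return {} if inline == "{}" else {"all": inline.split("-")[0]}
    perms = {}
    for indent, item in rows[i + 1:]:
        if indent <= rows[i][0]:
            break
        scope, level = item.split(":", 1)
        perms[scope.strip()] = level.strip()
    return perms

def effective_permissions(text):
    """Map job -> permissions dict; None means no block applies (repository default)."""
    rows, root, jobs, in_jobs, current = _rows(text), None, {}, False, None
    for i, (indent, key) in enumerate(rows):
        if indent == 0:
            in_jobs = key == "jobs:"
            if key.startswith("permissions:"):
                root = _read_permissions(rows, i)
        elif in_jobs and indent == 2 and key.endswith(":"):
            current = key[:-1]
            jobs[current] = None
        elif in_jobs and indent == 4 and key.startswith("permissions:"):
            jobs[current] = _read_permissions(rows, i)  # replaces the root default
    return {job: root if own is None else own for job, own in jobs.items()}

def audit(text):
    """Return (job, issue) pairs: no block at all, or any scope set to write."""
    findings = []
    for job, perms in effective_permissions(text).items():
        writes = sorted(s for s, lvl in (perms or {}).items() if lvl == "write")
        if perms is None or writes:
            issue = "write: " + ", ".join(writes) if writes else "no permissions block"
            findings.append((job, issue))
    return findings
```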
Persistent review updated to latest commit 39c0646
📦 Bundle Size Analysis ✅ No bundle size changes detected.
Persistent review updated to latest commit 39b4f99
User description
https://monday.monday.com/boards/10027056258/pulses/10027056856
PR Type
Enhancement, Other
Description
Add v3 release workflow for automated publishing
Remove unnecessary blank lines across component files
Implement branch validation and Slack notifications
Configure npm publishing with v3 dist-tag
Diagram Walkthrough
File Walkthrough
- release-v3.yml: Add v3 release workflow automation (.github/workflows/release-v3.yml)
- Badge.tsx: Remove blank line in imports (packages/core/src/components/Badge/Badge.tsx)
- Combobox.tsx: Remove blank line in imports (packages/core/src/components/Combobox/Combobox.tsx)
- Counter.tsx: Remove blank line in imports (packages/core/src/components/Counter/Counter.tsx)
- ListItem.tsx: Remove blank line in imports (packages/core/src/components/ListItem/ListItem.tsx)
- ListItemIcon.tsx: Remove blank line in imports (packages/core/src/components/ListItemIcon/ListItemIcon.tsx)
- Menu.tsx: Remove blank line in imports (packages/core/src/components/Menu/Menu/Menu.tsx)