Closed
Changes from 80 commits
Commits
82 commits
fd1c1c7
Add CLAUDE.md development guide
rivka-ungar Feb 25, 2026
853dd0d
feat: set up vibe4 migration infrastructure
rivka-ungar Feb 25, 2026
76e52d9
fix: resolve TypeScript build error in v3-to-v4 type-imports-migration
rivka-ungar Feb 25, 2026
3f46cbf
Merge branch 'master' into vibe4
rivka-ungar Feb 25, 2026
b69ab5a
chore: add vibe breaking change skill (#3258)
rivka-ungar Feb 25, 2026
57d9644
fix(Flex): remove stretch from justify prop (#3259)
rivka-ungar Feb 26, 2026
804190a
fix(Toggle): remove duplicate data-testid from Toggle internal elemen…
rivka-ungar Feb 26, 2026
dc031ba
chore: remove ThemeProvider alpha designation (#3277)
rivka-ungar Feb 26, 2026
ee9ba03
fix(Icon): props rename - remove "icon" prefix (#3256)
rivka-ungar Feb 26, 2026
1e37c32
fix(MenuItemIcon): remove deprecated label prop (#3262)
rivka-ungar Feb 26, 2026
76232a1
refactor: remove legacy DatePicker and moment.js dependency (#3278)
rivka-ungar Feb 26, 2026
bf9752a
fix(skill): use conventional commits for breaking change templates (#…
rivka-ungar Feb 26, 2026
b526203
refactor: remove old Dropdown (#3279)
rivka-ungar Feb 26, 2026
7040c08
refactor: remove legacy AttentionBox (#3281)
rivka-ungar Feb 26, 2026
58619c6
refactor: remove LegacyModal, promote new Modal to main export (#3282)
rivka-ungar Feb 26, 2026
1864120
feat: remove enums and static properties from Vibe components (#3283)
talkor Feb 27, 2026
413147e
feat(Chips): remove disableClickableBehavior prop
rivka-ungar Mar 1, 2026
253235d
fix: remove onClick and clickable from CustomSvgIcon (#3264)
rivka-ungar Mar 1, 2026
d425ea7
feat: make Steps finish button default on last step (#3275)
rivka-ungar Mar 1, 2026
6781ee5
fix(Clickable): remove string types from ariaHasPopup and tabIndex (#…
rivka-ungar Mar 1, 2026
0562c35
refactor: Rename LinearProgressBar to ProgressBar (#3272)
rivka-ungar Mar 1, 2026
bc98f26
fix(TextWithHighlight): remove tooltipPosition prop (#3274)
rivka-ungar Mar 1, 2026
52501bf
feat(MenuButton): default focusItemIndexOnMount to 0 for Menu childre…
rivka-ungar Mar 1, 2026
22f7f71
feat(Icon)!: default ariaHidden to true for decorative icons
rivka-ungar Mar 1, 2026
ec31b19
Revert "feat(Icon)!: default ariaHidden to true for decorative icons"
rivka-ungar Mar 1, 2026
f9364e8
feat(Dialog): replace legacy class-based Dialog with new floating-ui …
rivka-ungar Mar 2, 2026
9176948
feat(Tooltip): make TooltipProps extend DialogProps (#3292)
rivka-ungar Mar 2, 2026
30279bf
feat(Tipseen): remove TipseenImage in favor of TipseenMedia (#3293)
rivka-ungar Mar 2, 2026
cdcae41
chore(TableCellSkeleton): remove @supports fallback for aspect-ratio …
talkor Mar 2, 2026
dca47d6
feat(Link): remove @supports CSS block in favor of direct logical pro…
rivka-ungar Mar 2, 2026
fcb0bf0
feat(Dialog): change addKeyboardHideShowTriggersByDefault default to …
rivka-ungar Mar 2, 2026
ec10fb2
feat(Dialog): remove enableNestedDialogLayer, always use LayerProvide…
rivka-ungar Mar 2, 2026
5df39ae
feat(MenuItem): narrow children type to MenuChild only (not array) (#…
rivka-ungar Mar 3, 2026
deb39ea
chore: merge master into vibe4
rivka-ungar Mar 3, 2026
9158df3
chore: remove erroneously merged a11y-dialog and body-scroll-lock deps
rivka-ungar Mar 3, 2026
c3bdba8
fix: restore indentation in packages/core/package.json
rivka-ungar Mar 3, 2026
f4392c9
fix(ProgressBar): replace LinearProgressBar with ProgressBar in tests
rivka-ungar Mar 3, 2026
02d8431
fix(ProgressBar): replace LinearProgressBar with ProgressBar in docs …
rivka-ungar Mar 3, 2026
80dcdf3
feat(TextField): rename iconName prop to icon (#3270)
rivka-ungar Mar 3, 2026
872e7bf
feat: rename camelCase aria props to standard HTML aria-* attributes …
rivka-ungar Mar 3, 2026
92d182a
fix(VirtualizedGrid): correct itemRenderer return type to ReactElemen…
rivka-ungar Mar 3, 2026
f423be2
chore(MultiStepIndicator): update react-transition-group to use nodeR…
talkor Mar 3, 2026
0540786
feat(Toggle): remove noSpacing prop, auto-remove margin when labels a…
talkor Mar 3, 2026
9599a88
feat(useKeyEvent): change callback type from GenericEventCallback to …
rivka-ungar Mar 3, 2026
7e49637
feat(style): rename monday-ui-style package to @vibe/style (#3301)
talkor Mar 3, 2026
b7b3922
chore: replace CSS physical properties with logical properties (#3313)
talkor Mar 3, 2026
9ecc82f
chore(hooks): remove deprecated useMergeRefs hook (#3306)
talkor Mar 3, 2026
0f68dee
docs: add global box-sizing: border-box readme (#3315)
rivka-ungar Mar 3, 2026
e5695c0
feat(Icon): pass size prop to CustomSvgIcon for type="src" icons (#3314)
rivka-ungar Mar 3, 2026
10f2872
fix(TextField): replace iconsNames object prop with flat props (#3265)
rivka-ungar Mar 3, 2026
61d2da8
chore(types): remove VibeComponent type (#3305)
talkor Mar 3, 2026
05380b5
chore(useActiveDescendantListFocus): remove backwardCompatibilityCrea…
talkor Mar 3, 2026
e870562
feat(useListenFocusTriggers): remove from public API (#3304)
talkor Mar 4, 2026
d864c05
feat(VirtualizedList): remove deprecated getItemHeight and onVertical…
talkor Mar 5, 2026
10e8847
feat(style): use --placeholder-color token and reduce TextField paddi…
rivka-ungar Mar 5, 2026
1e1755b
chore: remove framer-motion, replace with react-transition-group + CS…
talkor Mar 5, 2026
8885f48
refactor(core): migrate JSX/JS files to TSX/TS, remove allowJs (#3318)
talkor Mar 5, 2026
b504327
feat(style): remove deprecated semantic spacing tokens (#3320)
rivka-ungar Mar 5, 2026
dbc964a
feat(codemod): add missing v3-to-v4 migration codemods (#3322)
rivka-ungar Mar 8, 2026
062758e
feat(mcp): add v4-migration analysis tool (#3323)
rivka-ungar Mar 8, 2026
5959d66
docs: Vibe 4 migration guide (#3321)
rivka-ungar Mar 8, 2026
012726e
Publish
rivka-ungar Mar 8, 2026
ac5a191
yarn lock
rivka-ungar Mar 8, 2026
f305f32
Publish
rivka-ungar Mar 8, 2026
f7ca751
docs: migration guide (#3324)
talkor Mar 9, 2026
fdc4dab
fix e2e
talkor Mar 10, 2026
5ce5987
chore: upgrade to TS 5 (#3325)
talkor Mar 11, 2026
71f526c
ci: add a v3 release workflow
talkor Mar 11, 2026
1ac7609
fix: add missing @vibe/style dependency to component packages (#3330)
rivka-ungar Mar 12, 2026
49187f2
feat(mcp): detect old vs new API usage for promoted components (#3326)
rivka-ungar Mar 12, 2026
3bc2c6b
fix: add missing @vibe/style dependency to @vibe/base (#3331)
rivka-ungar Mar 12, 2026
01832ac
Publish
rivka-ungar Mar 12, 2026
8c8df23
publish
rivka-ungar Mar 12, 2026
3e6ed76
chore: remove gitHead from package.json files
rivka-ungar Mar 12, 2026
36faa70
Merge branch 'master' into vibe4
rivka-ungar Mar 13, 2026
a457b8c
feat(dialog): default enableNestedDialogLayer to true (#3332)
rivka-ungar Mar 15, 2026
5ee54fe
add Menu
talkor Mar 15, 2026
b68de2f
fix(testkit): fix e2e locators broken by vibe4 changes (#3333)
rivka-ungar Mar 16, 2026
8074005
Merge branch 'vibe4' into v3-release-workflow
talkor Mar 16, 2026
5d04fb2
Merge branch 'master' into v3-release-workflow
talkor Mar 24, 2026
39c0646
lock
talkor Mar 24, 2026
39b4f99
Merge branch 'master' into v3-release-workflow
talkor Mar 30, 2026
85 changes: 85 additions & 0 deletions .github/workflows/release-v3.yml
@@ -0,0 +1,85 @@
name: Release v3 version

on:
workflow_dispatch:

jobs:
validate-branch:
name: Validate Branch
runs-on: ubuntu-latest
steps:
- name: Ensure running on vibe3
if: github.ref != 'refs/heads/vibe3'
run: |
echo "::error::Release v3 workflow must be triggered from the vibe3 branch. Current branch: ${{ github.ref }}"
exit 1

notify-release-start:
Comment on lines +8 to +17

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 9 days ago

In general, fix this by adding an explicit permissions block that grants only the minimal scopes needed. You can set a restrictive permissions block at the workflow root (applies to all jobs) and then override it per job where additional permissions are necessary.

For this specific workflow:

  • Add a top-level permissions block after name: (or after on:) with the minimal sensible default, e.g. contents: read. This is safe for jobs that don’t need to modify the repo or PRs.
  • For validate-branch: it only checks github.ref and prints an error; it does not use GITHUB_TOKEN at all. It can either inherit contents: read or, more strictly, override with permissions: {} to disable the token entirely.
  • For notify-release-start: it calls an HTTP webhook using a secret and does not interact with the GitHub API; inheriting contents: read is fine, but it also could use permissions: {}. To keep the configuration simple, letting it inherit read-only is acceptable and still follows least-privilege relative to defaults.
  • For build and test: they are uses:-reusable workflows. Their inner permissions are defined in their own files; this file only needs enough permission for needs/outputs, which does not require extra scopes beyond read of repo metadata. Let them inherit contents: read.
  • For release: this job checks out the repository, creates versions and GitHub releases (lerna version --create-release github), and uses VIBE_GITHUB_TOKEN. Creating releases requires contents: write; it may also need pull-requests: write if it manipulates PRs (not visible here), but we can safely grant contents: write which covers creating tags and releases. So add a per-job permissions block with contents: write (and optionally other specific scopes if later required) overriding the read-only default.

All required changes are in .github/workflows/release-v3.yml:

  • Insert a root-level permissions: block (e.g., after the on: block) with contents: read.
  • Insert a permissions: {} block in the validate-branch job to fully disable GITHUB_TOKEN for that job.
  • Insert a permissions: block for the release job that sets contents: write.

No new imports or external libraries are needed, as this is a YAML workflow configuration change only.

Suggested changeset 1
.github/workflows/release-v3.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/release-v3.yml b/.github/workflows/release-v3.yml
--- a/.github/workflows/release-v3.yml
+++ b/.github/workflows/release-v3.yml
@@ -3,10 +3,14 @@
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   validate-branch:
     name: Validate Branch
     runs-on: ubuntu-latest
+    permissions: {}
     steps:
       - name: Ensure running on vibe3
         if: github.ref != 'refs/heads/vibe3'
@@ -57,6 +57,8 @@
     needs: [build, test]
     if: ${{ needs.build.outputs.has_changes == 'true' }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     env:
       NODE_AUTH_TOKEN: ${{ secrets.npm_token }}
     steps:
EOF
@@ -3,10 +3,14 @@
on:
workflow_dispatch:

permissions:
contents: read

jobs:
validate-branch:
name: Validate Branch
runs-on: ubuntu-latest
permissions: {}
steps:
- name: Ensure running on vibe3
if: github.ref != 'refs/heads/vibe3'
@@ -57,6 +57,8 @@
needs: [build, test]
if: ${{ needs.build.outputs.has_changes == 'true' }}
runs-on: ubuntu-latest
permissions:
contents: write
env:
NODE_AUTH_TOKEN: ${{ secrets.npm_token }}
steps:
Copilot is powered by AI and may make mistakes. Always verify output.
name: Notify Slack - Release Started
needs: validate-branch
runs-on: ubuntu-latest
continue-on-error: true
steps:
- name: Send Slack notification
uses: fjogeleit/http-request-action@v1
with:
url: ${{ secrets.SLACK_DEV_TEAM_WEBHOOK_URL }}
method: "POST"
contentType: "application/json"
data: |
{
"event": "v3_release_started",
"actor": "${{ github.actor }}",
"commit_id": "${{ github.sha }}",
"workflow": "${{ github.workflow }}",
"run_url": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}",
"commit_url": "${{ github.server_url }}/${{ github.repository }}/commit/${{ github.sha }}"
}

build:
Comment on lines +18 to +39

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 9 days ago

In general, to fix this issue you should explicitly declare a permissions: block in the workflow, granting only the minimal rights each job actually needs. Jobs that only read repository metadata (or do not use GITHUB_TOKEN at all, like a pure Slack webhook call) can safely be restricted to contents: read. Jobs that need to write releases or tags may need contents: write or other specific scopes, but that is outside the scope of the flagged line; we must not change functionality of other jobs.

For this specific alert on notify-release-start, the safest, non-breaking fix is to define explicit read-only permissions for that job only. The job does not check out code, does not push commits, and does not create releases or pull requests. Its steps all use only secrets and workflow context; therefore, giving it contents: read is sufficient and will not impact its behavior. We will add a permissions: block under the notify-release-start job with contents: read. We will leave the other jobs (validate-branch, build, test, release) unchanged, so they continue using the repo’s current defaults and therefore preserve existing behavior.

Concretely:

  • Edit .github/workflows/release-v3.yml.
  • Under jobs:, inside the notify-release-start: job, insert:
    permissions:
      contents: read

between needs: validate-branch and runs-on: ubuntu-latest. No imports or additional definitions are needed.

Suggested changeset 1
.github/workflows/release-v3.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/release-v3.yml b/.github/workflows/release-v3.yml
--- a/.github/workflows/release-v3.yml
+++ b/.github/workflows/release-v3.yml
@@ -17,6 +17,8 @@
   notify-release-start:
     name: Notify Slack - Release Started
     needs: validate-branch
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     continue-on-error: true
     steps:
EOF
@@ -17,6 +17,8 @@
notify-release-start:
name: Notify Slack - Release Started
needs: validate-branch
permissions:
contents: read
runs-on: ubuntu-latest
continue-on-error: true
steps:
Copilot is powered by AI and may make mistakes. Always verify output.
name: Build
needs: validate-branch
uses: ./.github/workflows/build-and-upload.yml
secrets:
npm_token: ${{ secrets.npm_token }}

test:
Comment on lines +40 to +46

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 9 days ago

In general, the fix is to add an explicit permissions block that grants only the minimal required scopes to each job or to the workflow as a whole. Non-mutating jobs should get read-only (or even contents: read only), and only the releasing job should receive write permissions needed to create tags, releases, or other changes.

The best minimal change here is:

  • Add a root-level permissions: contents: read so that all jobs default to read-only.
  • Add a job-level permissions block to the release job granting the write access it actually needs. Because lerna version --create-release github will create git tags and GitHub releases, we should grant contents: write and packages: write (for publishing) and pull-requests: write only if needed; nothing in the snippet shows PR modifications, so we can omit that. If your release process only needs repo contents and releases, contents: write is sufficient; including packages: write is a safe complement for publishing workflows, though npm publishing itself uses NODE_AUTH_TOKEN, not GITHUB_TOKEN.

Concretely:

  • In .github/workflows/release-v3.yml, insert a root-level permissions: block after the on: section so all jobs get contents: read by default.
  • In the release job definition, add a permissions: block setting contents: write (and optionally packages: write if your policy is to allow it there). No imports or external dependencies are required; this is purely a YAML configuration change.
Suggested changeset 1
.github/workflows/release-v3.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/release-v3.yml b/.github/workflows/release-v3.yml
--- a/.github/workflows/release-v3.yml
+++ b/.github/workflows/release-v3.yml
@@ -3,6 +3,9 @@
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   validate-branch:
     name: Validate Branch
@@ -57,6 +60,8 @@
     needs: [build, test]
     if: ${{ needs.build.outputs.has_changes == 'true' }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     env:
       NODE_AUTH_TOKEN: ${{ secrets.npm_token }}
     steps:
EOF
@@ -3,6 +3,9 @@
on:
workflow_dispatch:

permissions:
contents: read

jobs:
validate-branch:
name: Validate Branch
@@ -57,6 +60,8 @@
needs: [build, test]
if: ${{ needs.build.outputs.has_changes == 'true' }}
runs-on: ubuntu-latest
permissions:
contents: write
env:
NODE_AUTH_TOKEN: ${{ secrets.npm_token }}
steps:
Copilot is powered by AI and may make mistakes. Always verify output.
name: Test
needs: build
uses: ./.github/workflows/test.yml
with:
has_changes: ${{ needs.build.outputs.has_changes }}
secrets:
npm_token: ${{ secrets.npm_token }}

release:
Comment on lines +47 to +55

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 9 days ago

In general: Add an explicit permissions: block to the workflow to limit the default GITHUB_TOKEN permissions to read-only, and then selectively grant write permissions only to jobs that actually need them (here, the release job, which creates GitHub releases and likely needs contents: write and pull-requests: write).

Best concrete fix for this file:

  1. Add a root-level permissions: block near the top of .github/workflows/release-v3.yml, just after name: (before on:), to apply to all jobs by default:

    • Set contents: read as the baseline.
    • Optionally add other read-only scopes if needed in the future; based on the visible steps, read-only contents is sufficient for validate-branch, notify-release-start, build, and test.
  2. Add a job-level permissions: block to the release job because it:

    • Checks out code (uses contents permissions; read is sufficient for checkout).
    • Runs yarn lerna version ... --create-release github, which creates GitHub releases and possibly interacts with tags/releases via the GitHub API. This typically requires contents: write and often pull-requests: write when interacting with PR metadata.
    • To avoid breaking existing behavior, give release the necessary write scopes:
      • contents: write
      • pull-requests: write
  3. Leave test (and the other jobs) inheriting the new root-level minimal permissions: to satisfy CodeQL’s concern on the test job while keeping them least-privilege.

All needed changes are within .github/workflows/release-v3.yml; no imports or additional definitions are required.

Suggested changeset 1
.github/workflows/release-v3.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/release-v3.yml b/.github/workflows/release-v3.yml
--- a/.github/workflows/release-v3.yml
+++ b/.github/workflows/release-v3.yml
@@ -1,5 +1,8 @@
 name: Release v3 version
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
 
@@ -57,6 +60,9 @@
     needs: [build, test]
     if: ${{ needs.build.outputs.has_changes == 'true' }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     env:
       NODE_AUTH_TOKEN: ${{ secrets.npm_token }}
     steps:
EOF
@@ -1,5 +1,8 @@
name: Release v3 version

permissions:
contents: read

on:
workflow_dispatch:

@@ -57,6 +60,9 @@
needs: [build, test]
if: ${{ needs.build.outputs.has_changes == 'true' }}
runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write
env:
NODE_AUTH_TOKEN: ${{ secrets.npm_token }}
steps:
Copilot is powered by AI and may make mistakes. Always verify output.
name: Release
needs: [build, test]
if: ${{ needs.build.outputs.has_changes == 'true' }}
runs-on: ubuntu-latest
env:
NODE_AUTH_TOKEN: ${{ secrets.npm_token }}
steps:
- uses: actions/checkout@v4
with:
token: ${{ secrets.VIBE_GITHUB_TOKEN }}
fetch-depth: 0
- name: Run Setup
uses: ./.github/actions/setup
with:
npm_token: ${{ secrets.npm_token }}
- uses: ./.github/actions/git-creds
- uses: ./.github/actions/download-builds
- name: Generate new versions
run: yarn lerna version --exact --conventional-commits --message "Publish [skip ci]" -y --create-release github
env:
GH_TOKEN: ${{ secrets.VIBE_GITHUB_TOKEN }}
- run: yarn config set registry https://registry.npmjs.org/
- name: Setup .npmrc for publish
id: setup-npmrc
run: echo "//registry.npmjs.org/:_authToken=$NODE_AUTH_TOKEN" > .npmrc
- name: Publish to npm with v3 dist-tag
run: yarn lerna publish from-package --dist-tag v3 --dry-run -y
Comment on lines +81 to +82
Contributor


Action required

1. Publish is dry-run 🐞 Bug ✓ Correctness

release-v3.yml runs yarn lerna publish ... --dry-run, so no packages are actually published even
though the workflow also bumps versions and creates a GitHub release, leaving the repo/releases
ahead of npm. This can produce a broken release state where consumers cannot install the released
versions.
Agent Prompt
### Issue description
The v3 release workflow does not publish anything because it runs `yarn lerna publish ... --dry-run`, despite creating version bumps/GitHub releases.

### Issue Context
This can create GitHub tags/releases and bumped versions without corresponding npm artifacts.

### Fix Focus Areas
- .github/workflows/release-v3.yml[81-82]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

- name: Remove .npmrc
if: steps.setup-npmrc.outcome == 'success'
run: rm .npmrc
Comment on lines +56 to +85

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 9 days ago

To fix the problem, explicitly define permissions for the workflow so that GITHUB_TOKEN has only the minimal scopes required. Since this is a release workflow that creates GitHub releases and likely pushes tags/commits, the release job needs contents: write. The other jobs (validate-branch, notify-release-start, build, test) only read repository metadata and/or call sub‑workflows and external services; they can use contents: read or inherit a conservative default.

The simplest and safest change without altering functionality is:

  • Add a top-level permissions: block after name: (before on:) setting contents: read so all jobs default to read-only repo access.
  • Add a job-level permissions: block under the release job with contents: write to allow it to create tags/commits/releases as it already does via CLI tools and GitHub APIs.

No additional imports or dependencies are required; this is purely a YAML configuration change within .github/workflows/release-v3.yml.

Suggested changeset 1
.github/workflows/release-v3.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/release-v3.yml b/.github/workflows/release-v3.yml
--- a/.github/workflows/release-v3.yml
+++ b/.github/workflows/release-v3.yml
@@ -1,5 +1,8 @@
 name: Release v3 version
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
 
@@ -57,6 +60,8 @@
     needs: [build, test]
     if: ${{ needs.build.outputs.has_changes == 'true' }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     env:
       NODE_AUTH_TOKEN: ${{ secrets.npm_token }}
     steps:
EOF
@@ -1,5 +1,8 @@
name: Release v3 version

permissions:
contents: read

on:
workflow_dispatch:

@@ -57,6 +60,8 @@
needs: [build, test]
if: ${{ needs.build.outputs.has_changes == 'true' }}
runs-on: ubuntu-latest
permissions:
contents: write
env:
NODE_AUTH_TOKEN: ${{ secrets.npm_token }}
steps:
Copilot is powered by AI and may make mistakes. Always verify output.
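Review bot: The `Send Slack notification` step runs third-party code from a mutable tag, `uses: fjogeleit/http-request-action@v1`, while passing it `secrets.SLACK_DEV_TEAM_WEBHOOK_URL`, so a retagged `v1` would change what executes with that secret. Pinning to a full commit SHA, `uses: fjogeleit/http-request-action@<full-commit-sha> # v1`, fixes the code that sees the webhook URL. Separately, in the `release` job the `Remove .npmrc` step has `if: steps.setup-npmrc.outcome == 'success'` with no status function, so the implicit `success()` check skips it whenever the publish step before it fails, and the file holding `$NODE_AUTH_TOKEN` stays in the workspace for the rest of the job. `if: always() && steps.setup-npmrc.outcome == 'success'` would run the cleanup on failure as well.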
1 change: 0 additions & 1 deletion packages/core/src/components/Badge/Badge.tsx
Expand Up @@ -7,7 +7,6 @@ import { ComponentDefaultTestId, ComponentVibeId } from "../../tests/constants";
import { type BadgeAlignments, type BadgeAnchor, type BadgeType } from "./Badge.types";
import Indicator, { type IndicatorProps } from "./Indicator/Indicator";
import Counter, { type CounterProps } from "../Counter/Counter";

import { type IndicatorColor } from "./Indicator/Indicator.types";
import { type CounterColor } from "../Counter/Counter.types";
import styles from "./Badge.module.scss";
1 change: 0 additions & 1 deletion packages/core/src/components/Combobox/Combobox.tsx
Expand Up @@ -8,7 +8,6 @@ import { ComponentDefaultTestId, getTestId } from "../../tests/test-ids-utils";
import Search from "../Search/Search";
import { Button } from "@vibe/button";
import { Text } from "@vibe/typography";

import { defaultFilter } from "./ComboboxService";
import { ComboboxItems } from "./components/ComboboxItems/ComboboxItems";
import { StickyCategoryHeader } from "./components/StickyCategoryHeader/StickyCategoryHeader";
1 change: 0 additions & 1 deletion packages/core/src/components/Counter/Counter.tsx
Expand Up @@ -6,7 +6,6 @@ import React, { useCallback, useEffect, useMemo, useRef, useState } from "react"
import { CSSTransition, SwitchTransition } from "react-transition-group";
import useEventListener from "../../hooks/useEventListener";
import useAfterFirstRender from "../../hooks/useAfterFirstRender";

import { type CounterColor, type CounterSize, type CounterType } from "./Counter.types";
import { type VibeComponentProps } from "../../types";
import styles from "./Counter.module.scss";
1 change: 0 additions & 1 deletion packages/core/src/components/ListItem/ListItem.tsx
Expand Up @@ -12,7 +12,6 @@ import { camelCase } from "es-toolkit";
import { getStyle, NOOP, useMergeRef } from "@vibe/shared";
import { Text } from "@vibe/typography";
import { SIZES, SELECTION_KEYS } from "../../constants";

import { type VibeComponentProps, type ElementContent } from "../../types";
import { useKeyEvent } from "../../hooks";

Expand Up @@ -4,7 +4,6 @@ import { useMergeRef, getStyle } from "@vibe/shared";
import { Icon, type SubIcon } from "@vibe/icon";
import { type ListItemElement } from "../ListItem";
import { type VibeComponentProps } from "../../types";

import styles from "./ListItemIcon.module.scss";
import { type ListItemIconMargin } from "./ListItemIcon.types";

1 change: 0 additions & 1 deletion packages/core/src/components/Menu/Menu/Menu.tsx
Expand Up @@ -13,7 +13,6 @@ import { useAdjacentSelectableMenuIndex } from "./hooks/useAdjacentSelectableMen
import { useFocusWithin } from "../../../hooks/useFocusWithin";
import usePrevious from "../../../hooks/usePrevious";
import { type ElementContent, type VibeComponentProps } from "../../../types";

import { getTestId } from "../../../tests/test-ids-utils";
import { ComponentDefaultTestId, ComponentVibeId } from "../../../tests/constants";
import { useFocusOnMount } from "./hooks/useFocusOnMount";
12 changes: 12 additions & 0 deletions yarn.lock
Expand Up @@ -6854,6 +6854,18 @@
es-toolkit "^1.39.10"
monday-ui-style "0.26.2"

"@vibe/typography@3.0.5":
version "3.0.5"
resolved "https://registry.yarnpkg.com/@vibe/typography/-/typography-3.0.5.tgz#d6cc582f24b15ea4bd5181b90f1a3f616f55292b"
integrity sha512-SRLWcFymgsdjagstUXWyUb8nYaQCKiaHi6/488MyjP5ssSXzP0/uJcQkd7c29fmZXxh5lg53xTEebPZrR7bmLA==
dependencies:
"@vibe/hooks" "3.0.3"
"@vibe/shared" "3.0.8"
"@vibe/tooltip" "3.0.5"
classnames "^2.5.1"
es-toolkit "^1.39.10"
monday-ui-style "0.26.2"

"@vitejs/plugin-react@^4.3.1":
version "4.5.2"
resolved "https://registry.npmjs.org/@vitejs/plugin-react/-/plugin-react-4.5.2.tgz"