
@eluce2 eluce2 commented Aug 16, 2025

Summary by CodeRabbit

  • Chores
    • Added an automated continuous release workflow to build and publish packages on pushes and pull requests, streamlining release delivery.
    • No direct user-facing changes in this release; functionality and public interfaces remain unchanged.


vercel bot commented Aug 16, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: proofkit-docs | Deployment: Ready | Preview: Preview link | Updated (UTC): Aug 16, 2025 6:17pm

@eluce2 eluce2 marked this pull request as ready for review August 16, 2025 17:57

eluce2 commented Aug 16, 2025

This stack of pull requests is managed by Graphite. Learn more about stacking.

@@ -0,0 +1,28 @@
name: Publish Any Commit

There appears to be a typo in the filename: continuous-releast.yml should be continuous-release.yml. This could potentially cause issues if the workflow is referenced by name in other parts of the codebase or documentation. Consider correcting the spelling before merging.

Spotted by Diamond



pkg-pr-new bot commented Aug 16, 2025


@proofkit/better-auth

pnpm add https://pkg.pr.new/proofgeist/proofkit/@proofkit/better-auth@65

@proofkit/cli

pnpm add https://pkg.pr.new/proofgeist/proofkit/@proofkit/cli@65

create-proofkit

pnpm add https://pkg.pr.new/proofgeist/proofkit/create-proofkit@65

@proofkit/fmdapi

pnpm add https://pkg.pr.new/proofgeist/proofkit/@proofkit/fmdapi@65

@proofkit/typegen

pnpm add https://pkg.pr.new/proofgeist/proofkit/@proofkit/typegen@65

@proofkit/webviewer

pnpm add https://pkg.pr.new/proofgeist/proofkit/@proofkit/webviewer@65

commit: f109ac4


coderabbitai bot commented Aug 16, 2025

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Adds a GitHub Actions workflow "Publish Any Commit" that runs on push and pull_request, checks out the repo, enables corepack, sets up Node.js 22 with pnpm caching, runs pnpm install and pnpm build, then publishes packages with pnpm dlx pkg-pr-new publish './packages/*' --packageManager=pnpm.

Changes

Cohort / File(s): CI/CD Workflow: .github/workflows/continuous-release.yml
Summary: Adds a workflow named "Publish Any Commit" triggered on push and pull_request with a single ubuntu-latest job that: checks out code, enables corepack, sets up Node.js v22 with pnpm cache, runs pnpm install and pnpm build, and publishes packages via pnpm dlx pkg-pr-new publish './packages/*' --packageManager=pnpm.

Sequence Diagram(s)

sequenceDiagram
  participant Dev as Dev (push/pr)
  participant GH as GitHub Actions
  participant Runner as ubuntu-latest
  Dev->>GH: push / pull_request
  GH->>Runner: start job "build"
  Runner->>Runner: actions/checkout@v4
  Runner->>Runner: corepack enable
  Runner->>Runner: actions/setup-node@v4 (Node.js v22, pnpm cache)
  Runner->>Runner: pnpm install
  Runner->>Runner: pnpm build
  Runner->>Runner: pnpm dlx pkg-pr-new publish './packages/*' --packageManager=pnpm
  Runner->>GH: job completes

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

📥 Commits

Reviewing files that changed from the base of the PR and between e2799bf and f109ac4.

📒 Files selected for processing (1)
  • .github/workflows/continuous-release.yml (1 hunks)


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (6)
.github/workflows/continuous-releast.yml (6)

1-1: Typo in workflow filename ("continuous-releast.yml").

Recommend renaming the file to "continuous-release.yml" (or "continuous-release.yaml") to avoid confusion and improve discoverability.


2-2: Confirm intent to publish on every push and PR.

Running publish logic on both push and pull_request can spam preview publishes and comments on non-PR commits. If the goal is PR preview publishes (as pkg-pr-new typically does), restrict to pull_request (and optionally workflow_dispatch). If you truly want it on push, consider gating publish steps by event.

Option A (PR-only triggers):

-on: [push, pull_request]
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+  workflow_dispatch:

Option B (gate publish steps to PR events; see a concrete diff for lines 24–28 in a later comment).


12-17: Enable Corepack after setting up Node; tighten caching.

Small ordering nit: enable Corepack after actions/setup-node to match the configured Node version. Also consider pinning cache by pnpm-lock.yaml for more reliable cache hits.

Apply this diff:

-      - run: corepack enable
       - uses: actions/setup-node@v4
         with:
           node-version: 22
           cache: "pnpm"
+          cache-dependency-path: pnpm-lock.yaml
+
+      - run: corepack enable

18-23: LGTM: Install and build are straightforward.

Assuming a workspace with a proper build script, this is fine. Optionally add “CI=true” to fail on warnings if desired.

-      - name: Build
-        run: pnpm build
+      - name: Build
+        run: CI=true pnpm build

1-6: Add concurrency to auto-cancel superseded runs on the same ref/PR.

This keeps only the latest run active and saves minutes.

Apply this diff near the top (after “on” and before “jobs”):

 name: Publish Any Commit
 on: [push, pull_request]
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   build:
     runs-on: ubuntu-latest

24-28: Reduce duplication by publishing via a matrix.

Nice-to-have: make the five publish steps a matrix to keep DRY and easier to add/remove packages.

Here’s an example replacement for the publish steps:

    strategy:
      matrix:
        pkg:
          - path: ./packages/cli
            flags: --bin
          - path: ./packages/typegen
            flags: --bin
          - path: ./packages/fmdapi
            flags: ""
          - path: ./packages/webviewer
            flags: ""
          - path: ./packages/better-auth
            flags: ""
    steps:
      # ...checkout/setup/install/build...
      - if: ${{ github.event_name == 'pull_request' }}
        name: Publish ${{ matrix.pkg.path }}
        run: pnpm dlx pkg-pr-new publish '${{ matrix.pkg.path }}' ${{ matrix.pkg.flags }} --packageManager=pnpm
📥 Commits

Reviewing files that changed from the base of the PR and between 9f9c0ae and bed8fa5.

📒 Files selected for processing (1)
  • .github/workflows/continuous-releast.yml (1 hunks)
🔇 Additional comments (1)
.github/workflows/continuous-releast.yml (1)

8-11: LGTM: Checkout step is standard.

actions/checkout@v4 with default settings is appropriate here.

Comment on lines 3 to 6

jobs:
build:
runs-on: ubuntu-latest
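Review bot: the visible job declares no `permissions:` block, so the GITHUB_TOKEN handed to this job inherits the repository's default scope rather than one chosen for this workflow; add an explicit top-level `permissions:` with `contents: read` (and `pull-requests: write` only if the publish step must comment on PRs) so the token scope is pinned in the file and reviewed together with the code that uses it.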

🛠️ Refactor suggestion

Set explicit GITHUB_TOKEN permissions required by pkg-pr-new.

pkg-pr-new typically needs to comment on PRs. The default GITHUB_TOKEN may be read-only; set minimal write permissions for pull-requests.

Apply this diff at the top-level (after “on”) to grant the least privileges needed:

 name: Publish Any Commit
 on: [push, pull_request]
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   build:
     runs-on: ubuntu-latest

Comment on lines 24 to 28
- run: pnpm dlx pkg-pr-new publish './packages/cli' --bin --packageManager=pnpm
- run: pnpm dlx pkg-pr-new publish './packages/typegen' --bin --packageManager=pnpm
- run: pnpm dlx pkg-pr-new publish './packages/fmdapi' --packageManager=pnpm
- run: pnpm dlx pkg-pr-new publish './packages/webviewer' --packageManager=pnpm
- run: pnpm dlx pkg-pr-new publish './packages/better-auth' --packageManager=pnpm
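Review bot: each of the five steps runs `pnpm dlx pkg-pr-new` with no version, so every CI run downloads and executes whatever pkg-pr-new version is latest on the registry at that moment; pin it (`pkg-pr-new@<version>`, the version being a placeholder to fill from the tool's releases) so the publisher itself is reproducible and a broken or compromised release of the tool cannot enter CI unnoticed. Gating these steps on `github.event_name == 'pull_request'` would additionally keep them from running on bare pushes.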

🛠️ Refactor suggestion

Gate preview publishes to PR events (avoid publishing on pushes).

If you keep on: [push, pull_request], at least restrict pkg-pr-new to PRs to prevent unnecessary runs and comments on non-PR commits.

Apply this diff:

-      - run: pnpm dlx pkg-pr-new publish './packages/cli' --bin --packageManager=pnpm
-      - run: pnpm dlx pkg-pr-new publish './packages/typegen' --bin --packageManager=pnpm
-      - run: pnpm dlx pkg-pr-new publish './packages/fmdapi' --packageManager=pnpm
-      - run: pnpm dlx pkg-pr-new publish './packages/webviewer' --packageManager=pnpm
-      - run: pnpm dlx pkg-pr-new publish './packages/better-auth' --packageManager=pnpm
+      - if: ${{ github.event_name == 'pull_request' }}
+        run: pnpm dlx pkg-pr-new publish './packages/cli' --bin --packageManager=pnpm
+      - if: ${{ github.event_name == 'pull_request' }}
+        run: pnpm dlx pkg-pr-new publish './packages/typegen' --bin --packageManager=pnpm
+      - if: ${{ github.event_name == 'pull_request' }}
+        run: pnpm dlx pkg-pr-new publish './packages/fmdapi' --packageManager=pnpm
+      - if: ${{ github.event_name == 'pull_request' }}
+        run: pnpm dlx pkg-pr-new publish './packages/webviewer' --packageManager=pnpm
+      - if: ${{ github.event_name == 'pull_request' }}
+        run: pnpm dlx pkg-pr-new publish './packages/better-auth' --packageManager=pnpm

@@ -0,0 +1,24 @@
name: Publish Any Commit

Both workflows currently share the same name "Publish Any Commit", which may create ambiguity in the GitHub Actions UI when viewing workflow runs. Consider renaming this workflow to something more descriptive like Publish Binary Packages to clearly differentiate its purpose from the other workflow that handles non-binary packages. This will make it easier to identify and monitor specific workflow runs at a glance.

Suggested change
name: Publish Any Commit
name: Publish Binary Packages

Spotted by Diamond



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (13)
.github/workflows/continuous-release.yml (6)

1-1: Give this workflow a distinct, descriptive name.

Both new workflows are named "Publish Any Commit," which is confusing in the Actions UI. Differentiate by scope.

-name: Publish Any Commit
+name: Continuous Release (packages)

2-2: Scope triggers to relevant branches/paths to reduce noise and cost.

Running on every push to any branch can be noisy and expensive. Recommend:

  • Run previews on PRs.
  • Optionally run on pushes to main.
  • Add path filters to only run when relevant packages or lockfile change.
-on: [push, pull_request]
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+    paths:
+      - 'packages/fmdapi/**'
+      - 'packages/webviewer/**'
+      - 'packages/better-auth/**'
+      - 'pnpm-lock.yaml'
+      - '.github/workflows/continuous-release.yml'
+  push:
+    branches: [main]
+    paths:
+      - 'packages/fmdapi/**'
+      - 'packages/webviewer/**'
+      - 'packages/better-auth/**'
+      - 'pnpm-lock.yaml'
+      - '.github/workflows/continuous-release.yml'

4-7: Add least-privilege permissions and cancel in-progress duplicates.

Helps security posture and avoids redundant runs on rapid pushes to the same ref.

 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.ref }}
+      cancel-in-progress: true
+    env:
+      CI: true

12-17: Tighten Node setup and caching for stability.

  • Prefer 22.x over 22 to get the latest compatible patch.
  • Enable check-latest to get freshest patch.
  • Explicitly set cache-dependency-path for pnpm lockfile.
   - uses: actions/setup-node@v4
     with:
-      node-version: 22
-      cache: "pnpm"
+      node-version: 22.x
+      check-latest: true
+      cache: pnpm
+      cache-dependency-path: pnpm-lock.yaml

18-23: Make installs reproducible and faster.

Use frozen lockfile and prefer offline cache; keep build as-is unless workspace scripts require -r.

   - name: Install dependencies
-    run: pnpm install
+    run: pnpm install --frozen-lockfile --prefer-offline

24-24: Gate pkg-pr-new publishing to PRs; confirm intent vs. “continuous release.”

pkg-pr-new is typically for PR preview packages, not production releases. If that’s intended, only run this on pull_request. If you actually want continuous npm releases on main, a separate step with npm publish and provenance would be needed.

-  - run: pnpm dlx pkg-pr-new publish './packages/fmdapi' "./packages/webviewer" "./packages/better-auth" --packageManager=pnpm
+  - if: github.event_name == 'pull_request'
+    run: pnpm dlx pkg-pr-new publish './packages/fmdapi' './packages/webviewer' './packages/better-auth' --packageManager=pnpm

If you do want a real release on main pushes, I can sketch a follow-up job/step with npm provenance and scoped permissions.

.github/workflows/continuous-release-bin.yml (7)

1-1: Differentiate this workflow’s name from the other one.

Avoid identical names in the Actions list.

-name: Publish Any Commit
+name: Continuous Release (binaries)

2-2: Constrain triggers to relevant events/paths.

Mirror the packages workflow: PR-only for preview publishes; optional push to main; path filters for CLI/typegen and lockfile.

-on: [push, pull_request]
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+    paths:
+      - 'packages/cli/**'
+      - 'packages/typegen/**'
+      - 'pnpm-lock.yaml'
+      - '.github/workflows/continuous-release-bin.yml'
+  push:
+    branches: [main]
+    paths:
+      - 'packages/cli/**'
+      - 'packages/typegen/**'
+      - 'pnpm-lock.yaml'
+      - '.github/workflows/continuous-release-bin.yml'

4-7: Add least-privilege permissions, concurrency, and CI env.

Same rationale as the other workflow.

 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.ref }}
+      cancel-in-progress: true
+    env:
+      CI: true

12-17: Align Node setup and caching.

Use 22.x, check-latest, and cache-dependency-path.

   - uses: actions/setup-node@v4
     with:
-      node-version: 22
-      cache: "pnpm"
+      node-version: 22.x
+      check-latest: true
+      cache: pnpm
+      cache-dependency-path: pnpm-lock.yaml

18-23: Use frozen lockfile and offline preference.

   - name: Install dependencies
-    run: pnpm install
+    run: pnpm install --frozen-lockfile --prefer-offline

24-24: Limit pkg-pr-new binary publishes to PRs and confirm intent.

Previews on PRs are fine; for true “continuous releases,” you’d use npm publish on main with appropriate permissions and tokens.

-  - run: pnpm dlx pkg-pr-new publish './packages/cli' './packages/typegen' --bin --packageManager=pnpm
+  - if: github.event_name == 'pull_request'
+    run: pnpm dlx pkg-pr-new publish './packages/cli' './packages/typegen' --bin --packageManager=pnpm

4-24: Consider deduplicating these two workflows with a matrix or a reusable workflow.

Both files share 95% of steps. You can:

  • Use a matrix over package paths and a flag indicating binaries vs. libraries; or
  • Extract a reusable workflow that accepts inputs (package list, bin flag) and call it twice.

This reduces drift and maintenance overhead.

I can draft a reusable workflow with inputs for package globs and a bin boolean if you want to go that route.


📥 Commits

Reviewing files that changed from the base of the PR and between bed8fa5 and a3f092c.

📒 Files selected for processing (2)
  • .github/workflows/continuous-release-bin.yml (1 hunks)
  • .github/workflows/continuous-release.yml (1 hunks)


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (5)
.github/workflows/continuous-release.yml (5)

9-11: Fetch full history for tools that diff commits (safer for monorepos and release tooling)

Some release tools need history to compute changed packages. Depth 0 prevents subtle failures.

       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0

12-17: Enable corepack after installing Node and set registry/cache details

Enabling corepack after setup-node ensures the shims come from the configured Node version. Adding registry-url and cache-dependency-path makes publishing and caching more reliable.

-      - run: corepack enable
       - uses: actions/setup-node@v4
         with:
           node-version: 22
-          cache: "pnpm"
+          cache: "pnpm"
+          cache-dependency-path: pnpm-lock.yaml
+          registry-url: 'https://registry.npmjs.org'
+      - run: corepack enable

18-22: Make installs reproducible

Lockfile-respecting installs reduce CI flakiness and accidental version drifts.

       - name: Install dependencies
-        run: pnpm install
+        run: pnpm install --frozen-lockfile

If this is a workspace, consider driving builds from the root script: pnpm -w build.


5-7: Prevent overlapping publishes on rapid pushes

Concurrency avoids double-publishes and “version already exists” races on main.

   build:
     runs-on: ubuntu-latest
+    concurrency:
+      group: publish-${{ github.ref }}
+      cancel-in-progress: true

1-2: Optionally narrow triggers and support tag releases

Current triggers are fine, but narrowing reduces noise and allows tag-based releases.

-name: Publish Any Commit
-on: [push, pull_request]
+name: Publish Any Commit
+on:
+  push:
+    branches: [main]
+    tags: ['v*']
+  pull_request:

If you keep PR trigger, the publish step is already gated to main by the earlier change.


📥 Commits

Reviewing files that changed from the base of the PR and between a3f092c and a039a78.

📒 Files selected for processing (1)
  • .github/workflows/continuous-release.yml (1 hunks)

Comment on lines 21 to 23
- name: Build
run: pnpm build
- run: pnpm dlx pkg-pr-new publish --compact './packages/*' --packageManager=pnpm
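Review bot: `'./packages/*'` hands every directory under packages/ to pkg-pr-new, including any private, internal or scaffolding workspace package that happens to live there; confirm that each directory matching the glob is meant to be installable by third parties, or list the publishable paths explicitly as the earlier five-step version did, before relying on the wildcard.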

⚠️ Potential issue

Block publishing on PRs and wire up npm auth to avoid broken checks and failed publishes

As written, the publish step runs on pull_request where secrets aren’t available, causing failures and red PR checks. Also, publishing needs an npm token and registry config.

Apply this diff to gate publishes to main pushes and provide auth env for pkg-pr-new:

       - name: Build
         run: pnpm build
-      - run: pnpm dlx pkg-pr-new publish --compact './packages/*' --packageManager=pnpm
+      - if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
+        env:
+          # Required for publish (pkg-pr-new reads NPM_TOKEN/NODE_AUTH_TOKEN)
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: pnpm dlx pkg-pr-new publish --compact './packages/*' --packageManager=pnpm

Note: Ensure a repository secret NPM_TOKEN is set with publish permissions on your registry. If you intend preview publishes on PRs, we can instead guard by repo-owner and add a separate preview step. Want me to draft that?



- name: Build
run: pnpm build
- run: pnpm dlx pkg-pr-new publish './packages/*' --packageManager=pnpm
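Review bot: the publish step carries neither a `name:` nor an `if:` condition, so it runs unconditionally on every push and pull_request event the workflow receives; give it a name so the run log is readable, and gate it on the event (for example `if: github.event_name == 'pull_request'`) so a push with no associated PR does not attempt a preview publish.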

The publish step needs authentication for the package registry before it can successfully publish packages. Consider adding a step like:

- name: Setup npm authentication
  run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc

Also, the current workflow triggers on all pushes and pull requests, which could lead to unintended package publications. It would be safer to add conditions to restrict when publishing occurs:

- name: Publish packages
  if: github.event_name == 'push' && github.ref == 'refs/heads/main'
  run: pnpm dlx pkg-pr-new publish './packages/*' --packageManager=pnpm

This ensures packages are only published from the main branch when changes are pushed directly.


Spotted by Diamond


@eluce2 eluce2 merged commit 9c62bbd into main Aug 16, 2025
6 checks passed
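As an added example that is not the PR's own file or any bot's suggestion, here is the workflow with the hardening raised across the review threads folded into one file: explicit least-privilege token scope, cancellation of superseded runs, a frozen-lockfile install, and the preview publish gated to pull_request events. It assumes pkg-pr-new is used for PR preview packages (as the pkg.pr.new install links above indicate), so no registry token is configured; it keeps `corepack enable` before `actions/setup-node` because setup-node's pnpm cache invokes pnpm, and the `pull-requests: write` scope follows the review suggestion rather than a requirement verified here.

```yaml
# Added example: hardened variant of the "Publish Any Commit" workflow.
# Not the PR's own file. Assumes pkg-pr-new preview publishing on PRs.
name: Publish Preview Packages

on:
  pull_request:
    types: [opened, synchronize, reopened, ready_for_review]

# Least privilege: the token may read the repo and comment on the PR, nothing else.
# pull-requests: write is taken from the review thread; drop it if unused.
permissions:
  contents: read
  pull-requests: write

# Keep only the newest run per ref; superseded runs are cancelled.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  build:
    runs-on: ubuntu-latest
    env:
      CI: true
    steps:
      - name: Checkout code
        # For stronger supply-chain pinning, replace @v4 with a full commit SHA.
        uses: actions/checkout@v4

      # corepack must run before setup-node: the pnpm cache option calls pnpm.
      - run: corepack enable

      - uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: pnpm
          cache-dependency-path: pnpm-lock.yaml

      - name: Install dependencies
        # Fail instead of silently rewriting the lockfile in CI.
        run: pnpm install --frozen-lockfile

      - name: Build
        run: pnpm build

      # Redundant with the trigger above, but makes the intent explicit if
      # a push trigger is ever added back.
      - name: Publish preview packages
        if: ${{ github.event_name == 'pull_request' }}
        # Pin pkg-pr-new to an explicit version in practice (placeholder omitted here).
        run: pnpm dlx pkg-pr-new publish './packages/*' --packageManager=pnpm
```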