ci(repo): add release pre-flight workflow (#7822)

jacekradko · web-flow · commit 6f76e39b8a84 · 2026-02-11T13:50:44.000-06:00
diff --git a/.changeset/changelog.js b/.changeset/changelog.js
@@ -1,6 +1,166 @@
-const { getInfo, getInfoFromPullRequest } = require('@changesets/get-github-info');
-
 const repo = 'clerk/javascript';
+const [owner, repoName] = repo.split('/');
+
+// Cache to avoid duplicate fetches for the same commit/PR
+const cache = new Map();
+
+// Simple concurrency limiter to avoid hitting GitHub secondary rate limits
+const MAX_CONCURRENT = 6;
+let active = 0;
+const queue = [];
+
+function withLimit(fn) {
+  return (...args) =>
+    new Promise((resolve, reject) => {
+      const run = async () => {
+        active++;
+        try {
+          resolve(await fn(...args));
+        } catch (e) {
+          reject(e);
+        } finally {
+          active--;
+          if (queue.length > 0) queue.shift()();
+        }
+      };
+      if (active < MAX_CONCURRENT) run();
+      else queue.push(run);
+    });
+}
+
+async function graphql(query) {
+  const token = process.env.GITHUB_TOKEN;
+  if (!token) {
+    throw new Error('GITHUB_TOKEN environment variable is required');
+  }
+
+  const res = await fetch('https://api.github.com/graphql', {
+    method: 'POST',
+    headers: {
+      Authorization: `Token ${token}`,
+      'Content-Type': 'application/json',
+    },
+    body: JSON.stringify({ query }),
+  });
+
+  if (!res.ok) {
+    throw new Error(`GitHub API responded with ${res.status}: ${await res.text()}`);
+  }
+
+  const json = await res.json();
+  if (json.errors) {
+    throw new Error(`GitHub GraphQL error: ${JSON.stringify(json.errors, null, 2)}`);
+  }
+  if (!json.data) {
+    throw new Error(`Unexpected GitHub response: ${JSON.stringify(json)}`);
+  }
+  return json.data;
+}
+
+// Fetches commit info with a single small GraphQL query per commit
+const fetchCommitInfo = withLimit(async commit => {
+  const key = `commit:${commit}`;
+  if (cache.has(key)) return cache.get(key);
+
+  const data = await graphql(`query {
+    repository(owner: ${JSON.stringify(owner)}, name: ${JSON.stringify(repoName)}) {
+      object(expression: ${JSON.stringify(commit)}) {
+        ... on Commit {
+          commitUrl
+          associatedPullRequests(first: 50) {
+            nodes { number url mergedAt author { login url } }
+          }
+          author { user { login url } }
+        }
+      }
+    }
+  }`);
+
+  const obj = data.repository.object;
+  if (!obj) {
+    const result = {
+      user: null,
+      pull: null,
+      links: {
+        commit: `[\`${commit.slice(0, 7)}\`](https://github.com/${repo}/commit/${commit})`,
+        pull: null,
+        user: null,
+      },
+    };
+    cache.set(key, result);
+    return result;
+  }
+
+  let user = obj.author && obj.author.user ? obj.author.user : null;
+  const associatedPR =
+    obj.associatedPullRequests &&
+    obj.associatedPullRequests.nodes &&
+    obj.associatedPullRequests.nodes.length
+      ? obj.associatedPullRequests.nodes.sort((a, b) => {
+          if (a.mergedAt === null && b.mergedAt === null) return 0;
+          if (a.mergedAt === null) return 1;
+          if (b.mergedAt === null) return -1;
+          return new Date(b.mergedAt) - new Date(a.mergedAt);
+        })[0]
+      : null;
+
+  if (associatedPR && associatedPR.author) user = associatedPR.author;
+
+  const result = {
+    user: user ? user.login : null,
+    pull: associatedPR ? associatedPR.number : null,
+    links: {
+      commit: `[\`${commit.slice(0, 7)}\`](${obj.commitUrl})`,
+      pull: associatedPR ? `[#${associatedPR.number}](${associatedPR.url})` : null,
+      user: user ? `[@${user.login}](${user.url})` : null,
+    },
+  };
+  cache.set(key, result);
+  return result;
+});
+
+// Fetches pull request info with a single small GraphQL query per PR
+const fetchPullRequestInfo = withLimit(async pull => {
+  const key = `pull:${pull}`;
+  if (cache.has(key)) return cache.get(key);
+
+  const data = await graphql(`query {
+    repository(owner: ${JSON.stringify(owner)}, name: ${JSON.stringify(repoName)}) {
+      pullRequest(number: ${pull}) {
+        url
+        author { login url }
+        mergeCommit { commitUrl abbreviatedOid }
+      }
+    }
+  }`);
+
+  const pr = data.repository.pullRequest;
+  const user = pr && pr.author ? pr.author : null;
+  const mergeCommit = pr && pr.mergeCommit ? pr.mergeCommit : null;
+
+  const result = {
+    user: user ? user.login : null,
+    commit: mergeCommit ? mergeCommit.abbreviatedOid : null,
+    links: {
+      commit: mergeCommit
+        ? `[\`${mergeCommit.abbreviatedOid}\`](${mergeCommit.commitUrl})`
+        : null,
+      pull: `[#${pull}](https://github.com/${repo}/pull/${pull})`,
+      user: user ? `[@${user.login}](${user.url})` : null,
+    },
+  };
+  cache.set(key, result);
+  return result;
+});
+
+// Drop-in replacements for @changesets/get-github-info
+async function getInfo({ commit }) {
+  return fetchCommitInfo(commit);
+}
+
+async function getInfoFromPullRequest({ pull }) {
+  return fetchPullRequestInfo(pull);
+}
 
 const getDependencyReleaseLine = async (changesets, dependenciesUpdated) => {
   if (dependenciesUpdated.length === 0) return '';
@@ -10,7 +170,6 @@ const getDependencyReleaseLine = async (changesets, dependenciesUpdated) => {
       changesets.map(async cs => {
         if (cs.commit) {
           let { links } = await getInfo({
-            repo,
             commit: cs.commit,
           });
           return links.commit;
@@ -54,7 +213,6 @@ const getReleaseLine = async (changeset, type, options) => {
   const links = await (async () => {
     if (prFromSummary !== undefined) {
       let { links } = await getInfoFromPullRequest({
-        repo,
         pull: prFromSummary,
       });
       if (commitFromSummary) {
@@ -68,7 +226,6 @@ const getReleaseLine = async (changeset, type, options) => {
     const commitToFetchFrom = commitFromSummary || changeset.commit;
     if (commitToFetchFrom) {
       let { links } = await getInfo({
-        repo,
         commit: commitToFetchFrom,
       });
       return links;
diff --git a/.changeset/wacky-worms-hope.md b/.changeset/wacky-worms-hope.md
@@ -0,0 +1,2 @@
+---
+---
diff --git a/.github/workflows/release-preflight.yml b/.github/workflows/release-preflight.yml
@@ -0,0 +1,81 @@
+name: Release Preflight
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [main]
+
+concurrency:
+  group: release-preflight-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  rehearse:
+    name: Release Preflight
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    timeout-minutes: 30
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 100
+          fetch-tags: false
+          filter: 'blob:none'
+          show-progress: false
+
+      - name: Fetch main branch for changeset comparison
+        run: git fetch origin main:refs/remotes/origin/main --depth=100
+
+      - name: Setup
+        uses: ./.github/actions/init
+        with:
+          turbo-team: ''
+          turbo-token: ''
+
+      # 1) Validate changesets against base branch
+      - name: Changeset status
+        run: pnpm changeset status --output .changeset-status.json
+
+      # 2) Build (same path as production releases)
+      - name: Build
+        run: pnpm build
+
+      # 3) Version packages (uses existing script: changeset version + lockfile update)
+      - name: Version packages (preflight)
+        run: pnpm version-packages
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+
+      # 4) Fail on unexpected file changes after versioning
+      - name: Post-version diff guard
+        run: |
+          UNEXPECTED=$(git diff --name-only | grep -Ev '^(\.changeset/|package\.json$|pnpm-lock\.yaml$|packages/.*/package\.json$|packages/.*/CHANGELOG\.md$)' || true)
+          if [ -n "$UNEXPECTED" ]; then
+            echo "::error::Unexpected files changed after versioning:"
+            echo "$UNEXPECTED"
+            exit 1
+          fi
+
+      # 5) Simulate publish by packing all public packages
+      - name: Pack public packages
+        run: |
+          mkdir -p .release-artifacts
+          pnpm -r exec -- sh -c '
+            if [ "$(node -p "Boolean(require(\"./package.json\").private)")" = "true" ]; then
+              echo "Skipping private package: $(node -p "require(\"./package.json\").name")"
+            else
+              npm pack --json
+            fi
+          ' > .release-artifacts/pack-output.json 2>&1
+
+      - name: Upload preflight artifacts
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: release-preflight-artifacts
+          path: |
+            .changeset-status.json
+            .release-artifacts/pack-output.json
diff --git a/.gitignore b/.gitignore
@@ -89,6 +89,10 @@ sessions.pem
 # Verdaccio
 .verdaccio
 
+# Release preflight
+.changeset-status.json
+.release-artifacts/
+
 # Workflow Outputs
 /packages/*/*.tgz
 /packages/*/tsconfig*.vitest-temp.json
diff --git a/package.json b/package.json
@@ -33,6 +33,7 @@
     "release:canary": "changeset publish --tag canary --no-git-tag",
     "release:canary-core3": "changeset publish --tag canary-core3 --no-git-tag",
     "release:snapshot": "changeset publish --tag snapshot --no-git-tag",
+    "release:status": "changeset status --output .changeset-status.json",
     "release:verdaccio": "if [ \"$(npm config get registry)\" = \"https://registry.npmjs.org/\" ]; then echo 'Error: Using default registry' && exit 1; else TURBO_CONCURRENCY=1 pnpm build && changeset publish --no-git-tag; fi",
     "test": "FORCE_COLOR=1 turbo test --concurrency=${TURBO_CONCURRENCY:-80%}",
     "test:cache:clear": "FORCE_COLOR=1 turbo test:cache:clear --continue --concurrency=${TURBO_CONCURRENCY:-80%}",
