Fix release workflow

[miguelg719]

why

Release workflow got corrupted on merging of Version Packages PRs after decoupling from browse

what changed

PR #1885 decoupled browse cli releases from the main changesets release by adding it to the ignore list in .changeset/config.json. After that, three PRs (#1905, #1906, #1935) merged with changeset files that exclusively target browse. Since changeset version skips ignored packages, these files produce no diff — causing changesets/action to fail with

"No commits between main and changeset-release/main" on every push to main, blocking all core package releases.

• Added a pre-check step to release.yml that reads the ignore list from .changeset/config.json and scans pending changeset files.
• If all pending changesets only target ignored packages, the changesets/action step is skipped.
• In that ignored-only case, the workflow falls back to changeset publish so already-versioned packages can still be published.
• When there are no changesets at all (post Version Packages merge), the action still runs normally to handle publishing.

test plan

[changeset-bot]

⚠️ No Changeset found

Latest commit: d7b37fc

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[cubic-dev-ai]

No issues found across 1 file

Confidence score: 5/5

• Automated review surfaced no issues in the provided summaries.
• No files require special attention.

Architecture diagram

sequenceDiagram
    participant Runner as GHA Runner
    participant FS as Local Filesystem
    participant Check as NEW: check_changesets
    participant CSA as changesets/action@v1
    participant NPM as NPM Registry

    Runner->>Check: Run evaluation script
    Check->>FS: NEW: Read .changeset/config.json (ignore list)
    FS-->>Check: List of ignored packages
    Check->>FS: NEW: Read all .changeset/*.md files
    FS-->>Check: Changeset frontmatter (package names)

    Note over Check: Determine "should_run" logic

    alt NEW: No changesets found (HAS_ANY=false)
        Check-->>Runner: output "should_run=true"
        Note right of Check: Allows publishing after versioning PR merge
    else NEW: All changesets target ignored packages
        Check-->>Runner: output "should_run=false"
    else NEW: At least one actionable changeset found
        Check-->>Runner: output "should_run=true"
    end

    alt CHANGED: if should_run == true
        Runner->>CSA: Execute action
        CSA->>CSA: Determine mode (Version vs Publish)
        opt Publish Mode
            CSA->>NPM: pnpm run release
        end
        CSA-->>Runner: Step completed
    else should_run == false
        Note over Runner,CSA: Step Skipped (No-op)
    end

Loading

[cubic-dev-ai]

1 issue found across 1 file (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/release.yml">

<violation number="1" location=".github/workflows/release.yml:89">
P1: `pnpm exec changeset publish` will fail to authenticate with npm. The workflow uses Trusted Publishing (OIDC), but `changeset publish` runs `npm publish` without `--provenance`, so the OIDC token exchange won't be triggered. Unlike the `changesets/action` wrapper (which may handle auth internally), this bare command has no npm credentials — only `GITHUB_TOKEN` is set, which doesn't authenticate with the npm registry.

If this step is meant as a safety net for publishing previously-versioned packages, it needs npm auth. Consider either setting `NODE_AUTH_TOKEN` or using the same `pnpm run release` command that the action uses.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review, or fix all with cubic.}