
ci(selfhost): pin sentry release cli#1741

Open
JSONbored wants to merge 1 commit into
mainfrom
codex/fix-unpinned-sentry-cli-vulnerability

Conversation

@JSONbored

Owner

Motivation

  • Remove a CI/CD supply-chain risk where unpinned npx @sentry/cli@latest was executed during the self-host release flow before the Docker runtime-prebuilt image build, which allowed a floating npm executable to modify the built dist/server.mjs that is later copied into the image.

Description

  • Replace floating invocations of npx -y @sentry/cli@latest in .github/workflows/release-selfhost.yml with a pinned, exact invocation using @sentry/cli@2.58.2 via npx -y --package @sentry/cli@2.58.2 sentry-cli and reuse that command for release creation, commit association, source-map injection, upload, and finalization.

Testing

  • git diff --check was run and passed locally.
  • npm run actionlint was attempted but the environment could not reach GitHub for the official setup and the WASM fallback reported an unrelated custom runner-label warning, so actionlint could not be fully validated in this environment.

Codex Task

@dosubot dosubot Bot added the size:XS This PR changes 0-9 lines, ignoring generated files. label Jun 29, 2026
@gittensory-orb

gittensory-orb Bot commented Jun 29, 2026


Warning


⏸️ Gittensory review result - manual review recommended

Review updated: 2026-06-29 15:17:29 UTC

1 file · 1 AI reviewer · 1 blocker · readiness 68/100 · CI green · dirty

⏸️ Suggested Action - Manual Review

  • Maintainer test expectations unmet — Add or update tests, or attach passing validation output that satisfies the maintainer's test expectations.

Review summary
This PR removes the floating Sentry CLI invocation from the self-host release workflow and uses an exact `@sentry/cli@2.58.2` package for release creation, commit association, source-map injection/upload, and finalization. The Bash array form in the upload step is valid on the default Ubuntu runner shell, and the separate finalize step is also pinned. The main remaining issue is maintainability: the pinned package/version is duplicated and the existing workflow test does not lock the new no-`@latest` invariant.

Nits — 5 non-blocking
  • nit: `.github/workflows/release-selfhost.yml:75` and `.github/workflows/release-selfhost.yml:126` duplicate the exact Sentry CLI package/version, so the next bump can drift between upload and finalize.
  • nit: `test/unit/selfhost-sentry-release.test.ts` does not assert that `.github/workflows/release-selfhost.yml` contains no `@sentry/cli@latest`, leaving the supply-chain regression this PR fixes unguarded.
  • In `.github/workflows/release-selfhost.yml`, define the pinned package once as a workflow/job env value such as `SENTRY_CLI_PACKAGE: '@sentry/cli@2.58.2'` and use `npx -y --package "$SENTRY_CLI_PACKAGE" sentry-cli` in both Sentry steps.
  • Extend `test/unit/selfhost-sentry-release.test.ts` to assert the release workflow does not contain `@sentry/cli@latest` and does contain the exact pinned `--package @sentry/cli@2.58.2 sentry-cli` invocation.
  • Readiness score is below the configured threshold — Use the readiness panel as advisory maintainer context; the score does not block this PR.

Concerns raised — review before merging

  • Maintainer test expectations unmet — Add or update tests, or attach passing validation output that satisfies the maintainer's test expectations.
| Signal | Result | Evidence |
| --- | --- | --- |
| Code review | ❌ 1 blocker | 1 reviewer |
| Linked issue | ⚠️ Missing | No linked issue or no-issue rationale found. |
| Related work | ⚠️ 2 scoped overlaps | Top overlaps are listed below; lower-confidence bulk is hidden. |
| Review load | ❌ 8/20 | Readiness component derived from cached public PR metadata and labels; size label size:XS. |
| Validation evidence | ✅ 25/25 | PR body includes validation/test evidence. |
| Open PR queue | ❌ 3/10 | 24 open PR(s), 11 likely reviewable, 13 unlinked. |
| Contributor context | ✅ Confirmed | Gittensor contributor JSONbored; Gittensor profile; 74 PR(s), 280 issue(s). |
| Gate result | ❌ Blocking | Repo-configured hard blocker found. |
Review context
  • Author: JSONbored
  • Role context: owner (maintainer lane)
  • Public audience mode: oss maintainer
  • Lane context: Repository registration is not available in the local Gittensory cache.
  • Public profile languages: not available
  • Official Gittensor activity: 74 PR(s), 280 issue(s).
  • Related work: Titles/paths share 8 meaningful terms. (PR #1679, PR #1690)
  • Related work: Titles/paths share 6 meaningful terms. (PR #1693, PR #1716)
Contributor next steps
  • Treat this as maintainer-lane context rather than normal contributor-lane activity.
  • Explain no-issue PR.
  • Review top overlaps.
  • Add scope summary.
  • Expect slower review.
  • No action.
  • Link the issue being solved, or explicitly explain why this is a no-issue PR.
  • Check active issues and PRs before submitting.
Signal definitions
  • Related work = same linked issue, overlapping active PRs, or title/path similarity.
  • Review load = cached public PR metadata such as size labels, changed paths, and preflight status.
  • Open PR queue = repo-wide review pressure; it is not a PR quality failure.
  • Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.

🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed



Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.

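The invariant the PR description and the Gittensory nit describe, written out as an added example (this is not the project's `test/unit/selfhost-sentry-release.test.ts` nor its workflow): a check that flags every `@sentry/cli` reference in a workflow that is `@latest`, carries no version, or differs from the expected exact pin. The function name, the sample workflow text and the structure of the findings are constructed here; a real CI test would read `.github/workflows/release-selfhost.yml` instead of the sample.

```typescript
// Added example, not the project's own workflow test: flag every @sentry/cli
// reference in a GitHub Actions workflow that is not pinned to the expected
// exact version. `npx -y @sentry/cli` with no version resolves to the latest
// dist-tag, so "no version" is treated the same as "@latest".
export type PinReason = "floating-tag" | "version-mismatch";

export interface PinFinding {
  line: number;      // 1-based line in the workflow text
  version?: string;  // version or dist-tag found; undefined when absent
  reason: PinReason;
}

// Matches "@sentry/cli" optionally followed by "@<version-or-tag>"; the
// env-value form `SENTRY_CLI_PACKAGE: '@sentry/cli@2.58.2'` is covered too.
const SENTRY_CLI_REF = /@sentry\/cli(?:@([^\s'"]+))?/;

export function checkSentryCliPins(workflowYaml: string, expectedVersion: string): PinFinding[] {
  const findings: PinFinding[] = [];
  workflowYaml.split("\n").forEach((raw, idx) => {
    const m = SENTRY_CLI_REF.exec(raw);
    if (!m) return;
    const version = m[1];
    if (version === undefined || version === "latest") {
      findings.push({ line: idx + 1, version, reason: "floating-tag" });
    } else if (version !== expectedVersion) {
      findings.push({ line: idx + 1, version, reason: "version-mismatch" });
    }
  });
  return findings;
}

// Constructed sample workflow fragment (not the repository's release-selfhost.yml):
// two floating invocations, one correct pin and one drifted pin.
export const SAMPLE_WORKFLOW = [
  "name: release-selfhost",
  "jobs:",
  "  release:",
  "    steps:",
  "      - run: npx -y @sentry/cli@latest releases new \"$VERSION\"",
  "      - run: npx -y @sentry/cli sourcemaps inject dist",
  "      - run: npx -y --package @sentry/cli@2.58.2 sentry-cli sourcemaps upload dist",
  "      - run: npx -y --package @sentry/cli@2.57.0 sentry-cli releases finalize \"$VERSION\"",
].join("\n");

// Expected pin is the version the PR introduces.
export const EXPECTED_PIN = "2.58.2";
export const findings = checkSentryCliPins(SAMPLE_WORKFLOW, EXPECTED_PIN);
console.log(`${findings.length} unpinned or drifted @sentry/cli reference(s)`, findings);
```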

@gittensory-orb gittensory-orb Bot added gittensor Gittensor contributor context gittensor:bug Gittensor-scored bug fix - worth 0.5x multiplier. labels Jun 29, 2026
@codecov

codecov Bot commented Jun 29, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 95.58%. Comparing base (73c021e) to head (3e336f4).
⚠️ Report is 5 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #1741   +/-   ##
=======================================
  Coverage   95.58%   95.58%           
=======================================
  Files         204      204           
  Lines       22316    22316           
  Branches     8067     8067           
=======================================
  Hits        21331    21331           
  Misses        408      408           
  Partials      577      577           


Labels

aardvark codex gittensor:bug Gittensor-scored bug fix - worth 0.5x multiplier. gittensor Gittensor contributor context size:XS This PR changes 0-9 lines, ignoring generated files.
