ci(release): add automated release workflow with nx release

[shaharkazaz]

Summary

Replaces the manual local-dev/publish-all-libs.sh flow with a workflow_dispatch-triggered GitHub Actions pipeline that drives nx release end-to-end (version → publish → tag → changelog → GitHub release), plus a standalone actionlint workflow that lints workflow YAML on every relevant PR.

Publishing uses npm OIDC trusted publishing — no NPM_TOKEN secret, with provenance attestations generated automatically.

Release workflow (.github/workflows/release.yml)

Two jobs: a parallel gate (lint / test / e2e matrix) and a release job that runs only when the gate passes (needs: gate).

Inputs

Input	Type	Default	Notes
bump	choice	auto	auto infers from conventional commits; or patch / minor / major / prerelease
dry-run	boolean	false	Preview only — no commits, tags, or publish

Ordering (and why each constraint is load-bearing)

gate → version → build → publish → push (commit + tag) → changelog → push (changelog commit)

• version before build — nx release version bumps the source package.json files; ng-packagr then copies them into dist/ at build time. Building first would publish tarballs stamped with the previous version (instant npm registry rejection).
• publish before any push — a failed publish then leaves a clean rollback: the version commit and tag exist only on the runner, never on master.
• push (tag) before changelog — the changelog step creates the GitHub Release for releases/{version}; if that tag isn't on the remote yet, the API invents it at the old master HEAD.
• push (changelog commit) last — the changelog step commits CHANGELOG.md + per-project changelogs locally, so a final push lands them on master.

Auth (OIDC trusted publishing)

• Runs on Node 22 + npm 11 — trusted publishing requires npm ≥ 11.5.1 / Node ≥ 22.14, and Node 22 runners still bundle npm 10, hence the explicit npm install -g npm@11. (Node 24 isn't supported by Angular 18 yet.)
• No registry-url on setup-node, deliberately — it writes an _authToken=${NODE_AUTH_TOKEN} line into .npmrc that can shadow OIDC auth. npmjs is the default registry; trusted publishing needs no token config at all.
• Provenance attestations are emitted automatically — no --provenance flag.

Dry-run semantics

Gate, version preview, and a full build all run; publish / push / changelog are skipped (gated on !inputs.dry-run) rather than passed --dry-run. Reasons: a version dry-run leaves files untouched, so npm publish --dry-run would always collide with the already-published version, and the run summary would otherwise misreport the on-disk (current) version as the preview.

Prerelease dist-tag

bump: prerelease publishes under the next dist-tag, so latest (what npm i @jsverse/transloco resolves) never points at a prerelease. This makes prerelease the low-stakes path for the first real OIDC publish.

Changelog config (nx.json)

• New workspaceChangelog block writes the root CHANGELOG.md and creates one GitHub release per version; per-project changelogs preserved.
• Git options are configured per subcommand (version.git commits + tags, changelog.git commits) — top-level release.git is rejected when nx release is driven via individual subcommands, and the subcommand git defaults are all-false (so without this, no tag is ever created and the changelog commit is orphaned on the runner).

Publish target fix (nx.json)

nx release publish defaults packageRoot to the project root, i.e. it would have packed libs/* — the source dirs, whose manifests have no main / module / typings / exports (ng-packagr generates those into dist/libs/*/package.json). All 11 packages would have shipped broken. Fixed via targetDefaults:

"nx-release-publish": { "options": { "packageRoot": "dist/{projectRoot}" } }

Actionlint workflow (.github/workflows/actionlint.yml)

Pinned actionlint v1.7.12, cached at ~/bin/actionlint, installed only on cache miss. Runs on PR + push to master when files under .github/workflows/** or .github/actions/** change. Replaces the previous reviewdog.yml (removed in this PR) — reviewdog's diff-filtering only reported findings on lines the PR touched, which had been hiding a deprecation in its own workflow file; the raw runner lints every workflow file every time.

Bugs caught and fixed during development

Workflow YAML only fails at runtime, so each was caught by linting or local --dry-run rehearsal before it could fail a real release:

1. Empty-string '' choice option (actionlint) — invalid workflow_dispatch choice; switched to an explicit auto sentinel.
2. Broken \"-escaped node -p (shellcheck via actionlint) — replaced with a clean shell block.
3. inputs.dry-run != 'true' — boolean inputs are real booleans in expressions; comparing against the string 'true' makes GitHub coerce both to numbers (true→1, 'true'→NaN), so the guard was always-true and dry-runs would have pushed/released. Fixed to !inputs.dry-run.
4. Publish packed source dirs — the packageRoot fix above.
5. Build-before-version — would publish correctly-built tarballs stamped with the old version.
6. Top-level release.git rejected + no tag configured — would fail at the Version step on first run.
7. npm too old for OIDC — Node 20 / npm 10 fails trusted-publishing auth; bumped to Node 22 / npm 11.

Security

Concern	Mitigation
Cross-branch releases	Real releases are master-only (github.ref guard on both jobs); dry-runs may be dispatched from any branch — side-effect-free by construction (every mutating step gated on !inputs.dry-run), making the pipeline testable from a PR branch
Concurrent releases	concurrency: { group: release-${{ github.ref }}, cancel-in-progress: false } — real releases serialize; a branch dry-run never queue-blocks a real release
Token leakage	OIDC trusted publishing — no static npm token; no registry-url token line in .npmrc; gate checkouts use persist-credentials: false
Tampered tarball	Provenance attestations link tarball → workflow run → commit
Expression injection in shell	All ${{ ... }} interpolations routed through env:, never inlined into run:
Over-broad CI perms	Only contents: write (commit/tag/release) + id-token: write (OIDC). No packages: write.
Runaway publish	15-minute gate / 30-minute release job timeouts
Workflow YAML drift	actionlint workflow on every PR touching .github/

Pre-flight before first non-dry run

• npm trusted publishing configured on npmjs.org for @jsverse/*, pointed at this repo + release.yml
• Branch protection on master restricts who can dispatch workflows (or attach a GH Environment with required reviewers)
• Sanity-check the auto-inferred bump: git log releases/8.3.0..HEAD --oneline
• Run the workflow once with dry-run: true as the first real test

Test plan

• Open this PR — actionlint workflow runs and passes
• After merge: dispatch on master with dry-run: true, bump: auto — verify gate legs run in parallel, the inferred bump matches expectation (should be patch), build succeeds, and publish/push/changelog are skipped with no side effects
• Dispatch with dry-run: true, bump: patch — verify the override path previews a patch bump
• First real run with bump: prerelease, dry-run: false — verify OIDC publish + provenance land on the next dist-tag (e.g. 8.3.1-0), GH release created, tag releases/X.Y.Z on master, root CHANGELOG.md updated — a low-stakes rehearsal that never touches latest

Follow-ups (intentionally out of scope)

• schematics-core sync — libs/schematics-core/ is copied into libs/transloco/schematics-core/ and libs/transloco-schematics/schematics-core/ via a manual gitignored script (local-dev/sync-schematics-core.sh), not wired into any build target. With automated releases, drift could ship silently. Follow-up: move it to a tracked scripts/ location, run before build in ci.yml + release.yml, add a pre-commit drift guard.
• Bump pre-existing workflow actions — ci.yml, deploy-demo-app.yml, stale-issues.yml, and the step-setup composite still use older majors (checkout@v4, setup-node@v4, stale@v9, configure-pages@v5, upload-pages-artifact@v3, deploy-pages@v4). Single chore PR. The workflows added here are already on latest majors.
• Action SHA pinning — all workflows use floating major tags. Hardening: pin to commit SHAs plus a Dependabot config for github-actions (none exists today — pins without automated bumps rot silently).
• Retire local-dev/publish-all-libs.sh — kept as an emergency manual fallback for now.

[coderabbitai]

Too much diff to scan? Review this PR in Change Stack to start with the highest-impact changes.

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds a Release GitHub Actions workflow (manual dispatch) that computes an Nx version, optionally publishes packages, pushes commit/tags, generates changelog/GitHub release, and writes a run summary; adds an actionlint workflow for workflow files; updates nx.json to point the workspace changelog to CHANGELOG.md.

Changes

Release Automation Workflow

Layer / File(s)	Summary
Workflow trigger and environment preparation .github/workflows/release.yml	Defines workflow_dispatch inputs (bump, dry-run), permissions and concurrency; checks out full repo with tags/history; sets up Node.js 20 (npm cache/registry), runs npm ci, sets git identity, and runs lint/test/build validation.
Version computation .github/workflows/release.yml	Constructs --dry-run from inputs and runs npx nx release version with an optional explicit bump argument; reads version from ./libs/transloco/package.json into a step output.
Publish step .github/workflows/release.yml	Runs npx nx release publish --access public --verbose with NPM provenance enabled and conditional --dry-run.
Push tags and changelog .github/workflows/release.yml	When not a dry run, pushes the release commit and tags to master, then runs npx nx release changelog <version> to generate changelog and create the GitHub release.
Execution summary & nx config .github/workflows/release.yml, nx.json	Always writes a formatted run report (version or n/a, bump, dry-run, ref, actor) to $GITHUB_STEP_SUMMARY; adds release.workspaceChangelog in nx.json pointing to CHANGELOG.md with createRelease: \"github\".

Actionlint Workflow

Layer / File(s)	Summary
Actionlint job .github/workflows/actionlint.yml	Adds an actionlint workflow triggered on push/pull_request limited to .github/workflows/** and .github/actions/**, caches/installs actionlint v1.7.12, updates GITHUB_PATH, and runs actionlint -color.

Fun fact: "transloco" is about translations—learn a word: in Japanese, "translation" is 翻訳 (honyaku).

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'ci(release): add automated release workflow with nx release' accurately and specifically describes the main change—adding an automated release workflow using nx release.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	The PR description comprehensively covers all required template sections with detailed explanations of changes, security considerations, and test plans.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ci/release-workflow

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[pkg-pr-new]

Open in StackBlitz

@jsverse/transloco

npm i https://pkg.pr.new/jsverse/transloco/@jsverse/transloco@924

@jsverse/transloco-locale

npm i https://pkg.pr.new/jsverse/transloco/@jsverse/transloco-locale@924

@jsverse/transloco-messageformat

npm i https://pkg.pr.new/jsverse/transloco/@jsverse/transloco-messageformat@924

@jsverse/transloco-optimize

npm i https://pkg.pr.new/jsverse/transloco/@jsverse/transloco-optimize@924

@jsverse/transloco-persist-lang

npm i https://pkg.pr.new/jsverse/transloco/@jsverse/transloco-persist-lang@924

@jsverse/transloco-persist-translations

npm i https://pkg.pr.new/jsverse/transloco/@jsverse/transloco-persist-translations@924

@jsverse/transloco-preload-langs

npm i https://pkg.pr.new/jsverse/transloco/@jsverse/transloco-preload-langs@924

@jsverse/transloco-schematics

npm i https://pkg.pr.new/jsverse/transloco/@jsverse/transloco-schematics@924

@jsverse/transloco-scoped-libs

npm i https://pkg.pr.new/jsverse/transloco/@jsverse/transloco-scoped-libs@924

@jsverse/transloco-utils

npm i https://pkg.pr.new/jsverse/transloco/@jsverse/transloco-utils@924

@jsverse/transloco-validator

npm i https://pkg.pr.new/jsverse/transloco/@jsverse/transloco-validator@924

commit: c34cfa3

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (1)

.github/workflows/release.yml (1)

38-38: ⚖️ Poor tradeoff

Consider pinning action to commit SHA for supply-chain security.

Using tag references (e.g., @v4) rather than commit SHAs makes the workflow vulnerable to tag manipulation attacks. For a security-sensitive release workflow, pinning to immutable commit SHAs is recommended.

🔐 Optional SHA pinning

-      - name: Checkout
-        uses: actions/checkout@v4
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

Apply the same pattern to line 45 (setup-node). You can use tools like pin-github-action or Dependabot to maintain pinned SHAs.

Fun fact: The word "security" comes from Latin securus (se- "without" + cura "care"). In Japanese, it's セキュリティ (sekyuriti), a direct loanword! 🔐

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml at line 38, Replace mutable tag refs with
immutable commit SHAs: update the uses: entry "actions/checkout@v4" to the
corresponding commit SHA (e.g., actions/checkout@<commit-sha>) and do the same
for the "actions/setup-node@vX" reference on the other line; locate these by the
literal strings "actions/checkout@v4" and "actions/setup-node" in the workflow,
fetch the correct pinned commit SHAs from the actions' GitHub repos (or use a
tool like pin-github-action/Dependabot), and update the workflow to use the full
commit SHAs to prevent tag manipulation.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release.yml:
- Around line 37-42: Update the checkout action (uses: actions/checkout@v4) to
add persist-credentials: false so the GITHUB_TOKEN is not persisted to the
workspace; then adjust the later push step that performs git push to use an
explicit token (e.g., a PAT from secrets) or perform a separate checkout
configured with credentials so pushes still work without relying on the
persisted GITHUB_TOKEN.
- Around line 78-80: The GitHub Actions step "Read version" (id: version) uses a
run line with improperly escaped double quotes causing shell parsing errors;
replace the current node -p invocation so the JS string is quoted safely (e.g.,
use single quotes around the node expression or wrap the whole run value as a
YAML block) to avoid backslashes—update the run for the "Read version" step to
call node -p with proper single-quoting of
"require('./libs/transloco/package.json').version" or convert the run to a
multiline/| block so no shell-escaping is necessary.
- Around line 11-12: Replace the invalid empty choice option by changing the
input from a choice to a string: remove the "options:" block that contains "-
''" and switch the input declaration to "type: string" (locate the "options"
entry in the workflow diff), then update the Version step's validation logic
(the step named "Version") to explicitly validate allowed values (e.g., via a
conditional or regex check) so only valid release values are accepted.

---

Nitpick comments:
In @.github/workflows/release.yml:
- Line 38: Replace mutable tag refs with immutable commit SHAs: update the uses:
entry "actions/checkout@v4" to the corresponding commit SHA (e.g.,
actions/checkout@<commit-sha>) and do the same for the "actions/setup-node@vX"
reference on the other line; locate these by the literal strings
"actions/checkout@v4" and "actions/setup-node" in the workflow, fetch the
correct pinned commit SHAs from the actions' GitHub repos (or use a tool like
pin-github-action/Dependabot), and update the workflow to use the full commit
SHAs to prevent tag manipulation.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 78646dfd-22b2-40c2-9d4b-f283c47f4a27

📥 Commits

Reviewing files that changed from the base of the PR and between 82ae7bb and 80319b2.

📒 Files selected for processing (2)

• .github/workflows/release.yml
• nx.json

[cubic-dev-ai]

2 issues found across 2 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/release.yml">

<violation number="1" location=".github/workflows/release.yml:12">
P1: GitHub Actions `type: choice` inputs do not permit empty strings in the `options` list. This causes actionlint to fail with `string should not be empty [syntax-check]`. Switch to `type: string` with a `default: ''` instead, and validate the input value in the Version step to ensure only `patch|minor|major|prerelease` are accepted.</violation>
</file>

<sub>Reply with feedback, questions, or to request a fix.

Re-trigger cubic</sub>

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/actionlint.yml:
- Line 23: Update the actions/checkout@v4 step to disable credential persistence
by adding a with: block that sets persist-credentials: false; locate the
checkout usage (the line containing "uses: actions/checkout@v4") and add the
with: mapping under that step so the workflow only checks out repo contents
without persisting credentials.
- Line 23: Replace the floating action refs by pinning actions/checkout@v4 and
actions/cache@v4 to their immutable commit SHAs (e.g.,
actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac and the full commit
SHA for the v4 of actions/cache) and add the persist-credentials: false option
to the checkout step (ensure the checkout step containing actions/checkout is
updated to include the persist-credentials: false key).

In @.github/workflows/release.yml:
- Around line 81-85: In the "Read version" step, avoid reading the on-disk
package.json when this run is a dry-run: detect the dry-run flag (e.g., check
the workflow input or env like github.event.inputs.dry-run or a DRY_RUN variable
set earlier) and if it's a dry-run, set VERSION to a clear placeholder (for
example "preview" or "dry-run") and echo that to GITHUB_OUTPUT; otherwise
preserve the existing node -p require(...) behavior. Ensure you still write
"value=$VERSION" to GITHUB_OUTPUT in both branches so downstream steps consume
the placeholder during previews.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 89c529aa-ec7b-4748-8c53-4f1005a1a5ee

📥 Commits

Reviewing files that changed from the base of the PR and between 80319b2 and ff7f026.

📒 Files selected for processing (2)

• .github/workflows/actionlint.yml
• .github/workflows/release.yml

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/release.yml (1)

97-102: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Fix dry-run guards to use inputs['dry-run'] (string) comparison

workflow_dispatch boolean inputs are exposed to expressions as strings ('true'/'false'), and the hyphenated key dry-run must be accessed via bracket notation; update both if: guards accordingly to reliably prevent push/release during dry-run.

🔧 Proposed fix

       - name: Push commit and tag
-        if: ${{ inputs.dry-run != 'true' }}
+        if: ${{ inputs['dry-run'] == 'false' }}
         run: git push --follow-tags origin HEAD:master

       - name: Changelog and GitHub release
-        if: ${{ inputs.dry-run != 'true' }}
+        if: ${{ inputs['dry-run'] == 'false' }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: npx nx release changelog ${{ steps.version.outputs.value }} --verbose

Transloco fun fact: when using lazy-loaded scopes, translations load asynchronously—calling translate/selectTranslate before the scope is triggered can temporarily yield missing-key results.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 97 - 102, The conditional guards
using inputs.dry-run are invalid because the hyphenated input must be accessed
with bracket notation and inputs are strings; update both if: expressions (the
one guarding the git push step "git push --follow-tags origin HEAD:master" and
the step titled "Changelog and GitHub release") to use inputs['dry-run'] and
compare against the string 'true' (e.g., if: ${{ inputs['dry-run'] != 'true' }})
so the push/release steps are correctly skipped during a dry-run.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In @.github/workflows/release.yml:
- Around line 97-102: The conditional guards using inputs.dry-run are invalid
because the hyphenated input must be accessed with bracket notation and inputs
are strings; update both if: expressions (the one guarding the git push step
"git push --follow-tags origin HEAD:master" and the step titled "Changelog and
GitHub release") to use inputs['dry-run'] and compare against the string 'true'
(e.g., if: ${{ inputs['dry-run'] != 'true' }}) so the push/release steps are
correctly skipped during a dry-run.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 63da4080-5c66-4d90-bf02-737041fd5682

📥 Commits

Reviewing files that changed from the base of the PR and between ff7f026 and 574c5e8.

📒 Files selected for processing (2)

• .github/workflows/actionlint.yml
• .github/workflows/release.yml