feat: promote npm edge tag to latest when prerelease is promoted

[AaronFeledy]

Problem

When a release is published as a prerelease, it gets tagged as edge on npm. Later, when the release is promoted to a full release in GitHub, the npm latest tag doesn't update because the workflow only triggered on published.

Solution

• Added released to the release workflow trigger types
• New lightweight promote job that only runs npm dist-tag add latest — no install, no lint, no tests, no re-publish
• Only fires on the released event (when a prerelease is promoted to full release)
• Existing deploy job is now explicitly gated to published events only (no behavior change)
• Uses TAG_NAME env var instead of direct interpolation to prevent script injection

Flow

1. Publish as prerelease → full pipeline runs, publishes with edge tag (unchanged)
2. Promote release → uncheck prerelease → promote job runs, points latest to that version (~15s)

The dist-tag add command is idempotent, so if both published and released fire on a fresh non-prerelease publish, the redundant promote is harmless.

---

Note

Low Risk
CI-only change that adjusts npm dist-tags and workflow triggers; main risk is accidentally retagging the wrong version if release metadata/tag parsing is incorrect.

Overview
Updates the release workflow to also trigger on GitHub release events of type released, and adds a lightweight promote job that runs npm dist-tag add ... latest to move a previously prereleased version from edge to npm latest.

The existing publish pipeline is now explicitly gated to only run on published events, avoiding reruns when a prerelease is later promoted.

^{Written by Cursor Bugbot for commit 0f63f2e. This will update automatically on new commits. Configure here.}

[netlify]

✅ Deploy Preview for lando-ruby ready!

Name	Link
🔨 Latest commit	0f63f2e
🔍 Latest deploy log	https://app.netlify.com/projects/lando-ruby/deploys/6997dba2d36d980007fe632a
😎 Deploy Preview	https://deploy-preview-66--lando-ruby.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.
Lighthouse	1 paths audited Performance: 88 (🔴 down 3 from production) Accessibility: 98 (no change from production) Best Practices: 100 (no change from production) SEO: 100 (no change from production) PWA: - View the detailed breakdown and full score reports

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is ON. A Cloud Agent has been kicked off to fix the reported issue.}

[cursor]

Promote job races deploy and fails on fresh releases

Medium Severity

When a non-prerelease is published directly, GitHub fires both published and released events as separate workflow runs. The lightweight promote job (~15s) will attempt npm dist-tag add before the deploy job has finished publishing the package to npm. Since the version doesn't exist on the registry yet, the npm dist-tag add command will fail. The PR description assumes this is "harmless" due to idempotency, but dist-tag add on a non-existent version is an error, not a no-op, resulting in a failed workflow run.

 

[cursor]

Bugbot Autofix prepared fixes for 1 of the 1 bugs found in the latest run.

• ✅ Fixed: Promote job races deploy and fails on fresh releases
  • Added a check to verify the package version exists on npm before attempting dist-tag add, preventing failures when fresh releases trigger both published and released events simultaneously.

Or push these changes by commenting:

@cursor push 51cd6abf2c

Preview (51cd6abf2c)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -22,8 +22,14 @@
         run: |
           VERSION=$(echo "$TAG_NAME" | sed 's/^v//')
           PACKAGE=$(node -p "require('./package.json').name")
-          npm dist-tag add "$PACKAGE@$VERSION" latest
-          echo "::notice title=Promoted $VERSION to latest::The latest tag now points to $VERSION (was edge-only)"
+          
+          # Check if this version exists on npm (i.e., it's a promotion of an existing prerelease)
+          if npm view "$PACKAGE@$VERSION" version &>/dev/null; then
+            npm dist-tag add "$PACKAGE@$VERSION" latest
+            echo "::notice title=Promoted $VERSION to latest::The latest tag now points to $VERSION (was edge-only)"
+          else
+            echo "::notice title=Skipped promotion::Version $VERSION does not exist on npm yet (fresh release, not a promotion)"
+          fi
         env:
           TAG_NAME: ${{ github.event.release.tag_name }}
           NODE_AUTH_TOKEN: ${{secrets.NPM_DEPLOY_TOKEN}}