ci: align lexicon npmjs publishing with SDK / changesets#48

Merged
aspiers merged 1 commit into hypercerts-org:main from aspiers:update-release-workflows on Dec 31, 2025
Conversation

@aspiers
Contributor

@aspiers aspiers commented Dec 31, 2025

The SDK switched to a release process based on changesets, so switch this repo to the same approach for consistency and compatibility between the two.

Summary by CodeRabbit

  • Chores
    • Adopted a changesets-based release configuration and added scripts to support versioning, prerelease, and publishing flows.
    • Removed legacy semantic-release automation and related release configs.
    • Added CI workflows for PR validation, beta prereleases, and stable releases to validate and publish packages.
    • Enabled weekly Dependabot updates for GitHub Actions.

@coderabbitai

coderabbitai bot commented Dec 31, 2025

Caution

Review failed

The pull request is closed.

📝 Walkthrough

This PR replaces semantic-release with Changesets: adds a Changesets config and scripts, removes semantic-release configs and workflows, and introduces Changesets-based GitHub Actions workflows (release, release-beta, pr-check) plus Dependabot for workflow updates.

Changes

Cohort / File(s) / Summary

Changesets config & package updates
  • .changeset/config.json, package.json
  • Add .changeset/config.json; add scripts changeset, version-packages, release; add devDependencies @changesets/cli and @changesets/changelog-github.

Removed Semantic Release workflows
  • .github/workflows/create-prerelease-lexicon.yml, .github/workflows/create-release-lexicon.yml, .github/workflows/dryrun-release-ci-lexicon.yml
  • Delete three semantic-release GitHub Actions workflows (prerelease, release, dry-run PR validation).

Added Changesets-based workflows
  • .github/workflows/release.yml, .github/workflows/release-beta.yml, .github/workflows/pr-check.yml
  • Add release and prerelease workflows using Changesets and a PR check that requires .changeset/*.md when lexicon/package files change.

Removed Semantic Release configs
  • .releaserc.yaml, .releaserc.prerelease.yaml
  • Remove semantic-release plugin and branch/prerelease configurations.

Repo automation
  • .github/dependabot.yml
  • Add Dependabot config to update GitHub Actions weekly.

Sequence Diagram(s)

%%{init: {"theme":"default","themeVariables":{"actorBorder":"#6B7280","actorBackground":"#F3F4F6","noteBackground":"#FEF3C7","sequenceNumber":"#9CA3AF"}}}%%
sequenceDiagram
    autonumber
    participant Dev as Developer
    participant GH as GitHub Actions
    participant Repo as Repository (Git)
    participant CS as Changesets (CLI/Action)
    participant NPM as NPM Registry

    Dev->>GH: trigger release.yml / release-beta.yml (workflow_dispatch)
    GH->>Repo: checkout (fetch-depth: 0)
    GH->>GH: setup Node.js, run npm ci, npm run check
    alt prerelease preparation
        GH->>Repo: ensure `.changeset/pre.json`, commit if missing
    end
    GH->>CS: run `changeset version` (create version commits)
    GH->>CS: run `changeset publish` (uses NPM_TOKEN / GITHUB_TOKEN)
    CS->>NPM: publish packages (beta or public)
    CS->>Repo: create/version commits (chore: release packages)
    GH->>Repo: push version commits
    GH->>Dev: output published package list / workflow result

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 I hopped through commits with nimble feet,
Changesets snug in my basket, tidy and neat.
Workflows remixed, old releases retired,
New bumps and tags happily inspired. 🥕✨

Pre-merge checks

✅ Passed checks (4 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title 'ci: align lexicon npmjs publishing with SDK / changesets' accurately summarizes the main change—migrating from semantic-release to a changesets-based release process to match the SDK's approach.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Lexicon Documentation Sync: ✅ Passed. PR modifies only CI/CD workflows and release configuration files, excluding lexicon documentation. No lexicon synchronization requirements apply.

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 40ec9d2 and 71765ee.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (11)
  • .changeset/config.json
  • .github/dependabot.yml
  • .github/workflows/create-prerelease-lexicon.yml
  • .github/workflows/create-release-lexicon.yml
  • .github/workflows/dryrun-release-ci-lexicon.yml
  • .github/workflows/pr-check.yml
  • .github/workflows/release-beta.yml
  • .github/workflows/release.yml
  • .releaserc.prerelease.yaml
  • .releaserc.yaml
  • package.json

@aspiers aspiers force-pushed the update-release-workflows branch 4 times, most recently from 0c0642c to 92957b0 Compare December 31, 2025 12:15

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 4

🧹 Nitpick comments (2)
.github/workflows/release-beta.yml (1)

27-35: Document the prerelease mode exit strategy.

The workflow enters beta prerelease mode but never exits it. Once .changeset/pre.json is created, the repository stays in prerelease mode indefinitely until manually exited with npx changeset pre exit.

Consider documenting when and how to exit prerelease mode, or add a separate workflow to handle exiting beta mode when ready to return to regular releases.

.github/workflows/pr-check.yml (1)

34-43: Consider making the grep pattern more robust.

The grep pattern on line 35 uses basic regex alternation (\|) which should work, but could be more explicit. Also, the pattern ^package.json will only match if package.json is at the root, which is correct but worth verifying.

🔎 More explicit alternative using extended regex
       - name: Check for changeset
         run: |
-          if git diff --name-only origin/${{ github.base_ref }}...HEAD | grep -q "^lexicons/\|^types/\|^package.json"; then
+          if git diff --name-only origin/${{ github.base_ref }}...HEAD | grep -qE "^(lexicons/|types/|package\.json)"; then
             if git diff --name-only origin/${{ github.base_ref }}...HEAD | grep -q "^\.changeset/.*\.md$"; then
               echo "Changeset found"
             else
               echo "::warning::No changeset found. Run 'npm run changeset' if this PR includes user-facing changes."
             fi
           else
             echo "No package changes detected"
           fi
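Review bot: the `git diff --name-only origin/${{ github.base_ref }}...HEAD` listing is computed twice, and the changeset test on the third line also counts removed files, because `--name-only` lists deletions; capture the list once with `--diff-filter=d` (lowercase, excludes deleted paths), e.g. `changed=$(git diff --name-only --diff-filter=d origin/${{ github.base_ref }}...HEAD)`, and grep that variable for both checks so a PR that only deletes a `.changeset/*.md` cannot satisfy the gate. The `origin/${{ github.base_ref }}` ref also only resolves if the checkout step fetched the base branch (`fetch-depth: 0` or an explicit `git fetch origin ${{ github.base_ref }}`), which the hunk does not show.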

This uses -E for extended regex with clearer alternation syntax and properly escapes the dot in package.json.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d28e27b and 0c0642c.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (10)
  • .changeset/config.json
  • .github/workflows/create-prerelease-lexicon.yml
  • .github/workflows/create-release-lexicon.yml
  • .github/workflows/dryrun-release-ci-lexicon.yml
  • .github/workflows/pr-check.yml
  • .github/workflows/release-beta.yml
  • .github/workflows/release.yml
  • .releaserc.prerelease.yaml
  • .releaserc.yaml
  • package.json
💤 Files with no reviewable changes (5)
  • .github/workflows/dryrun-release-ci-lexicon.yml
  • .github/workflows/create-prerelease-lexicon.yml
  • .releaserc.yaml
  • .github/workflows/create-release-lexicon.yml
  • .releaserc.prerelease.yaml
🧰 Additional context used
📓 Path-based instructions (1)
!(types)/**/*.{js,ts,tsx,json,md}

📄 CodeRabbit inference engine (AGENTS.md)

Run npm run format with Prettier before committing to ensure consistent code formatting

Files:

  • .changeset/config.json
  • .github/workflows/pr-check.yml
  • .github/workflows/release-beta.yml
  • package.json
  • .github/workflows/release.yml
🧠 Learnings (7)
📓 Common learnings
Learnt from: aspiers
Repo: hypercerts-org/hypercerts-lexicon PR: 34
File: lexicons/org/hypercerts/claim/evaluation.json:45-63
Timestamp: 2025-12-15T10:13:27.945Z
Learning: For the hypercerts-lexicon repository, CI automatically runs `npm run gen-api` and `npm run check` to regenerate TypeScript types and validate lexicon definitions, so manual reminders about running these commands are not needed in code reviews.
Learnt from: aspiers
Repo: hypercerts-org/hypercerts-lexicon PR: 37
File: lexicons/org/hypercerts/funding/receipt.json:1-71
Timestamp: 2025-12-15T15:33:27.052Z
Learning: For the hypercerts-org/hypercerts-lexicon repository, do not comment on Prettier formatting issues in code reviews because they are already reported by the lint workflow, and duplicating the report adds noise to the review.
📚 Learning: 2025-12-11T15:44:24.397Z
Learnt from: CR
Repo: hypercerts-org/hypercerts-lexicon PR: 0
File: coderabbit-custom-pre-merge-checks-unique-id-file-non-traceable-F7F2B60C-1728-4C9A-8889-4F2235E186CA.txt:0-0
Timestamp: 2025-12-11T15:44:24.397Z
Learning: Applies to lexicons/**/*.json : When adding, modifying, or deleting files in lexicons/**/*.json, update README.md to reflect changes (document new lexicons, update modified properties, remove deleted lexicons from documentation)

Applied to files:

  • .changeset/config.json
📚 Learning: 2025-12-15T17:53:11.871Z
Learnt from: CR
Repo: hypercerts-org/hypercerts-lexicon PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-15T17:53:11.871Z
Learning: Applies to lexicons/**/*.json : Update `README.md` documentation when adding or modifying lexicon definitions

Applied to files:

  • .changeset/config.json
📚 Learning: 2025-12-15T17:53:11.871Z
Learnt from: CR
Repo: hypercerts-org/hypercerts-lexicon PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-15T17:53:11.871Z
Learning: Applies to lexicons/**/*.json : Run `npm run check` before committing to validate lexicon syntax and ensure valid lexicon definitions

Applied to files:

  • .github/workflows/pr-check.yml
  • package.json
📚 Learning: 2025-12-15T10:13:27.945Z
Learnt from: aspiers
Repo: hypercerts-org/hypercerts-lexicon PR: 34
File: lexicons/org/hypercerts/claim/evaluation.json:45-63
Timestamp: 2025-12-15T10:13:27.945Z
Learning: For the hypercerts-lexicon repository, CI automatically runs `npm run gen-api` and `npm run check` to regenerate TypeScript types and validate lexicon definitions, so manual reminders about running these commands are not needed in code reviews.

Applied to files:

  • .github/workflows/pr-check.yml
  • package.json
📚 Learning: 2025-12-15T17:53:11.871Z
Learnt from: CR
Repo: hypercerts-org/hypercerts-lexicon PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-15T17:53:11.871Z
Learning: Applies to !(types)/**/*.{js,ts,tsx,json,md} : Run `npm run format` with Prettier before committing to ensure consistent code formatting

Applied to files:

  • package.json
📚 Learning: 2025-12-15T15:33:19.949Z
Learnt from: aspiers
Repo: hypercerts-org/hypercerts-lexicon PR: 37
File: lexicons/org/hypercerts/funding/receipt.json:1-71
Timestamp: 2025-12-15T15:33:19.949Z
Learning: In the hypercerts-lexicon repository, do not comment on Prettier/formatting issues in code reviews since they are reported by the lint workflow. Do not duplicate the lint output in reviews to reduce noise; focus review comments on functional/semantic issues and other non-formatting concerns.

Applied to files:

  • package.json
🔇 Additional comments (3)
package.json (2)

41-43: Changeset scripts are correctly configured.

The new changeset scripts are properly defined and integrate well with the existing workflow. The release script appropriately includes validation before publishing.


55-56: Both changeset dependency versions are current and secure.

@changesets/cli@^2.29.8 and @changesets/changelog-github@^0.5.2 are the latest stable versions as of December 2025. No changes needed.

.github/workflows/pr-check.yml (1)

1-43: PR validation workflow provides good guardrails.

The workflow appropriately validates both code quality (check + lint) and changeset presence, using warnings rather than hard failures for changeset checks. This strikes a good balance between enforcement and flexibility.
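As an added example (not code from the PR or from the hypercerts-lexicon project), here is the changeset gate from pr-check.yml reworked so that the changed-file list is read once, the root package.json is anchored, deleted changesets cannot satisfy the check, and the .changeset/README.md that `changeset init` generates does not count as a changeset; the function names and the constructed file lists are assumptions.

```shell
#!/bin/sh
# Added example, not from the hypercerts-lexicon PR: a changeset gate for a
# PR check. In CI the path list would come from
#   git diff --name-only --diff-filter=d origin/$BASE...HEAD
# (--diff-filter=d drops deleted paths, so removing a changeset cannot pass).
# Here the lists are constructed inline so the script runs offline.

# 0 if any path under lexicons/ or types/, or the root package.json, changed.
touches_package() {
  printf '%s\n' "$1" | grep -qE '^(lexicons/|types/|package\.json$)'
}

# 0 if a real changeset file is present. README.md is generated by
# `changeset init` and must not count; only top-level .changeset/*.md do.
has_changeset() {
  printf '%s\n' "$1" \
    | grep -E '^\.changeset/[^/]+\.md$' \
    | grep -qv '^\.changeset/README\.md$'
}

# Prints "ok", "missing" or "not-needed" for a newline-separated path list.
changeset_status() {
  if ! touches_package "$1"; then
    echo "not-needed"
  elif has_changeset "$1"; then
    echo "ok"
  else
    echo "missing"
  fi
}

# Emits the same messages the workflow step prints; the missing case is a
# ::warning:: annotation, never a hard failure, matching the PR's policy.
report() {
  case "$(changeset_status "$1")" in
    ok)         echo "Changeset found" ;;
    not-needed) echo "No package changes detected" ;;
    missing)    echo "::warning::No changeset found. Run 'npm run changeset' if this PR includes user-facing changes." ;;
  esac
}

# Constructed sample: a lexicon edit accompanied only by the generated README.
sample="$(printf 'lexicons/org/hypercerts/claim/evaluation.json\n.changeset/README.md')"
report "$sample"
```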

@aspiers aspiers force-pushed the update-release-workflows branch 2 times, most recently from f196748 to b3a674a Compare December 31, 2025 17:07

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

♻️ Duplicate comments (2)
.changeset/config.json (1)

2-2: Schema version discrepancy already flagged.

The previous review identified that the $schema references version 3.1.2 but the latest published version was 3.1.1. Please verify and update accordingly.

.github/workflows/release-beta.yml (1)

64-70: GITHUB_TOKEN branch protection concern already flagged.

The previous review noted that the default GITHUB_TOKEN cannot bypass branch protection rules. If main has protection enabled, this push will fail. Consider using a PAT with appropriate permissions or adding the GitHub Actions bot to the allowed bypass actors.

🧹 Nitpick comments (1)
.github/workflows/release-beta.yml (1)

41-49: Consider error handling if prerelease commit fails to push.

If the repository has branch protection on main, the commit at line 48 won't be pushed immediately (it happens later at line 70). However, if the workflow fails between line 48 and line 70, the local commit will be lost and the next run will re-enter prerelease mode, potentially creating duplicate commits.

Consider either:

  1. Pushing the prerelease commit immediately after creating it, or
  2. Checking for existing pre.json more robustly (e.g., via git status rather than just file existence)
📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 92957b0 and b3a674a.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (11)
  • .changeset/config.json
  • .github/dependabot.yml
  • .github/workflows/create-prerelease-lexicon.yml
  • .github/workflows/create-release-lexicon.yml
  • .github/workflows/dryrun-release-ci-lexicon.yml
  • .github/workflows/pr-check.yml
  • .github/workflows/release-beta.yml
  • .github/workflows/release.yml
  • .releaserc.prerelease.yaml
  • .releaserc.yaml
  • package.json
💤 Files with no reviewable changes (5)
  • .github/workflows/create-prerelease-lexicon.yml
  • .releaserc.yaml
  • .github/workflows/dryrun-release-ci-lexicon.yml
  • .releaserc.prerelease.yaml
  • .github/workflows/create-release-lexicon.yml
🚧 Files skipped from review as they are similar to previous changes (2)
  • .github/workflows/release.yml
  • .github/workflows/pr-check.yml
🧰 Additional context used
📓 Path-based instructions (1)
!(types)/**/*.{js,ts,tsx,json,md}

📄 CodeRabbit inference engine (AGENTS.md)

Run npm run format with Prettier before committing to ensure consistent code formatting

Files:

  • .github/dependabot.yml
  • package.json
  • .changeset/config.json
  • .github/workflows/release-beta.yml
🧠 Learnings (6)
📓 Common learnings
Learnt from: aspiers
Repo: hypercerts-org/hypercerts-lexicon PR: 34
File: lexicons/org/hypercerts/claim/evaluation.json:45-63
Timestamp: 2025-12-15T10:13:27.945Z
Learning: For the hypercerts-lexicon repository, CI automatically runs `npm run gen-api` and `npm run check` to regenerate TypeScript types and validate lexicon definitions, so manual reminders about running these commands are not needed in code reviews.
Learnt from: aspiers
Repo: hypercerts-org/hypercerts-lexicon PR: 37
File: lexicons/org/hypercerts/funding/receipt.json:1-71
Timestamp: 2025-12-15T15:33:27.052Z
Learning: For the hypercerts-org/hypercerts-lexicon repository, do not comment on Prettier formatting issues in code reviews because they are already reported by the lint workflow, and duplicating the report adds noise to the review.
📚 Learning: 2025-12-15T10:13:27.945Z
Learnt from: aspiers
Repo: hypercerts-org/hypercerts-lexicon PR: 34
File: lexicons/org/hypercerts/claim/evaluation.json:45-63
Timestamp: 2025-12-15T10:13:27.945Z
Learning: For the hypercerts-lexicon repository, CI automatically runs `npm run gen-api` and `npm run check` to regenerate TypeScript types and validate lexicon definitions, so manual reminders about running these commands are not needed in code reviews.

Applied to files:

  • package.json
📚 Learning: 2025-12-15T17:53:11.871Z
Learnt from: CR
Repo: hypercerts-org/hypercerts-lexicon PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-15T17:53:11.871Z
Learning: Applies to lexicons/**/*.json : Run `npm run check` before committing to validate lexicon syntax and ensure valid lexicon definitions

Applied to files:

  • package.json
  • .github/workflows/release-beta.yml
📚 Learning: 2025-12-15T17:53:11.871Z
Learnt from: CR
Repo: hypercerts-org/hypercerts-lexicon PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-15T17:53:11.871Z
Learning: Applies to !(types)/**/*.{js,ts,tsx,json,md} : Run `npm run format` with Prettier before committing to ensure consistent code formatting

Applied to files:

  • package.json
📚 Learning: 2025-12-15T15:33:19.949Z
Learnt from: aspiers
Repo: hypercerts-org/hypercerts-lexicon PR: 37
File: lexicons/org/hypercerts/funding/receipt.json:1-71
Timestamp: 2025-12-15T15:33:19.949Z
Learning: In the hypercerts-lexicon repository, do not comment on Prettier/formatting issues in code reviews since they are reported by the lint workflow. Do not duplicate the lint output in reviews to reduce noise; focus review comments on functional/semantic issues and other non-formatting concerns.

Applied to files:

  • package.json
📚 Learning: 2025-12-11T15:44:24.397Z
Learnt from: CR
Repo: hypercerts-org/hypercerts-lexicon PR: 0
File: coderabbit-custom-pre-merge-checks-unique-id-file-non-traceable-F7F2B60C-1728-4C9A-8889-4F2235E186CA.txt:0-0
Timestamp: 2025-12-11T15:44:24.397Z
Learning: Applies to lexicons/**/*.json : When adding, modifying, or deleting files in lexicons/**/*.json, update README.md to reflect changes (document new lexicons, update modified properties, remove deleted lexicons from documentation)

Applied to files:

  • .changeset/config.json
🔇 Additional comments (7)
.github/dependabot.yml (1)

1-7: LGTM!

Standard Dependabot configuration for GitHub Actions. Weekly interval and 10-PR limit are sensible defaults for keeping action dependencies up to date without overwhelming maintainers.

package.json (2)

40-43: LGTM! Well-structured release scripts.

The release script correctly chains npm run check before changeset publish, ensuring validation runs before publishing. The prepublishOnly hook provides an additional safety net for direct npm publish invocations.


55-56: Changeset package versions are current. Both @changesets/changelog-github (0.5.2) and @changesets/cli (2.29.8) are at their latest stable releases.

.changeset/config.json (1)

3-13: LGTM! Configuration aligns with the SDK's changeset setup.

The settings are appropriate:

  • GitHub changelog integration with correct repository
  • Public npm access for package publishing
  • main as base branch matches workflow expectations
  • updateInternalDependencies: "patch" is a safe default
.github/workflows/release-beta.yml (3)

1-10: LGTM! Well-structured workflow with appropriate concurrency control.

The workflow trigger, concurrency key, and commented rationale for future automatic triggers are clear and maintainable.


27-32: Good defensive check for manual dispatch.

This branch guard ensures the workflow only pushes version changes to main, even when triggered manually from other branches.


61-62: Validation now runs at line 39.

The previous concern about bypassing npm run check has been addressed—line 39 explicitly runs validation before the version and publish steps execute.
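The review above asks for a more robust check than bare file existence before entering prerelease mode. As an added example (not code from the PR or the project), the guard below reads the "mode" field of .changeset/pre.json, which Changesets leaves in place with "mode": "exit" after `changeset pre exit`; the function names and the constructed sample file are assumptions.

```shell
#!/bin/sh
# Added example, not from the hypercerts-lexicon PR: decide whether a release
# workflow should run `changeset pre enter beta` by reading the "mode" field
# of .changeset/pre.json instead of testing the file's existence. Changesets
# keeps pre.json after `changeset pre exit` with "mode": "exit", so a bare
# `[ -f .changeset/pre.json ]` guard would skip re-entering beta mode and the
# next `changeset version` would cut a stable release. No jq dependency: the
# key/value pair is extracted with sed. Names and the sample are assumptions.

# Prints the value of "mode" from a pre.json path, or "none" if absent.
prerelease_mode() {
  if [ ! -f "$1" ]; then
    echo "none"
    return 0
  fi
  sed -n 's/.*"mode"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# 0 (true) when `changeset pre enter` is required: file absent, or mode != pre.
should_enter_pre() {
  case "$(prerelease_mode "$1")" in
    pre) return 1 ;;
    *)   return 0 ;;
  esac
}

# Demo on a constructed pre.json laid out the way `changeset pre exit` leaves it.
demo_dir="$(mktemp -d)"
printf '{\n  "mode": "exit",\n  "tag": "beta",\n  "initialVersions": {},\n  "changesets": []\n}\n' > "$demo_dir/pre.json"
if should_enter_pre "$demo_dir/pre.json"; then
  echo "mode=$(prerelease_mode "$demo_dir/pre.json"): would run 'npx changeset pre enter beta'"
else
  echo "already in prerelease mode, nothing to do"
fi
rm -rf "$demo_dir"
```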

@aspiers aspiers force-pushed the update-release-workflows branch from b3a674a to 94a1364 Compare December 31, 2025 17:31

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (3)
.github/workflows/release.yml (1)

17-24: Consider SHA-pinning official GitHub actions for consistency.

While the changesets/action is correctly SHA-pinned (line 35), the official GitHub actions (actions/checkout@v4 and actions/setup-node@v4) use floating tags. Although GitHub's official actions are generally trustworthy, SHA-pinning all actions provides consistent supply-chain security across the workflow.

Example SHA pinning for GitHub actions

Find the latest commit SHAs from the respective releases pages:

Then update to:

- uses: actions/checkout@<full-sha> # v4
- uses: actions/setup-node@<full-sha> # v4

Enable Dependabot for GitHub Actions to automate future updates.

.github/workflows/release-beta.yml (2)

50-58: Prerelease mode entry is correct but creates separate commit.

The idempotent check and commit of pre.json works correctly. However, this creates a separate commit from the version changes (which are committed later at line 80). Consider whether entering prerelease mode and versioning should be committed together.

Alternative: defer commit until after versioning
      - name: Enter prerelease mode (if not already)
        run: |
          if [ ! -f .changeset/pre.json ]; then
            npx changeset pre enter beta
-           git config user.name "github-actions[bot]"
-           git config user.email "github-actions[bot]@users.noreply.github.com"
-           git add .changeset/pre.json
-           git commit -m "chore: enter beta prerelease mode"
          fi
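Review bot: the guard `if [ ! -f .changeset/pre.json ]; then` tests existence only, but `changeset pre exit` leaves the file in place with `"mode": "exit"`, so once a beta cycle has been closed this step skips `npx changeset pre enter beta` and the following `changeset version` would cut a stable release from a beta workflow; test the mode field instead (for example `grep -q '"mode": *"pre"' .changeset/pre.json`). Dropping the `git config` and `git commit` lines as suggested is fine only if the final commit step stages `.changeset/` too, since `pre enter` writes pre.json there.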

Then the final commit step (lines 75-81) will include both pre.json and version changes in a single commit. This is optional and depends on whether you prefer separate commits for clarity.


75-81: Final commit and push logic is correct.

The workflow properly commits and pushes version changes using the PAT-authenticated checkout. The conditional commit (git diff --staged --quiet || git commit) handles the case where versioning produces no changes.

For additional safety, consider explicitly staging expected files instead of using git add -A:

-         git add -A
+         git add package.json package-lock.json CHANGELOG.md .changeset/
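Review bot: the explicit list breaks the no-changes case that the `git diff --staged --quiet || git commit` guard was written for: when `changeset version` finds nothing to release, `CHANGELOG.md` is never created, `git add` exits with a pathspec error, and the step's `bash -e` shell aborts the job before the guard runs. Keep `git add -A` and enforce the allowlist afterwards, e.g. fail if `git diff --staged --name-only` lists anything outside `package.json`, `package-lock.json`, `CHANGELOG.md` and `.changeset/`.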

This prevents accidentally committing unexpected files if the CI environment becomes dirty, though the clean checkout makes this unlikely.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b3a674a and 94a1364.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (11)
  • .changeset/config.json
  • .github/dependabot.yml
  • .github/workflows/create-prerelease-lexicon.yml
  • .github/workflows/create-release-lexicon.yml
  • .github/workflows/dryrun-release-ci-lexicon.yml
  • .github/workflows/pr-check.yml
  • .github/workflows/release-beta.yml
  • .github/workflows/release.yml
  • .releaserc.prerelease.yaml
  • .releaserc.yaml
  • package.json
💤 Files with no reviewable changes (5)
  • .releaserc.prerelease.yaml
  • .releaserc.yaml
  • .github/workflows/dryrun-release-ci-lexicon.yml
  • .github/workflows/create-release-lexicon.yml
  • .github/workflows/create-prerelease-lexicon.yml
🚧 Files skipped from review as they are similar to previous changes (3)
  • .github/workflows/pr-check.yml
  • .changeset/config.json
  • .github/dependabot.yml
🧰 Additional context used
📓 Path-based instructions (1)
!(types)/**/*.{js,ts,tsx,json,md}

📄 CodeRabbit inference engine (AGENTS.md)

Run npm run format with Prettier before committing to ensure consistent code formatting

Files:

  • .github/workflows/release-beta.yml
  • package.json
  • .github/workflows/release.yml
🧠 Learnings (5)
📓 Common learnings
Learnt from: aspiers
Repo: hypercerts-org/hypercerts-lexicon PR: 34
File: lexicons/org/hypercerts/claim/evaluation.json:45-63
Timestamp: 2025-12-15T10:13:27.945Z
Learning: For the hypercerts-lexicon repository, CI automatically runs `npm run gen-api` and `npm run check` to regenerate TypeScript types and validate lexicon definitions, so manual reminders about running these commands are not needed in code reviews.
📚 Learning: 2025-12-15T17:53:11.871Z
Learnt from: CR
Repo: hypercerts-org/hypercerts-lexicon PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-15T17:53:11.871Z
Learning: Applies to lexicons/**/*.json : Run `npm run check` before committing to validate lexicon syntax and ensure valid lexicon definitions

Applied to files:

  • .github/workflows/release-beta.yml
  • package.json
📚 Learning: 2025-12-15T17:53:11.871Z
Learnt from: CR
Repo: hypercerts-org/hypercerts-lexicon PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-15T17:53:11.871Z
Learning: Applies to !(types)/**/*.{js,ts,tsx,json,md} : Run `npm run format` with Prettier before committing to ensure consistent code formatting

Applied to files:

  • package.json
📚 Learning: 2025-12-15T10:13:27.945Z
Learnt from: aspiers
Repo: hypercerts-org/hypercerts-lexicon PR: 34
File: lexicons/org/hypercerts/claim/evaluation.json:45-63
Timestamp: 2025-12-15T10:13:27.945Z
Learning: For the hypercerts-lexicon repository, CI automatically runs `npm run gen-api` and `npm run check` to regenerate TypeScript types and validate lexicon definitions, so manual reminders about running these commands are not needed in code reviews.

Applied to files:

  • package.json
📚 Learning: 2025-12-15T15:33:19.949Z
Learnt from: aspiers
Repo: hypercerts-org/hypercerts-lexicon PR: 37
File: lexicons/org/hypercerts/funding/receipt.json:1-71
Timestamp: 2025-12-15T15:33:19.949Z
Learning: In the hypercerts-lexicon repository, do not comment on Prettier/formatting issues in code reviews since they are reported by the lint workflow. Do not duplicate the lint output in reviews to reduce noise; focus review comments on functional/semantic issues and other non-formatting concerns.

Applied to files:

  • package.json
🔇 Additional comments (8)
package.json (1)

40-43: Well-structured changesets integration with validation safety nets.

The scripts provide a clear release workflow: prepublishOnly ensures validation runs before any manual publish, while the release script explicitly chains npm run check before changeset publish for CI pipelines. This dual approach provides good defense-in-depth.

.github/workflows/release.yml (3)

11-14: Appropriate permissions for changesets release workflow.

The id-token: write permission enables npm provenance attestation, which is a recommended security practice for published packages. The other permissions are necessary for the changesets action to create version PRs and manage releases.


28-31: Proper NPM authentication configuration.

The workflow correctly creates .npmrc with the authentication token. Ensure the NPM_TOKEN secret is configured in the repository settings with an npm access token that has publish permissions for the @hypercerts-org scope.


33-46: Changesets action properly configured with SHA pinning.

The action is correctly SHA-pinned (addressing previous security concerns) and configured with appropriate commands. The publish: npm run release ensures validation runs before publishing, and the conditional logging provides useful feedback when packages are published.

.github/workflows/release-beta.yml (4)

20-26: Excellent fail-fast check for required secret.

The explicit check for RELEASE_PAT with a clear error message is a best practice. This provides immediate, actionable feedback if the workflow is run without proper configuration.


27-31: Proper PAT configuration for branch protection bypass.

The checkout step correctly uses the RELEASE_PAT to authenticate git operations, allowing the workflow to commit and push version changes even when branch protection rules are enabled. The inline comment helpfully documents this intent.


60-63: Version packages step properly configured.

The GITHUB_TOKEN is correctly provided to enable changelog generation with PR links when using @changesets/changelog-github.


70-73: Publish step correctly uses npm run release for validation.

Using npm run release ensures consistency with the regular release workflow and validates generated types before publishing. Note that validation also runs at line 48 before versioning, so the second validation (embedded in line 73) provides defense-in-depth but may be redundant if lexicons don't change during versioning.

@aspiers aspiers force-pushed the update-release-workflows branch from 94a1364 to 40ec9d2 Compare December 31, 2025 17:45

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (2)
.github/workflows/release.yml (2)

17-17: Consider SHA-pinning all actions for consistency and security.

You addressed the supply-chain risk for changesets/action by pinning to a full SHA (line 35), but actions/checkout@v4 and actions/setup-node@v4 still use floating tags. For consistency and maximum security—especially in a release workflow with write permissions and access to NPM_TOKEN—pin these actions to their full commit SHAs as well.

🔎 Example of SHA-pinned actions
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@<full-commit-sha> # v4.x.x
        with:
          fetch-depth: 0
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@<full-commit-sha> # v4.x.x
        with:
          node-version: 20
          cache: "npm"
          registry-url: "https://registry.npmjs.org"
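Review bot: with `registry-url: "https://registry.npmjs.org"` set, actions/setup-node already writes an `.npmrc` (outside the workspace) that reads the token from `NODE_AUTH_TOKEN`, so the separate step that creates `.npmrc` with the token, described in the earlier comment on lines 28-31, duplicates it; keep one mechanism, preferably `NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}` in the publish step's `env`, so the secret is never written into the checked-out tree. When replacing `@v4` with a full SHA, keep the trailing `# v4.x.x` comment accurate, since Dependabot reads it to track the version.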

Find the SHAs from the official GitHub Actions repositories' release/tag pages. Dependabot (already configured per .github/dependabot.yml) can automate future updates.

Also applies to: 20-20


11-14: Explicitly enable npm provenance or clarify the id-token permission.

You grant id-token: write permission (line 14), which is typically used for npm provenance. However, provenance is not explicitly enabled in the workflow. To ensure packages are published with provenance signatures, set the NPM_CONFIG_PROVENANCE environment variable:

🔎 Proposed addition for provenance
      - name: Create Release Pull Request or Publish
        id: changesets
        uses: changesets/action@e0145edc7d9d8679003495b11f87bd8ef63c0cba # v1.5.3
        with:
          publish: npm run release
          version: npm run version-packages
          title: "chore: release packages"
          commit: "chore: release packages"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+         NPM_CONFIG_PROVENANCE: true
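Review bot: placing `NPM_CONFIG_PROVENANCE: true` in the step's `env:` is the right spot, because the `npm publish` that `changeset publish` spawns inherits it; note that npm refuses to publish, rather than silently skipping provenance, when the variable is set but an attestation cannot be produced, which needs the `id-token: write` permission from line 14 and a public package (the `access: public` setting in `.changeset/config.json` covers that), so exercise it on a beta release before relying on it for a stable one.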

If provenance is not needed, consider removing the id-token: write permission to follow the principle of least privilege.

Also applies to: 33-42

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 94a1364 and 40ec9d2.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (11)
  • .changeset/config.json
  • .github/dependabot.yml
  • .github/workflows/create-prerelease-lexicon.yml
  • .github/workflows/create-release-lexicon.yml
  • .github/workflows/dryrun-release-ci-lexicon.yml
  • .github/workflows/pr-check.yml
  • .github/workflows/release-beta.yml
  • .github/workflows/release.yml
  • .releaserc.prerelease.yaml
  • .releaserc.yaml
  • package.json
💤 Files with no reviewable changes (5)
  • .releaserc.yaml
  • .github/workflows/create-release-lexicon.yml
  • .github/workflows/dryrun-release-ci-lexicon.yml
  • .releaserc.prerelease.yaml
  • .github/workflows/create-prerelease-lexicon.yml
🚧 Files skipped from review as they are similar to previous changes (5)
  • package.json
  • .changeset/config.json
  • .github/workflows/pr-check.yml
  • .github/dependabot.yml
  • .github/workflows/release-beta.yml
🧰 Additional context used
📓 Path-based instructions (1)
!(types)/**/*.{js,ts,tsx,json,md}

📄 CodeRabbit inference engine (AGENTS.md)

Run npm run format with Prettier before committing to ensure consistent code formatting

Files:

  • .github/workflows/release.yml
🧠 Learnings (1)
📓 Common learnings
Learnt from: aspiers
Repo: hypercerts-org/hypercerts-lexicon PR: 34
File: lexicons/org/hypercerts/claim/evaluation.json:45-63
Timestamp: 2025-12-15T10:13:27.945Z
Learning: For the hypercerts-lexicon repository, CI automatically runs `npm run gen-api` and `npm run check` to regenerate TypeScript types and validate lexicon definitions, so manual reminders about running these commands are not needed in code reviews.
Learnt from: aspiers
Repo: hypercerts-org/hypercerts-lexicon PR: 37
File: lexicons/org/hypercerts/funding/receipt.json:1-71
Timestamp: 2025-12-15T15:33:27.052Z
Learning: For the hypercerts-org/hypercerts-lexicon repository, do not comment on Prettier formatting issues in code reviews because they are already reported by the lint workflow, and duplicating the report adds noise to the review.
🔇 Additional comments (1)
.github/workflows/release.yml (1)

1-46: Excellent release workflow setup with Changesets integration!

The workflow is well-structured and follows best practices:

✅ Properly scoped permissions (contents, pull-requests, id-token)
✅ Concurrency control prevents conflicting releases
✅ Validation step (npm run check) before publishing
✅ Full git history fetched for changelog generation
✅ SHA-pinned changesets/action (addressing the previous security concern)
✅ Clear logging of published packages
✅ Aligns with PR objectives (consistency with SDK)

The workflow appropriately uses workflow_dispatch for manual, controlled releases, and the Changesets configuration (publish, version commands, commit messages) follows the standard pattern.

The SDK switched to a release process based on changesets, so
switch this repo to the same approach for consistency and
compatibility between the two.
@aspiers aspiers force-pushed the update-release-workflows branch from 40ec9d2 to 71765ee Compare December 31, 2025 17:59
@aspiers aspiers merged commit 5ed9a90 into hypercerts-org:main Dec 31, 2025
3 of 4 checks passed
@aspiers aspiers deleted the update-release-workflows branch December 31, 2025 18:01
@coderabbitai coderabbitai bot mentioned this pull request Jan 29, 2026