Summary
The `production-release.yml` workflow publishes the package to NPM, GitHub Packages, and S3 without running lint or tests in any of its publish jobs. While `build.yml` runs tests on push events independently, there is no hard dependency between the two workflows, meaning untested code can be released.
Affected Files
- `.github/workflows/production-release.yml` (lines 42-60, `publish-npm` job; lines 19-40, `publish-github` job)
- `.github/workflows/build.yml` (independent workflow, no cross-workflow dependency)
Impact
Risk Level: Medium-High
Since `capture-eye` is a web component loaded via CDN (`@latest` tag) on third-party websites, publishing broken or untested code has amplified impact:
- A version bump pushed directly to `main` (bypassing PR review) triggers `production-release.yml` without any test gate
- If `build.yml` fails but `version-check` passes, the release proceeds; both workflows run independently
- The `purge-cdn-cache` step (lines 62-69) has `continue-on-error: true`, so even CDN purge failures don't halt the pipeline
- Published code reaches NPM + GitHub Packages + S3 + jsdelivr CDN simultaneously
Current Behavior
```yaml
# production-release.yml publish-npm job (lines 42-60):
steps:
  - uses: actions/checkout@v4
  - uses: actions/setup-node@v4
  - run: npm ci
  - run: npm run build   # Only build, no lint or test
  - run: npm publish
```
Suggested Fix
Add lint and test steps to the publish jobs, or better, add a dedicated test job that all publish jobs depend on:
```yaml
test:
  needs: version-check
  if: needs.version-check.outputs.changed == 'true'
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@v4
    - uses: actions/setup-node@v4
      with:
        node-version: 20
        cache: 'npm'
    - run: npm ci
    - run: npm run lint
    - run: npm run build
    - run: npx playwright install
    - run: npm run test

publish-github:
  needs: [version-check, test]   # Add test dependency
  ...

publish-npm:
  needs: [version-check, test]   # Add test dependency
  ...
```
Also consider enabling branch protection rules on `main` to require the `build.yml` workflow to pass before merges.
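The gap described in this issue is a property of the job graph, so it can be checked mechanically. The following is an added example (not code from the capture-eye project) that walks a workflow's jobs, finds every job that runs `npm publish`, and reports it unless the job itself or one of its transitive `needs` ancestors runs the test suite; it also flags steps marked `continue-on-error: true`. The two workflow dicts are constructed by hand to mirror the shape this issue describes (the "current" layout and the suggested fix) in the form a YAML loader would produce; the `version-check` step body, the purge command and the `jobs`/`steps` key layout beyond what the issue quotes are assumptions.

```python
"""Audit a GitHub Actions job graph for publish jobs that have no test gate.

Added example, not project code. Workflows are hand-built dicts shaped like
the output of a YAML loader; anything not quoted in the issue is assumed.
"""
from typing import Dict, List, Set

PUBLISH_MARKERS = ("npm publish",)
TEST_MARKERS = ("npm run test", "npm test")


def _runs(step: dict, markers) -> bool:
    """True if a `run:` step's command contains any of the markers."""
    return any(m in step.get("run", "") for m in markers)


def _needs(job: dict) -> List[str]:
    """Normalise `needs:` (scalar or list) to a list of job ids."""
    needs = job.get("needs", [])
    return [needs] if isinstance(needs, str) else list(needs)


def upstream(jobs: Dict[str, dict], name: str) -> Set[str]:
    """Transitive closure of `needs` for one job (cycle-safe)."""
    seen: Set[str] = set()
    stack = _needs(jobs[name])
    while stack:
        dep = stack.pop()
        if dep in seen or dep not in jobs:
            continue
        seen.add(dep)
        stack.extend(_needs(jobs[dep]))
    return seen


def job_runs_tests(job: dict) -> bool:
    return any(_runs(s, TEST_MARKERS) for s in job.get("steps", []))


def audit_publish_gates(workflow: dict) -> List[str]:
    """Return one finding per ungated publish job and per continue-on-error step."""
    jobs = workflow.get("jobs", {})
    findings: List[str] = []
    for name, job in jobs.items():
        steps = job.get("steps", [])
        if any(_runs(s, PUBLISH_MARKERS) for s in steps):
            gated = job_runs_tests(job) or any(
                job_runs_tests(jobs[u]) for u in upstream(jobs, name)
            )
            if not gated:
                findings.append(f"{name}: publishes without a test gate (needs={_needs(job)})")
        for s in steps:
            if s.get("continue-on-error") is True:
                label = s.get("name") or s.get("run", "?")
                findings.append(f"{name}: step '{label}' has continue-on-error: true")
    return findings


# Constructed: the layout this issue describes (publish jobs depend only on version-check).
_PUBLISH_STEPS = [
    {"uses": "actions/checkout@v4"},
    {"uses": "actions/setup-node@v4"},
    {"run": "npm ci"},
    {"run": "npm run build"},
    {"run": "npm publish"},
]
CURRENT_WORKFLOW = {
    "jobs": {
        "version-check": {"steps": [{"run": "echo 'changed=true' (assumed placeholder)"}]},
        "publish-github": {"needs": "version-check", "steps": list(_PUBLISH_STEPS)},
        "publish-npm": {"needs": "version-check", "steps": list(_PUBLISH_STEPS)},
        "purge-cdn-cache": {
            "needs": ["publish-npm"],
            "steps": [{"name": "purge jsdelivr", "run": "echo purge (placeholder)",
                       "continue-on-error": True}],
        },
    }
}

# Constructed: the suggested fix, a dedicated test job that both publish jobs need.
FIXED_WORKFLOW = {
    "jobs": {
        "version-check": CURRENT_WORKFLOW["jobs"]["version-check"],
        "test": {
            "needs": "version-check",
            "steps": [{"run": "npm ci"}, {"run": "npm run lint"},
                      {"run": "npm run build"}, {"run": "npm run test"}],
        },
        "publish-github": {"needs": ["version-check", "test"], "steps": list(_PUBLISH_STEPS)},
        "publish-npm": {"needs": ["version-check", "test"], "steps": list(_PUBLISH_STEPS)},
        "purge-cdn-cache": CURRENT_WORKFLOW["jobs"]["purge-cdn-cache"],
    }
}

if __name__ == "__main__":
    for title, wf in (("current", CURRENT_WORKFLOW), ("fixed", FIXED_WORKFLOW)):
        print(f"== {title} ==")
        for f in audit_publish_gates(wf) or ["no findings"]:
            print("  " + f)
```

Against the current layout the audit reports both publish jobs and the `continue-on-error` purge step; against the fixed layout only the purge step remains, which matches the issue's point that the test gate is a graph dependency, not a matter of which workflow happens to run first.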