Right now, since we're using `npm publish` instead of `pnpm publish`,
the `^workspace:` specifier in our `package.json` file won't work.
We're also not publishing a `@mermaid-js/parser` package.
Instead, we can use `pnpm pack` to create a `.tgz` that `npm publish`
can upload.
We can also use `bundledDependencies` to include the
`@mermaid-js/parser` package, in case the latest preview version of
mermaid requires new changes to that package.
If we don't have the `id-token: write` permission, there's no way we can
accidentally write to NPM!
But we still need `packages: write` to write to GitHub Packages.
Currently, `npm publish` runs `pnpm docs:verify-version`, which might
possibly fail if there are any `<MERMAID_RELEASE_VERSION>` placeholders
in our docs.
I've made a new environment variable, `ONLY_WARN_ON_VERIFY_ERROR`, that
can be used to disable this behaviour, allowing us to publish release
previews.
In a pull_request_target workflow, github.sha resolves to the base
branch HEAD (develop), not the PR head commit. This causes a
'fatal: bad object' error on fork PRs because the upstream develop
HEAD does not exist in the fork's cloned history. The script exits
immediately (set -e), the issues array is never populated, and every
fork PR touching pnpm-lock.yaml gets a blank 'Lockfile Validation
Failed' comment as a false positive.
Replace github.sha with github.event.pull_request.head.sha so the
diff correctly compares the PR base against the PR head.
The actions/checkout step above already uses pull_request.head.sha,
so this change also improves consistency.
GitHub does not expose repository variables (vars.*) to workflows
triggered by pull requests from forks. The previous logic required
E2E_SCOPE_BY_DIAGRAM == 'true' to enable scoping, which meant every
fork PR fell back to the full 5-container suite.
Flip the logic: scoping is now ON by default. The repository variable
acts as a kill-switch — set it to 'false' to disable scoping. When
the variable is unavailable (fork PRs) the expression evaluates to
'true', preserving scoped runs for external contributors.
Add IGNORABLE_PREFIXES and IGNORABLE_SUFFIXES to the e2e scope detection
script so that PRs touching only documentation, changesets, AI config, or
other non-rendering files skip e2e entirely instead of triggering the full
5-container Cypress suite.
Changes:
- Add SKIP sentinel return value to detectScope() for ignorable-only PRs
- Add ignorable file detection (docs, changesets, .claude/, assistant/, etc.)
- Update e2e.yml workflow to skip the e2e job when SKIP is returned
- Update local runner (run-e2e-scoped.ts) to handle SKIP
- Upgrade @argos-ci/cypress to ^6.3.3 for ARGOS_SUBSET support
- Add 9 new test cases covering docs-only, mixed, and skip scenarios
This was done by running
`npx prettier --write .github/workflows/release-preview-publish.yml`.
The autofix CI job doesn't push changes to the `.github` folder to
prevent an infinite loop.
Did some research into the CodeQL envvar-injection-critical guidance
(https://codeql.github.com/codeql-query-help/actions/actions-envvar-injection-critical/)
and wanted to add this additional change to prevent shell injection
through attacker-controllable values like ref names and workflow inputs,
and to prevent unexpected behavior from special characters in secret values.
Before: echo ${REF_NAME}
After: echo "${REF_NAME}"
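
What the quoting change above alters at the shell level, as an added example that is not code from the commit or the project: an unquoted expansion is word-split and glob-expanded before the command sees it, while the quoted form always passes exactly one argument. `REF_NAME` is the variable from the commit message; the helper names and sample values are constructed.

```shell
# Added illustration, not from the mermaid repository.
# REF_NAME is the variable named in the commit message; every other name
# and all sample values below are constructed for this example.

# Print how many arguments the caller passed.
count_args() { echo "$#"; }

# "Before" form: unquoted, so the shell word-splits the value and expands globs.
before_argc() (
  REF_NAME="$1"
  # shellcheck disable=SC2086  # unquoted on purpose
  count_args ${REF_NAME}
)

# "After" form: quoted, so the value always arrives as exactly one argument.
after_argc() (
  REF_NAME="$1"
  count_args "${REF_NAME}"
)

# Run both forms in a scratch directory holding two files, so that the
# glob in the sample value has something to match.
demo_counts() (
  dir="$(mktemp -d)" || exit 1
  touch "$dir/a.txt" "$dir/b.txt"
  cd "$dir" || exit 1
  value='release notes *.txt'   # constructed value with spaces and a glob
  echo "$(before_argc "$value") $(after_argc "$value")"
  cd / && rm -rf "$dir"
)

demo_counts   # prints "4 1"
```

An empty value shows the other edge: unquoted it disappears entirely (zero arguments), quoted it is still passed as one empty argument.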
Fixes a semantic merge conflict in
`packages/parser/tests/architecture.test.ts` due to Langium v4
changing the `Architecture` value to `Architecture.$type`.
Conflicts:
package.json
pnpm-lock.yaml
Fixes conflicts due to the `import packageJson from './package.json'`
statements getting removed.
Conflicts:
packages/mermaid/src/diagrams/info/infoDb.ts
packages/mermaid/src/mermaidAPI.ts