ops(release) : Simplify release publishing

[luanvdw]

Summary

• Replace the prepare-then-publish flow with a single Publish CLI workflow that owns official beta and main dev releases.
• Publish official betas to @prisma/cli@latest, publish every successful main build to @prisma/cli@dev, and publish same-repo PR previews through pkg.pr.new.
• Stop committing release-version bump PRs by injecting the publish version into the staged package at publish time.
• Move release version resolution into a tested script used by the workflows.
• Update docs and package metadata for the @preview -> primary @prisma/cli transition.

Operational Notes

• PR preview publishing is best-effort until the pkg.pr.new GitHub App is installed for this repository.
• After pkg.pr.new is installed, set the repository variable CLI_PR_PREVIEW_REQUIRED=true to make preview publish failures block CI.
• Current CodeQL timeout appears to be GitHub/GHAS infrastructure noise: CodeQL reports no new alerts in changed code.

Validation

• pnpm --filter @prisma/cli exec vitest run tests/resolve-cli-version.test.ts tests/publish-prep.test.ts
• pnpm --filter @prisma/cli test (rerun outside sandbox for localhost-binding auth callback tests)
• pnpm --filter @prisma/cli build
• node scripts/resolve-cli-version.mjs dev --sha abcdef1234567890 --run-number 123 --run-attempt 2
• node scripts/resolve-cli-version.mjs pr --sha f1110dd704a9382c429b --pr-number 43
• node scripts/resolve-cli-version.mjs next-beta --latest 3.0.0-beta.0
• workflow YAML parse
• staged package dry-run and tarball smoke install from the earlier PR pass

[coderabbitai]

Warning

Review limit reached

@luanvdw, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 24 minutes and 46 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: cb3901db-d6b6-424c-9d35-7aff35d218af

📥 Commits

Reviewing files that changed from the base of the PR and between f1110dd and 225034b.

📒 Files selected for processing (9)

• .github/workflows/preview-cli-package.yml
• .github/workflows/publish-cli.yml
• CONTRIBUTING.md
• README.md
• docs/architecture/adrs/0001-preview-package-and-publishing.md
• docs/architecture/adrs/0002-workflow-command-model.md
• docs/product/command-spec.md
• packages/cli/tests/resolve-cli-version.test.ts
• scripts/resolve-cli-version.mjs

Walkthrough

This PR restructures the Prisma CLI release process from a "preview" phase to an official "beta" phase. It replaces the manual prepare-cli-release workflow with automated CI-driven publishing that computes the next beta version from npm's latest dist-tag, publishes to the latest channel, and adds a new PR-triggered preview workflow. The publish script is enhanced to accept an explicit version override, and all documentation is updated to reflect the new "beta" terminology and three-channel distribution model (official beta, dev, and PR previews).

Changes

Publishing Workflow and Version Management

Layer / File(s)	Summary
CLI publish script version override support scripts/prepare-cli-publish.mjs, packages/cli/tests/publish-prep.test.ts	stageCliPublishPackage() now accepts options.publishVersion to override the manifest version. New parseCliArgs() helper parses output directory and supports --version <value> / --version=<value> CLI arguments, with fallback to CLI_PUBLISH_VERSION environment variable.
Publish CLI workflow restructure .github/workflows/publish-cli.yml	Renamed from "Release CLI" to "Publish CLI". Adds push trigger for automatic dev-channel publishing on main, alongside manual workflow_dispatch for official beta releases. Dev mode computes 3.0.0-dev...sha... versions. Official mode resolves the next 3.0.0-beta.N by reading npm's dist-tags.latest and incrementing the minor beta number. Both modes pass the computed version to the publish script and publish to npm with appropriate dist-tags (dev or latest).
PR preview workflow for same-repo PRs .github/workflows/preview-cli-package.yml, package.json	New workflow triggered on PR open/synchronize/reopen that computes a 3.0.0-pr.<pr#>.sha<shortSHA> version string, runs tests/build, stages the package, and publishes to pkg.pr.new with best-effort retry. Gated by repo ownership check. Adds pkg-pr-new dev dependency.
Publish-prep tests for version injection packages/cli/tests/publish-prep.test.ts	Local createTempCwd() replaces shared helper. Test metadata updated to 3.0.0-development with "Beta" description. New test case verifies injected publishVersion overrides the staged manifest.
CLI package version and metadata packages/cli/package.json	Version bumped from 3.0.0-alpha.14 to 3.0.0-development. Description updated to "Beta of the unified Prisma CLI".

Documentation and Branding: Preview to Beta

Layer / File(s)	Summary
Architecture ADRs and overview docs/architecture/adrs/0001-preview-package-and-publishing.md, docs/architecture/adrs/0002-workflow-command-model.md, docs/architecture/adrs/README.md, docs/architecture/overview.md, docs/architecture/package-structure.md	ADR 0001 retitled to "Package Channels And Publishing"; rewritten to document latest dist-tag for official beta releases, CI-injected versioning, and three-channel model (@prisma/cli beta, @prisma/cli@dev, PR previews). ADR 0002 updated to reference "beta implementation". ADR index row updated with new package selection rules. Constraints section renamed "Public Preview Constraints" → "Public Beta Constraints".
Product documentation: command spec and resource model docs/product/command-spec.md, docs/product/resource-model.md	Command spec updated to describe public beta surface. Example prisma-cli version output shows 3.0.0-beta.0. CLI package references changed from preview to beta. Resource model updated to reference beta command model for app selection, environment variables, and schema/database scoping. Beta-specific constraint added: package must not redefine project/branch in a way that complicates future workflows.
Glossary and terminology updates docs/reference/glossary.md	Glossary definitions for Schema and Database updated to reference beta package. Package-terminology section restructured: removed single Preview package, added Beta package, Dev package, and PR preview package. Terminology alignment table updated to prefer @prisma/cli and @prisma/cli@dev naming; @prisma/cli@preview avoidance line removed.
Main README and contributing guide README.md, CONTRIBUTING.md	README install example changed from @prisma/cli@preview to plain @prisma/cli. Command-model and community guidance updated to "public beta". Publishing section rewritten to describe Publish CLI workflow, version handling via CI, release channels (latest, @prisma/cli@dev, PR previews), and dry-run checklist. CONTRIBUTING.md replaces "Package Preview" with "Package Channels" section documenting dist-tags, same-repo PR behavior, and pkg.pr.new GitHub App requirement.
Example applications and package documentation packages/cli/README.md, examples/hello-world/*, examples/next-smoke/*	CLI package README installs without @preview tag, uses "Beta" branding. hello-world example removes @preview pin, updates validation to "beta build flow", changes server message to "Hello from the Prisma CLI beta!". next-smoke example metadata and README updated to reference CLI beta.
Security policy documentation SECURITY.md	New file defining security reporting policy: no public GitHub issues, report to security@prisma.io with affected versions, reproduction, and impact; disclosure and remediation coordinated through security channel.

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main operational change: simplifying the release publishing process by consolidating multiple workflows into a single 'Publish CLI' workflow.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	The pull request description clearly outlines the changes: replacing prepare-then-publish with a single workflow, updating release channels, stopping version bump PRs, and updating documentation for preview-to-beta transition.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ops/cli-release-flow

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch ops/cli-release-flow

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 5

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

docs/architecture/adrs/0002-workflow-command-model.md (1)

21-27: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Resolve command-group contract mismatch with command spec.

This ADR says the beta includes only auth, project, branch, and app, but docs/product/command-spec.md includes git in-scope for beta. Keep one canonical set to avoid contradictory contributor guidance.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/architecture/adrs/0002-workflow-command-model.md` around lines 21 - 27,
The ADR currently lists beta command groups as `auth`, `project`, `branch`, and
`app` but the command spec (`docs/product/command-spec.md`) also lists `git`;
pick one canonical source and make them consistent: either add `git` to the beta
groups in 0002-workflow-command-model.md (updating the bullet list and any
descriptive text) or remove `git` from the beta scope in command-spec.md; also
add a short line to the chosen canonical document indicating "This file is
authoritative for beta command group scope" so future contributors know which
source to update.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/preview-cli-package.yml:
- Around line 67-69: The summary always prints "- Package checks: passed"
unconditionally; change the echo to reflect the actual outcome of the
package-check step (use the step output/outcome instead of a hardcoded "passed")
so the summary shows real status (e.g., reference the package check step's name
like steps.package_checks.outcome or its outputs) and update the line that
currently echoes "- Package checks: passed" to conditionally print the actual
outcome or a failure message using the step outcome variable.
- Around line 23-25: Update the GitHub Actions checkout step that uses
actions/checkout@v5 to explicitly set persist-credentials: false; in the
workflow block where the step currently only specifies ref: ${{
github.event.pull_request.head.sha }}, add the key persist-credentials: false to
prevent the checked-out PR code from receiving push credentials.
- Around line 23-31: Update the workflow to pin the three GitHub Actions to
immutable commit SHAs instead of floating tags for actions/checkout,
pnpm/action-setup and actions/setup-node (replace the tag references in the
corresponding uses lines with their commit SHA values), set persist-credentials:
false on the actions/checkout step to avoid leaving credentials persisted, and
change the "Summarize PR preview publish" step so its output reflects real
success/failure (use a conditional or pass a status variable from earlier steps
rather than always printing "Package checks: passed")—target the
actions/checkout step, the pnpm/action-setup and actions/setup-node uses, and
the "Summarize PR preview publish" step to implement these changes.

In @.github/workflows/publish-cli.yml:
- Around line 28-34: Replace the floating major-version tags with pinned commit
SHAs for each GitHub Action used: update actions/checkout@v5,
pnpm/action-setup@v5, and actions/setup-node@v6 (and their second occurrences
later in the file) to their corresponding immutable commit SHA references;
locate the action usages by the identifiers "actions/checkout",
"pnpm/action-setup", and "actions/setup-node" and substitute "`@vX`" with the
specific full SHA (e.g., "@<full-commit-sha>") to ensure immutable,
supply-chain-safe references.
- Around line 28-29: Add the persist-credentials: false option to both uses:
actions/checkout@v5 steps in the publish-cli.yml workflow (the two checkout
occurrences) so Git credentials are not left writable in the workspace; locate
the two steps that reference "uses: actions/checkout@v5" and add the
persist-credentials: false key under each checkout step's configuration.

---

Outside diff comments:
In `@docs/architecture/adrs/0002-workflow-command-model.md`:
- Around line 21-27: The ADR currently lists beta command groups as `auth`,
`project`, `branch`, and `app` but the command spec
(`docs/product/command-spec.md`) also lists `git`; pick one canonical source and
make them consistent: either add `git` to the beta groups in
0002-workflow-command-model.md (updating the bullet list and any descriptive
text) or remove `git` from the beta scope in command-spec.md; also add a short
line to the chosen canonical document indicating "This file is authoritative for
beta command group scope" so future contributors know which source to update.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 69f543ed-9de2-4fe8-b96c-97f988b55a03

📥 Commits

Reviewing files that changed from the base of the PR and between 64bc9e2 and f1110dd.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (23)

• .github/workflows/prepare-cli-release.yml
• .github/workflows/preview-cli-package.yml
• .github/workflows/publish-cli.yml
• CONTRIBUTING.md
• README.md
• SECURITY.md
• docs/architecture/adrs/0001-preview-package-and-publishing.md
• docs/architecture/adrs/0002-workflow-command-model.md
• docs/architecture/adrs/README.md
• docs/architecture/overview.md
• docs/architecture/package-structure.md
• docs/product/command-spec.md
• docs/product/resource-model.md
• docs/reference/glossary.md
• examples/hello-world/README.md
• examples/hello-world/server.ts
• examples/next-smoke/README.md
• examples/next-smoke/app/layout.tsx
• package.json
• packages/cli/README.md
• packages/cli/package.json
• packages/cli/tests/publish-prep.test.ts
• scripts/prepare-cli-publish.mjs

💤 Files with no reviewable changes (1)

• .github/workflows/prepare-cli-release.yml