added support for npm prereleases

Open imolorhe opened this issue 1 week ago • 5 comments

Fixes

Checks

  • [ ] Ran yarn test-build
  • [ ] Updated relevant documentations
  • [ ] Updated matching config options in altair-static

Changes proposed in this pull request:

Summary by Sourcery

Add support for publishing prerelease npm packages from non-production workflows and document macOS code signing setup for releases.

CI:

  • Extend reusable npm publish workflow to optionally publish prerelease packages with branch-based tags and invoke it from the PR master workflow in non-production mode.

Documentation:

  • Document macOS code signing requirements and steps for exporting certificates for use in CI/CD pipelines.

Summary by CodeRabbit

  • Chores

    • Added a production toggle with conditional publish vs dry-run and adjusted publish permissions.
    • Consolidated CI into a new central main workflow and removed several legacy workflows.
    • Pinned many CI actions, standardized credential handling (persist-credentials), and introduced explicit per-workflow secrets.
    • Tightened workspace release/dependency policies and added a Dependabot cooldown.
  • Documentation

    • Expanded macOS app signing guidance and clarified Angular migration steps (signing content duplicated).

imolorhe avatar Dec 10 '25 01:12 imolorhe

Reviewer's Guide

Adds support for publishing npm prereleases from CI by parameterizing the publish workflow with a production flag, wiring it into the PR workflow for non-production prerelease publishes, and expands DEV.md with macOS code signing instructions for Apple Developer distribution.

Flow diagram for npm publish production vs prerelease tagging

flowchart TD
  start["Start publish-npm job"] --> get_branch["Get branch name from github.head_ref or github.ref_name"]
  get_branch --> sanitize_branch["Sanitize branch name to SAFE_BRANCH_NAME using sed"]
  sanitize_branch --> check_production["Is inputs.production == true?"]

  check_production -->|Yes| publish_prod["Run: pnpm publish -r --no-git-checks --provenance"]
  check_production -->|No| publish_prerelease["Run: pnpm publish -r --no-git-checks --provenance --tag prerelease-SAFE_BRANCH_NAME"]

  publish_prod --> end_node["End job"]
  publish_prerelease --> end_node

File-Level Changes

Change: Parameterize npm publish workflow to support production vs prerelease publishing and tag prereleases by branch name.
  • Add a boolean production input to the reusable _publish-npm GitHub Actions workflow alongside the existing node_version input for both workflow_call input blocks.
  • Wrap the pnpm publish step in a shell script that derives a safe branch name and conditionally adds a --tag flag when not publishing to production.
  • Use a sanitized version of the current branch name in the prerelease npm dist-tag of the form prerelease-<branch> to isolate prereleases per branch.
Files: .github/workflows/_publish-npm.yml

Change: Wire prerelease npm publishing into the PR-to-master workflow.
  • Introduce a new npm job in pr-master that depends on vars and reuses the _publish-npm workflow.
  • Configure the new job to pass through the resolved node_version from vars and to set production: false so PR builds publish as prereleases.
  • Grant the reusable workflow the required contents and id-token write permissions and inherit repository secrets.
Files: .github/workflows/pr-master.yml

Change: Document macOS code signing setup for Apple notarization and CI usage.
  • Add instructions for enrolling in the Apple Developer Program and setting up required certificates via Xcode.
  • Describe exporting the signing certificates to a .p12 file and capturing the associated password for CI/CD usage.
  • Show how to base64-encode the .p12 file for use in CI variables such as MAC_CERTS and MAC_CERTS_PASSWORD.
Files: DEV.md

Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an issue from a review comment by replying to it. You can also reply to a review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull request title to generate a title at any time. You can also comment @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in the pull request body to generate a PR summary at any time exactly where you want it. You can also comment @sourcery-ai summary on the pull request to (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the pull request to resolve all Sourcery comments. Useful if you've already addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull request to dismiss all existing Sourcery reviews. Especially useful if you want to start fresh with a new review - don't forget to comment @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

  • Contact our support team for questions or feedback.
  • Visit our documentation for detailed guides and information.
  • Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

sourcery-ai[bot] avatar Dec 10 '25 01:12 sourcery-ai[bot]
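The publish step sketched in the Reviewer's Guide above (take the branch name from github.head_ref or github.ref_name, sanitize it, and add a --tag flag only when production is false), as an added shell example written for this page; it is not the project's own _publish-npm.yml step. The sanitization rule (lowercase, any character outside [a-z0-9.-] becomes '-', leading and trailing '-' trimmed), the function names sanitize_branch and build_publish_args, and the refusal to publish when the sanitized name is empty are assumptions of this example. A pull request's branch name is contributor-controlled input to the workflow, which is why the example reads it from an environment variable instead of interpolating it into the script text, and checks the sanitized result before it reaches a command line.

```shell
#!/bin/sh
# Added example for this page; not the Altair project's own _publish-npm.yml step.
# Assumptions: the sanitization rule, the function names and the empty-tag guard
# below are this example's, not the workflow's.
set -u

# Reduce a git branch name to a string that is safe to use as an npm dist-tag:
# lowercase, every character outside [a-z0-9.-] becomes '-', leading and
# trailing '-' are trimmed. (Assumed rule; the real sed expression is not on the page.)
sanitize_branch() {
  printf '%s' "$1" \
    | tr '[:upper:]' '[:lower:]' \
    | sed -e 's/[^a-z0-9.-]/-/g' -e 's/^-*//' -e 's/-*$//'
}

# Build the argument list for `pnpm`, mirroring the two paths in the flow diagram:
#   production=true  -> publish -r --no-git-checks --provenance
#   production=false -> same, plus --tag prerelease-<sanitized branch>
# Prints nothing and returns non-zero when the prerelease tag would be empty, so a
# non-production run can never fall through to an untagged (i.e. "latest") publish.
build_publish_args() {
  production="$1"
  branch="$2"
  args="publish -r --no-git-checks --provenance"
  if [ "$production" = "true" ]; then
    printf '%s\n' "$args"
    return 0
  fi
  safe="$(sanitize_branch "$branch")"
  if [ -z "$safe" ]; then
    echo "refusing to publish: branch name sanitizes to an empty tag" >&2
    return 1
  fi
  printf '%s\n' "$args --tag prerelease-$safe"
}

# Demo: the workflow reads the branch from github.head_ref (pull requests) or
# github.ref_name (pushes). The same precedence is taken here from the environment;
# the fallback branch name is constructed for this example.
PRODUCTION="${PRODUCTION:-false}"
BRANCH="${GITHUB_HEAD_REF:-${GITHUB_REF_NAME:-imolorhe/npm-prereleases}}"
if publish_args="$(build_publish_args "$PRODUCTION" "$BRANCH")"; then
  echo "would run: pnpm $publish_args"
fi
```

Run it with PRODUCTION=false and a branch such as imolorhe/npm-prereleases to see the prerelease tag, and with PRODUCTION=true to see the untagged production form; in a real job the printed arguments would be passed to pnpm instead of echoed.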

[!NOTE]

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Adds a consolidated main CI workflow, a production-aware _publish-npm workflow, pins many GitHub Actions to specific commits, converts top-level permissions to empty objects, introduces new workflow inputs/secrets across deploy/publish workflows, deletes several legacy release workflows, updates pnpm workspace settings, and augments DEV.md with macOS signing and Angular guidance.

Changes

| Cohort | File(s) | Summary |
|---|---|---|
| Orchestrator workflow | .github/workflows/main.yml | Adds a new main workflow coordinating vars, tests, docker, electron, tauri, npm, sites, translate, and release-related jobs with conditional logic, outputs, and secrets propagation. |
| Reusable NPM publish workflow | .github/workflows/_publish-npm.yml | Adds production boolean inputs to workflow_call and workflow_dispatch; sets top-level permissions: {} and job-level contents: write; pins actions to specific commits; adds registry-url to setup-node; updates npm update/verify steps; implements conditional publish flow (full publish when production: true, prerelease/alpha when false). |
| Deleted legacy release & PR workflows | .github/workflows/pr-master.yml, .github/workflows/master.yml, .github/workflows/post-release.yml, .github/workflows/release.yml | Removes these workflows entirely, deleting their triggers, jobs, and steps. |
| Deploy pages & sites (pins & secrets) | .github/workflows/__deploy-pages.yml, .github/workflows/_deploy-sites.yml | Adds Cloudflare secrets as workflow inputs, sets permissions: {}, replaces some GITHUB_TOKEN usage with secrets.github_token, maps explicit secrets into jobs, adds persist-credentials: false to checkout, and pins actions to commit SHAs. |
| Publish helpers (electron/tauri/docker/tests/codeql/etc.) | .github/workflows/_publish-electron.yml, .github/workflows/_publish-tauri.yml, .github/workflows/_push-docker.yml, .github/workflows/_tests.yml, .github/workflows/codeql-analysis.yml, .github/workflows/experimental-release.yml, .github/workflows/firebase-hosting-merge.yml, .github/workflows/firebase-hosting-pull-request.yml | Standardizes public workflow secrets/inputs, converts top-level permissions to {}, pins many actions to exact commit SHAs, adds persist-credentials: false on checkouts, normalizes quoting/case for secrets and cache keys, and adds small outputs (e.g., commit timestamp). |
| PNPM workspace configuration | pnpm-workspace.yaml | Adds catalog keys: minimumReleaseAge: 1440, trustPolicy: no-downgrade, strictDepBuilds: true, onlyBuiltDependencies: [], ignoredBuiltDependencies: []. |
| Dependabot schedule tweak | .github/dependabot.yml | Adds cooldown block with default-days: 7 to throttle Dependabot updates. |
| Developer documentation | DEV.md | Adds duplicated "Signing MacOS app" instructions and expands "Updating angular" with explicit yarn ng update and migration steps. |

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant Dev as Developer (push/dispatch/PR)
  participant GH as GitHub Actions
  participant Main as "main" workflow
  participant Publish as "_publish-npm" workflow
  participant NPM as npm Registry

  Dev->>GH: push / pull_request / workflow_dispatch
  GH->>Main: trigger `main` workflow
  Main->>Publish: call `_publish-npm` (inputs: production, node_version, secrets)
  Publish->>Publish: setup-node (registry-url), update npm, verify auth (npm whoami)
  alt production = true
    Publish->>NPM: pnpm publish -r --no-git-checks --provenance --access public
  else production = false
    Publish->>Publish: bump prerelease using git short SHA
    Publish->>NPM: pnpm publish --tag alpha
  end
  NPM-->>Publish: auth/publish response
  Publish-->>Main: return status & outputs
  Main-->>GH: finalize workflow status

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

  • Review focus:
    • .github/workflows/_publish-npm.yml — conditional publish flow, npm auth/verify sequence, flags (--provenance, access/tag logic).
    • .github/workflows/main.yml — ensure removed workflows' responsibilities are covered, check conditional job triggers and output wiring.
    • Pinned action SHAs and persist-credentials: false impacts across checkout steps.
    • pnpm-workspace.yaml changes for release/dep build behavior.

Possibly related PRs

  • altair-graphql/altair#2892 — Overlaps edits to _publish-npm.yml (npm provenance and publish behavior).
  • altair-graphql/altair#2927 — Related changes to publishing permissions and contents: write in publish jobs.
  • altair-graphql/altair#2907 — Related edits to Cloudflare Pages/site deployment workflows and secret inputs.

Poem

🐰
I hopped through YAML lanes and flipped a publish bit,
I pinned each action tight and tucked the secrets in a kit,
I stitched a main pipeline and swept the old paths clear,
Signed Macs and nudged Angular — then nibbled carrots near,
The CI hums, I twitch my nose — the rabbit’s tiny cheer. 🥕

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The PR title 'added support for npm prereleases' directly matches the main objective: adding npm prerelease publishing capability. It is concise, specific, and highlights the primary change. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai[bot] avatar Dec 10 '25 01:12 coderabbitai[bot]

Summary of Changes

Hello @imolorhe, I'm Gemini Code Assist[^1]! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces comprehensive documentation for the process of signing and notarizing Electron applications for macOS. It outlines the necessary steps from Apple Developer Program enrollment and certificate generation using Xcode, to exporting and securely utilizing these certificates within a CI/CD environment. The added content aims to guide developers through the secure distribution of macOS applications. Please note that the content of this PR is unrelated to the stated title 'added support for npm prereleases'.

Highlights

  • Documentation for macOS Electron App Signing: Added a new, detailed section to DEV.md outlining the complete process for notarizing and signing Electron applications for macOS.
  • Certificate Generation and Export: The documentation now includes steps for enrolling in the Apple Developer Program, generating necessary certificates (Mac Installer Distribution, Developer ID Application, Developer ID Installer) using Xcode, and exporting them from Keychain Access as a .p12 file.
  • CI/CD Integration Guidance: Instructions are provided on how to use the exported .p12 file and its password within a CI/CD pipeline, including base64 commands for encoding the certificate.
  • Discrepancy with PR Title: It is important to note that the changes in this pull request, which focus on macOS Electron app signing documentation, do not align with the pull request title 'added support for npm prereleases'. The title appears to be incorrect for the content provided.
Ignored Files
  • Ignored by pattern: .github/workflows/** (2)
    • .github/workflows/_publish-npm.yml
    • .github/workflows/pr-master.yml
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

| Feature | Command | Description |
|---|---|---|
| Code Review | /gemini review | Performs a code review for the current pull request in its current state. |
| Pull Request Summary | /gemini summary | Provides a summary of the current pull request in its current state. |
| Comment | @gemini-code-assist | Responds in comments when explicitly tagged, both in pull request comments and review comments. |
| Help | /gemini help | Displays a list of available commands. |

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with :thumbsup: and :thumbsdown: on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

[^1]: Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

gemini-code-assist[bot] avatar Dec 10 '25 01:12 gemini-code-assist[bot]

Visit the preview URL for this PR (updated for commit f051cdf):

https://altair-gql--pr2959-imolorhe-npm-prerele-lmzykl0h.web.app

(expires Thu, 18 Dec 2025 18:40:19 GMT)

🔥 via Firebase Hosting GitHub Action 🌎

Sign: 02d6323d75a99e532a38922862e269d63351a6cf

github-actions[bot] avatar Dec 10 '25 01:12 github-actions[bot]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.