feat: add NPM preview release workflow and fix CI permissions #7468

Closed
paulbalaji wants to merge 2 commits into main from pbio/npm-preview-release-workflow

Collaborator

@paulbalaji paulbalaji commented Nov 26, 2025

Summary

  • Add NPM preview release workflow for publishing snapshot/preview releases
  • Add changeset snapshot configuration
  • Fix CI permissions issue where workflows wouldn't trigger on changesets/release PRs (both NPM and Rust)
  • Add title override to changesets action so PRs pass PR title lint

NPM Preview Release Workflow

New workflow that allows publishing preview releases to NPM:

  • Trigger: Manual dispatch (workflow_dispatch) from GitHub Actions UI
  • Dist-tags: beta, alpha, rc, preview
  • Version format: {baseVersion}-{tag}.{gitSha} (e.g., 19.10.0-beta.abc1234)
  • Branch policy: Can be triggered from any branch
  • Output: Creates GitHub pre-release with installation instructions

Usage

  1. Go to Actions → "NPM Preview Release"
  2. Click "Run workflow"
  3. Select the branch and dist-tag
  4. The workflow will:
    • Create snapshot versions using changesets
    • Build all packages
    • Publish to NPM with the selected dist-tag
    • Create a GitHub pre-release

Installation

After running, users can install preview packages:

npm install @hyperlane-xyz/sdk@beta
npm install @hyperlane-xyz/cli@beta

CI Permissions Fix

Both NPM and Rust release workflows now use a GitHub App token instead of GITHUB_TOKEN. This fixes the issue where merging/pushing release PRs wouldn't trigger other CI workflows.

Setup Required

  1. Create a GitHub App with:

    • Name: hyperlane-release-bot (or similar)
    • Permissions:
      • Contents: Read & Write
      • Pull requests: Read & Write
  2. Install the app on this repository

  3. Add these repository secrets:

    • HYPERLANE_GITHUB_APP_ID: The App ID from the app's settings
    • HYPERLANE_GITHUB_APP_PRIVATE_KEY: Generate and download a private key

Test plan

  • Verify NPM preview release workflow appears in Actions tab
  • Create GitHub App and add secrets
  • Test preview release workflow on a non-main branch
  • Verify the generated GitHub release has correct installation instructions
  • Verify changesets PR creation still works
  • Verify Rust release PR creation still works
  • Verify CI triggers when changesets/release PRs are pushed

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Configured snapshot versioning for preview NPM package releases
    • Enhanced CI/CD workflows with GitHub App token authentication for improved release security
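
Added example, not part of the PR or its workflow file: one way to validate the manually supplied dist-tag and build the {baseVersion}-{tag}.{gitSha} version string described above before anything reaches the publish step. The function names matches, is_allowed_tag and preview_version are hypothetical, and the rule that the SHA is 7 to 40 lowercase hex characters is an assumption.

```shell
#!/bin/sh
# Added example, not the PR's workflow code. Function names are hypothetical.

# True only for a single-line value matching the ERE in $2. Multi-line values
# are rejected first because grep would test each line separately.
matches() {
  if [ "$(printf '%s' "$1" | wc -l)" -ne 0 ]; then return 1; fi
  printf '%s\n' "$1" | grep -Eq "$2"
}

# Allow only the dist-tags the PR description lists, so "latest" or a value
# carrying extra CLI arguments never reaches the publish step.
is_allowed_tag() {
  case "$1" in
    beta|alpha|rc|preview) return 0 ;;
    *) return 1 ;;
  esac
}

# Prints {baseVersion}-{tag}.{gitSha}; returns 2/3/4/5 for a bad base version,
# tag, SHA, or a SHA that would make the result invalid SemVer.
preview_version() {
  base=$1; tag=$2; sha=$3
  num='(0|[1-9][0-9]*)'
  matches "$base" "^$num\.$num\.$num\$" || return 2
  is_allowed_tag "$tag" || return 3
  # Assumption: the SHA is 7 to 40 lowercase hex characters.
  matches "$sha" '^[0-9a-f]{7,40}$' || return 4
  # SemVer forbids leading zeros in an all-numeric prerelease identifier,
  # so a short SHA such as 0123456 cannot be used as-is.
  if matches "$sha" '^0[0-9]+$'; then return 5; fi
  printf '%s-%s.%s\n' "$base" "$tag" "$sha"
}

# Constructed sample input, matching the example in the PR description.
preview_version 19.10.0 beta abc1234
```

A short SHA made only of digits with a leading zero is rare but possible, which is why it gets its own return code rather than being folded into the general SHA check.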


changeset-bot Bot commented Nov 26, 2025

⚠️ No Changeset found

Latest commit: 1509e6f

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@paulbalaji paulbalaji marked this pull request as draft November 26, 2025 13:39
Contributor

coderabbitai Bot commented Nov 26, 2025

Walkthrough

This PR layers in snapshot-based versioning for preview releases and swaps out GITHUB_TOKEN for proper GitHub App token authentication across multiple release workflows. Introduces a new preview release pipeline alongside updates to existing release automation.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Snapshot Versioning Config: .changeset/config.json | Added snapshot property with useCalculatedVersion: true and prereleaseTemplate: "{tag}.{commit}" for preview version metadata. |
| New Preview Release Workflow: .github/workflows/npm-preview-release.yml | New workflow triggered via workflow_dispatch that computes snapshot versions, builds packages, publishes preview releases to npm, and creates GitHub pre-releases with release notes. |
| Token Authentication Updates: .github/workflows/release.yml, .github/workflows/rust-release.yml | Added GitHub App token generation step using actions/create-github-app-token@v1 and replaced GITHUB_TOKEN references with generated token in changesets actions and release creation steps. Also added explicit PR title field in release.yml. |

Sequence Diagram

sequenceDiagram
    participant User
    participant Workflow
    participant Git
    participant npm as npm Registry
    participant GitHub
    
    User->>Workflow: Trigger npm-preview-release<br/>(snapshot_tag: beta)
    Workflow->>Workflow: Extract base version<br/>from package.json
    Workflow->>Workflow: Compute preview version<br/>(base + tag + SHA)
    Workflow->>Workflow: yarn changeset version<br/>--snapshot
    Workflow->>Workflow: yarn build
    Workflow->>npm: yarn changeset publish<br/>(with npm token)
    npm-->>Workflow: Preview packages published
    Workflow->>GitHub: Create pre-release<br/>with computed tag
    GitHub-->>Workflow: Release created
    Workflow->>User: Summary with install<br/>instructions

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Token authentication refactor: Verify GitHub App token scoping and permissions across all three workflows (release.yml, rust-release.yml, npm-preview-release.yml)
  • Version computation logic: Confirm preview version derivation logic correctly combines base version, snapshot tag, and git SHA
  • Workflow orchestration: Check job dependencies, environment variables, and step ordering for correctness
  • Secrets and authentication: Ensure proper handling of npm tokens, GitHub App credentials, and token output binding

Possibly related PRs

  • feat: agents release workflow #7194: Modifies rust-release workflow with GitHub App token changes, directly aligned with this PR's token authentication updates across release workflows.

Suggested reviewers

  • xeno097
  • kamiyaa
  • ameten
  • Mo-Hussain

Poem

🧅 Like ogres with layers, these workflows run deep,
Preview releases now have tokens to keep—
GitHub App auth replaces the old way,
Snapshot versions ship out every day.
Build, test, and publish, a well-oiled machine,
The finest release pipeline you've ever seen.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately summarizes the main changes: adding an NPM preview release workflow and fixing CI permissions issues across multiple workflows. |
| Description check | ✅ Passed | The description covers all template sections with substantial detail: clear summary of changes, description of NPM workflow with usage instructions, CI permissions fix explanation, required setup steps, and a comprehensive test plan checklist. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c4f3d33 and c5c017a.

📒 Files selected for processing (4)
  • .changeset/config.json (1 hunks)
  • .github/workflows/npm-preview-release.yml (1 hunks)
  • .github/workflows/release.yml (2 hunks)
  • .github/workflows/rust-release.yml (1 hunks)
🧰 Additional context used
🧠 Learnings (1)
📓 Common learnings
Learnt from: paulbalaji
Repo: hyperlane-xyz/hyperlane-monorepo PR: 6943
File: rust/main/config/mainnet_config.json:965-965
Timestamp: 2025-08-26T13:46:37.695Z
Learning: In the repository hyperlane-xyz/hyperlane-monorepo, skip reviewing the file rust/main/config/mainnet_config.json in future code reviews as requested by paulbalaji.
Learnt from: paulbalaji
Repo: hyperlane-xyz/hyperlane-monorepo PR: 6943
File: rust/main/config/mainnet_config.json:965-965
Timestamp: 2025-08-26T13:46:37.695Z
Learning: In the repository hyperlane-xyz/hyperlane-monorepo, skip reviewing the file rust/main/config/testnet_config.json in future code reviews as requested by paulbalaji.
🪛 actionlint (1.7.8)
.github/workflows/npm-preview-release.yml

30-30: label "depot-ubuntu-latest" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-11-arm", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-26-xlarge", "macos-26", "macos-15-intel", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (53)
🔇 Additional comments (8)
.changeset/config.json (1)

33-37: Nice setup for snapshot-based versioning.

The snapshot config properly enables the changesets snapshot flow—like layers in an ogre, each piece does its job. The template {tag}.{commit} will pair nicely with the preview release workflow's version generation.

.github/workflows/rust-release.yml (1)

173-181: GitHub App token replacement looks solid.

The token generation step is placed right where it needs to be, and the consumption in the release PR creation step ensures downstream workflows get triggered. This aligns with the PR's goal of fixing CI permissions.

.github/workflows/release.yml (2)

58-73: Token swap and title addition work well together.

Adding the title to the changesets action keeps the PR title lint happy, and swapping in the GitHub App token ensures those release PRs trigger downstream workflows. Clean implementation.


161-177: Same solid pattern in publish-release job.

Consistent token generation and usage mirrors the prepare-release job nicely. Nothing fancy needed here—it just works.

.github/workflows/npm-preview-release.yml (4)

65-65: Consider using GitHub App token for consistency and potential downstream triggering.

Right now this workflow uses GITHUB_TOKEN directly for the changeset command (line 65) and the softprops action (lines 77-82). Since the rest of the PR migrates to GitHub App tokens to ensure downstream workflows trigger, consider doing the same here.

Check if softprops/action-gh-release actually needs the GitHub App token for workflow triggering—if the preview release creation is supposed to kick off other workflows, you'll want the app token. If it's just for creating the release, the direct token might be fine, but aligning with release.yml and rust-release.yml would be cleaner.

Also applies to: 77-82


30-30: Custom runner label flagged by linting.

The static analysis hints that depot-ubuntu-latest is an unknown label. If this is a self-hosted runner (which it looks like given the pattern across the org), you may need to configure it in an actionlint.yaml file per the tool's suggestion. Worth checking if that config file exists and needs updating.


47-57: Version computation looks spot-on.

Extracting the base version from the SDK package.json and combining it with the tag and short SHA into that preview format is exactly what you need. Clear, straightforward.


84-99: Release notes and installation instructions are nicely done.

The warning box for preview releases, the branch/commit info, and the installation command examples make it obvious to users what they're grabbing and how to use it. Good documentation baked right into the release.



This PR adds several improvements to the release workflows:

1. **NPM Preview Release Workflow** (`.github/workflows/npm-preview-release.yml`)
   - Manual dispatch workflow to publish NPM packages as preview releases
   - Supports beta, alpha, rc, and preview dist-tags
   - Version format: `{baseVersion}-{tag}.{gitSha}` (e.g., `19.10.0-beta.abc1234`)
   - Creates GitHub pre-release with installation instructions
   - Can be triggered from any branch

2. **Changeset Snapshot Configuration** (`.changeset/config.json`)
   - Added `snapshot` config for preview release versioning
   - Uses `{tag}.{commit}` format for prerelease identifiers

3. **CI Permissions Fix** (`.github/workflows/release.yml`)
   - Uses GitHub App token instead of GITHUB_TOKEN
   - Fixes issue where CI wouldn't trigger on changesets PRs
   - Added `title` override to pass PR title lint ("chore: release npm packages")

4. **CI Permissions Fix** (`.github/workflows/rust-release.yml`)
   - Uses GitHub App token instead of GITHUB_TOKEN
   - Fixes issue where CI wouldn't trigger on release PRs

**Setup Required:**
Create a GitHub App with the following:
- Permissions: Contents (read/write), Pull requests (read/write)
- Install the app on this repository
- Add these secrets:
  - `HYPERLANE_GITHUB_APP_ID`: The App ID
  - `HYPERLANE_GITHUB_APP_PRIVATE_KEY`: The private key

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@paulbalaji paulbalaji force-pushed the pbio/npm-preview-release-workflow branch from 591b0d4 to 3a3e484 Compare November 26, 2025 15:13
This aligns the Rust prerelease versioning with NPM's behavior.
Previously: 1.7.0 -> 1.7.0-preview.1
Now: 1.7.0 -> 1.8.0-preview.1 (uses next calculated version)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@paulbalaji
Collaborator Author

Superseded by #7472 (Hyper Gonk CI permissions) and #7473 (preview release workflows)

@paulbalaji paulbalaji closed this Nov 26, 2025
@github-project-automation github-project-automation Bot moved this from In Review to Done in Hyperlane Tasks Nov 26, 2025
@paulbalaji paulbalaji deleted the pbio/npm-preview-release-workflow branch November 26, 2025 15:23