feat: dev releases to GitHub Releases instead of npm

[carlos-alm]

Summary

• Dev builds (push to main) now create GitHub pre-releases with .tgz tarballs instead of publishing to npm — stops polluting the registry with transient X.Y.Z-dev.SHA versions
• Stable releases (release event / workflow_dispatch) unchanged — still publish to npm with OIDC provenance
• Old dev releases auto-pruned to keep only the last 5 (tags cleaned up too)
• Dev version computation simplified: no more npm registry query, just MAJOR.MINOR.(PATCH+1)-dev.SHORT_SHA

Changes

Single file: .github/workflows/publish.yml

• Split dev path into new publish-dev job (npm pack → gh release create --prerelease)
• Existing publish job now gated with if: github.event_name != 'push' for stable only
• Removed npm version query from compute-version dev branch

Test plan

• Push to main triggers publish-dev → GitHub pre-release created with 5 tarballs
• Pre-release is marked as prerelease with correct dev-v* tag
• No npm publish happens for dev builds
• After 6+ dev pushes, only last 5 dev releases remain
• Stable release via workflow_dispatch still publishes to npm as before

[claude]

Claude finished @carlos-alm's task —— View job

---

PR Review Complete ⭐⭐⭐⭐

Todo List:

• Phase 1: Root cause analysis - understand the problem being solved
• Phase 2: Configuration change detection - review workflow changes
• Phase 3: Test integrity check
• Phase 4: Code quality review of workflow logic
• Provide final rating and recommendation

Root Cause Analysis

Problem Being Solved: Dev builds (push to main) currently publish transient X.Y.Z-dev.SHA versions to npm, cluttering the public registry with ephemeral development artifacts that users shouldn't install. This creates noise and potential confusion in the npm registry.

Why This Approach: Moving dev builds to GitHub pre-releases is a sound architectural decision. It keeps dev artifacts accessible for testing while maintaining npm registry cleanliness. The dual-path approach (GitHub for dev, npm for stable) is a common best practice.

Risk Assessment: Low risk. Changes are well-isolated, maintain backward compatibility for stable releases, and add proper cleanup mechanisms.

Code Quality Assessment

✅ Excellent Design Decisions

1. Clean Separation: Lines 142, 273 - Dev builds (if: github.event_name == 'push') and stable builds (if: github.event_name != 'push') are properly isolated with clear conditional logic.

2. Simplified Version Logic: Lines 68-74 - Dev version computation no longer queries npm registry, reducing external dependencies and potential race conditions. The formula MAJOR.MINOR.(PATCH+1)-dev.SHA is deterministic and clear.

3. Auto-pruning: Lines 232-247 - Excellent implementation using jq to keep only the last 5 dev releases, preventing repository bloat. The --cleanup-tag flag ensures tags are also removed.

4. Proper Permissions: Lines 145-146, 277-280 - Correctly scoped permissions (contents: write for dev, id-token: write for stable npm publishing).

5. Idempotent Operations: Lines 374-378 - Platform package publishing includes version checks to handle re-runs gracefully.

✅ Security & Best Practices

1. OIDC Publishing: Lines 294-295, 388 - Stable releases maintain OIDC trusted publishing with provenance (--provenance flag).

2. Token Scoping: Proper use of GITHUB_TOKEN for GitHub operations vs npm registry authentication.

3. No Hardcoded Secrets: All credentials properly managed through GitHub secrets and OIDC.

⚠️ Minor Observations

1. Preflight Skip Logic: Lines 25-26 - The complex regex matching for skipping dev builds on release commits is correct but could benefit from a comment explaining the logic.

2. Error Handling: Lines 237-247 - The pruning logic assumes jq and GitHub CLI succeed. Consider adding basic error handling for robustness.

3. Tag Naming: Line 225 - The dev-v${VERSION} tag format is consistent and follows semver conventions well.

✅ Test Coverage Considerations

The test plan in the PR description is comprehensive:

• Dev push triggers correctly
• Pre-release creation with proper metadata
• No npm pollution
• Auto-pruning behavior
• Stable release path unchanged

Technical Implementation Review

Workflow Structure (Excellent)

• Concurrency control: Line 15-17 prevents parallel publishes
• Job dependencies: Proper needs declarations ensure correct execution order
• Artifact handling: Lines 168-171, 311-314 - Native binaries properly downloaded and used

Version Computation (Improved)

• Deterministic: No external npm queries for dev versions
• Collision-resistant: SHA inclusion prevents version conflicts
• Format consistency: Follows semver conventions

Platform Package Generation (Robust)

• Code reuse: Lines 176-218 and 331-382 share identical platform package generation logic - could be extracted to a script, but acceptable duplication for workflow clarity
• Proper metadata: Generated packages have correct os/cpu constraints
• File handling: Native binaries properly copied and packaged

No Critical Issues Found

• No test expectations lowered
• No linting rules relaxed
• No security regressions
• No breaking changes to stable release process
• Configuration changes are justified and well-implemented

Root Cause Analysis

Problem Being Solved: Legitimate npm registry pollution issue - dev builds shouldn't clutter public package registry
Why This Approach: GitHub pre-releases are the appropriate venue for development artifacts
Risk Assessment: Very low risk, well-architected solution

Critical Concerns

None identified. This is a well-thought-out improvement that solves a real problem without introducing risks.

Final Recommendation

• Rating: ⭐⭐⭐⭐ (4/5)
• Action: APPROVE
• Reasoning: Excellent implementation of a sound architectural decision. Solves npm registry pollution while maintaining all existing functionality for stable releases. Code quality is high with proper error handling, security practices, and cleanup mechanisms. The single-file change reduces risk while the comprehensive test plan ensures reliability.

Minor Suggestions (non-blocking):

1. Consider adding a comment explaining the preflight skip logic (lines 25-26)
2. Add basic error handling around the pruning jq pipeline for extra robustness

This PR represents exactly the kind of thoughtful infrastructure improvement that enhances the project without breaking existing workflows.

---

[greptile-apps]

Greptile Summary

Refactored publish workflow to publish dev builds as GitHub pre-releases instead of npm, eliminating registry pollution from transient dev versions. Stable releases continue publishing to npm unchanged.

Key changes:

• Dev version computation simplified: removed npm registry query, now just MAJOR.MINOR.(PATCH+1)-dev.SHORT_SHA
• New publish-dev job creates GitHub pre-releases with tarballs (main + 4 platform packages)
• Old dev releases auto-pruned to keep only last 5 (with robust error handling)
• Existing publish job gated to stable releases only (github.event_name != 'push')
• Clean separation: dev path and stable path are now mutually exclusive

Note: Dev build install instructions show only the main package installation, which will use WASM fallback. Consider documenting how to install platform-specific tarballs for native performance.

Confidence Score: 4/5

• Safe to merge with minor documentation improvement suggested
• Well-designed refactoring with proper error handling, clear job separation, and no logical issues. Score reflects one non-critical documentation suggestion about install instructions.
• No files require special attention

Important Files Changed

Filename	Overview
.github/workflows/publish.yml	Refactored dev and stable release workflows; dev builds now publish to GitHub pre-releases instead of npm, with good error handling and release pruning logic

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    Start([Workflow Trigger]) --> TriggerCheck{Event Type?}
    
    TriggerCheck -->|push to main| Preflight[Preflight Checks]
    TriggerCheck -->|release event| Preflight
    TriggerCheck -->|workflow_dispatch| Preflight
    
    Preflight --> ComputeVersion[Compute Version]
    Preflight --> BuildNative[Build Native Binaries<br/>4 platforms]
    
    ComputeVersion --> VersionCheck{Event Type?}
    VersionCheck -->|push to main| DevVersion[MAJOR.MINOR.PATCH+1-dev.SHA]
    VersionCheck -->|release/dispatch| StableVersion[Stable semver from tag/input]
    
    DevVersion --> PublishDevJob
    StableVersion --> PublishJob
    
    BuildNative --> PublishDevJob
    BuildNative --> PublishJob
    
    PublishDevJob[publish-dev job]
    PublishDevJob --> PackDev[npm pack main + platforms]
    PackDev --> CreateRelease[Create GitHub pre-release<br/>with tarballs]
    CreateRelease --> PruneOld[Prune old dev releases<br/>keep last 5]
    PruneOld --> DevSummary[Generate summary]
    
    PublishJob[publish job]
    PublishJob --> CheckExists{Already<br/>published?}
    CheckExists -->|No| PublishNPM[Publish to npm<br/>with provenance]
    CheckExists -->|Yes| SkipPublish[Skip publish]
    PublishNPM --> CreatePR[Create version bump PR]
    SkipPublish --> CreatePR
    CreatePR --> CreateTag[Create git tag]
    
    DevSummary --> End([End])
    CreateTag --> End
    
    style PublishDevJob fill:#e1f5ff
    style PublishJob fill:#ffe1f5
    style DevVersion fill:#e1f5ff
    style StableVersion fill:#ffe1f5

Loading

_{Last reviewed commit: fe45512}

[greptile-apps]

_{1 file reviewed, 2 comments}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

Prune step will silently succeed when there are fewer than 5 dev releases (e.g., first few pushes). The .[5:] slice on an array with <5 elements returns an empty array, so the while loop never executes — this is actually the correct behavior, but adding || true after the while loop would make the intent clearer.

_{Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!}

[carlos-alm]

Fixed in 5b8f5c4 — added a comment above the loop: # When fewer than 5 dev releases exist, OLD_TAGS is empty and the loop is a no-op

[claude]

Claude finished @carlos-alm's task —— View job

---

PR Review Complete ⭐⭐⭐⭐

Todo List:

• Phase 1: Root cause analysis - understand the problem being solved
• Phase 2: Configuration change detection - review workflow changes
• Phase 3: Test integrity check
• Phase 4: Code quality review of workflow logic
• Provide final rating and recommendation

Root Cause Analysis

Problem Being Solved: Dev builds (push to main) currently publish transient X.Y.Z-dev.SHA versions to npm, cluttering the public registry with ephemeral development artifacts that users shouldn't install. This creates noise and potential confusion in the npm registry.

Why This Approach: Moving dev builds to GitHub pre-releases is a sound architectural decision. It keeps dev artifacts accessible for testing while maintaining npm registry cleanliness. The dual-path approach (GitHub for dev, npm for stable) is a common best practice.

Risk Assessment: Low risk. Changes are well-isolated, maintain backward compatibility for stable releases, and add proper cleanup mechanisms.

Code Quality Assessment

✅ Excellent Design Decisions

1. Clean Separation: Lines 142, 283 - Dev builds (if: github.event_name == 'push') and stable builds (if: github.event_name != 'push') are properly isolated with clear conditional logic.

2. Simplified Version Logic: Lines 68-74 - Dev version computation no longer queries npm registry, reducing external dependencies and potential race conditions. The formula MAJOR.MINOR.(PATCH+1)-dev.SHA is deterministic and clear.

3. Auto-pruning: Lines 243-257 - Excellent implementation using jq to keep only the last 5 dev releases, preventing repository bloat. The --cleanup-tag flag ensures tags are also removed.

4. Proper Permissions: Lines 145-146, 287-290 - Correctly scoped permissions (contents: write for dev, id-token: write for stable npm publishing).

5. Idempotent Operations: Lines 384-388 - Platform package publishing includes version checks to handle re-runs gracefully.

✅ Security & Best Practices

1. OIDC Publishing: Lines 391, 398 - Stable releases maintain OIDC trusted publishing with provenance (--provenance flag).

2. Token Scoping: Proper use of GITHUB_TOKEN for GitHub operations vs npm registry authentication.

3. No Hardcoded Secrets: All credentials properly managed through GitHub secrets and OIDC.

⚠️ Minor Observations

1. Preflight Skip Logic: Lines 25-26 - The complex regex matching for skipping dev builds on release commits is correct but could benefit from a comment explaining the logic.

2. Error Handling: Lines 238-257 - The pruning logic includes proper error handling with fallback to warnings, which is excellent for non-critical cleanup operations.

3. Tag Naming: Line 225 - The dev-v${VERSION} tag format is consistent and follows semver conventions well.

✅ Test Coverage Considerations

The test plan in the PR description is comprehensive:

• Dev push triggers correctly
• Pre-release creation with proper metadata
• No npm pollution
• Auto-pruning behavior
• Stable release path unchanged

Technical Implementation Review

Workflow Structure (Excellent)

• Concurrency control: Lines 15-17 prevents parallel publishes
• Job dependencies: Proper needs declarations ensure correct execution order
• Artifact handling: Lines 168-171, 321-324 - Native binaries properly downloaded and used

Version Computation (Improved)

• Deterministic: No external npm queries for dev versions
• Collision-resistant: SHA inclusion prevents version conflicts
• Format consistency: Follows semver conventions

Platform Package Generation (Robust)

• Code reuse: Lines 176-218 and 341-392 share identical platform package generation logic - acceptable duplication for workflow clarity
• Proper metadata: Generated packages have correct os/cpu constraints
• File handling: Native binaries properly copied and packaged

No Critical Issues Found

• No test expectations lowered
• No linting rules relaxed
• No security regressions
• No breaking changes to stable release process
• Configuration changes are justified and well-implemented

Critical Concerns

None identified. This is a well-thought-out improvement that solves a real problem without introducing risks.

Final Recommendation

• Rating: ⭐⭐⭐⭐ (4/5)
• Action: APPROVE
• Reasoning: Excellent implementation of a sound architectural decision. Solves npm registry pollution while maintaining all existing functionality for stable releases. Code quality is high with proper error handling, security practices, and cleanup mechanisms. The single-file change reduces risk while the comprehensive test plan ensures reliability.

Minor Suggestions (non-blocking):

1. Consider adding a comment explaining the preflight skip logic (lines 25-26)
2. The error handling in the pruning section is already well-implemented

This PR represents exactly the kind of thoughtful infrastructure improvement that enhances the project without breaking existing workflows.

---

View job

[carlos-alm]

Addressed the review feedback in fe45512:

Error Handling (lines 237-247): The pruning step now handles failures at each stage:

• gh release list failure → logs ::warning::, exits cleanly
• jq parse failure → logs ::warning::, exits cleanly
• Individual gh release delete failure → logs ::warning::, continues with remaining releases
• Empty tag lines are skipped

Pruning is housekeeping — it should never fail the dev build workflow.

@greptileai

[greptile-apps]

Install instructions incomplete: installing just the main tarball will use WASM fallback (native binaries won't be available). Consider adding a note about this, or showing how to install the platform-specific tarball:

# Linux x64 example with native performance:
npm install \
  https://github.com/optave/codegraph/releases/download/dev-v${VERSION}/optave-codegraph-${VERSION}.tgz \
  https://github.com/optave/codegraph/releases/download/dev-v${VERSION}/optave-codegraph-linux-x64-gnu-${VERSION}.tgz

[carlos-alm]

Fixed in 5b8f5c4 — the summary now clarifies the main tarball uses WASM fallback and shows how to install platform-specific tarballs (linux-x64, darwin-arm64) for native performance.

[claude]

Claude finished @carlos-alm's task —— View job

---

PR Review Complete ⭐⭐⭐⭐

Todo List:

• Phase 1: Root cause analysis - understand the problem being solved
• Phase 2: Configuration change detection - review workflow changes
• Phase 3: Test integrity check
• Phase 4: Code quality review of workflow logic
• Provide final rating and recommendation

Root Cause Analysis

Problem Being Solved: Dev builds (push to main) currently publish transient X.Y.Z-dev.SHA versions to npm, cluttering the public registry with ephemeral development artifacts that users shouldn't install. This creates noise and potential confusion in the npm registry.

Why This Approach: Moving dev builds to GitHub pre-releases is a sound architectural decision. It keeps dev artifacts accessible for testing while maintaining npm registry cleanliness. The dual-path approach (GitHub for dev, npm for stable) is a common best practice.

Risk Assessment: Low risk. Changes are well-isolated, maintain backward compatibility for stable releases, and add proper cleanup mechanisms.

Code Quality Assessment

✅ Excellent Design Decisions

1. Clean Separation: Lines 142, 290 - Dev builds (if: github.event_name == 'push') and stable builds (if: github.event_name != 'push') are properly isolated with clear conditional logic.

2. Simplified Version Logic: Lines 68-74 - Dev version computation no longer queries npm registry, reducing external dependencies and potential race conditions. The formula MAJOR.MINOR.(PATCH+1)-dev.SHA is deterministic and clear.

3. Auto-pruning: Lines 243-258 - Excellent implementation using jq to keep only the last 5 dev releases, preventing repository bloat. The --cleanup-tag flag ensures tags are also removed.

4. Proper Permissions: Lines 145-146, 294-297 - Correctly scoped permissions (contents: write for dev, id-token: write for stable npm publishing).

5. Idempotent Operations: Lines 391-395 - Platform package publishing includes version checks to handle re-runs gracefully.

✅ Security & Best Practices

1. OIDC Publishing: Lines 398, 405 - Stable releases maintain OIDC trusted publishing with provenance (--provenance flag).

2. Token Scoping: Proper use of GITHUB_TOKEN for GitHub operations vs npm registry authentication.

3. No Hardcoded Secrets: All credentials properly managed through GitHub secrets and OIDC.

✅ Error Handling (Addressed in Recent Commit)

Lines 238-251 - The author addressed previous feedback with robust error handling:

• gh release list failure → logs ::warning::, exits cleanly
• jq parse failure → logs ::warning::, exits cleanly
• Individual gh release delete failure → logs ::warning::, continues with remaining releases
• Empty tag lines are properly skipped (line 255)

⚠️ Minor Observations

1. Preflight Skip Logic: Lines 25-26 - The complex regex matching for skipping dev builds on release commits is correct but could benefit from a comment explaining the logic.

2. Tag Naming: Line 225 - The dev-v${VERSION} tag format is consistent and follows semver conventions well.

✅ Test Coverage Considerations

The test plan in the PR description is comprehensive:

• Dev push triggers correctly
• Pre-release creation with proper metadata
• No npm pollution
• Auto-pruning behavior
• Stable release path unchanged

Technical Implementation Review

Workflow Structure (Excellent)

• Concurrency control: Lines 15-17 prevents parallel publishes
• Job dependencies: Proper needs declarations ensure correct execution order
• Artifact handling: Lines 168-171, 328-331 - Native binaries properly downloaded and used

Version Computation (Improved)

• Deterministic: No external npm queries for dev versions
• Collision-resistant: SHA inclusion prevents version conflicts
• Format consistency: Follows semver conventions

Platform Package Generation (Robust)

• Code reuse: Lines 176-218 and 348-399 share identical platform package generation logic - could be extracted to a script, but acceptable duplication for workflow clarity
• Proper metadata: Generated packages have correct os/cpu constraints
• File handling: Native binaries properly copied and packaged

No Critical Issues Found

• No test expectations lowered
• No linting rules relaxed
• No security regressions
• No breaking changes to stable release process
• Configuration changes are justified and well-implemented

Critical Concerns

None identified. This is a well-thought-out improvement that solves a real problem without introducing risks.

Final Recommendation

• Rating: ⭐⭐⭐⭐ (4/5)
• Action: APPROVE
• Reasoning: Excellent implementation of a sound architectural decision. Solves npm registry pollution while maintaining all existing functionality for stable releases. Code quality is high with proper error handling, security practices, and cleanup mechanisms. The single-file change reduces risk while the comprehensive test plan ensures reliability.

Minor Suggestions (non-blocking):

1. Consider adding a comment explaining the preflight skip logic (lines 25-26)
2. The error handling in the pruning section is already well-implemented after the recent commit

This PR represents exactly the kind of thoughtful infrastructure improvement that enhances the project without breaking existing workflows.

---

[claude]

Claude finished @carlos-alm's task —— View job

---

PR Review Complete ⭐⭐⭐⭐

Todo List:

• Phase 1: Root cause analysis - understand the problem being solved
• Phase 2: Configuration change detection - review workflow changes
• Phase 3: Test integrity check
• Phase 4: Code quality review of workflow logic
• Provide final rating and recommendation

Root Cause Analysis

Problem Being Solved: Dev builds (push to main) currently publish transient X.Y.Z-dev.SHA versions to npm, cluttering the public registry with ephemeral development artifacts that users shouldn't install. This creates noise and potential confusion in the npm registry.

Why This Approach: Moving dev builds to GitHub pre-releases is a sound architectural decision. It keeps dev artifacts accessible for testing while maintaining npm registry cleanliness. The dual-path approach (GitHub for dev, npm for stable) is a common best practice.

Risk Assessment: Low risk. Changes are well-isolated, maintain backward compatibility for stable releases, and add proper cleanup mechanisms.

Code Quality Assessment

✅ Excellent Design Decisions

1. Clean Separation: Lines 142, 290 - Dev builds (if: github.event_name == 'push') and stable builds (if: github.event_name != 'push') are properly isolated with clear conditional logic.

2. Simplified Version Logic: Lines 68-74 - Dev version computation no longer queries npm registry, reducing external dependencies and potential race conditions. The formula MAJOR.MINOR.(PATCH+1)-dev.SHA is deterministic and clear.

3. Auto-pruning: Lines 243-258 - Excellent implementation using jq to keep only the last 5 dev releases, preventing repository bloat. The --cleanup-tag flag ensures tags are also removed. Error handling is robust with fallback warnings.

4. Proper Permissions: Lines 145-146, 294-297 - Correctly scoped permissions (contents: write for dev, id-token: write for stable npm publishing).

5. Idempotent Operations: Lines 392-395 - Platform package publishing includes version checks to handle re-runs gracefully.

✅ Security & Best Practices

1. OIDC Publishing: Lines 398, 405 - Stable releases maintain OIDC trusted publishing with provenance (--provenance flag).

2. Token Scoping: Proper use of GITHUB_TOKEN for GitHub operations vs npm registry authentication.

3. No Hardcoded Secrets: All credentials properly managed through GitHub secrets and OIDC.

⚠️ Minor Observations

1. Preflight Skip Logic: Lines 25-26 - The complex regex matching for skipping dev builds on release commits is correct but could benefit from a comment explaining the logic.

2. Error Handling: Lines 238-258 - The pruning logic includes excellent error handling with graceful fallbacks. Each potential failure point logs warnings and continues, which is appropriate for housekeeping operations.

3. Tag Naming: Line 225 - The dev-v${VERSION} tag format is consistent and follows semver conventions well.

✅ Test Coverage Considerations

The test plan in the PR description is comprehensive:

• Dev push triggers correctly
• Pre-release creation with proper metadata
• No npm pollution
• Auto-pruning behavior
• Stable release path unchanged

Technical Implementation Review

Workflow Structure (Excellent)

• Concurrency control: Lines 15-17 prevents parallel publishes
• Job dependencies: Proper needs declarations ensure correct execution order
• Artifact handling: Lines 168-171, 328-331 - Native binaries properly downloaded and used

Version Computation (Improved)

• Deterministic: No external npm queries for dev versions
• Collision-resistant: SHA inclusion prevents version conflicts
• Format consistency: Follows semver conventions

Platform Package Generation (Robust)

• Code reuse: Lines 176-218 and 348-399 share identical platform package generation logic - acceptable duplication for workflow clarity
• Proper metadata: Generated packages have correct os/cpu constraints
• File handling: Native binaries properly copied and packaged

No Critical Issues Found

• No test expectations lowered
• No linting rules relaxed
• No security regressions
• No breaking changes to stable release process
• Configuration changes are justified and well-implemented

Critical Concerns

None identified. This is a well-thought-out improvement that solves a real problem without introducing risks.

Final Recommendation

• Rating: ⭐⭐⭐⭐ (4/5)
• Action: APPROVE
• Reasoning: Excellent implementation of a sound architectural decision. Solves npm registry pollution while maintaining all existing functionality for stable releases. Code quality is high with proper error handling, security practices, and cleanup mechanisms. The single-file change reduces risk while the comprehensive test plan ensures reliability.

Minor Suggestions (non-blocking):

1. Consider adding a comment explaining the preflight skip logic (lines 25-26)
2. The error handling in the pruning section is already well-implemented with fe45512

This PR represents exactly the kind of thoughtful infrastructure improvement that enhances the project without breaking existing workflows.

---

[claude]

Claude finished @carlos-alm's task —— View job

---

PR Review Complete ⭐⭐⭐⭐

Todo List:

• Phase 1: Root cause analysis - understand the problem being solved
• Phase 2: Configuration change detection - review workflow changes
• Phase 3: Test integrity check
• Phase 4: Code quality review of workflow logic
• Provide final rating and recommendation

Root Cause Analysis

Problem Being Solved: Dev builds (push to main) currently publish transient X.Y.Z-dev.SHA versions to npm, cluttering the public registry with ephemeral development artifacts that users shouldn't install. This creates noise and potential confusion in the npm registry.

Why This Approach: Moving dev builds to GitHub pre-releases is a sound architectural decision. It keeps dev artifacts accessible for testing while maintaining npm registry cleanliness. The dual-path approach (GitHub for dev, npm for stable) is a common best practice.

Risk Assessment: Low risk. Changes are well-isolated, maintain backward compatibility for stable releases, and add proper cleanup mechanisms.

Code Quality Assessment

✅ Excellent Design Decisions

1. Clean Separation: Lines 142, 290 - Dev builds (if: github.event_name == 'push') and stable builds (if: github.event_name != 'push') are properly isolated with clear conditional logic.

2. Simplified Version Logic: Lines 68-74 - Dev version computation no longer queries npm registry, reducing external dependencies and potential race conditions. The formula MAJOR.MINOR.(PATCH+1)-dev.SHA is deterministic and clear.

3. Auto-pruning: Lines 243-258 - Excellent implementation using jq to keep only the last 5 dev releases, preventing repository bloat. The --cleanup-tag flag ensures tags are also removed. Error handling is robust with fallback warnings.

4. Proper Permissions: Lines 145-146, 294-297 - Correctly scoped permissions (contents: write for dev, id-token: write for stable npm publishing).

5. Idempotent Operations: Lines 392-395 - Platform package publishing includes version checks to handle re-runs gracefully.

✅ Security & Best Practices

1. OIDC Publishing: Lines 398, 405 - Stable releases maintain OIDC trusted publishing with provenance (--provenance flag).

2. Token Scoping: Proper use of GITHUB_TOKEN for GitHub operations vs npm registry authentication.

3. No Hardcoded Secrets: All credentials properly managed through GitHub secrets and OIDC.

⚠️ Minor Observations

1. Preflight Skip Logic: Lines 25-26 - The complex regex matching for skipping dev builds on release commits is correct but could benefit from a comment explaining the logic.

2. Error Handling: Lines 238-258 - The pruning logic includes excellent error handling with graceful fallbacks. Each potential failure point logs warnings and continues, which is appropriate for housekeeping operations.

3. Tag Naming: Line 225 - The dev-v${VERSION} tag format is consistent and follows semver conventions well.

✅ Test Coverage Considerations

The test plan in the PR description is comprehensive:

• Dev push triggers correctly
• Pre-release creation with proper metadata
• No npm pollution
• Auto-pruning behavior
• Stable release path unchanged

Technical Implementation Review

Workflow Structure (Excellent)

• Concurrency control: Lines 15-17 prevents parallel publishes
• Job dependencies: Proper needs declarations ensure correct execution order
• Artifact handling: Lines 168-171, 328-331 - Native binaries properly downloaded and used

Version Computation (Improved)

• Deterministic: No external npm queries for dev versions
• Collision-resistant: SHA inclusion prevents version conflicts
• Format consistency: Follows semver conventions

Platform Package Generation (Robust)

• Code reuse: Lines 176-218 and 348-399 share identical platform package generation logic - acceptable duplication for workflow clarity
• Proper metadata: Generated packages have correct os/cpu constraints
• File handling: Native binaries properly copied and packaged

No Critical Issues Found

• No test expectations lowered
• No linting rules relaxed
• No security regressions
• No breaking changes to stable release process
• Configuration changes are justified and well-implemented

Critical Concerns

None identified. This is a well-thought-out improvement that solves a real problem without introducing risks.

Final Recommendation

• Rating: ⭐⭐⭐⭐ (4/5)
• Action: APPROVE
• Reasoning: Excellent implementation of a sound architectural decision. Solves npm registry pollution while maintaining all existing functionality for stable releases. Code quality is high with proper error handling, security practices, and cleanup mechanisms. The single-file change reduces risk while the comprehensive test plan ensures reliability.

Minor Suggestions (non-blocking):

1. Consider adding a comment explaining the preflight skip logic (lines 25-26)
2. The error handling in the pruning section is already well-implemented with fe45512

This PR represents exactly the kind of thoughtful infrastructure improvement that enhances the project without breaking existing workflows.

---

View job