[AAASM-2097] 🐛 (ci): Pass --tag alpha to pnpm publish for pre-release versions

[Chisanan232]

Description

The v0.0.1-alpha.1 dry-run failed on both release pipelines with:

npm error You must specify a tag using --tag when publishing a prerelease version.

npm refuses to default a pre-release version (anything with a - in the SemVer) to the latest dist-tag, because doing so would push unstable bits to default-install users.

Fix

Compute the dist-tag at publish time from the package version:

Version	Dist-tag arg	Effect
0.0.1-alpha.1, 0.0.1-rc.1, etc.	--tag alpha	Publishes to @alpha dist-tag (NOT @latest)
0.0.1 (clean GA)	(empty)	Publishes to default @latest dist-tag

Applied to all three publish surfaces in this repo:

File	Line	Surface
release.yml	38	Single-step publish
release-node.yml	159	Per-runtime loop (4 sub-packages)
release-node.yml	167	Main @agent-assembly/sdk publish

Each publish step now reads package.json version, branches on *-*, and applies --tag alpha only for pre-releases.

Out-of-scope

Future -beta.* / -rc.* work would need its own dist-tag mapping (currently everything -... maps to alpha). That's not in this PR's scope — the dry-run is only exercising -alpha.*.

Type of Change

• 🐛 Bug fix

Breaking Changes

• No — GA tags publish to @latest as before; only pre-release tags get a new dist-tag.

Related Issues

• Related Jira ticket: AAASM-2097
• Parent Story: AAASM-1203 — F113: Node.js SDK binary distribution
• Discovery context: v0.0.1-alpha.1 dry-run, release.yml run 26483480083 + release-node.yml run 26483480059

Testing

• actionlint .github/workflows/release.yml clean
• actionlint .github/workflows/release-node.yml clean
• Manual evaluation of the dist-tag logic against 0.0.1-alpha.1 and 0.0.1 (one branches yes, the other no)

Verification will fully close after the next release tag push — observe npm view @agent-assembly/sdk dist-tags showing the new dist-tag.

Checklist

• Code follows project style guidelines
• Self-review of the diff completed
• Commits follow Gitmoji convention

— Claude Code (Opus 4.7, 1M context)

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[Chisanan232]

Claude Code review — AAASM-2097

CI state

25/25 SUCCESS across the full node-sdk CI matrix — napi-build × 4 (ubuntu/macos/windows × Node 20+22), module-smoke (18/20/22), test (18/20/22/24 × ubuntu/macos/windows = 12 entries), quality, coverage-and-analysis, SonarCloud, codecov/patch. mergeable=MERGEABLE, mergeStateStatus=CLEAN.

The CI runs pnpm install with the existing lockfile (without alpha-1 lockfile drift, since that's a separate PR #57). All publish-step changes are workflow-only — they execute on tag push, not on PR CI. Verification closes when the next tag pushes.

Scope vs. acceptance criteria

AC	Where verified	Status
Pushing a pre-release tag publishes @agent-assembly/sdk under the @alpha dist-tag	pnpm publish ... --tag alpha resolved at runtime based on node -p "require('./package.json').version" containing -	✅ logic verified by inspection
Pushing a GA tag publishes under @latest as before	DIST_TAG="" branch when version doesn't contain -, falls back to npm default	✅
Applied to all publish surfaces in the repo	Diff touches 3 distinct steps: release.yml line 38, release-node.yml line 159 (4-runtime loop), release-node.yml line 167 (main SDK)	✅
actionlint clean on both modified files	Verified locally before push	✅
npm view @agent-assembly/sdk dist-tags shows both alpha and latest after both release types	Cannot fully verify until next pre-release tag publishes — deferred	⏳ deferred to live verification

Implementation detail worth recording

• Shell-time computation vs. expression-time: VERSION=$(node -p "require('./package.json').version") runs inside the bash step rather than via GitHub Actions expressions. This avoids needing a separate Compute dist-tag step and keeps the publish step self-contained. The cost is a small bash if-block per step.
• # shellcheck disable=SC2086: intentional. $DIST_TAG either expands to --tag alpha (2 tokens) or `` (empty), so we want word-splitting. Quoting would break it.
• Future -beta.* / -rc.* work: any version with - currently maps to alpha. When -beta/-rc need their own dist-tags, the if-branch can be expanded to detect the identifier substring (*-beta.* → beta, etc.). Out of scope for this PR — the alpha-1 dry-run is the only pre-release on the immediate roadmap.

Verdict

Ready for human approval and merge. Full CI green, scope-AC items all verified by inspection or CI, the deferred "live verification" item is the appropriate-by-construction outcome for a publish-time-only change.

— Claude Code (Opus 4.7, 1M context)

[Chisanan232]

Claude Code follow-up — derived dist-tag pattern

Update commit: 3d73909 — ♻️ (ci): Derive npm dist-tag from SemVer pre-release identifier

Why this update

The original commit f9c618d hardcoded --tag alpha for every pre-release version. That was technically sufficient for the v0.0.1-alpha.1 dry-run but the user flagged it during review: as soon as -beta.* / -rc.* / -canary.* ships, a 0.0.1-rc.1 build would land on the @alpha dist-tag, masking the rc bits behind the alpha channel. They're right — that was the wrong call on my part.

The fix

Extract the pre-release identifier from the version string via bash regex and use it directly as the dist-tag. Zero workflow changes needed when introducing a new pre-release channel:

# Derive the npm dist-tag from the SemVer pre-release identifier.
if [[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+-([a-zA-Z]+) ]]; then
  DIST_TAG="--tag ${BASH_REMATCH[1]}"
else
  DIST_TAG=""
fi

Version	Extracted DIST_TAG	npm dist-tag
0.0.1	(empty)	@latest
0.0.1-alpha.1	--tag alpha	@alpha
0.0.1-beta.2	--tag beta	@beta
0.0.1-rc.1	--tag rc	@rc
0.0.1-canary.20260528	--tag canary	@canary

Regex sanity-checked locally against 7 version shapes; all pass.

Scope

Same 3 publish surfaces as the original commit:

• release.yml line 38 (single-step publish)
• release-node.yml line 159 (4-runtime sub-package loop)
• release-node.yml line 167 (main @agent-assembly/sdk)

Both files clean against actionlint after the update.

Related follow-up

The user also flagged that aa-cli/Cargo.toml's hardcoded version = "0.0.1-alpha.1" literals (from AAASM-2094) have the same future-proofing concern. The right fix there is the [workspace.dependencies] inheritance pattern, which is a larger refactor than the AAASM-2094 bug scope. Filed as AAASM-2100 as a separate refactor sub-task under AAASM-1200.

— Claude Code (Opus 4.7, 1M context)

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud