chore: integrate Linear Releases with multi-package workflow #368

Merged
maxigimenez merged 3 commits into main from maxi/eng-556-enable-linear-release-process-for-currents-reporter on Jun 3, 2026

Conversation

@maxigimenez

Contributor

Add linear-release.yaml workflow for tag-based release syncing. Update publish.yaml to mark releases complete in Linear and post to Slack. Each package uses its own Linear pipeline access key. Update README with Linear Releases documentation.

Made with Cursor

Add linear-release.yaml workflow for tag-based release syncing. Update publish.yaml to mark releases complete in Linear and post to Slack. Each package uses its own Linear pipeline access key.

Co-authored-by: Cursor <cursoragent@cursor.com>
@coderabbitai

coderabbitai Bot commented Jun 3, 2026

Contributor

Warning

Review limit reached

@maxigimenez, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 19 minutes and 41 seconds. Learn how PR review limits work.



ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0a78ffa2-21ce-479f-8653-23a805e06089

📥 Commits

Reviewing files that changed from the base of the PR and between 5271a71 and aef0f44.

📒 Files selected for processing (3)
  • .github/workflows/linear-release.yaml
  • .github/workflows/publish.yaml
  • README.md

@maxigimenez maxigimenez requested review from agoldis and twk3 June 3, 2026 13:44
@maxigimenez

Contributor Author

@coderabbitai review this PR

@coderabbitai

coderabbitai Bot commented Jun 3, 2026

Contributor


🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Get PR details and changed files
gh pr view 368 --repo currents-dev/currents-reporter --json title,body,files,additions,deletions,baseRefName,headRefName

echo "=== CHANGED FILES ==="
gh pr diff 368 --repo currents-dev/currents-reporter --name-only

Length of output: 1185


🏁 Script executed:

#!/bin/bash
# Get the full diff
gh pr diff 368 --repo currents-dev/currents-reporter

Length of output: 8354



@maxigimenez: Here is my review of PR #368.


Review: chore: integrate Linear Releases with multi-package workflow

🔴 Critical Bug — Regex breaks node-test-reporter tags

File: .github/workflows/linear-release.yaml, "Extract package and version from tag" step

if [[ $TAG =~ ^`@currents/`([^-]+)-v(.+)$ ]]; then

The character class [^-]+ matches one or more characters that are NOT a hyphen. This means it stops at the very first - in the package name. For the tag @currents/node-test-reporter-v1.0.0:

  • [^-]+ captures only node
  • Then the pattern looks for -v but finds -test → no match → exit 1

Every push of a @currents/node-test-reporter-v* tag will fail at this step. The fix is to anchor the version with a digit so the greedy match can work correctly:

-          if [[ $TAG =~ ^`@currents/`([^-]+)-v(.+)$ ]]; then
+          if [[ $TAG =~ ^`@currents/`(.+)-v([0-9]+\..+)$ ]]; then

By requiring the version to start with a digit, the greedy (.+) for the package name correctly backtracks to the last -v<digit> boundary, correctly capturing node-test-reporter and 1.0.0.


🔴 Shell Injection Risk — User input interpolated into node -e

File: .github/workflows/publish.yaml, "Extract package version" step

PACKAGE_SHORT_NAME=$(node -e "const m = JSON.parse('${{ env.PACKAGE_MAP }}'); console.log(m['${{ github.event.inputs.package }}'])")

${{ github.event.inputs.package }} is injected directly into a shell command string. A value containing ' or $(...) could break out of the string context. The recommended pattern is to pass user input via environment variables:

- name: Extract package version
  id: extract_version
  env:
    PACKAGE_INPUT: ${{ github.event.inputs.package }}
  run: |
    PACKAGE_SHORT_NAME=$(node -e "
      const m = JSON.parse(process.env.PACKAGE_MAP);
      console.log(m[process.env.PACKAGE_INPUT]);
    ")
    PACKAGE_VERSION=$(node -p "require('./packages/$PACKAGE_SHORT_NAME/package.json').version")
    echo "version=$PACKAGE_VERSION" >> $GITHUB_OUTPUT
    echo "package_short=$PACKAGE_SHORT_NAME" >> $GITHUB_OUTPUT

This keeps user input out of the evaluated code string.


🟡 Missing Default Case → Silent Failure

File: .github/workflows/publish.yaml, "Determine Linear access key" step

case "$PACKAGE_SHORT" in
  cmd)   ...;;
  jest)  ...;;
  node-test-reporter) ...;;
  # No *) fallback!
esac

If package_short is empty or unexpected, the step exits with code 0 (success), key is unset, and secrets[''] resolves to an empty string. The subsequent "Mark Linear release as complete" step will run with an empty access_key and likely fail silently or with an unhelpful error.

Add a default error case:

+            *)
+              echo "Error: Unknown package '$PACKAGE_SHORT'"
+              exit 1
+              ;;

🟡 Unpinned Third-Party Action Versions

Both workflows use mutable version tags which can be silently updated (intentionally or via supply-chain attack):

| Action | Used tag | Recommendation |
|---|---|---|
| linear/linear-release-action | @v0 | Pin to a full SHA |
| slackapi/slack-github-action | @v2 | Pin to a full SHA |

Example:

uses: linear/linear-release-action@<full-sha>  # v0

You can find the current commit SHA from the action's releases page.


✅ What looks good

  • The overall workflow structure (branch sync vs. tag sync) is clean and well-organized.
  • Separating Linear pipeline keys per package is the right approach.
  • The steps.release.outputs.release-url guard on the Slack notification prevents posting if Linear didn't return a URL.
  • README documentation is clear and covers all required secrets.
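The first three findings in the review above (the tag regex that cannot cross a hyphen, the workflow input interpolated into `node -e`, and the missing default case) can be reproduced in plain Node.js. The block below is an added example, not code from the PR or from the currents-reporter repository: it assumes the `@currents/` prefix in the tag pattern is literal, and the `PACKAGE_MAP` contents are a constructed sample rather than the real map in publish.yaml. JavaScript regexes backtrack the same way bash's `=~` does for these two patterns, so the buggy and fixed forms behave exactly as the review describes.

```javascript
// Added example, not code from the PR or the currents-reporter repository.
// It reproduces the tag-parsing bug from linear-release.yaml and shows the
// hardened package lookup that publish.yaml should use, in plain Node.js.

// Buggy pattern from the review: [^-]+ cannot cross a hyphen in the package
// name, so "node-test-reporter" never matches.
const BUGGY_TAG_RE = /^@currents\/([^-]+)-v(.+)$/;

// Suggested fix: the version must start with a digit and a dot, so the greedy
// (.+) backtracks to the last "-v<digit>" boundary.
const FIXED_TAG_RE = /^@currents\/(.+)-v([0-9]+\..+)$/;

// Parse a release tag into { pkg, version }, or null when it does not match
// (the workflow's "exit 1" path).
function parseTag(tag, re = FIXED_TAG_RE) {
  const m = re.exec(tag);
  return m ? { pkg: m[1], version: m[2] } : null;
}

// Constructed sample of the JSON the workflow keeps in env.PACKAGE_MAP; the
// real map in publish.yaml may differ.
const PACKAGE_MAP_JSON = JSON.stringify({
  '@currents/cmd': 'cmd',
  '@currents/jest': 'jest',
  '@currents/node-test-reporter': 'node-test-reporter',
});

// Hardened lookup: both values come from process.env, so the workflow input is
// data, never part of the program text handed to `node -e`. An unknown package
// throws instead of printing "undefined", which is the missing default case
// from the review. hasOwnProperty also rejects inherited names such as
// "constructor" that a plain map[input] would resolve to a function.
function lookupShortName(env) {
  const map = JSON.parse(env.PACKAGE_MAP);
  const input = env.PACKAGE_INPUT;
  if (typeof input !== 'string' || !Object.prototype.hasOwnProperty.call(map, input)) {
    throw new Error(`Error: Unknown package '${input}'`);
  }
  return map[input];
}

// Wrapper that reports the outcome as a value instead of exiting, so the
// failure modes can be inspected.
function resolvePackage(input) {
  try {
    const short = lookupShortName({ PACKAGE_MAP: PACKAGE_MAP_JSON, PACKAGE_INPUT: input });
    return { ok: true, short };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Stand-alone run: both regexes against the review's example tags, then the
// lookup against a valid name, an inherited property name and a value carrying
// a quote character (all three are treated as plain data).
const sampleTags = ['@currents/cmd-v1.2.3', '@currents/node-test-reporter-v1.0.0', 'v1.0.0'];
for (const tag of sampleTags) {
  console.log(tag, '| buggy:', parseTag(tag, BUGGY_TAG_RE), '| fixed:', parseTag(tag));
}
for (const input of ['@currents/node-test-reporter', 'constructor', "@currents/cmd'"]) {
  console.log(JSON.stringify(input), '->', resolvePackage(input));
}
```

Run it with `node` to see the buggy pattern return `null` for the node-test-reporter tag while the fixed pattern yields `node-test-reporter` / `1.0.0`; the `hasOwnProperty` check is the one thing the review's suggested YAML does not spell out, and it matters because `m[input]` on a parsed JSON object still resolves prototype names.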

@maxigimenez maxigimenez merged commit 2384180 into main Jun 3, 2026
6 checks passed
@maxigimenez maxigimenez deleted the maxi/eng-556-enable-linear-release-process-for-currents-reporter branch June 3, 2026 16:05