Publish packages in lockstep

[willwashburn]

Summary

• publish all npm packages together in dependency order
• add burn-style lockstep baseline healing before version bumps
• normalize current package versions to 0.5.5 and make internal workspace deps exact at pack time
• include the README tagline change

Verification

• pnpm install --frozen-lockfile
• pnpm run check
• parsed publish and verify workflow YAML
• packed @agentworkforce/harness-kit and confirmed @agentworkforce/workload-router rewrites to 0.5.5

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: e2111bd3-c223-458c-b86f-601ab3d11afc

📥 Commits

Reviewing files that changed from the base of the PR and between febe429 and 390bd6b.

📒 Files selected for processing (1)

• packages/harness-kit/package.json

---

📝 Walkthrough

Walkthrough

The publish workflow was redesigned to execute lockstep multi-package publishing (workload-router, harness-kit, cli, agentworkforce) in fixed dependency order, replacing the prior per-package input mechanism. CI actions were upgraded, version-healing logic was externalized to a temp script, and the GitHub Release action was updated. A README header was revised and a package dependency spec was widened.

Changes

Lockstep Multi-Package Publishing

Layer / File(s)	Summary
Workflow Architecture .github/workflows/publish.yml (lines 1–5, 84–91)	Workflow renamed to "Publish Packages"; per-package workflow inputs removed; resolve-packages logic simplified to always publish in fixed dependency order (workload-router → harness-kit → cli → agentworkforce).
CI Tooling Upgrades .github/workflows/publish.yml (lines 58–66, 512–515)	Upgrade checkout v4 → v6, pnpm v4 → v5, setup-node v4 → v6, and softprops/action-gh-release v2 → v3.
Version Healing Mechanism .github/workflows/publish.yml (lines 107–177, 205–209)	Heal-versions logic moved from inline to externalized /tmp/lockstep-heal.mjs script; comments updated to reference baseline heal; functionality preserved.
Release Anchoring .github/workflows/publish.yml (lines 466–471)	Release anchor clarified to reference agentworkforce tag for lockstep multi-package publishes; GitHub Release action invocation aligned with updated action version.
Dependency Configuration packages/harness-kit/package.json (line 21)	@agentworkforce/workload-router dependency spec changed from workspace:^ to workspace:* to support lockstep version alignment.
Documentation README.md (lines 3–4)	Header replaced: removed "# workforce" + subtitle; added single line describing saved agent configurations.

Sequence Diagram

sequenceDiagram
    actor User
    participant GitHub as GitHub Actions
    participant Checkout as Checkout & Setup
    participant Build as Build & Test
    participant Heal as Version Heal
    participant Publish as npm Publish
    participant Release as GitHub Release

    User->>GitHub: Trigger publish workflow
    GitHub->>Checkout: Set up workspace (v6)
    Checkout->>Checkout: Install pnpm (v5), Node (v6)
    GitHub->>Build: Build all packages<br/>(workload-router → harness-kit → cli → agentworkforce)
    Build->>Build: Test all packages in order
    GitHub->>Heal: Run lockstep baseline heal script<br/>(/tmp/lockstep-heal.mjs)
    Heal->>Heal: Align local versions to npm baseline
    GitHub->>Publish: Bump and publish all packages<br/>in dependency order
    Publish->>Publish: Tag each package release
    GitHub->>Release: Build combined release notes
    Release->>Release: Create GitHub Release<br/>(anchored to agentworkforce)
    Release-->>User: Multi-package release complete

Loading

Estimated Code Review Effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 Four packages hop in perfect time,
Lockstep rhythm, bells that chime,
Scripts heal and healers mend,
From start to GitHub release end,
Workflows dance in sync, divine!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Publish packages in lockstep' directly describes the main objective of the changeset—converting from package-specific to lockstep multi-package publishing.
Description check	✅ Passed	The description is directly related to the changeset, outlining the key changes: lockstep publishing, baseline healing, version normalization, and README updates, with verification steps provided.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/installable-persona-sources

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: febe429b53

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Skip lockstep heal when version bump is none

The new baseline-heal step runs npm version and can mutate package versions even when the dispatch input uses version: none (the documented no-bump path). In that mode, the later commit/tag steps are skipped by their if conditions, but Pack + publish still runs, so you can publish healed versions that are never committed or tagged in git. This reintroduces npm/git drift and breaks later changelog/tag baselines for any run where heal changes versions but no explicit bump/custom version was requested.

Useful? React with 👍 / 👎.

[willwashburn]

@copilot resolve the merge conflicts in this pull request

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/publish.yml (1)

385-386: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Pin npm to a stable version instead of latest.

Line 386 makes the publish path non-reproducible; a future npm minor/patch release could introduce unexpected behavior. The workflow requires npm >= 11.5.1 for OIDC trusted-publisher flow, so pin to a known-good version within that range (e.g., npm@11.13.0 or npm@11.x).

🔧 Proposed change

-      - name: Install latest npm
-        run: npm install -g npm@latest
+      - name: Install npm 11.x (pinned for reproducible publish behavior)
+        run: npm install -g npm@11

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/publish.yml around lines 385 - 386, Replace the
non-reproducible "Install latest npm" step that runs "npm install -g npm@latest"
with a pinned, known-good npm version; update the run command in that step (the
"Install latest npm" workflow step) to install a specific npm release in the
supported range (for example "npm@11.13.0" or "npm@11.x") and ensure the chosen
version is >= 11.5.1 to keep OIDC trusted-publisher support while making the
publish workflow reproducible.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@README.md`:
- Line 3: Update the tagline string "Saved configurations of coding agents you
can save and share with your collegues." by correcting the misspelling
"collegues" to "colleagues" so the sentence reads "Saved configurations of
coding agents you can save and share with your colleagues."; locate and edit the
exact line containing that tagline in README.md.

---

Outside diff comments:
In @.github/workflows/publish.yml:
- Around line 385-386: Replace the non-reproducible "Install latest npm" step
that runs "npm install -g npm@latest" with a pinned, known-good npm version;
update the run command in that step (the "Install latest npm" workflow step) to
install a specific npm release in the supported range (for example "npm@11.13.0"
or "npm@11.x") and ensure the chosen version is >= 11.5.1 to keep OIDC
trusted-publisher support while making the publish workflow reproducible.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 362f07fd-4d6c-47f3-8204-91e5f7cecf01

📥 Commits

Reviewing files that changed from the base of the PR and between 429fd79 and febe429.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (5)

• .github/workflows/publish.yml
• README.md
• packages/agentworkforce/package.json
• packages/harness-kit/package.json
• packages/workload-router/package.json

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix typo in the new tagline.

Line 3 has a spelling error: collegues → colleagues.

✏️ Proposed fix

-Saved configurations of coding agents you can save and share with your collegues.
+Saved configurations of coding agents you can save and share with your colleagues.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	Saved configurations of coding agents you can save and share with your collegues.
	Saved configurations of coding agents you can save and share with your colleagues.

🧰 Tools

🪛 LanguageTool

[grammar] ~3-~3: Ensure spelling is correct
Context: ...agents you can save and share with your collegues. ## Core frame A persona is the runtime...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@README.md` at line 3, Update the tagline string "Saved configurations of
coding agents you can save and share with your collegues." by correcting the
misspelling "collegues" to "colleagues" so the sentence reads "Saved
configurations of coding agents you can save and share with your colleagues.";
locate and edit the exact line containing that tagline in README.md.

[Copilot]

@copilot resolve the merge conflicts in this pull request

Resolved in 390bd6b. The conflicts were in packages/agentworkforce/package.json and packages/workload-router/package.json where both sides bumped the version — I kept main's 0.6.0 (the actual published release) in both files. The harness-kit auto-merged cleanly, preserving both the 0.6.0 version from main and the workspace:* dep change from this branch.