chore: fix-publish-steps

[ryanbas21]

JIRA Ticket

https://pingidentity.atlassian.net/browse/SDKS-4858

Description

Due to unforeseen issues, we want to guard the job against the changesets release branch.

Additionally add steps to force no agents (no distributed build tasks) and no nx cache when running build in publish steps

Summary by CodeRabbit

• Chores
  • CI publishing workflows updated to run fresh, uncached builds before package publish steps.
  • Snapshot publishing now includes an additional guard to avoid running on the release branch/ref selected for releases.
  • Release scripts adjusted so release runs perform non-cached builds, reducing stale artifacts and ensuring published packages reflect the latest build output.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 6272a18

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds the --skip-nx-cache flag to several pnpm nx run-many -t build invocations (GitHub Actions composite actions, workflow job, and package.json script) and refines a workflow if condition to avoid running on changeset-release/main refs for the snapshot job.

Changes

Cohort / File(s)	Summary
GitHub Actions composite actions \.github/actions/publish-beta/action.yml, \.github/actions/publish-release/action.yml	Added --skip-nx-cache to the pnpm nx run-many -t build --no-agents build step to bypass Nx cache.
Workflow job \.github/workflows/publish.yml	Expanded snapshot job if condition to exclude changeset-release/main refs and inserted a build step: pnpm nx run-many -t build --no-agents --skip-nx-cache before the recursive publish step.
Package scripts package.json	Updated scripts.ci:release to include --skip-nx-cache on the Nx multi-target build invocation.

Sequence Diagram(s)

(omitted)

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• chore: update-npm-version-in-ci #497: Modifies CI publish flow and the pnpm nx run-many build invocation in workflow/package.json.
• ci: use-trusted-publishers #418: Introduced/centralized nx run-many usage in publish workflows; related to adding flags to that invocation.

Suggested reviewers

• cerebrl
• ancheetah
• spetrov

Poem

"I’m a rabbit in the CI glen,
skipping caches now and then,
hops through workflows, light and spry,
builds anew beneath the sky,
npm carrots, publish then!"

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'chore: fix-publish-steps' is vague and does not clearly convey the specific nature of the changes, such as adding cache bypass flags or guarding against release branches.	Consider a more descriptive title like 'chore: add cache bypass and branch guard to publish workflows' to better communicate the actual changes.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description check	✅ Passed	The pull request description includes the required JIRA ticket link and a clear description of the changes made, following the repository template structure.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch update-publish-steps

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[nx-cloud]

View your CI Pipeline Execution ↗ for commit 232ee41

Command	Status	Duration	Result
nx run-many -t build --no-agents	✅ Succeeded	<1s	View ↗
nx affected -t build lint test typecheck e2e-ci	✅ Succeeded	1m 55s	View ↗

---

☁️ Nx Cloud last updated this comment at 2026-03-19 19:17:24 UTC

[pkg-pr-new]

Open in StackBlitz

@forgerock/davinci-client

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/davinci-client@551

@forgerock/device-client

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/device-client@551

@forgerock/journey-client

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/journey-client@551

@forgerock/oidc-client

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/oidc-client@551

@forgerock/protect

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/protect@551

@forgerock/sdk-types

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-types@551

@forgerock/sdk-utilities

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-utilities@551

@forgerock/iframe-manager

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/iframe-manager@551

@forgerock/sdk-logger

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-logger@551

@forgerock/sdk-oidc

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-oidc@551

@forgerock/sdk-request-middleware

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-request-middleware@551

@forgerock/storage

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/storage@551

commit: 232ee41

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 14.77%. Comparing base (5d6747a) to head (232ee41).
⚠️ Report is 8 commits behind head on main.

❌ Your project status has failed because the head coverage (14.77%) is below the target coverage (40.00%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files

@@             Coverage Diff             @@
##             main     #551       +/-   ##
===========================================
- Coverage   70.90%   14.77%   -56.14%     
===========================================
  Files          53      153      +100     
  Lines        2021    26262    +24241     
  Branches      377     1056      +679     
===========================================
+ Hits         1433     3879     +2446     
- Misses        588    22383    +21795     

see 101 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[github-actions]

Deployed 0c3b703 to https://ForgeRock.github.io/ping-javascript-sdk/pr-551/0c3b703af7bced717105c81cc5f22ca2325f19f2 branch gh-pages in ForgeRock/ping-javascript-sdk

[github-actions]

📦 Bundle Size Analysis

📦 Bundle Size Analysis

🆕 New Packages

🆕 @forgerock/journey-client - 87.8 KB (new)
🆕 @forgerock/journey-client - 0.0 KB (new)

➖ No Changes

➖ @forgerock/sdk-logger - 1.6 KB
➖ @forgerock/sdk-request-middleware - 4.5 KB
➖ @forgerock/iframe-manager - 2.4 KB
➖ @forgerock/sdk-oidc - 4.8 KB
➖ @forgerock/storage - 1.5 KB
➖ @forgerock/sdk-types - 7.9 KB
➖ @forgerock/protect - 150.1 KB
➖ @forgerock/device-client - 9.2 KB
➖ @forgerock/davinci-client - 41.3 KB
➖ @forgerock/sdk-utilities - 11.2 KB
➖ @forgerock/oidc-client - 24.9 KB

---

13 packages analyzed • Baseline from latest main build

Legend

🆕 New package
🔺 Size increased
🔻 Size decreased
➖ No change

ℹ️ How bundle sizes are calculated

• Current Size: Total gzipped size of all files in the package's dist directory
• Baseline: Comparison against the latest build from the main branch
• Files included: All build outputs except source maps and TypeScript build cache
• Exclusions: .map, .tsbuildinfo, and .d.ts.map files

---

_{🔄 Updated automatically on each push to this PR}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

package.json (1)

18-18: Consider consolidating release builds to a single stage.

With Line 18 building in ci:release, and publish actions also building (.github/actions/publish-release/action.yml Line 35, .github/actions/publish-beta/action.yml Line 13), release flows can perform redundant non-cached builds. Consider keeping one authoritative build step to reduce publish latency.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` at line 18, The CI currently runs builds in the npm script
"ci:release" and again inside the publish actions, causing duplicate non-cached
builds; pick one authoritative build step (recommend keeping "ci:release" as the
single build stage) and remove or gate the build steps in the publish actions
(.github/actions/publish-release/action.yml and
.github/actions/publish-beta/action.yml) so they don’t rebuild artifacts—either
remove the build command from those action.yml files or add an input/flag (e.g.,
skip-build) to short-circuit the build when artifacts are produced by
"ci:release", and ensure the publish actions consume the produced build
artifacts instead.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/publish.yml:
- Line 99: The current job guard only checks github.ref and can be bypassed when
workflow_dispatch supplies a user-controlled inputs.branch; update the job's
if-condition to also validate the dispatched input by adding checks against
github.event.inputs.branch (or github.event.inputs.branch prefixed with
refs/heads/) so it does not equal the protected release branch (e.g.,
"changeset-release/main" and "refs/heads/changeset-release/main"); ensure the
expression used for the job run condition combines github.event_name ==
'workflow_dispatch', github.ref != 'refs/heads/changeset-release/main', and the
new github.event.inputs.branch != 'changeset-release/main' /
github.event.inputs.branch != 'refs/heads/changeset-release/main' checks so the
snapshot publishing step that reads inputs.branch cannot be pointed at the
protected branch.

---

Nitpick comments:
In `@package.json`:
- Line 18: The CI currently runs builds in the npm script "ci:release" and again
inside the publish actions, causing duplicate non-cached builds; pick one
authoritative build step (recommend keeping "ci:release" as the single build
stage) and remove or gate the build steps in the publish actions
(.github/actions/publish-release/action.yml and
.github/actions/publish-beta/action.yml) so they don’t rebuild artifacts—either
remove the build command from those action.yml files or add an input/flag (e.g.,
skip-build) to short-circuit the build when artifacts are produced by
"ci:release", and ensure the publish actions consume the produced build
artifacts instead.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d9f36b9b-9604-4cd8-b8b9-9f87be4f224d

📥 Commits

Reviewing files that changed from the base of the PR and between e239060 and 6272a18.

📒 Files selected for processing (4)

• .github/actions/publish-beta/action.yml
• .github/actions/publish-release/action.yml
• .github/workflows/publish.yml
• package.json