@oasis-cloud (Collaborator) commented Feb 14, 2025

Summary by CodeRabbit

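  • Chores
    • Streamlined the release process: automatic release triggering is now based on pull requests, which makes change handling more precise.
    • Adjusted when key configuration is applied, making the process safer and more accurate.
    • Updated the package version from "3.0.0-beta.13" to "3.0.0-beta.14".
    • Added the release scripts "publish:beta" and "publish:latest", making the release process more flexible.
  • Bug Fixes
    • Removed the no-longer-supported CSS variable 'nutuiPickerListHeight' to keep the variable set accurate.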

coderabbitai bot commented Feb 14, 2025

Warning

Rate limit exceeded

@oasis-cloud has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 13 minutes and 46 seconds before requesting another review.


📥 Commits

Reviewing files that changed from the base of the PR and between 39b001c and 1989f86.

📒 Files selected for processing (1)
  • .github/workflows/release-beta.yml (1 hunks)

Walkthrough

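This PR modifies the .github/workflows/release-beta.yml workflow configuration. The main changes: the workflow trigger is changed from the push event to the pull_request event, and the original push trigger is commented out. The environment variables NODE_AUTH_TOKEN and NPM_CONFIG_PROVENANCE are removed from the global environment and defined instead in the publish steps for @nutui/nutui-react and @nutui/nutui-react-taro respectively. In addition, the checkout step now specifies the pull request's head SHA to ensure the workflow runs on the exact commit. The 'nutuiPickerListHeight' variable is removed from the NutCSSVariables type definition, which affects the set of valid CSS variable names.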

Changes

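File | Change summary
.github/workflows/release-beta.yml | Trigger changed from push to pull_request (for the feat_v3.x branch), with the original push trigger commented out; environment variables NODE_AUTH_TOKEN and NPM_CONFIG_PROVENANCE moved from the global scope into their respective publish steps; the checkout step now specifies the pull request's head SHA; the setup-node step updated with a registry-url parameter; --access public added to the publish steps.
src/packages/configprovider/types.ts | Removed the 'nutuiPickerListHeight' variable from the NutCSSVariables type.
package.json | Version update: from "3.0.0-beta.13" to "3.0.0-beta.14".
scripts/build-taro.mjs | Added the "publish:beta" and "publish:latest" scripts in the generateReleasePackageJson function.
scripts/build.mjs | Added the "publish:beta" and "publish:latest" scripts in the generateReleasePackageJson function.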

Possibly related PRs

Suggested reviewers

  • xiaoyatong
  • Alex-huxiyang

Poem

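I am a little rabbit, and the code hops lightly,
The trigger quietly shifts, from push onto the path of requests.
Environment variables are split by scope, each step revealing its true form,
checkout targets the commit, twinkling like a star.
The release song plays slowly; may the code turn into the soaring of spring! 🐇✨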



@github-actions github-actions bot added action:review This PR needs more reviews (less than 2 approvals) 3.x Target branch 3.x labels Feb 14, 2025

codecov bot commented Feb 14, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 85.79%. Comparing base (3539ffc) to head (1989f86).

Additional details and impacted files
@@            Coverage Diff             @@
##           feat_v3.x    #2993   +/-   ##
==========================================
  Coverage      85.79%   85.79%           
==========================================
  Files            281      281           
  Lines          18527    18527           
  Branches        2810     2810           
==========================================
  Hits           15896    15896           
  Misses          2626     2626           
  Partials           5        5           


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
.github/workflows/release-beta.yml (1)

86-86: Add a newline at the end of the file

According to the YAML specification, the file should end with a newline character.

  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
  NPM_CONFIG_PROVENANCE: true
+
🧰 Tools
🪛 YAMLlint (1.35.1)

[error] 86-86: no new line character at the end of file

(new-line-at-end-of-file)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3539ffc and e887c17.

📒 Files selected for processing (1)
  • .github/workflows/release-beta.yml (3 hunks)

⏰ Context from checks skipped due to timeout of 90000ms (3)
  • GitHub Check: build
  • GitHub Check: test
  • GitHub Check: release-3x-beta
🔇 Additional comments (3)
.github/workflows/release-beta.yml (3)

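17-20: Checkout configuration improvement

Using github.event.pull_request.head.sha ensures the workflow runs on the correct commit, which is a good improvement.


72-75: Environment variable scope optimization

Moving NODE_AUTH_TOKEN and NPM_CONFIG_PROVENANCE from the global scope to the local scope is a good security practice that limits the exposure of sensitive information.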

Also applies to: 84-86


3-8:

Details

❓ Verification inconclusive

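Workflow trigger change needs verification

Changing the trigger from push to pull_request may affect the release process. Please confirm:

  1. Whether a release is triggered automatically after the PR is merged
  2. Whether an additional workflow is needed to handle the release after merging

🌐 Web query:

Does the pull_request trigger in GitHub Actions run the workflow after a PR is merged?

💡 Result:

By default, the pull_request trigger in GitHub Actions does not run the workflow after a PR is merged. The key details are as follows:

Default behavior

  1. By default, the pull_request event responds only to the following activity types:
    • opened (a new PR is opened)
    • synchronize (the PR branch is updated)
    • reopened (the PR is reopened) [1][9]
  2. Handling when a PR is closed
    • If the PR is closed without being merged: GITHUB_REF remains refs/pull/PULL_REQUEST_NUMBER/merge
    • If the PR is closed by merging: GITHUB_REF becomes the target branch ref (such as /refs/heads/main), but the workflow is not triggered automatically [1][7]

How to trigger when a PR is merged

Switch to the pull_request_target trigger and add a conditional check: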

on:
  pull_request_target:
    types: [closed]

jobs:
  check_merged:
    if: github.event.pull_request.merged == true
    runs-on: ubuntu-latest
    steps:
      - run: echo "PR was merged!"

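This configuration triggers the workflow when a PR is closed and uses the condition to filter for PRs that were actually merged [1][7][9].

Key differences

Trigger type | Responds when | Security properties | SHA/REF points to
pull_request | The PR is unmerged and has no conflicts | Automatically isolates fork PRs | Temporary merge commit
pull_request_target | The PR is closed (including merged) | Security checks must be handled manually | Latest commit on the base branch

For finer control in merge-queue scenarios, this can be combined with the merge_group event [8].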

Citations:


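Workflow trigger issue: please confirm that the trigger conditions match the intended release process

After verification, the pull_request trigger in GitHub Actions does not run the workflow after a PR is merged by default. Please confirm:

  • Is it intended that the release process does not run automatically after the PR is merged?
  • If the release should be triggered after merging, consider switching to the pull_request_target trigger together with a conditional check, so that the release task runs only when the PR has been merged.
  • Please check the other related configuration (such as the PR head SHA reference and the step-local environment variables) to make sure it is consistent with the workflow trigger logic.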
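
The scoping change praised in this review (NODE_AUTH_TOKEN moved out of the workflow-wide env and into the publish step) can be checked mechanically. The following Python check is an added example, not code from the PR, from CodeRabbit or from the NutUI project; the two workflow fragments are constructed from settings quoted in this thread, `secret_scopes` and `widely_scoped` are hypothetical helper names, and space-indented block-style YAML is assumed.

```python
import re

SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")

# Constructed workflow fragments (trigger omitted), modelled on this thread.
GLOBAL_ENV = """\
env:
  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
  NPM_CONFIG_PROVENANCE: true
jobs:
  release-3x-beta:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pnpm --dir ./release/h5 publish:beta
"""

STEP_ENV = """\
jobs:
  release-3x-beta:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pnpm --dir ./release/h5 publish:beta
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
          NPM_CONFIG_PROVENANCE: true
"""


def secret_scopes(workflow_text):
    """Return sorted (secret, scope) pairs; scope is workflow, job or step."""
    found = set()
    top_key = steps_indent = None
    for line in workflow_text.splitlines():
        body = line.strip()
        if not body or body.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:                      # new top-level key (env, jobs, ...)
            top_key, steps_indent = body.split(":")[0], None
        elif body == "steps:":
            steps_indent = indent
        elif steps_indent is not None and indent <= steps_indent and body[0] != "-":
            steps_indent = None              # left the steps list of this job
        in_step = top_key == "jobs" and steps_indent is not None
        scope = "step" if in_step else "job" if top_key == "jobs" else "workflow"
        found.update((name, scope) for name in SECRET_REF.findall(line))
    return sorted(found)


def widely_scoped(workflow_text):
    """Secrets readable beyond a single step; candidates for step-level env."""
    return [name for name, scope in secret_scopes(workflow_text) if scope != "step"]
```

A non-empty `widely_scoped` result names the secrets that every step in scope, third-party actions included, can read from its environment.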

@pull-request-size pull-request-size bot added size/M and removed size/S labels Feb 14, 2025

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (2)
.github/workflows/release-beta.yml (2)

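47-51: npm registry configuration improves security

Explicitly specifying the npm registry URL is a good security practice. Consider adding provenance support to further strengthen package security.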

 - uses: actions/setup-node@v4
   with:
     registry-url: 'https://registry.npmjs.org'
     node-version: '20'
     cache: 'pnpm'
+    provenance: true
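
Review bot: The added `provenance: true` line sits under `with:` of actions/setup-node@v4, and `provenance` is not an input that action defines, so it would be ignored with an unexpected-input warning instead of enabling anything (the same class of problem actionlint reports for `registry-url` on actions/checkout in this thread). Provenance is requested at publish time, which this workflow already does with `NPM_CONFIG_PROVENANCE: true` on the publish step together with the `id-token: write` permission; drop this line and keep that setting.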

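69-77: Suggested improvement to the publish command

The publish command now includes the --access public flag, which is good. Consider adding error handling and a retry mechanism to make publishing more reliable.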

-        run: npm publish --tag ${{ env.RELEASE_TAG }} --access public
+        run: |
+          MAX_RETRIES=3
+          RETRY_COUNT=0
+          until npm publish --tag ${{ env.RELEASE_TAG }} --access public || [ $RETRY_COUNT -eq $MAX_RETRIES ]; do
+            RETRY_COUNT=$((RETRY_COUNT+1))
+            echo "发布失败,第 $RETRY_COUNT 次重试..."
+            sleep 5
+          done
+          if [ $RETRY_COUNT -eq $MAX_RETRIES ]; then
+            echo "发布失败,已达到最大重试次数"
+            exit 1
+          fi
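
Review bot: The closing `if [ $RETRY_COUNT -eq $MAX_RETRIES ]` check cannot tell success from failure: when `npm publish` succeeds on the fourth attempt (the third retry), the `until` loop exits with RETRY_COUNT equal to 3 and the step still runs `exit 1`, reporting a failed release for a package that was published. Track the exit status of the publish command itself, for example by breaking out of the loop on success and failing only when the last attempt returned non-zero. Also pass `${{ env.RELEASE_TAG }}` to the script through the step's `env:` and reference it as a quoted shell variable, rather than expanding the expression inside the script text.
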
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a2edf9e and bed54ae.

📒 Files selected for processing (1)
  • .github/workflows/release-beta.yml (3 hunks)
⏰ Context from checks skipped due to timeout of 90000ms (3)
  • GitHub Check: build
  • GitHub Check: test
  • GitHub Check: release-3x-beta
🔇 Additional comments (2)
.github/workflows/release-beta.yml (2)

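17-19: Permission configuration follows the principle of least privilege

The newly added permission configuration follows the principle of least privilege and grants only the necessary permissions:

  • contents: read - used to check out the code
  • id-token: write - used for authentication when publishing to npm

21-24: Checkout configuration ensures the correct code version

Using github.event.pull_request.head.sha ensures the workflow runs on the correct commit, which is good practice.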

Comment on lines 3 to 8
on:
push:
pull_request:
# push:
branches:
- feat_v3.x
workflow_dispatch:
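
Review bot: With `pull_request:` replacing `push:` on the trigger lines, this release workflow runs for every PR opened or updated against feat_v3.x, so the publish job executes on unmerged, unreviewed head commits. If the PR run is meant as a dry run, gate the publish step on `github.event_name == 'workflow_dispatch'` or keep `push:` for the real release, and do not swap in `pull_request_target` while the job still checks out `github.event.pull_request.head.sha`, because that would run PR-controlled code with the publish token available. The leftover `# push:` line should be deleted or given a comment explaining why it is kept.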

💡 Verification agent

🧩 Analysis chain

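Workflow trigger change needs verification

Changing the trigger from push to pull_request may affect the existing release process. Please confirm:

  1. Team members understand the new release process
  2. The CI/CD pipeline still works as expected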

🏁 Script executed:

#!/bin/bash
# Check whether any other workflow depends on this one
gh workflow list --all | grep -B 2 -A 2 "Release 3x Beta"

# Check the status of recent workflow runs
gh run list --workflow=release-beta.yml --limit 5

Length of output: 979


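Workflow trigger configuration needs fixing

After verification, gh run list shows that the 5 most recent runs all failed (the failures involve the chore_publish_beta task), which indicates that after changing the trigger from push to pull_request, the CI/CD pipeline is currently not working as expected. Please check the following:

  • Check the workflow logs to confirm whether the failures are related to the trigger change or to other configuration problems;
  • Verify that all configuration and permissions that depend on this workflow have been updated accordingly;
  • Make sure team members fully understand the new trigger settings and release process, and are prepared to adjust accordingly.

Please fix these issues as soon as possible to ensure that beta releases can proceed smoothly.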

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (2)
.github/workflows/release-beta.yml (2)

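66-69: Confirm the commented-out build step
Note: The pnpm build:taro build step has been commented out. If the step is temporarily not needed, add an explanation in the comment; if it is no longer needed, consider removing the code to keep the configuration clean.


77-79: Confirm whether the commented-out nutui-react-taro publish step should be kept
Note: The publish step for @nutui/nutui-react-taro is currently fully commented out. Please confirm whether this is a temporary suspension or a planned removal; if it will not be used again, consider deleting it to reduce confusion.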

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c01e634 and 6d4b386.

📒 Files selected for processing (3)
  • .github/workflows/release-beta.yml (3 hunks)
  • scripts/build-taro.mjs (1 hunks)
  • scripts/build.mjs (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (2)
  • scripts/build-taro.mjs
  • scripts/build.mjs
🧰 Additional context used
🪛 actionlint (1.7.4)
.github/workflows/release-beta.yml

24-24: input "registry-url" is not defined in action "actions/checkout@v4". available inputs are "clean", "fetch-depth", "fetch-tags", "filter", "github-server-url", "lfs", "path", "persist-credentials", "ref", "repository", "set-safe-directory", "show-progress", "sparse-checkout", "sparse-checkout-cone-mode", "ssh-key", "ssh-known-hosts", "ssh-strict", "ssh-user", "submodules", "token"

(action)

⏰ Context from checks skipped due to timeout of 90000ms (1)
  • GitHub Check: test
🔇 Additional comments (5)
.github/workflows/release-beta.yml (5)

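3-5: Trigger configuration change: from push to pull_request
Note: The workflow trigger has been changed from push to pull_request. Please confirm that this change has been communicated to the team, so that the adjusted release process triggers and runs correctly.


12-15: New runner environment and permission configuration
Note: runs-on: ubuntu-latest and the contents: write and id-token: write permissions were added to the release-3x-beta job. This helps ensure the workflow runs in the correct environment with the permissions it needs; please verify that these settings meet the requirements of the release process.


25-26: Check the environment variable setting in the checkout step
Note: NODE_AUTH_TOKEN is set again in the env block of actions/checkout@v4. Please confirm that this setting is consistent with the global environment variable configuration, to avoid possible overrides or redundancy.


51-51: registry-url configuration for setup-node
Note: In the actions/setup-node@v4 step, registry-url is correctly set to 'https://registry.npmjs.org', ensuring that Node dependencies resolve correctly. This configuration looks fine.


73-75: Publish step updated to a pnpm command
Note: The updated publish step uses the command pnpm --dir ./release/h5 publish:beta and passes NODE_AUTH_TOKEN through env in that step. Please confirm that the directory path and command arguments match the intended release requirements.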

Comment on lines 23 to 24
ref: ${{ github.event.pull_request.head.sha }}
registry-url: https://registry.npmjs.org

⚠️ Potential issue

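Error: actions/checkout does not support the registry-url parameter
Note: The inputs of actions/checkout@v4 currently do not include registry-url (see the actionlint message). Consider removing this parameter to avoid an invalid configuration, or check whether another Action that supports it was intended.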

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
.github/workflows/release-beta.yml (1)

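72-75: Commented-out React-Taro publish step
The Run Releases @nutui/nutui-react-taro section is currently commented out. Consider explaining in the comment why this step was disabled, so the team can understand and maintain it later.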

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6d4b386 and 39b001c.

📒 Files selected for processing (1)
  • .github/workflows/release-beta.yml (3 hunks)
⏰ Context from checks skipped due to timeout of 90000ms (2)
  • GitHub Check: build
  • GitHub Check: test
🔇 Additional comments (6)
.github/workflows/release-beta.yml (6)

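3-6: Verify the trigger change
The original push trigger is commented out and the pull_request trigger is enabled. Please verify whether this change affects the existing CI/CD process, and make sure the team is aware of the updated trigger logic.


13-16: New permission settings
The contents: write and id-token: write permissions were added to the release-3x-beta job. Please confirm that these permissions do not introduce security risks and that they meet the project's release requirements.


21-21: Check out a specific commit
Specifying ref: ${{ github.event.pull_request.head.sha }} ensures the workflow checks out the PR's actual commit. Please make sure this variable is passed correctly in all trigger scenarios; otherwise the checkout may fail.


46-48: Specify the registry URL
The registry-url: 'https://registry.npmjs.org' parameter was added to the actions/setup-node step to ensure the specified npm registry is used. Please confirm that this setting meets the project's requirements for dependency caching and publishing.


61-64: Taro build step commented out
The pnpm build:taro commands are commented out; please confirm this is the intended behavior. If the Taro build needs to be handled in the future, add a corresponding note or follow-up plan.


68-70: Updated publish command and environment variable
The publish step now uses pnpm --dir ./release/h5 publish:beta and configures the NODE_AUTH_TOKEN environment variable. Please confirm that the publish directory and token configuration are correct, to avoid a failed release.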

@pull-request-size pull-request-size bot added size/L and removed size/M labels Feb 17, 2025