Adjust release GitHub workflow for v7

[yannbf]

Closes #

What I did

Checklist for Contributors

Testing

The changes in this PR are covered in the following automated tests:

• stories
• unit tests
• integration tests
• end-to-end tests

Manual testing

Caution

This section is mandatory for all contributions. If you believe no manual test is necessary, please state so explicitly. Thanks!

Documentation

• Add or update documentation reflecting your changes
• If you are deprecating/removing a feature, make sure to update
  MIGRATION.MD

Checklist for Maintainers

• When this PR is ready for testing, make sure to add ci:normal, ci:merged or ci:daily GH label to it to run a specific set of sandboxes. The particular set of sandboxes can be found in code/lib/cli-storybook/src/sandbox-templates.ts

• Make sure this PR contains one of the labels below:

  Available labels

  • bug: Internal changes that fixes incorrect behavior.
  • maintenance: User-facing maintenance tasks.
  • dependencies: Upgrading (sometimes downgrading) dependencies.
  • build: Internal-facing build tooling & test updates. Will not show up in release changelog.
  • cleanup: Minor cleanup style change. Will not show up in release changelog.
  • documentation: Documentation only changes. Will not show up in release changelog.
  • feature request: Introducing a new feature.
  • BREAKING CHANGE: Changes that break compatibility in some way with current major version.
  • other: Changes that don't fit in the above categories.

🦋 Canary release

This pull request has been released as version 0.0.0-pr-33846-sha-e0cc7193. Try it out in a new sandbox by running npx storybook@0.0.0-pr-33846-sha-e0cc7193 sandbox or in an existing project with npx storybook@0.0.0-pr-33846-sha-e0cc7193 upgrade.

More information

Published version	0.0.0-pr-33846-sha-e0cc7193
Triggered by	@yannbf
Repository	storybookjs/storybook
Branch	v7-release-fixes
Commit	e0cc7193
Datetime	Tue Feb 17 09:41:13 UTC 2026 (1771321273)
Workflow run	22093378029

To request a new release of this pull request, mention the @storybookjs/core team.

core team members can create a new canary release here or locally with gh workflow run --repo storybookjs/storybook publish.yml --field pr=33846

Summary by CodeRabbit

• Chores
  • Added a reusable CI action to streamline Node setup, caching, and optional dependency installation.
  • Revised the publish workflow to introduce a canary publish path, PR-aware canary flow, improved concurrency/permissions, deferred version bumping, and clearer release/publishing steps.
  • Bumped Node and Yarn toolchain references across project configs to newer runtime versions.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds a new composite GitHub Action to standardize Node.js setup and dependency installation; updates CI to support v7 releases plus an admin-gated manual canary publish flow that fetches PR metadata, publishes canaries, updates PR bodies, and reports failures. (49 words)

Changes

Cohort / File(s)	Summary
Composite Action .github/actions/setup-node-and-install/action.yml	New composite action: reads .nvmrc, runs actions/setup-node@v4, updates npm, caches Yarn v1 cache, installs scripts/ deps and optionally code/ deps via install-code-deps input.
Publish workflow .github/workflows/publish.yml	Large rewrite: adds admin-gated workflow_dispatch canary trigger, separates normal vs canary publish jobs, uses the new composite action, fetches PR metadata (gh pr view), computes/publishes canaries, updates PR bodies, creates GitHub releases/Sentry release, and posts failure notifications.
Node & Yarn runtime bumps .nvmrc, .yarnrc.yml, package.json	Bumped Node version in .nvmrc and updated root Yarn runtime reference to yarn@4.10.3 in manifests.
Code workspace Yarn config code/.yarnrc.yml, code/package.json	Updated yarnPath to yarn-4.10.3.cjs, added installStatePath, and changed packageManager to yarn@4.10.3; minor quoting/formatting normalizations.
Scripts workspace Yarn config scripts/.yarnrc.yml, scripts/package.json	Updated yarnPath and packageManager to Yarn 4.10.3; normalized YAML quoting and paths.

Sequence Diagram

sequenceDiagram
    actor Admin as Admin User
    participant GHA as GitHub Actions
    participant GHCLI as gh CLI
    participant Repo as Repository
    participant NodeSetup as setup-node-and-install
    participant Registry as Package Registry
    participant Discord as Discord Webhook

    Admin->>GHA: trigger workflow_dispatch (PR number)
    GHA->>GHA: validate triggering actor (admin)
    GHA->>GHCLI: gh pr view -> fetch PR metadata (owner, fork, branch, sha)
    GHA->>Repo: checkout PR branch/fork
    GHA->>NodeSetup: run composite action (read .nvmrc, setup Node, cache, install deps)
    GHA->>GHA: compute canary version
    GHA->>Registry: publish canary package
    GHA->>GHCLI: update PR body with canary details
    GHA->>Discord: post failure notification (on publish failure)

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• CI: Provide basic CI jobs for forked repositories, and disable our own jobs #32632: Adds/uses the same .github/actions/setup-node-and-install composite action referenced by these workflow changes.
• Copilot: Improve instructions, setup steps #33231: Integrates workflow automation that directly calls the new composite action introduced here.
• Release tooling: Use npm Trusted Publishing #32607: Also updates publish workflow and upgrades Yarn/Node references, overlapping with the manifest and workflow edits in this change.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/publish.yml (1)

110-137: ⚠️ Potential issue | 🟠 Major

Fix missing is-prerelease reference (actionlint error).

steps.is-prerelease isn’t defined in this job (actionlint flags it), so the prerelease flag/environment resolution is unreliable. Use the existing IS_PRERELEASE env or reintroduce the step.

🐛 Proposed fix

-            ${{ steps.is-prerelease.outputs.prerelease == 'true' && '--prerelease' || '' }}
+            ${{ env.IS_PRERELEASE == 'true' && '--prerelease' || '' }}
...
-          environment: ${{ steps.is-prerelease.outputs.prerelease == 'true' && 'prerelease' || 'latest' }}
+          environment: ${{ env.IS_PRERELEASE == 'true' && 'prerelease' || 'latest' }}

🤖 Fix all issues with AI agents

In @.github/workflows/publish.yml:
- Around line 139-145: The workflow step "Report job failure to Discord"
currently uses the mutable ref uses: Ilshidur/action-discord@master which is a
supply-chain risk; update that uses value to a specific immutable release tag or
commit SHA (e.g., Ilshidur/action-discord@vX.Y.Z or
Ilshidur/action-discord@<commit-sha>) so the action is pinned, and commit the
updated publish.yml entry accordingly.
- Around line 201-204: The canary publish step named "Publish v${{
steps.version.outputs.next-version }}" runs `yarn release:publish --tag
v7-canary --verbose` without the required npm auth token; add the missing
environment variable YARN_NPM_AUTH_TOKEN (set to the secrets value, e.g., ${{
secrets.YARN_NPM_AUTH_TOKEN }}) to that step so `yarn npm publish` invoked by
`release:publish` can authenticate successfully.

🧹 Nitpick comments (1)

.github/workflows/publish.yml (1)

180-185: Use github.repository explicitly instead of relying on implicit null fallback.

The actions/checkout action treats null as an empty string and falls back to the current repository automatically. While this behavior works correctly, explicitly using github.repository as the fallback makes the intent clearer and avoids relying on implicit GitHub Actions behavior.

🔧 Proposed fix

-          repository: ${{ steps.info.outputs.isFork == 'true' && steps.info.outputs.repository || null }}
+          repository: ${{ steps.info.outputs.isFork == 'true' && steps.info.outputs.repository || github.repository }}

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Search for release:publish references and auth token usage
fd -a 'package.json' -x rg -n '"release:publish"' {}
echo "---"
rg -n --hidden -g '!**/node_modules/**' 'YARN_NPM_AUTH_TOKEN|NPM_TOKEN|NODE_AUTH_TOKEN|npmAuthToken'

Repository: storybookjs/storybook

Length of output: 50377

---

🏁 Script executed:

# Read the publish.yml file to see the exact context around lines 200-210
wc -l .github/workflows/publish.yml
head -n 210 .github/workflows/publish.yml | tail -n 30

Repository: storybookjs/storybook

Length of output: 1359

---

🏁 Script executed:

# Search for all publish steps and env variables in publish.yml
grep -n -B2 -A5 "release:publish" .github/workflows/publish.yml

Repository: storybookjs/storybook

Length of output: 875

---

🏁 Script executed:

# Check the release/publish.ts script to see if it requires auth
head -n 100 scripts/release/publish.ts

Repository: storybookjs/storybook

Length of output: 3212

---

🏁 Script executed:

# Continue reading the publish script to find the actual npm publish logic
sed -n '100,250p' scripts/release/publish.ts

Repository: storybookjs/storybook

Length of output: 3001

---

🏁 Script executed:

# Get full context of both publish steps side by side
sed -n '95,110p' .github/workflows/publish.yml
echo "---"
sed -n '195,210p' .github/workflows/publish.yml

Repository: storybookjs/storybook

Length of output: 1511

---

Add missing npm auth token to canary publish step.

The canary publish step (line 201-203) runs yarn release:publish --tag v7-canary --verbose without setting YARN_NPM_AUTH_TOKEN, while the main publish step (line 101) includes this environment variable. Since release:publish internally calls yarn npm publish to publish packages to the npm registry, the missing auth token will cause the canary publish to fail.

Proposed fix

       - name: Publish v${{ steps.version.outputs.next-version }}
         working-directory: scripts
+        env:
+          YARN_NPM_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
         run: yarn release:publish --tag v7-canary --verbose

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- name: Publish v${{ steps.version.outputs.next-version }}
	working-directory: scripts
	run: yarn release:publish --tag v7-canary --verbose
	- name: Publish v${{ steps.version.outputs.next-version }}
	working-directory: scripts
	env:
	YARN_NPM_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
	run: yarn release:publish --tag v7-canary --verbose

🤖 Prompt for AI Agents

In @.github/workflows/publish.yml around lines 201 - 204, The canary publish
step named "Publish v${{ steps.version.outputs.next-version }}" runs `yarn
release:publish --tag v7-canary --verbose` without the required npm auth token;
add the missing environment variable YARN_NPM_AUTH_TOKEN (set to the secrets
value, e.g., ${{ secrets.YARN_NPM_AUTH_TOKEN }}) to that step so `yarn npm
publish` invoked by `release:publish` can authenticate successfully.

[storybook-bot]

Failed to publish canary version of this pull request, triggered by @yannbf. See the failed workflow run at: https://github.com/storybookjs/storybook/actions/runs/21995459403

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In @.github/workflows/publish.yml:
- Around line 126-137: The workflow references
steps.is-prerelease.outputs.prerelease but no step with id is-prerelease exists;
either remove those dead references or add an is-prerelease step that computes
whether the release is a prerelease from steps.version.outputs.current-version.
To add it, create a job step with id:is-prerelease (e.g., using
actions/github-script or a shell run) that reads
steps.version.outputs.current-version, evaluates if it contains a prerelease
identifier (like a hyphen/rc/alpha/beta per your tagging scheme) and sets an
output named prerelease=true/false; keep the existing uses of
steps.is-prerelease.outputs.prerelease in the GitHub release flag and in the
Create Sentry release environment. Ensure the new step id is exactly
is-prerelease so steps.is-prerelease.outputs.prerelease resolves correctly.

🧹 Nitpick comments (1)

.github/workflows/publish.yml (1)

40-47: Remove unreachable step.

This step is unreachable because the job-level if condition (lines 31-34) already excludes commits containing [skip ci]. If that condition is false, the entire job is skipped before any steps run.

Proposed fix

-      - name: Cancel if [skip ci]
-        if: contains(github.event.head_commit.message, '[skip ci]')
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        # From https://stackoverflow.com/a/75809743
-        run: |
-          gh run cancel ${{ github.run_id }}
-          gh run watch ${{ github.run_id }}
-
       - name: Checkout ${{ github.ref_name }}

[storybook-bot]

Failed to publish canary version of this pull request, triggered by @valentinpalkovic. See the failed workflow run at: https://github.com/storybookjs/storybook/actions/runs/22056610769

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In @.github/workflows/publish.yml:
- Around line 100-116: The workflow step "Create GitHub Release" is passing
IS_PRERELEASE: false and then placing $IS_PRERELEASE as a positional argument to
gh release create, which causes "false" to be interpreted as a file to upload;
remove the IS_PRERELEASE environment variable and delete the $IS_PRERELEASE
positional argument from the gh release create run block (do not pass "false" or
any unused env var; if you need prerelease behavior later use the --prerelease
flag explicitly).

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

gh release create positional arguments files GitHub CLI documentation

💡 Result:

gh release create accepts asset files as positional arguments after the tag:

• Syntax: gh release create [<tag>] [<filename>... | <pattern>...] [1]
• Meaning: anything after <tag> is treated as a list of files (assets) to upload, and you can also pass glob patterns (expanded by your shell), e.g. ./dist/*.tgz [1].
• Optional tag: if you omit <tag>, gh can run interactively, but you can still provide a tag explicitly: gh release create v1.2.3 ./asset.zip [1].
• Asset label: append #Label to a filename to set the display label, e.g. '/path/to/asset.zip#My display label' [1].
• Example from GitHub Docs: gh release create v1.0.0 ./*amd64* (uploads matching files as assets) [2].

Sources: GitHub CLI manual for gh release create [1], GitHub Docs example usage [2].

---

🌐 Web query:

GitHub CLI gh release create --prerelease flag syntax

💡 Result:

For gh release create, --prerelease is a boolean flag (no value needed):

gh release create <tag> --prerelease
# or
gh release create <tag> -p

Example:

gh release create v1.2.0-rc.1 --prerelease --title "v1.2.0 RC1" --notes "Release candidate"

Source: GitHub CLI manual for gh release create (shows -p, --prerelease Mark the release as a prerelease). [1]

---

🏁 Script executed:

# Check the workflow file to understand the context and see if there are any conditional statements or prerelease logic elsewhere
cd .github/workflows && cat -n publish.yml | head -150

Repository: storybookjs/storybook

Length of output: 6954

---

Remove the literal false positional argument passed to gh release create.

The IS_PRERELEASE: false environment variable expands to the string "false", which is treated as a filename/asset by gh release create (positional arguments after the tag are file paths to upload). This will cause the release step to fail. Since this job creates stable releases, simply omit the argument entirely.

Fix

-          IS_PRERELEASE: false
         run: |
           gh release create \
           "v$CURRENT_VERSION" \
             --repo "$REPOSITORY" \
             --target "$REF_NAME" \
             --title "v$CURRENT_VERSION" \
-            --notes "$CHANGELOG" \
-            $IS_PRERELEASE
+            --notes "$CHANGELOG"

🤖 Prompt for AI Agents

In @.github/workflows/publish.yml around lines 100 - 116, The workflow step
"Create GitHub Release" is passing IS_PRERELEASE: false and then placing
$IS_PRERELEASE as a positional argument to gh release create, which causes
"false" to be interpreted as a file to upload; remove the IS_PRERELEASE
environment variable and delete the $IS_PRERELEASE positional argument from the
gh release create run block (do not pass "false" or any unused env var; if you
need prerelease behavior later use the --prerelease flag explicitly).

[storybook-bot]

Failed to publish canary version of this pull request, triggered by @valentinpalkovic. See the failed workflow run at: https://github.com/storybookjs/storybook/actions/runs/22056816886

[storybook-bot]

Failed to publish canary version of this pull request, triggered by @valentinpalkovic. See the failed workflow run at: https://github.com/storybookjs/storybook/actions/runs/22056816886

[storybook-bot]

Failed to publish canary version of this pull request, triggered by @valentinpalkovic. See the failed workflow run at: https://github.com/storybookjs/storybook/actions/runs/22057276525

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In @.github/workflows/publish.yml:
- Around line 52-55: The workflow step "Setup Node.js and Install Dependencies"
uses an invalid local action path that includes the filename; change the uses
value from "./.github/actions/setup-node-and-install/action.yml" to point to the
action directory only (e.g., "./.github/actions/setup-node-and-install") so
GitHub Actions will discover action.yml automatically and the workflow will run
correctly.
- Around line 89-91: The Publish step (name: "Publish" running yarn
release:publish --tag v7 --verbose) should explicitly set the
YARN_NPM_AUTH_TOKEN environment variable; add env: YARN_NPM_AUTH_TOKEN: ${{
secrets.NPM_TOKEN }} to that job step so the publish command uses the explicit
NPM token (matching the canary-release-pr workflow pattern) instead of relying
solely on the environment: Release secret injection.

🧹 Nitpick comments (1)

.github/workflows/publish.yml (1)

140-143: Clarify: head_commit check is ineffective for workflow_dispatch.

The condition contains(github.event.head_commit.message, '[skip ci]') checks the commit message, but for workflow_dispatch events, github.event.head_commit is null. This means the [skip ci] check never applies to canary releases. If this is intentional (canary releases should never be skipped), consider removing the redundant check or adding a comment explaining the behavior.

Option: Remove redundant check for clarity

     if: |
       github.repository_owner == 'storybookjs' &&
-      github.event_name == 'workflow_dispatch' &&
-      contains(github.event.head_commit.message, '[skip ci]') != true
+      github.event_name == 'workflow_dispatch'

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

GitHub Actions uses directive local composite action syntax path

💡 Result:

To call a local (same-repo) composite action from a workflow, uses: must point to the directory that contains the action metadata file (action.yml / action.yaml), using a relative path (typically from the repo root after actions/checkout). Example: uses: ./.github/actions/hello-world-composite-action. [1]

steps:
  - uses: actions/checkout@v5
  - uses: ./.github/actions/my-composite-action   # folder containing action.yml

Key points:

• uses: for a local action is ./<path-to-folder>, not a YAML file path. [1]
• The folder you reference must contain action.yml/action.yaml (or a Dockerfile for Docker actions). [1]

Caveat (important if you’re inside a composite action calling another local action):

• Relative local uses: ./... paths are resolved relative to the workflow workspace (the checked-out repo in the job), not relative to the composite action’s own directory—so if your composite action repo is checked out into a subfolder, you may need to include that prefix (and you can’t easily compute it in uses:). This behavior is a known pain point/limitation discussed by the runner team/community. [2]

Sources: [1] GitHub Docs – creating/using a composite action locally, including uses: ./.github/actions/... syntax. [2] actions/runner issue discussing local action path resolution behavior.

---

🏁 Script executed:

# Check if the action directory exists and what files it contains
find .github/actions/setup-node-and-install -type f 2>/dev/null | head -20

Repository: storybookjs/storybook

Length of output: 115

---

🏁 Script executed:

# Also check the workflow file to understand the full context
cat -n .github/workflows/publish.yml | head -60

Repository: storybookjs/storybook

Length of output: 2674

---

Remove /action.yml suffix from local action path.

The uses directive for local composite actions must reference only the directory. GitHub Actions automatically discovers action.yml or action.yaml in the specified directory. The current syntax with the filename is invalid and will cause the workflow to fail.

Proposed fix

       - name: Setup Node.js and Install Dependencies
-        uses: ./.github/actions/setup-node-and-install/action.yml
+        uses: ./.github/actions/setup-node-and-install
         with:
           install-code-deps: true

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- name: Setup Node.js and Install Dependencies
	uses: ./.github/actions/setup-node-and-install/action.yml
	with:
	node-version-file: '.nvmrc'
	- name: Cache dependencies
	uses: actions/cache@v3
	with:
	path: |
	~/.yarn/berry/cache
	key: yarn-v1-${{ hashFiles('scripts/yarn.lock') }}-${{ hashFiles('code/yarn.lock') }}
	restore-keys: |
	yarn-v1-${{ hashFiles('scripts/yarn.lock') }}-${{ hashFiles('code/yarn.lock') }}
	yarn-v1-${{ hashFiles('scripts/yarn.lock') }}
	yarn-v1
	- name: Install script dependencies
	run: |
	yarn install
	- name: Cancel all release preparation runs
	env:
	GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	run: yarn release:cancel-preparation-runs
	install-code-deps: true
	- name: Setup Node.js and Install Dependencies
	uses: ./.github/actions/setup-node-and-install
	with:
	install-code-deps: true

🤖 Prompt for AI Agents

In @.github/workflows/publish.yml around lines 52 - 55, The workflow step "Setup
Node.js and Install Dependencies" uses an invalid local action path that
includes the filename; change the uses value from
"./.github/actions/setup-node-and-install/action.yml" to point to the action
directory only (e.g., "./.github/actions/setup-node-and-install") so GitHub
Actions will discover action.yml automatically and the workflow will run
correctly.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if npm auth is configured in the composite action or .npmrc files
echo "=== Checking composite action for npm auth ==="
cat .github/actions/setup-node-and-install/action.yml 2>/dev/null || echo "File not found"

echo -e "\n=== Checking .npmrc files ==="
fd -H '.npmrc' -x cat {}

echo -e "\n=== Checking for NPM_TOKEN usage in workflows ==="
rg -n 'NPM_TOKEN|YARN_NPM_AUTH_TOKEN' .github/workflows/

echo -e "\n=== Checking publish.yml for environment configuration ==="
cat .github/workflows/publish.yml | head -100

Repository: storybookjs/storybook

Length of output: 4099

---

🏁 Script executed:

#!/bin/bash
echo "=== Searching for setup-node-and-install action ==="
fd 'setup-node-and-install' .github/

echo -e "\n=== Listing .github/actions directory ==="
ls -la .github/actions/ 2>/dev/null || echo "No actions directory found"

echo -e "\n=== Full listing of .github directory ==="
find .github/ -type f -name "*.yml" -o -name "*.yaml" | head -20

echo -e "\n=== Checking the full publish job definition for Release environment ==="
rg -A 150 "jobs:" .github/workflows/publish.yml | head -200

Repository: storybookjs/storybook

Length of output: 7377

---

🏁 Script executed:

#!/bin/bash
echo "=== Contents of setup-node-and-install/action.yml ==="
cat .github/actions/setup-node-and-install/action.yml

echo -e "\n=== All files in setup-node-and-install ==="
ls -la .github/actions/setup-node-and-install/

echo -e "\n=== Searching for how npm auth is configured in release scripts ==="
fd 'release' scripts/ | grep -E '\.(js|ts|sh)$'

echo -e "\n=== Checking if .npmrc is created dynamically ==="
rg '\.npmrc|NPM_TOKEN|YARN_NPM_AUTH_TOKEN' scripts/ -t js -t ts

Repository: storybookjs/storybook

Length of output: 632

---

🏁 Script executed:

#!/bin/bash
echo "=== Using hexdump to check for special characters ==="
hexdump -C .github/actions/setup-node-and-install/ | head -20

echo -e "\n=== Using find to locate the file ==="
find .github/actions/setup-node-and-install/ -type f

echo -e "\n=== Try reading with head ==="
head -50 .github/actions/setup-node-and-install/*

echo -e "\n=== Check release publish script ==="
cat scripts/release/publish.ts 2>/dev/null || find scripts -name "*publish*" -type f

echo -e "\n=== Check if npm registry is configured anywhere ==="
rg 'registry|npm_token|npmAuthToken' scripts/ -i

Repository: storybookjs/storybook

Length of output: 11967

---

Add explicit npm authentication token to the publish step for consistency.

The publish step lacks an explicit YARN_NPM_AUTH_TOKEN environment variable, unlike the canary-release-pr workflow which explicitly sets YARN_NPM_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}. While the job uses environment: Release to provide environment secrets, relying on implicit environment configuration is less maintainable. Add the token explicitly to match the canary release pattern:

      - name: Publish
        if: steps.publish-needed.outputs.published == 'false'
        env:
          YARN_NPM_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: yarn release:publish --tag v7 --verbose

🤖 Prompt for AI Agents

In @.github/workflows/publish.yml around lines 89 - 91, The Publish step (name:
"Publish" running yarn release:publish --tag v7 --verbose) should explicitly set
the YARN_NPM_AUTH_TOKEN environment variable; add env: YARN_NPM_AUTH_TOKEN: ${{
secrets.NPM_TOKEN }} to that job step so the publish command uses the explicit
NPM token (matching the canary-release-pr workflow pattern) instead of relying
solely on the environment: Release secret injection.

[storybook-bot]

Failed to publish canary version of this pull request, triggered by @valentinpalkovic. See the failed workflow run at: https://github.com/storybookjs/storybook/actions/runs/22057474856

[storybook-bot]

Failed to publish canary version of this pull request, triggered by @valentinpalkovic. See the failed workflow run at: https://github.com/storybookjs/storybook/actions/runs/22058148576

[storybook-bot]

Failed to publish canary version of this pull request, triggered by @yannbf. See the failed workflow run at: https://github.com/storybookjs/storybook/actions/runs/22092082296