fix(ci): use temporary version in verify.js to avoid publish collision [EXT-7068] #2422

Merged
Jared Jolton (jjolton-contentful) merged 2 commits into main from fix/use-temp-version-in-verify-step
Jan 5, 2026

@jjolton-contentful Jared Jolton (jjolton-contentful) commented Jan 5, 2026

Purpose of PR

The release pipeline is failing due to an order-of-operations issue - verify.js is running before @semantic-release/npm bumps to the calculated new version. To fix this issue, this changeset ensures:

  1. verify.js uses a fake version, then restorePackageJson() restores the original
  2. semantic-release's @semantic-release/npm bumps to the calculated new version
  3. publish.js runs with the new version

PR Checklist

  • Tests are added/updated/not required
  • Tests are passing
  • Typescript typings are added/updated/not required

Summary by CodeRabbit

  • Chores
    • Improved verification flow to set a temporary "dry-run" package version during publish checks, preventing conflicts with existing versions.
  • Bug Fixes
    • Fixed dry-run publish failures by ensuring the transient version is written and logged so verification completes reliably.


coderabbitai Bot commented Jan 5, 2026

Walkthrough

Modified scripts/verify.js to add a transient dry-run version. The script now records the original version for tag derivation, writes a temporary 0.0.0-verify.{timestamp} version to package.json before running npm publish --dry-run, and logs the temporary version.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Dry-run Version Management (scripts/verify.js) | Imported fs and PACKAGE_JSON_PATH; added setDryRunVersion() to read/write package.json with 0.0.0-verify.{timestamp} and return it; preserved originalVersion = getVersion() and derive tag from it; invoked setDryRunVersion() after updating package name and logged the dry-run version. |

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant VerifyScript as Verify Script
    participant FS as FileSystem (`package.json`)
    participant NPM as npm (publish --dry-run)

    Note over VerifyScript: Start verification
    VerifyScript->>FS: read version (getVersion) -> originalVersion
    Note right of VerifyScript: derive tag from originalVersion
    VerifyScript->>FS: setDryRunVersion() -> write 0.0.0-verify.{timestamp}
    FS-->>VerifyScript: confirm written (newVersion)
    VerifyScript->>NPM: npm publish --dry-run (uses newVersion)
    NPM-->>VerifyScript: dry-run result
    Note over VerifyScript,FS: log temporary dry-run version

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

released

Suggested reviewers

  • tylerwashington888
  • BobHemphill76

Poem

🐰 A tiny tweak, a timestamped song,

0.0.0-verify hops along.
The original waits, the dry-run takes stage,
No version collisions, just calm on the page.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The pull request title directly and clearly describes the main change: introducing a temporary version in verify.js to prevent npm publish conflicts during CI. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |

📜 Recent review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 9c26d69 and 1bbd198.

📒 Files selected for processing (1)
  • scripts/verify.js
🧰 Additional context used
🪛 Biome (2.1.2)
scripts/verify.js

[error] 42-42: Illegal use of reserved keyword package as an identifier in strict mode

(parse)


[error] 44-44: Illegal use of reserved keyword package as an identifier in strict mode

(parse)


[error] 50-52: Illegal use of reserved keyword package as an identifier in strict mode

(parse)

🔇 Additional comments (4)
scripts/verify.js (4)

2-2: LGTM! Necessary imports added.

The fs and PACKAGE_JSON_PATH imports are required for the new setDryRunVersion() function to read and write the package.json file.

Also applies to: 10-10


14-39: Excellent implementation! Past review feedback fully addressed.

The setDryRunVersion() function is well-implemented with:

  • Comprehensive JSDoc explaining the timing issue with semantic-release
  • Proper error handling around file I/O operations
  • Trailing newline to match file formatting conventions
  • Clear error messages for debugging
  • Correct preservation of the package name set by setPackageName()

The past review suggestions regarding error handling and trailing newline have been successfully incorporated.


46-47: LGTM! Correct sequencing of version capture.

Capturing the original version before modifications and using it to determine the tag is the correct approach. The tag should be based on the actual release version, not the temporary dry-run version.


52-54: LGTM! Proper integration of temporary version.

The placement is correct:

  1. setPackageName() modifies the package name first (line 50)
  2. setDryRunVersion() then reads the modified package.json and sets the temporary version (line 53)
  3. The log message provides good visibility for debugging (line 54)

This ensures npm publish --dry-run uses the temporary version while preserving the correct package name, and restorePackageJson() in the finally block (line 76) guarantees cleanup.

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)
  • EXT-7068: Request failed with status code 404

wiz-inc-38d59fb8d7 Bot commented Jan 5, 2026

Wiz Scan Summary

| Scanner | Findings |
|---|---|
| Vulnerabilities | - |
| Sensitive Data | - |
| Secrets | - |
| IaC Misconfigurations | - |
| SAST Findings | 1 Medium 2 Low |
| Software Supply Chain Findings | - |
| Total | 1 Medium 2 Low |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

Fix all issues with AI Agents 🤖
In @scripts/verify.js:
- Around line 14-29: The setDryRunVersion() function performs synchronous fs
reads/writes without local error handling; wrap the readFileSync and
writeFileSync calls in a try-catch inside setDryRunVersion(), log a clear
contextual error (including the caught error) and rethrow to preserve existing
outer handling, ensure you still preserve the package name set by
setPackageName() (which uses ORIGINAL_PACKAGE_JSON) and when writing
PACKAGE_JSON_PATH include a trailing newline at the end of the JSON string to
match file formatting conventions.
📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 46520d1 and 9c26d69.

📒 Files selected for processing (1)
  • scripts/verify.js
🧰 Additional context used
🧬 Code graph analysis (1)
scripts/verify.js (2)
scripts/shared.js (4)
  • fs (3-3)
  • packageJson (30-30)
  • PACKAGE_JSON_PATH (7-7)
  • PACKAGES (5-5)
scripts/publish.js (1)
  • require (2-10)
🪛 Biome (2.1.2)
scripts/verify.js

[error] 32-32: Illegal use of reserved keyword package as an identifier in strict mode

(parse)


[error] 34-34: Illegal use of reserved keyword package as an identifier in strict mode

(parse)


[error] 40-42: Illegal use of reserved keyword package as an identifier in strict mode

(parse)

🔇 Additional comments (3)
scripts/verify.js (3)

2-2: LGTM! Necessary imports for the new functionality.

The fs module and PACKAGE_JSON_PATH imports are required for the new setDryRunVersion() function to read and modify package.json.

Also applies to: 10-10


36-37: Correct approach: tag should be based on the original version.

The change to preserve originalVersion and derive the tag from it (rather than from the temporary version) is the right approach. The npm tag should reflect the actual release version, not the temporary 0.0.0-verify.* version.


42-44: Good addition: temporary version prevents publish collision.

This change addresses the core issue described in the PR objectives. By setting a unique temporary version before npm publish --dry-run, the script avoids the "version already exists" error that occurs because verify.js runs before semantic-release calculates the new version. The logging is also helpful for CI debugging.
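
The ordering this review describes (capture the original version, write a temporary 0.0.0-verify.{timestamp} version, run the check, restore in a finally block), as an added example that is not part of the PR or the repository's scripts/verify.js. The helper signatures, the callback standing in for npm publish --dry-run, and the demo-pkg / 4.49.0 sample package.json are assumptions constructed for illustration.

```javascript
// Added illustration; helper names and sample values are constructed, not the repository's code.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Write a unique prerelease version so a dry-run publish cannot hit an existing version.
function setDryRunVersion(pkgPath, now = Date.now()) {
  try {
    const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
    pkg.version = `0.0.0-verify.${now}`;
    // Trailing newline keeps the file in its usual on-disk format.
    fs.writeFileSync(pkgPath, JSON.stringify(pkg, null, 2) + '\n');
    return pkg.version;
  } catch (err) {
    console.error(`Failed to set dry-run version in ${pkgPath}:`, err.message);
    throw err; // rethrow so the caller's handling and cleanup still run
  }
}

// Capture the original first, run the check, and restore the exact bytes even on failure.
function withDryRunVersion(pkgPath, check) {
  const originalBytes = fs.readFileSync(pkgPath);
  const originalVersion = JSON.parse(originalBytes.toString('utf8')).version;
  try {
    const dryRunVersion = setDryRunVersion(pkgPath);
    return { originalVersion, dryRunVersion, seenByCheck: check() };
  } finally {
    fs.writeFileSync(pkgPath, originalBytes);
  }
}

// Constructed demo on a throwaway package.json; the callback stands in for `npm publish --dry-run`.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'verify-demo-'));
  const pkgPath = path.join(dir, 'package.json');
  const original = JSON.stringify({ name: 'demo-pkg', version: '4.49.0' }, null, 2) + '\n';
  fs.writeFileSync(pkgPath, original);
  const readVersion = () => JSON.parse(fs.readFileSync(pkgPath, 'utf8')).version;
  const ok = withDryRunVersion(pkgPath, readVersion);
  let restoredAfterFailure = false;
  try {
    withDryRunVersion(pkgPath, () => { throw new Error('simulated dry-run failure'); });
  } catch {
    restoredAfterFailure = fs.readFileSync(pkgPath, 'utf8') === original;
  }
  const restored = fs.readFileSync(pkgPath, 'utf8') === original && readVersion() === '4.49.0';
  fs.rmSync(dir, { recursive: true, force: true });
  return { ...ok, restored, restoredAfterFailure };
}
```

Restoring the captured bytes rather than re-serializing the parsed object leaves package.json byte-identical for the later release step that bumps the version.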

@jjolton-contentful Jared Jolton (jjolton-contentful) merged commit 122de86 into main Jan 5, 2026
13 checks passed
@jjolton-contentful Jared Jolton (jjolton-contentful) deleted the fix/use-temp-version-in-verify-step branch January 5, 2026 16:49
contentful-automation Bot added a commit that referenced this pull request Jan 5, 2026
## [4.49.1](v4.49.0...v4.49.1) (2026-01-05)

### Bug Fixes

* **ci:** use temporary version in verify.js to avoid publish collision [EXT-7068] ([#2422](#2422)) ([122de86](122de86))
* update contentful-management dependency to version 11.67.0 [PIC-828] ([#2421](#2421)) ([46520d1](46520d1))
@contentful-automation
🎉 This PR is included in version 4.49.1 🎉

The release is available on:

Your semantic-release bot 📦🚀
