chore(deploy): migrating to multi-branch CI/CD release flow#9533

Merged
mmaietta merged 7 commits into electron-userland:master from mmaietta:tmp-save
Jan 26, 2026

Conversation


@mmaietta mmaietta commented Jan 24, 2026

🎯 Overview

This adds support for automated releases with a multi-branch/multi-dist-tag setup in the monorepo while still leveraging changesets/CLI and changesets/action GH app.

TLDR;

  • next tag will always be "bleeding edge" - latest fixes, latest features
  • latest will always refer to stable - tends to track downloads % on https://www.npmjs.com/package/electron-builder?activeTab=versions
  • v26 will become legacy/CommonJS release
  • (Before any major semver bump, a release branch needs to be cut for the previous version as LTS)

| Branch Pattern | Dist-Tag | Config File | Purpose |
|---|---|---|---|
| master | next | config.json | Pre-release/canary builds |
| release/v1.x | v1 | config.release-v1.json | LTS version 1.x |
| release/v2.x | v2 | config.release-v2.json | LTS version 2.x |
| release/vN.x | vN | config.release-vN.json | LTS version N.x |

Branch Naming Convention: Release branches MUST follow the pattern release/v{major}.x (e.g., release/v1.x, release/v2.x)

The changesets/action GitHub Action automatically:

  1. ✅ Detects when changesets exist
  2. ✅ Creates a "Version Packages" PR
  3. ✅ Bumps versions when PR is merged
  4. ✅ Publishes to npm with the correct dist-tag
  5. ✅ Creates git tags

The only customization needed is:

  • Different baseBranch in changeset configs per branch
  • Different --tag argument when publishing

📝 Configuration Details

Master Branch Config (.changeset/config.json)

```json
{
  "baseBranch": "master",
  ....
}
```

Release/v26 Branch Config (.changeset/config.release-v26.json)

```json
{
  "baseBranch": "release/v26.x",
  ....
}
```

As an overview...when Changesets Exist

Push to master OR release/v26 or other release/ scoped-branch
         ↓
Workflow detects .changeset/*.md files
         ↓
Creates "Version Packages" PR
         ↓
[Eng reviews and merge]
         ↓
Workflow detects PR merge
         ↓
Publishes with correct --tag
         ↓
Creates git tags
         ↓
Done! ✅

🔧 Adding a new Release Branch is SIMPLE

To support a new branch (e.g., release/v27.x):

1. Add new release branch config

Create .changeset/config.release-v27.json:

```json
{
  "baseBranch": "release/v27.x",
  ....
}
```

2. That's it
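The branch-to-dist-tag and branch-to-config mapping described above, as an added shell example that is not part of this PR or of the electron-builder repo. The function names, the digits-only check on the major version, and the refusal to publish from any other branch are assumptions of the example:

```shell
# Added example, not code from the electron-builder PR: map the CI branch to the
# npm dist-tag and the changesets config file described in the PR
# (master -> next / config.json, release/vN.x -> vN / config.release-vN.json).
# Function names and the refusal of every other branch are assumptions.

dist_tag_for_branch() {
  branch=$1
  case "$branch" in
    master)
      echo next
      ;;
    release/v[0-9]*.x)
      # Strip the release/v prefix and the .x suffix, then require digits only,
      # so release/v26-rc.x or release/v26.x.x never produces a malformed tag.
      major=${branch#release/v}
      major=${major%.x}
      case "$major" in
        ''|*[!0-9]*) echo "malformed release branch: $branch" >&2; return 1 ;;
      esac
      echo "v$major"
      ;;
    *)
      # Feature branches and forks must never reach `changeset publish`.
      echo "refusing to publish from branch: $branch" >&2
      return 1
      ;;
  esac
}

changeset_config_for_branch() {
  case "$1" in
    master) echo .changeset/config.json ;;
    *)
      tag=$(dist_tag_for_branch "$1") || return 1
      echo ".changeset/config.release-$tag.json"
      ;;
  esac
}

# Builds the publish command ci:publish would run; printed, not executed, so the
# example is safe to try locally. NPM_DIST_TAG is the variable named in the PR.
publish_command_for_branch() {
  tag=$(dist_tag_for_branch "$1") || return 1
  echo "NPM_DIST_TAG=$tag changeset publish --tag $tag"
}

# In a workflow run, pass GitHub's branch variable:
#   publish_command_for_branch "$GITHUB_REF_NAME"
```

A non-zero return from any of these functions is the signal a workflow step should fail on, which keeps a mistyped branch name from publishing under a wrong or empty dist-tag.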


changeset-bot bot commented Jan 24, 2026

⚠️ No Changeset found

Latest commit: badac00

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@mmaietta mmaietta marked this pull request as ready for review January 24, 2026 16:59
@mmaietta mmaietta requested a review from Copilot January 24, 2026 17:03

Copilot AI left a comment


Pull request overview

Updates the repo’s release automation to support publishing from multiple branches with branch-based npm dist-tags, while also reorganizing TypeScript build configuration for scripts.

Changes:

  • Extend the release GitHub Action to run on master and release/**, and determine the npm dist-tag from the branch name.
  • Switch CI publishing to changeset publish with a configurable dist-tag via NPM_DIST_TAG.
  • Consolidate scripts TypeScript configuration under scripts/tsconfig.json and adjust schema generation TS compiler options.

Reviewed changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated 3 comments.

| File | Description |
|---|---|
| tsconfig.json | Points the solution build at ./scripts instead of ./scripts/renderer. |
| scripts/tsconfig.json | New TS project config for compiling scripts/** TypeScript. |
| scripts/renderer/tsconfig.json | Removes the per-subfolder TS project config in favor of the new scripts config. |
| scripts/generate-schema.ts | Adjusts TS compiler option typing for schema generation. |
| package.json | Updates ci:publish to use changeset publish and a branch-provided dist-tag. |
| .github/workflows/pr-release.yml | Adds release-branch triggers, dist-tag derivation, and publish summary output. |
| .changeset/config.release-v26.json | Adds a changesets config intended for release/v26.x. |
| .changeset/config.json | Updates schema reference and modifies changesets config fields. |



socket-security bot commented Jan 24, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action / Severity / Alert
Warn High
High CVE: Race Condition in node-npm tar Path Reservations via Unicode Ligature Collisions on macOS APFS

CVE: GHSA-r6q2-hw4h-h46w Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS (HIGH)

Affected versions: < 7.5.4

Patched version: 7.5.4

From: pnpm-lock.yaml → npm/@electron/rebuild@4.0.1 → npm/tar@6.2.1


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/tar@6.2.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
High CVE: node-npm tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization

CVE: GHSA-8qq5-rm4j-mr97 node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization (HIGH)

Affected versions: < 7.5.3

Patched version: 7.5.3

From: pnpm-lock.yaml → npm/@electron/rebuild@4.0.1 → npm/tar@6.2.1


Warn High
High CVE: Race Condition in node-npm tar Path Reservations via Unicode Ligature Collisions on macOS APFS

CVE: GHSA-r6q2-hw4h-h46w Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS (HIGH)

Affected versions: < 7.5.4

Patched version: 7.5.4

From: packages/app-builder-lib/package.json → npm/tar@7.5.3


Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/tar@7.5.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Deprecated by its maintainer: npm tar

Reason: Old versions of tar are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exhorbitant rates) by contacting i@izs.me

From: pnpm-lock.yaml → npm/@electron/rebuild@4.0.1 → npm/tar@6.2.1


Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.



Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Added | temp-file@3.4.0 | 100 | 100 | 72 | 80 | 100 |
| Added | tar@7.5.3 | 97 | 85 | 100 | 89 | 100 |


@mmaietta mmaietta merged commit 2760327 into electron-userland:master Jan 26, 2026
80 of 82 checks passed
@mmaietta mmaietta deleted the tmp-save branch January 26, 2026 04:50