A single GitHub Actions workflow that publishes both flowise-embed and flowise-embed-react to npm with matching version numbers.
workflow_dispatch (bump, tag, optional: custom_version / recovery_version)
|
v
dry-run job (no approval needed):
validate inputs → build both packages → npm publish --dry-run → show package contents + version in summary
|
v
reviewer approves (npm-publish environment gate)
|
v
publish job:
flowise-embed: set version → install → build → npm publish --tag <tag> → create version bump PR
|
v
poll npm registry until new version is available
|
v
flowise-embed-react: update dep + version → yarn upgrade → install → verify lock file → build → npm publish --tag <tag> → restore dep tag to latest → create version bump PR
- Go to Actions > "Publish flowise-embed + flowise-embed-react" > Run workflow
- Set
bump:patch— 3.1.3 → 3.1.4minor— 3.1.3 → 3.2.0major— 3.1.3 → 4.0.0prerelease— 3.1.3 → 3.1.4-dev.0custom— set any exact version in thecustom_versionfield
- Set
tag:latest(default) — allnpm install flowise-embedusers get this versiondev— onlynpm install flowise-embed@devusers get this version
- Leave
recovery_versionempty - Review the dry-run job summary — check the resolved version, package contents, and dry-run publish output
- Approve the publish job via the
npm-publishenvironment gate - Both packages publish to npm and version bump PRs are created in both repos
Or via CLI:
gh workflow run publish.yml -f bump=patch -f tag=latest
gh workflow run publish.yml -f bump=prerelease -f tag=dev
gh workflow run publish.yml -f bump=custom -f custom_version=3.2.0 -f tag=latestIf flowise-embed published successfully but flowise-embed-react failed:
- Go to Actions > "Publish flowise-embed + flowise-embed-react" > Run workflow
- Leave
bumpat default (it won't be used) - Set
recovery_versionto the version already published, e.g.3.1.4 - Review dry-run and approve the publish job
- All
flowise-embedsteps are skipped — onlyflowise-embed-reactis built, published, and gets a version bump PR
Use bump: prerelease with tag: dev to publish dev versions:
| Current version | After prerelease bump |
|---|---|
3.1.3 |
3.1.4-dev.0 |
3.1.4-dev.0 |
3.1.4-dev.1 |
3.1.4-dev.1 |
3.1.4-dev.2 |
Promote to stable with bump: patch (or minor/major) and tag: latest.
After the publish job completes, confirm both packages are on npm with matching versions:
# Check specific version exists
npm view flowise-embed@<version> version
npm view flowise-embed-react@<version> version
# Check dist-tag points to the right version
npm view flowise-embed@latest version
npm view flowise-embed-react@dev version
# Check the version bump PRs were created
gh pr list --search "chore: bump flowise-embed"
gh pr list --repo FlowiseAI/FlowiseEmbedReact --search "chore: bump flowise-embed-react"The workflow reads the current version from package.json on main. Since version bumps are delivered via PR (not direct push), you must merge the version bump PRs before running the workflow again — otherwise it will resolve to the same version and fail because it already exists on npm.
Add to FlowiseChatEmbed repo settings (repository-level, not environment-level):
| Secret | Description |
|---|---|
NPM_TOKEN |
npm Automation token with publish access to both flowise-embed and flowise-embed-react. Use the "Automation" type so it bypasses 2FA in CI. |
PAT_GITHUB |
GitHub Personal Access Token with write access to both FlowiseChatEmbed and FlowiseEmbedReact repos. |
Important: Secrets must be repository-level (not environment-level) so the dry-run job can access them.
- Classic PAT:
reposcope - Fine-grained PAT (recommended): Scope to the FlowiseAI org, select both repos, grant
Contents: Read and writeandPull requests: Read and write
Every publish goes through two jobs:
- dry-run — builds both packages, runs
npm pack --dry-runandnpm publish --dry-run, displays the resolved version and package contents in the job summary. No approval needed — runs immediately. - publish — gated behind the
npm-publishenvironment. Only runs after a reviewer approves. Publishes to npm and creates version bump PRs.
npx semver computes the new version from the current package.json version and the bump type. For custom, the input is validated as valid semver. For prerelease, versions use the dev pre-id (e.g. 3.1.4-dev.0).
Both packages are published with the same dist-tag. Use latest for stable releases and dev for pre-releases. The workflow warns (but doesn't block) if a prerelease version is published with latest or a stable version with dev.
The workflow pins devDependencies.flowise-embed to the exact new version using npm pkg set, then runs yarn upgrade flowise-embed@<version> to explicitly force yarn to resolve and lock that version — this is more reliable than relying on yarn install alone to detect the package.json change. A verification step then greps yarn.lock to confirm the correct version was resolved, failing the build if not.
After publishing, the workflow restores the dependency specifier back to "latest" before creating the version bump PR. This means the PR commits package.json with "flowise-embed": "latest" and yarn.lock with the resolved version pinned.
After publishing flowise-embed, there's a short delay before the version is available on the registry. The workflow polls npm view every 10 seconds for up to 2 minutes before proceeding to the flowise-embed-react steps.
After publishing, the workflow creates version bump PRs in both repos instead of pushing directly to main:
| Repo | PR branch | Files changed |
|---|---|---|
| FlowiseChatEmbed | chore/bump-flowise-embed-<version> |
package.json |
| FlowiseEmbedReact | chore/bump-flowise-embed-react-<version> |
package.json, yarn.lock |
HUSKY=0 is set during yarn install to prevent the prepare script (husky install) from failing in CI.
If npm publish succeeds but PR creation fails (e.g. permissions issue, branch already exists), the packages are already on npm — no rollback needed. You can manually create the version bump PR or push the version change directly. The PR step failing does not affect the published packages.