feat: add github registry support#409
Conversation
📝 WalkthroughWalkthroughThe PR adds Shadcn registry configuration and validation, updates React registry generation and entries for core version 3.0.0, adds a unified release tag, and includes deprecation metadata in JSON API responses. ChangesShadcn React registry
API deprecation metadata
Estimated code review effort: 4 (Complex) | ~60 minutes Sequence Diagram(s)sequenceDiagram
participant Generator as generate-registry.mjs
participant Registry as packages/react/registry.json
participant CI as ci-cd.yml
participant Release as publish-public-npm.yml
Generator->>Registry: generate React registry entries
CI->>Registry: validate Shadcn registry
Release->>Release: create and push v${VERSION} tag
Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
⚔️ Resolve merge conflicts
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
🚀 Preview deploymentBranch: 📝 Preview URL: https://auth0-universal-components-np3iwurcb-ui-components-217de888.vercel.app Updated at 2026-07-14T05:30:42.780Z |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #409 +/- ##
========================================
Coverage 88.73% 88.73%
========================================
Files 203 203
Lines 17351 17351
Branches 1816 2293 +477
========================================
Hits 15397 15397
Misses 1954 1954 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
rax7389
left a comment
There was a problem hiding this comment.
Please resolve the conflicts
|
@coderabbitai Review the PR changes |
|
It installs ✅ Action performedReview finished.
|
There was a problem hiding this comment.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/ci-cd.yml:
- Around line 57-58: Update the “Validate shadcn registry” workflow step to
invoke a reviewed, fixed shadcn release instead of the mutable latest tag, and
restrict the job’s token permissions to contents: read. Keep the existing
registry validation command and apply the permission setting at the job scope.
In @.github/workflows/publish-public-npm.yml:
- Around line 311-322: Update the release-tag flow around UNIFIED_TAG to
preserve tag immutability: remove the local and remote deletion logic, check
whether the tag already exists remotely, and fail the workflow before creating
or pushing it. Continue creating and pushing the tag only when it does not
already exist.
In `@docs-site/api/r.ts`:
- Around line 79-80: Update the deprecation headers in the response setup:
change the Deprecation value to an RFC 9745 date format using the applicable
Unix timestamp, and correct the Sunset header’s weekday from Sat to Thu while
preserving its intended date and time.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: 9f142a53-94c4-4095-96b2-6921f7da3464
📒 Files selected for processing (6)
.github/workflows/ci-cd.yml.github/workflows/publish-public-npm.ymldocs-site/api/r.tspackages/react/registry.jsonpackages/react/scripts/generate-registry.mjsregistry.json
| - name: Validate shadcn registry | ||
| run: pnpm dlx shadcn@latest registry validate |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
git ls-files .github/workflows/ci-cd.yml
echo '---'
cat -n .github/workflows/ci-cd.yml | sed -n '1,180p'Repository: auth0/auth0-ui-components
Length of output: 5930
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Inspect workflow for any existing permissions declarations and shadcn usage.
rg -n --no-heading -C 3 'permissions:|shadcn@|registry validate|dlx shadcn' .github/workflows/ci-cd.yml .github/workflowsRepository: auth0/auth0-ui-components
Length of output: 3683
Pin shadcn and restrict the job token
pnpm dlx shadcn@latest runs mutable external code in CI. Pin it to a reviewed release and add permissions: contents: read to this job.
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 10-58: overly broad permissions (excessive-permissions): default permissions used due to no permissions: block
(excessive-permissions)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/ci-cd.yml around lines 57 - 58, Update the “Validate
shadcn registry” workflow step to invoke a reviewed, fixed shadcn release
instead of the mutable latest tag, and restrict the job’s token permissions to
contents: read. Keep the existing registry validation command and apply the
permission setting at the job scope.
Source: Linters/SAST tools
| if git rev-parse "$UNIFIED_TAG" >/dev/null 2>&1; then | ||
| echo "Tag $UNIFIED_TAG exists locally, deleting..." | ||
| git tag -d "$UNIFIED_TAG" | ||
| fi | ||
|
|
||
| if git ls-remote --tags origin | grep -q "refs/tags/$UNIFIED_TAG"; then | ||
| echo "Tag $UNIFIED_TAG exists remotely, deleting..." | ||
| git push origin ":refs/tags/$UNIFIED_TAG" || true | ||
| fi | ||
|
|
||
| git tag -a "$UNIFIED_TAG" -m "Release v${VERSION} — GitHub Registry ref" | ||
| git push origin "$UNIFIED_TAG" |
There was a problem hiding this comment.
🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win
Keep GitHub Registry version tags immutable.
Deleting and recreating v${VERSION} can make the same installation ref resolve to different source. Fail if the release tag already exists instead of moving it.
Proposed fix
- if git rev-parse "$UNIFIED_TAG" >/dev/null 2>&1; then
- echo "Tag $UNIFIED_TAG exists locally, deleting..."
- git tag -d "$UNIFIED_TAG"
- fi
-
- if git ls-remote --tags origin | grep -q "refs/tags/$UNIFIED_TAG"; then
- echo "Tag $UNIFIED_TAG exists remotely, deleting..."
- git push origin ":refs/tags/$UNIFIED_TAG" || true
+ if git rev-parse "$UNIFIED_TAG" >/dev/null 2>&1 ||
+ git ls-remote --exit-code --tags origin "refs/tags/$UNIFIED_TAG" >/dev/null 2>&1; then
+ echo "::error::Release tag $UNIFIED_TAG already exists; refusing to move it."
+ exit 1
fi📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| if git rev-parse "$UNIFIED_TAG" >/dev/null 2>&1; then | |
| echo "Tag $UNIFIED_TAG exists locally, deleting..." | |
| git tag -d "$UNIFIED_TAG" | |
| fi | |
| if git ls-remote --tags origin | grep -q "refs/tags/$UNIFIED_TAG"; then | |
| echo "Tag $UNIFIED_TAG exists remotely, deleting..." | |
| git push origin ":refs/tags/$UNIFIED_TAG" || true | |
| fi | |
| git tag -a "$UNIFIED_TAG" -m "Release v${VERSION} — GitHub Registry ref" | |
| git push origin "$UNIFIED_TAG" | |
| if git rev-parse "$UNIFIED_TAG" >/dev/null 2>&1 || | |
| git ls-remote --exit-code --tags origin "refs/tags/$UNIFIED_TAG" >/dev/null 2>&1; then | |
| echo "::error::Release tag $UNIFIED_TAG already exists; refusing to move it." | |
| exit 1 | |
| fi | |
| git tag -a "$UNIFIED_TAG" -m "Release v${VERSION} — GitHub Registry ref" | |
| git push origin "$UNIFIED_TAG" |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/publish-public-npm.yml around lines 311 - 322, Update the
release-tag flow around UNIFIED_TAG to preserve tag immutability: remove the
local and remote deletion logic, check whether the tag already exists remotely,
and fail the workflow before creating or pushing it. Continue creating and
pushing the tag only when it does not already exist.
| res.setHeader('Deprecation', 'true'); | ||
| res.setHeader('Sunset', 'Sat, 31 Dec 2026 23:59:59 GMT'); |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
sed -n '1,140p' docs-site/api/r.tsRepository: auth0/auth0-ui-components
Length of output: 4806
🏁 Script executed:
python3 - <<'PY'
from datetime import datetime, timezone
dt = datetime(2026,12,31,23,59,59,tzinfo=timezone.utc)
print(dt.strftime("%a, %d %b %Y %H:%M:%S GMT"))
PYRepository: auth0/auth0-ui-components
Length of output: 193
🌐 Web query:
RFC 9745 Deprecation header value boolean date structured field syntax
💡 Result:
RFC 9745 defines the Deprecation HTTP response header field as an Item Structured Header Field [1][2]. According to the official specification, the value of the Deprecation header must be a Date as defined in RFC 9651 (the Structured Field Values for HTTP specification) [2][3]. The standard representation for this Date type in Structured Field syntax is a Unix timestamp integer preceded by an "@" character (e.g., @1688169599) [2][4]. While some industry guidelines or internal documentation may suggest the use of a boolean value (such as?1 for true) [5][6], the formal specification in RFC 9745 strictly defines the value as a Date [2][3]. Use of a boolean or other types does not conform to the syntax requirements established by the RFC [1][2].
Citations:
- 1: https://www.rfc-editor.org/info/rfc9745/
- 2: https://datatracker.ietf.org/doc/rfc9745/
- 3: https://datatracker.ietf.org/doc/html/rfc9745
- 4: https://http.dev/deprecation
- 5: https://github.com/zalando/restful-api-guidelines/blob/main/chapters/deprecation.adoc
- 6: https://github.com/ansible/apme/blob/main/.sdlc/adrs/ADR-060-rest-api-versioning-contract.md
Emit spec-compliant deprecation metadata.
Deprecation must use an RFC 9745 date value (e.g. @<unix-timestamp>), not true, and Sunset should use the correct weekday here (Thu, not Sat).
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@docs-site/api/r.ts` around lines 79 - 80, Update the deprecation headers in
the response setup: change the Deprecation value to an RFC 9745 date format
using the applicable Unix timestamp, and correct the Sunset header’s weekday
from Sat to Thu while preserving its intended date and time.
Summary
Implement shadcn GitHub Registries as the primary distribution path for new consumers (hybrid Option 2 from the RAPID), while keeping the Vercel-hosted registry as a backwards-compatible fallback.
Why
shadcn released GitHub Registries (June 2026) which allows any public repo with a registry.json to be directly installable — no server, no build step, no custom URL configuration. This simplifies consumer DX significantly while letting us maintain backwards compatibility for existing consumers.
What
npx shadcn add auth0/auth0-ui-components/react/my-account/user-mfa-management#v3.0.0Packages
References
Testing
Checklist
Contributing
Summary by CodeRabbit
New Features
Documentation
Chores