Skip to content

feat: add github registry support#409

Open
harishsundar-okta wants to merge 1 commit into
mainfrom
feat/github-registry-hybrid
Open

feat: add github registry support#409
harishsundar-okta wants to merge 1 commit into
mainfrom
feat/github-registry-hybrid

Conversation

@harishsundar-okta

@harishsundar-okta harishsundar-okta commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Summary

Implement shadcn GitHub Registries as the primary distribution path for new consumers (hybrid Option 2 from the RAPID), while keeping the Vercel-hosted registry as a backwards-compatible fallback.

Why

shadcn released GitHub Registries (June 2026) which allows any public repo with a registry.json to be directly installable — no server, no build step, no custom URL configuration. This simplifies consumer DX significantly while letting us maintain backwards compatibility for existing consumers.

What

  • Add root registry.json with include directive pointing to packages/react/registry.json
  • Add HTTP deprecation headers (Deprecation, Sunset, Link) to the Vercel registry API
  • Add unified v{VERSION} git tag creation to the publish workflow for consumer ref pinning
  • Add shadcn registry validate to the CI pipeline
  • Pin all npm dependencies to exact versions (no ^/~ ranges) for deterministic installs
  • Add framework namespace scoping (react/) to registry items for future multi-framework support
  • New consumer install path:
    npx shadcn add auth0/auth0-ui-components/react/my-account/user-mfa-management#v3.0.0

Packages

  • packages/core
  • packages/react

References

Testing

Screenshot 2026-07-14 at 11 18 39 AM

Checklist

  • Breaking change
  • Requires docs update
  • Backward compatible

Contributing

Summary by CodeRabbit

  • New Features

    • Added a Shadcn UI component registry for React components.
    • Updated React registry entries with current versions, shared utilities, telemetry support, pagination, and compatibility helpers.
    • Added a unified version tag for published packages.
  • Documentation

    • Marked the JSON API as deprecated and provided its sunset date and successor link.
  • Chores

    • Added automated validation of the component registry during builds.
    • Improved registry generation with framework metadata and consistent dependency versions.

@coderabbitai

coderabbitai Bot commented Jul 14, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

The PR adds Shadcn registry configuration and validation, updates React registry generation and entries for core version 3.0.0, adds a unified release tag, and includes deprecation metadata in JSON API responses.

Changes

Shadcn React registry

Layer / File(s) Summary
Registry configuration and generation
registry.json, packages/react/scripts/generate-registry.mjs
Adds the root Shadcn registry configuration and emits React-prefixed names, framework metadata, and normalized pinned dependencies.
Core and organization registry entries
packages/react/registry.json
Updates My Account and My Organization blocks to core version 3.0.0 and registers shared telemetry, pagination, constants, service, and compatibility files.
SSO registry entries
packages/react/registry.json
Updates SSO provider blocks to core version 3.0.0 with pinned dependencies and expanded shared file lists.
Registry validation and release tagging
.github/workflows/ci-cd.yml, .github/workflows/publish-public-npm.yml
Adds post-build registry validation and creates the unified v${VERSION} Git tag.

API deprecation metadata

Layer / File(s) Summary
JSON response deprecation headers
docs-site/api/r.ts
Adds Deprecation, Sunset, and successor-version Link headers to JSON responses.

Estimated code review effort: 4 (Complex) | ~60 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Generator as generate-registry.mjs
  participant Registry as packages/react/registry.json
  participant CI as ci-cd.yml
  participant Release as publish-public-npm.yml
  Generator->>Registry: generate React registry entries
  CI->>Registry: validate Shadcn registry
  Release->>Release: create and push v${VERSION} tag
Loading

Suggested reviewers: rax7389

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: adding GitHub registry support.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/github-registry-hybrid
⚔️ Resolve merge conflicts
  • Resolve merge conflict in branch feat/github-registry-hybrid

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@harishsundar-okta harishsundar-okta changed the title feat: add github registry support (hybrid option 2) feat: add github registry support Jul 14, 2026
@harishsundar-okta harishsundar-okta added the enhancement New feature or request label Jul 14, 2026
@github-actions

Copy link
Copy Markdown

🚀 Preview deployment

Branch: refs/pull/409/merge
Commit: e1a1a39

📝 Preview URL: https://auth0-universal-components-np3iwurcb-ui-components-217de888.vercel.app


Updated at 2026-07-14T05:30:42.780Z

@codecov-commenter

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 88.73%. Comparing base (25c419c) to head (4d764c7).

Additional details and impacted files
@@           Coverage Diff            @@
##             main     #409    +/-   ##
========================================
  Coverage   88.73%   88.73%            
========================================
  Files         203      203            
  Lines       17351    17351            
  Branches     1816     2293   +477     
========================================
  Hits        15397    15397            
  Misses       1954     1954            

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@rax7389 rax7389 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please resolve the conflicts

@rax7389

rax7389 commented Jul 18, 2026

Copy link
Copy Markdown
Contributor

@coderabbitai Review the PR changes

@coderabbitai

coderabbitai Bot commented Jul 18, 2026

Copy link
Copy Markdown

@rax7389 The PR description image shows a successful terminal installation via:

npx shadcn add auth0/auth0-ui-components/react/my-account/user-mfa-management#feat/github-registry-hybrid

It installs shadcn@4.13.0, completes registry and dependency checks, confirms overwriting existing button.tsx and utils.ts, and creates 60 files including the MFA-management component tree. I’ll review the PR changes.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci-cd.yml:
- Around line 57-58: Update the “Validate shadcn registry” workflow step to
invoke a reviewed, fixed shadcn release instead of the mutable latest tag, and
restrict the job’s token permissions to contents: read. Keep the existing
registry validation command and apply the permission setting at the job scope.

In @.github/workflows/publish-public-npm.yml:
- Around line 311-322: Update the release-tag flow around UNIFIED_TAG to
preserve tag immutability: remove the local and remote deletion logic, check
whether the tag already exists remotely, and fail the workflow before creating
or pushing it. Continue creating and pushing the tag only when it does not
already exist.

In `@docs-site/api/r.ts`:
- Around line 79-80: Update the deprecation headers in the response setup:
change the Deprecation value to an RFC 9745 date format using the applicable
Unix timestamp, and correct the Sunset header’s weekday from Sat to Thu while
preserving its intended date and time.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 9f142a53-94c4-4095-96b2-6921f7da3464

📥 Commits

Reviewing files that changed from the base of the PR and between 25c419c and 4d764c7.

📒 Files selected for processing (6)
  • .github/workflows/ci-cd.yml
  • .github/workflows/publish-public-npm.yml
  • docs-site/api/r.ts
  • packages/react/registry.json
  • packages/react/scripts/generate-registry.mjs
  • registry.json

Comment on lines +57 to +58
- name: Validate shadcn registry
run: pnpm dlx shadcn@latest registry validate

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

git ls-files .github/workflows/ci-cd.yml
echo '---'
cat -n .github/workflows/ci-cd.yml | sed -n '1,180p'

Repository: auth0/auth0-ui-components

Length of output: 5930


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect workflow for any existing permissions declarations and shadcn usage.
rg -n --no-heading -C 3 'permissions:|shadcn@|registry validate|dlx shadcn' .github/workflows/ci-cd.yml .github/workflows

Repository: auth0/auth0-ui-components

Length of output: 3683


Pin shadcn and restrict the job token
pnpm dlx shadcn@latest runs mutable external code in CI. Pin it to a reviewed release and add permissions: contents: read to this job.

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 10-58: overly broad permissions (excessive-permissions): default permissions used due to no permissions: block

(excessive-permissions)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci-cd.yml around lines 57 - 58, Update the “Validate
shadcn registry” workflow step to invoke a reviewed, fixed shadcn release
instead of the mutable latest tag, and restrict the job’s token permissions to
contents: read. Keep the existing registry validation command and apply the
permission setting at the job scope.

Source: Linters/SAST tools

Comment on lines +311 to +322
if git rev-parse "$UNIFIED_TAG" >/dev/null 2>&1; then
echo "Tag $UNIFIED_TAG exists locally, deleting..."
git tag -d "$UNIFIED_TAG"
fi

if git ls-remote --tags origin | grep -q "refs/tags/$UNIFIED_TAG"; then
echo "Tag $UNIFIED_TAG exists remotely, deleting..."
git push origin ":refs/tags/$UNIFIED_TAG" || true
fi

git tag -a "$UNIFIED_TAG" -m "Release v${VERSION} — GitHub Registry ref"
git push origin "$UNIFIED_TAG"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Keep GitHub Registry version tags immutable.

Deleting and recreating v${VERSION} can make the same installation ref resolve to different source. Fail if the release tag already exists instead of moving it.

Proposed fix
-          if git rev-parse "$UNIFIED_TAG" >/dev/null 2>&1; then
-            echo "Tag $UNIFIED_TAG exists locally, deleting..."
-            git tag -d "$UNIFIED_TAG"
-          fi
-
-          if git ls-remote --tags origin | grep -q "refs/tags/$UNIFIED_TAG"; then
-            echo "Tag $UNIFIED_TAG exists remotely, deleting..."
-            git push origin ":refs/tags/$UNIFIED_TAG" || true
+          if git rev-parse "$UNIFIED_TAG" >/dev/null 2>&1 ||
+             git ls-remote --exit-code --tags origin "refs/tags/$UNIFIED_TAG" >/dev/null 2>&1; then
+            echo "::error::Release tag $UNIFIED_TAG already exists; refusing to move it."
+            exit 1
           fi
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
if git rev-parse "$UNIFIED_TAG" >/dev/null 2>&1; then
echo "Tag $UNIFIED_TAG exists locally, deleting..."
git tag -d "$UNIFIED_TAG"
fi
if git ls-remote --tags origin | grep -q "refs/tags/$UNIFIED_TAG"; then
echo "Tag $UNIFIED_TAG exists remotely, deleting..."
git push origin ":refs/tags/$UNIFIED_TAG" || true
fi
git tag -a "$UNIFIED_TAG" -m "Release v${VERSION} — GitHub Registry ref"
git push origin "$UNIFIED_TAG"
if git rev-parse "$UNIFIED_TAG" >/dev/null 2>&1 ||
git ls-remote --exit-code --tags origin "refs/tags/$UNIFIED_TAG" >/dev/null 2>&1; then
echo "::error::Release tag $UNIFIED_TAG already exists; refusing to move it."
exit 1
fi
git tag -a "$UNIFIED_TAG" -m "Release v${VERSION} — GitHub Registry ref"
git push origin "$UNIFIED_TAG"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/publish-public-npm.yml around lines 311 - 322, Update the
release-tag flow around UNIFIED_TAG to preserve tag immutability: remove the
local and remote deletion logic, check whether the tag already exists remotely,
and fail the workflow before creating or pushing it. Continue creating and
pushing the tag only when it does not already exist.

Comment thread docs-site/api/r.ts
Comment on lines +79 to +80
res.setHeader('Deprecation', 'true');
res.setHeader('Sunset', 'Sat, 31 Dec 2026 23:59:59 GMT');

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

sed -n '1,140p' docs-site/api/r.ts

Repository: auth0/auth0-ui-components

Length of output: 4806


🏁 Script executed:

python3 - <<'PY'
from datetime import datetime, timezone
dt = datetime(2026,12,31,23,59,59,tzinfo=timezone.utc)
print(dt.strftime("%a, %d %b %Y %H:%M:%S GMT"))
PY

Repository: auth0/auth0-ui-components

Length of output: 193


🌐 Web query:

RFC 9745 Deprecation header value boolean date structured field syntax

💡 Result:

RFC 9745 defines the Deprecation HTTP response header field as an Item Structured Header Field [1][2]. According to the official specification, the value of the Deprecation header must be a Date as defined in RFC 9651 (the Structured Field Values for HTTP specification) [2][3]. The standard representation for this Date type in Structured Field syntax is a Unix timestamp integer preceded by an "@" character (e.g., @1688169599) [2][4]. While some industry guidelines or internal documentation may suggest the use of a boolean value (such as?1 for true) [5][6], the formal specification in RFC 9745 strictly defines the value as a Date [2][3]. Use of a boolean or other types does not conform to the syntax requirements established by the RFC [1][2].

Citations:


Emit spec-compliant deprecation metadata.

Deprecation must use an RFC 9745 date value (e.g. @<unix-timestamp>), not true, and Sunset should use the correct weekday here (Thu, not Sat).

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs-site/api/r.ts` around lines 79 - 80, Update the deprecation headers in
the response setup: change the Deprecation value to an RFC 9745 date format
using the applicable Unix timestamp, and correct the Sunset header’s weekday
from Sat to Thu while preserving its intended date and time.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement New feature or request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants