ci: add pkg.pr.new previews

[ScriptedAlchemy]

Summary

• Add a pkg.pr.new workflow that publishes preview packages for PRs targeting main.
• Install pkg-pr-new as a dev dependency so CI runs it from the lockfile.
• Build the package before publishing the preview and comment with pnpm install instructions for the commit SHA.

Test plan

• pnpm install --frozen-lockfile
• pnpm build
• pnpm exec pkg-pr-new --help

[coderabbitai]

📝 Walkthrough

Walkthrough

A new GitHub Actions workflow file .github/workflows/pkg-pr-new.yml is added, triggered on pull_request events targeting the main branch. The workflow defines scoped permissions (contents: read, pull-requests: write), PR-number-scoped concurrency with in-progress run cancellation, and a single publish job on ubuntu-latest. The job checks out the repository, sets up Node.js from .nvmrc, installs PNPM, runs pnpm install --frozen-lockfile and pnpm build, then executes pkg-pr-new publish with --commentWithSha and --packageManager=pnpm. The pkg-pr-new package at ^0.0.75 is added to devDependencies in package.json.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'ci: add pkg.pr.new previews' clearly and concisely summarizes the main change: adding CI/CD support for preview package publishing via pkg.pr.new.
Description check	✅ Passed	The description is directly related to the changeset, detailing the workflow addition, dependency installation, and build configuration with a clear test plan.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/pkg-pr-new

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/pkg-pr-new.yml:
- Line 7: The permissions block at the top of the workflow is set to an empty
object which removes all token scopes, but the publish step uses the
--commentWithSha flag which requires the pull-requests: write permission to post
comments on pull requests. Update the permissions configuration from an empty
object to explicitly grant the pull-requests: write scope so the workflow can
successfully create and update PR comments when using the --commentWithSha
option.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 1a6fe70a-20e2-4d94-a3dd-e0846fdedc22

📥 Commits

Reviewing files that changed from the base of the PR and between ceef4ee and 7b68259.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (2)

• .github/workflows/pkg-pr-new.yml
• package.json

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/pkg-pr-new.yml (1)

22-32: ⚠️ Potential issue | 🟡 Minor

Update pnpm/action-setup to match the v4 release tag SHA.

The pnpm/action-setup action is pinned to b906affcce14559ad1aafd4ab0e942779e9f58b1, but the v4 tag points to f40ffcd9367d9f12939873eb1018b921a783ffaa. Update the action to the current v4 release SHA to maintain supply chain integrity consistency. The other two actions (checkout and setup-node) are correctly pinned to their respective v4 release commits.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/pkg-pr-new.yml around lines 22 - 32, The pnpm/action-setup
action is pinned to an outdated SHA that does not match the current v4 release
tag. In the Setup PNPM step, update the uses field for pnpm/action-setup from
the current SHA b906affcce14559ad1aafd4ab0e942779e9f58b1 to the correct v4
release SHA f40ffcd9367d9f12939873eb1018b921a783ffaa to maintain consistency
with the other pinned actions (checkout and setup-node) and ensure supply chain
integrity.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In @.github/workflows/pkg-pr-new.yml:
- Around line 22-32: The pnpm/action-setup action is pinned to an outdated SHA
that does not match the current v4 release tag. In the Setup PNPM step, update
the uses field for pnpm/action-setup from the current SHA
b906affcce14559ad1aafd4ab0e942779e9f58b1 to the correct v4 release SHA
f40ffcd9367d9f12939873eb1018b921a783ffaa to maintain consistency with the other
pinned actions (checkout and setup-node) and ensure supply chain integrity.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 23f38549-2b4d-4bdf-950d-7d70e391de9f

📥 Commits

Reviewing files that changed from the base of the PR and between 7b68259 and e17720a.

📒 Files selected for processing (1)

• .github/workflows/pkg-pr-new.yml