ci: add coordinated main + preview release workflow

[notgitika]

Summary

Two workflows to keep main and preview branches in sync and release them together.

1. sync-preview.yml — auto-merge main into preview

Runs on every push to main. Merges main into preview automatically so preview stays current while preserving its own divergent values (package version, preview-specific tests, etc.). If there are conflicts, it skips silently — no failed workflow, just a note that manual merge is needed.

2. release-main-and-preview.yml — coordinated release

Releases both branches to npm in a single run.

How to use:

1. Go to Actions → Release Both (Main + Preview)
2. Pick bump types (e.g., patch for main, prerelease for preview)
3. Click Run workflow

What it does:

• Verifies preview contains all of main (should already be, thanks to sync-preview)
• Bumps versions and creates release PRs for both branches in parallel
• Runs lint, typecheck, build, and unit tests on both
• Waits for manual approval — merge both PRs before approving
• Verifies both PRs are merged before either publish runs (prevents drift)
• Publishes main (@latest) and preview (@preview) to npm
• Creates git tags and GitHub releases for both

There's a dry_run option that creates PRs and runs tests without publishing.

Why merge instead of rebase

The preview branch has intentionally different values from main (package version, some tests). Rebase would overwrite these. Merge preserves preview-specific changes and only conflicts when both branches edit the same lines.

Test plan

• Trigger sync-preview by merging a commit to main — verify main is merged into preview
• Verify sync-preview skips cleanly when preview has merge conflicts
• Trigger release with dry_run: true to verify PR creation and test jobs
• Verify release fails at preflight if preview doesn't contain main
• Verify release fails at verify-merges if PRs aren't merged yet

[agentcore-cli-automation]

Blocker: preview_bump_type values aren't accepted by scripts/bump-version.ts

The workflow exposes preview and preview-major as preview_bump_type options (lines 20–26) and passes them straight to the bump script:

BUMP_CMD="npx tsx scripts/bump-version.ts $BUMP_TYPE"

But scripts/bump-version.ts only accepts major | minor | patch | prerelease and hard-exits on anything else:

if (!['major', 'minor', 'patch', 'prerelease'].includes(bumpType)) {
  console.error(`Error: Invalid bump type '${bumpType}'. Must be one of: major, minor, patch, prerelease`);
  process.exit(1);
}

So every invocation of this workflow will fail at the "Bump version" step in prepare-preview. This doesn't appear to have been validated against the bump script.

The existing release.yml handles preview by passing prerelease as the bump type with --prerelease-tag preview (see the prerelease → dist_tag=preview branch in release.yml), which produces versions like 1.0.0-preview.2.

Options to fix:

1. Change the preview_bump_type input to map to the existing script: pass prerelease --prerelease-tag preview for the preview option, and figure out what preview-major should mean (maybe major --prerelease-tag preview via a new script flag, or a two-step bump).
2. Extend scripts/bump-version.ts to natively support preview and preview-major bump types, then keep the workflow as-is.
3. Drop preview-major entirely if the intent isn't clear, and just use prerelease --prerelease-tag preview for preview.

Whichever path you take, please also add dry-run validation of the bump step in the test plan before merging.

[agentcore-cli-automation]

Serial publish still allows the drift this workflow is meant to prevent

The PR description motivates this workflow with "if one fails or we forget the other, the two npm tags drift out of sync." But the current design doesn't actually close that gap on the publish side:

• publish-main runs first and publishes @latest.
• publish-preview has needs: [prepare-preview, publish-main], so if publish-main succeeds but publish-preview fails (npm flake, OIDC hiccup, version-verify mismatch because the preview PR wasn't merged, etc.), you're left in exactly the state the PR is trying to avoid: @latest bumped, @preview stale.

At minimum it would help to:

1. Document the recovery procedure (e.g., "if publish-preview fails, re-run just that job after merging the preview PR"), and/or
2. Have publish-preview retry on failure, and/or
3. Gate the approval more strictly so both PRs are verified as merged before either publish runs (e.g., combine the two "Verify version" checks into the approval gate so both are confirmed atomically before any npm publish happens).

Option 3 is probably the most robust — a single pre-publish verification job that checks both main and preview have the expected versions, then kicks off both publishes, would make the "all or nothing" intent real.

[agentcore-cli-automation]

Test artifacts are uploaded but never consumed — publish jobs rebuild from source

test-main and test-preview upload dist/ and *.tgz as artifacts (dist-main, dist-preview), but neither publish-main nor publish-preview downloads them. Both publish jobs do their own npm ci + npm run build against the post-merge main/preview branches.

Two problems with this:

1. What you test isn't what you ship. The test jobs pack from the release/v* branch pre-merge; the publish jobs build from main/preview post-merge. In practice these should be identical, but if anyone force-pushes or amends during the approval window, the published artifact can differ from what passed tests without anything catching it.
2. Wasted CI minutes / dead code. The upload-artifact steps just produce artifacts that get garbage-collected unused.

Compare with the existing release.yml, which uses actions/download-artifact@v8 in publish-npm to reuse the tested dist/.

Options:

1. Download the artifacts in the publish jobs and publish from them (matches existing release.yml).
2. If you'd rather rebuild post-merge for safety, drop the upload-artifact steps entirely — they're misleading as-is.

[notgitika]

@agentcore-cli-automation review my commits after the first one

[agentcore-cli-automation]

sync-preview will conflict on every release cycle and silently skip, leaving preview stale

Every release produces a version bump commit on both main and preview that modifies the same files (package.json, package-lock.json, CHANGELOG.md) with different content (e.g., main bumps to 1.0.1 while preview already has 1.0.1-preview.2). When sync-preview runs on the next push to main and tries to rebase preview onto main, replaying preview's version-bump commit on top of main's new version-bump commit will reliably conflict on those exact files.

Because the rebase failure is silent (echo only, no notification, no failed workflow), the expected steady state after the first release is:

• sync-preview runs on every main push, hits conflicts, aborts silently
• No one notices until someone triggers release-main-and-preview, at which point the preflight check fails
• Someone has to manually rebase preview anyway

So the auto-sync ends up helping only for non-release commits to main, which may or may not be the common case — but the PR description sells this as the mechanism that keeps branches in sync for release, and that's exactly the case where it won't work.

A few options to consider:

1. Teach sync-preview (or the release workflow) to drop preview's stale version-bump commits before rebasing — e.g., reset preview to main and then re-apply only the preview-specific diff (which in practice may be empty if preview tracks main verbatim apart from versioning).
2. Keep the rebase, but on conflict post a notification (issue, Slack, PR comment) so the failure isn't silent.
3. If preview is intended to be identical to main except for the npm dist-tag, consider reframing: don't keep a separate long-lived branch at all, and make "preview release" a flag on the existing release.yml that publishes the main HEAD under the @preview tag with a prerelease version. That would eliminate the drift problem entirely.

At minimum, the silent-skip behavior should be replaced with something observable, because the common case for this workflow appears to leave preview perpetually behind without anyone knowing.

[agentcore-cli-automation]

sync-preview.yml has no concurrency control and force-pushes preview

The workflow runs on every push to main and ends with git push --force-with-lease origin preview. If two commits land on main in quick succession (common when merging a batch of PRs), two sync-preview runs will execute in parallel, both checking out origin/preview, both rebasing, and both racing to force-push. --force-with-lease will protect against overwriting unknown changes, but one of the two runs will fail mid-push and abort — and because the job doesn't fail loudly, you'll just end up with preview synced to whichever commit won the race (which may not be the latest main).

Please add a concurrency block to serialize runs, e.g.:

concurrency:
  group: sync-preview
  cancel-in-progress: false

(cancel-in-progress: false is important here — you don't want to cancel a partially-completed rebase/push mid-flight.)

[agentcore-cli-automation]

prepare-preview syncs @aws/agentcore-cdk to latest, not preview

Both prepare-main and prepare-preview have the same step:

LATEST_CDK=$(npm view @aws/agentcore-cdk version 2>/dev/null || echo "")

npm view <pkg> version returns the version tagged latest. For the preview release that's almost certainly wrong — a preview CLI should ship with the preview CDK (the @aws/agentcore-cdk@preview dist-tag), not the stable one. As written, every preview release of the CLI will pin the bundled CDK template to the latest stable CDK, defeating the purpose of having a preview channel for coordinated CLI+CDK changes.

Options:

1. In prepare-preview, query the preview tag instead: npm view @aws/agentcore-cdk@preview version.
2. Add a workflow input so the operator can pick which CDK dist-tag to sync to per-branch.

(This is arguably pre-existing — the CDK is currently only published under alpha/latest, so today both queries return the same thing — but the moment CDK has a real preview channel, this workflow will silently ship the wrong version.)

[aidandaly24]

@agentcore-cli-automation do a final review. Ready for approval?

[aidandaly24]

this lgtm, im aligned. we can always change it later