
chore: pin SDK consumers after release#120

Open

IlyaasK wants to merge 1 commit into main from sdk-consumer-pin-automation

Conversation

@IlyaasK IlyaasK commented Jun 4, 2026

Summary

  • add a Pin SDK Consumers workflow that runs after the Publish NPM workflow succeeds for a release, plus manual dispatch for a specific version
  • open/update cross-repo PRs that exact-pin @onkernel/sdk in dashboard and MCP and refresh their Bun lockfiles
  • add a small helper that rewrites package.json to an exact SDK version and rejects ranges like ^0.60.0

Validation

  • ./node_modules/.bin/prettier --check .github/workflows/pin-consumers.yml scripts/utils/pin-sdk-consumer.mjs
  • ruby -e 'require "yaml"; YAML.load_file(".github/workflows/pin-consumers.yml"); puts "yaml ok"'
  • node scripts/utils/pin-sdk-consumer.mjs /private/tmp/sdk-consumer-package.json v0.62.0
  • node scripts/utils/pin-sdk-consumer.mjs /private/tmp/sdk-consumer-package.json '^0.62.0' exits 2 as expected
  • NPM_CONFIG_CACHE=/private/tmp/kernel-node-sdk-npm-cache npm run lint
  • npm test

Note

Low Risk
CI-only automation and a local package.json helper; no runtime SDK or app code changes in this repo.

Overview
Adds post-release automation so downstream repos pick up the new @onkernel/sdk without manual bumps.

A new Pin SDK Consumers workflow runs after Publish NPM succeeds on a release (or via manual dispatch with a version). It resolves a semver, uses a GitHub App token, and for kernel/kernel (dashboard) and kernel/kernel-mcp-server clones each repo, runs a helper to set an exact SDK version in package.json, runs bun install, and opens or skips a PR on branch automation/pin-node-sdk-<version>.

The helper scripts/utils/pin-sdk-consumer.mjs rewrites dependencies["@onkernel/sdk"] to that exact version and rejects invalid input (including semver ranges like ^0.62.0).

Reviewed by Cursor Bugbot for commit 05d9182. Bugbot is set up for automated code reviews on this repo. Configure here.
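The helper described above, as an added example that is not the PR's own scripts/utils/pin-sdk-consumer.mjs: the exact-pin rewrite and its two failure exits written as pure functions over the package.json text, with a constructed sample manifest, so the range rejection and the "already pins" case can be exercised without cloning a consumer repo.

```javascript
// Added example, not the PR's scripts/utils/pin-sdk-consumer.mjs: the pin logic
// the PR describes, as pure functions. Exit codes follow the PR text:
// 1 = consumer does not declare @onkernel/sdk, 2 = non-exact version input.
const SDK_PACKAGE = "@onkernel/sdk";

// Exact release only: MAJOR.MINOR.PATCH plus optional pre-release/build tags.
// Range syntax (^, ~, >=, x, ||) and dist-tags such as "latest" do not match.
const EXACT_SEMVER =
  /^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

class PinError extends Error {
  constructor(message, exitCode) { super(message); this.exitCode = exitCode; }
}

// Accepts a release tag ("v0.62.0") or a bare version ("0.62.0"), nothing else.
function normalizeVersion(input) {
  const v = String(input ?? "").trim().replace(/^v/, "");
  if (!EXACT_SEMVER.test(v)) {
    throw new PinError(`refusing non-exact SDK version ${JSON.stringify(input)}`, 2);
  }
  return v;
}

// Rewrites dependencies["@onkernel/sdk"] to the exact version and returns the new
// package.json text, the resolved version, and whether anything changed (the
// "already pins" case the workflow uses to skip opening a PR).
function pinSdkConsumer(packageJsonText, versionInput) {
  const version = normalizeVersion(versionInput);
  const pkg = JSON.parse(packageJsonText);
  const current = pkg.dependencies ? pkg.dependencies[SDK_PACKAGE] : undefined;
  if (typeof current !== "string") {
    throw new PinError(`package.json does not declare dependencies["${SDK_PACKAGE}"]`, 1);
  }
  pkg.dependencies[SDK_PACKAGE] = version;
  return { json: JSON.stringify(pkg, null, 2) + "\n", version, changed: current !== version };
}

// Exit code a CLI wrapper would use for a given pin attempt (0 on success).
function exitCodeFor(fn) {
  try { fn(); return 0; } catch (e) { return e instanceof PinError ? e.exitCode : 1; }
}

// Constructed sample consumer manifest (not a real dashboard or MCP package.json).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "sample-consumer",
  dependencies: { [SDK_PACKAGE]: "^0.60.0", react: "18.3.1" },
});
```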

@firetiger-agent

Created a monitoring plan for this PR.

What this PR does: Automates the post-release step of opening dependency-pin PRs in kernel/kernel (dashboard) and kernel/kernel-mcp-server after each new SDK version is published to NPM.

Intended effect:

  • Pin SDK Consumers workflow run: baseline 0 (new workflow); confirmed if the next SDK release triggers a successful run and PRs appear in both downstream repos with the correct exact-version pin (e.g., "@onkernel/sdk": "X.Y.Z").
  • Downstream PR creation: baseline none (first run); confirmed if both automation/pin-node-sdk-<version> branches are pushed and PRs opened — or an "already pins" early exit if the version was already current.

Risks:

  • Workflow auth failure — GitHub App token (ADMIN_APP_ID/ADMIN_APP_PRIVATE_KEY) must have write access to both downstream repos; alert if the Pin SDK Consumers run exits with permission denied or missing-secret errors.
  • Wrong version resolved — If workflow_run.head_branch is not a semver tag, the workflow falls back to gh release list; alert if the pinned version in the opened PR doesn't match the just-published release.
  • Missing @onkernel/sdk dependency — Script exits code 1 if the downstream package.json doesn't list @onkernel/sdk; alert if either pin step fails with "does not declare dependencies."
  • bun install lock file drift — If Bun resolution changes introduce unexpected transitive dependency changes in the downstream repos, the PR diff will be larger than expected; reviewers should verify bun.lock changes are minimal.
  • Silent skip on manual trigger — workflow_dispatch requires an explicit valid semver version input; invalid input exits code 2 with no PR created; alert if the run exits non-zero without creating any branch.

Status updates will be posted automatically on this PR as monitoring progresses.


@cursor cursor Bot left a comment

Cursor Bugbot has reviewed your changes and found 2 potential issues.


fi

raw="$(gh release list --repo "$GITHUB_REPOSITORY" --limit 10 --json tagName,publishedAt --jq 'sort_by(.publishedAt) | last | .tagName')"
version="${raw#v}"
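Review bot: `raw` is never checked before `version="${raw#v}"`, so when `gh release list` yields nothing in the last 10 releases the `last` filter produces an empty or `null` result and the pin steps run with a version of "" or "null"; add a guard such as `[ -n "$raw" ] && [ "$raw" != "null" ] || { echo "no release found" >&2; exit 1; }` before the assignment, and validate `version` against the same exact-semver check the helper enforces so a draft or oddly named tag cannot reach the consumer PRs.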

Release fallback picks wrong version

Medium Severity

When workflow_run triggers pinning, the resolved SDK version often comes from gh release list (newest publishedAt among the last 10 releases) because workflow_run.head_branch is usually not a semver tag for release-triggered Publish NPM runs. That version is not tied to the completed publish run, so a delayed or overlapping release can pin dashboard/MCP to a different @onkernel/sdk than the one just published.



git add packages/dashboard/package.json bun.lock
git commit -m "chore(dashboard): pin @onkernel/sdk to $SDK_VERSION"
git push "https://x-access-token:${GH_TOKEN}@github.com/${repo}.git" "HEAD:$branch" --force-with-lease
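Review bot: the push line embeds `${GH_TOKEN}` in the remote URL, which puts the App token on the git command line (visible in process listings on the runner and in any verbose git or curl tracing) and relies entirely on Actions log masking to keep it out of output; configure the credential once out of band instead, for example `gh auth setup-git` with `GH_TOKEN` exported, and push to the plain `https://github.com/${repo}.git` URL so the secret never appears in argv or in the checkout's remote configuration.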

Lease push blocks branch updates

Medium Severity

Consumer repos are cloned with --depth 1 and a new local branch is pushed with --force-with-lease, but the remote automation branch is never fetched. If automation/pin-node-sdk-* already exists on the remote, Git typically cannot establish a lease and rejects the push, so reruns that need to refresh the same branch (e.g. lockfile updates) fail after changes are committed locally.

