fix: updated release flow to match the current flows

[jasonsaayman]

Summary by cubic

Updates the release-branch workflow to build, upload, and test the packed npm tarball, aligning with the current publish flow. Adds CJS/ESM module tests across Node versions and removes the dependency review step.

Description

• Summary of changes

  • Pack tarball with npm pack and upload axios-*.tgz as axios-tarball (fail if missing).
  • Update smoke tests to install from the packed tarball.
  • Add CJS module tests on Node 12/14/16/18.
  • Add ESM module tests on Node 20/22/24.
  • Migrate to actions/checkout@v6, actions/setup-node@v6, actions/upload-artifact@v7, actions/download-artifact@v8.
  • Remove dependency review step.

• Reasoning

  • Test the exact artifact we publish to npm.
  • Validate CJS/ESM behavior across supported Node versions.
  • Simplify the flow by dropping an unnecessary step.

• Additional context

  • Artifact renamed from axios (dist) to axios-tarball (npm pack).
  • Tarball installed via npm install --no-save ../../../artifacts/axios-*.tgz.
  • Review: should bump-version-and-create-pr also depend on the new module test jobs to fully gate releases?

Testing

• No unit tests changed.
• CI updates:
  • Smoke tests now install axios from the packed tarball.
  • New module test jobs for CJS and ESM across Node versions.
• No additional tests needed beyond these CI checks; they cover the publishable artifact end-to-end.

^{Written for commit 183fedd. Summary will update on new commits.}

[cubic-dev-ai]

1 issue found across 1 file

Confidence score: 4/5

• This PR looks safe to merge overall, with one moderate workflow configuration risk rather than an application/runtime regression.
• In .github/workflows/release-branch.yml, actions/dependency-review-action is used under workflow_dispatch without base-ref/head-ref; on non-PR events this can cause the dependency review step to run with incomplete context or fail to compare changes as intended.
• Given the issue is medium severity (5/10) with reasonably strong confidence (7/10) and scoped to CI behavior, the merge risk appears limited but worth addressing soon.
• Pay close attention to .github/workflows/release-branch.yml - dependency-review inputs for manual dispatch are likely incomplete without explicit refs.

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/release-branch.yml">

<violation number="1" location=".github/workflows/release-branch.yml:50">
P2: `actions/dependency-review-action` is being run in a `workflow_dispatch` workflow, but no `base-ref`/`head-ref` are provided. The action’s docs call out `base-ref`/`head-ref` as the mechanism for non-PR event types, so consider setting them here to ensure the dependency comparison is done against the intended refs.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}