ci: sync lockfile in release PRs and skip AI disclosure on bot PRs #2124

Merged
asyncapi-bot merged 2 commits into asyncapi:master from Adi-204:fix/2123-release-lockfile-and-ai-disclosure-bots
Jun 19, 2026
@Adi-204 Adi-204 commented Jun 18, 2026

Member

Description

Fixes two CI workflow issues described in #2123.

Problem 1 — Release PRs leave package-lock.json stale

The Changesets release PR runs only changeset version, which rewrites package.json/CHANGELOG.md files but never runs an install, so the root package-lock.json drifts out of sync with the bumped manifests (both the package's own version entry and the internal dependency pins in consumers). This makes npm ci fail and produces noisy lockfile diffs on later PRs.

Fix: append npm install --package-lock-only --ignore-scripts to the changesets/action version command in release-with-changesets.yml so the release PR regenerates the lockfile alongside the manifests. --package-lock-only avoids a full reinstall (node_modules is already present from the earlier npm ci) and --ignore-scripts keeps it side-effect-free.

Problem 2 — verify-ai-disclosure.yml runs on bot PRs

The AI-disclosure check ran on every PR, including machine-generated ones (e.g. the Changesets release PR from asyncapi-bot, and dependabot), adding noise on PRs no human authored.

Fix: add a job-level actor guard that skips the check for known bot authors, consistent with how other PR-triggered workflows in this repo (e.g. pr-review-checklist.yml) treat bots.

Related issue(s)

Fixes #2123

Generated-by: Cursor Agent (Claude Opus 4.8)
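
The drift described in Problem 1, as an added example that is not part of the original PR or the asyncapi/generator code base: a check that compares workspace manifests with their entries in the lockfile's `packages` map. The package names, paths and versions are constructed sample data, and `findLockfileDrift` is a hypothetical helper.

```javascript
// Added example, not code from asyncapi/generator. Paths, package names and
// versions are constructed sample data.

// Compare each workspace manifest with its entry in a lockfileVersion 2/3
// `packages` map and return a list of human-readable drift findings.
function findLockfileDrift(manifests, lockfile) {
  const findings = [];
  const locked = lockfile.packages || {};
  for (const [path, manifest] of Object.entries(manifests)) {
    const entry = locked[path];
    if (!entry) {
      findings.push(`${path}: missing from lockfile`);
      continue;
    }
    // 1. The package's own version entry.
    if (entry.version !== manifest.version) {
      findings.push(`${path}: version ${entry.version} in lockfile, ${manifest.version} in manifest`);
    }
    // 2. Dependency ranges copied into the lockfile entry (internal pins included).
    for (const field of ['dependencies', 'devDependencies']) {
      const want = manifest[field] || {};
      const have = entry[field] || {};
      for (const name of new Set([...Object.keys(want), ...Object.keys(have)])) {
        if (want[name] !== have[name]) {
          findings.push(`${path}: ${field}.${name} is ${have[name]} in lockfile, ${want[name]} in manifest`);
        }
      }
    }
  }
  return findings;
}

// Constructed state after `changeset version` bumped both manifests with no install.
const manifests = {
  'packages/core': { name: '@example/core', version: '1.3.0' },
  'apps/cli': { name: '@example/cli', version: '2.0.1', dependencies: { '@example/core': '1.3.0' } },
};
const staleLock = {
  lockfileVersion: 3,
  packages: {
    'packages/core': { name: '@example/core', version: '1.2.0' },
    'apps/cli': { name: '@example/cli', version: '2.0.0', dependencies: { '@example/core': '1.2.0' } },
  },
};

const drift = findLockfileDrift(manifests, staleLock);
console.log(drift.length ? drift.join('\n') : 'lockfile in sync');
```

Fed the parsed `package.json` files and `package-lock.json` of a real checkout, a non-empty result flags the same condition that makes `npm ci` fail.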

Append `npm install --package-lock-only --ignore-scripts` to the Changesets
`version` command so the release PR regenerates package-lock.json alongside the
bumped manifests, keeping `npm ci` consistent.

Add a bot-actor guard to verify-ai-disclosure.yml so the AI-disclosure check
does not run on machine-generated PRs (asyncapi-bot, dependabot).

Refs: asyncapi#2123
@changeset-bot

changeset-bot Bot commented Jun 18, 2026


⚠️ No Changeset found

Latest commit: d94a171

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@asyncapi-bot

Contributor

What reviewer looks at during PR review

The following are ideal points maintainers look for during review. Reviewing these points yourself beforehand can help streamline the review process and reduce time to merge.

  1. PR Title: Use a concise title that follows our Conventional Commits guidelines and clearly summarizes the change using imperative mood (it means spoken or written as if giving a command or instruction, like "add new helper for listing operations")

    Note - In Generator, prepend feat: or fix: in PR title only when PATCH/MINOR release must be triggered.

  2. PR Description: Clearly explain the issue being solved, summarize the changes made, and mention the related issue.

    Note - In Generator, we use Maintainers Work board to track progress. Ensure the PR Description includes Resolves #<issue-number> or Fixes #<issue-number>; this will automatically close the linked issue when the PR is merged and help automate the maintainers' workflow.

  3. Documentation: Update the relevant Generator documentation to accurately reflect the changes introduced in the PR, ensuring users and contributors have up-to-date guidance.

  4. Comments and JSDoc: Write clear and consistent JSDoc comments for functions, including parameter types, return values, and error conditions, so others can easily understand and use the code.

  5. DRY Code: Ensure the code follows the Don't Repeat Yourself principle. Look out for duplicate logic that can be reused.

  6. Test Coverage: Ensure the new code is well-tested with meaningful test cases that pass consistently and cover all relevant edge cases.

  7. Commit History: Contributors should avoid force-pushing as much as possible. It makes it harder to track incremental changes and review the latest updates.

  8. Template Design Principles Alignment: While reviewing template-related changes in the packages/ directory, ensure they align with the Assumptions and Principles. If any principle feels outdated or no longer applicable, start a discussion; these principles are meant to evolve with the project.

  9. Reduce Scope When Needed: If an issue or PR feels too large or complex, consider splitting it and creating follow-up issues. Smaller, focused PRs are easier to review and merge.

  10. Bot Comments: As reviewers, check that contributors have appropriately addressed comments or suggestions made by automated bots. If there are bot comments the reviewer disagrees with, react to them or mark them as resolved, so the review history remains clear and accurate.

@coderabbitai

coderabbitai Bot commented Jun 18, 2026

Walkthrough

Two GitHub Actions workflow fixes: the release workflow's changesets/action version command now runs a lockfile-only npm install after changeset version to keep package-lock.json in sync with bumped manifests; the AI-disclosure workflow gains an if: condition excluding known bot accounts from the check.

Changes

CI Workflow Fixes

| Layer / File(s) | Summary |
|---|---|
| Refresh package-lock.json after changeset version (.github/workflows/release-with-changesets.yml) | The version command in the changesets/action@v1 step is expanded to run npm install --package-lock-only --ignore-scripts after changeset version, with inline comments explaining why the lockfile must be refreshed. |
| Skip AI-disclosure check for bot PR authors (.github/workflows/verify-ai-disclosure.yml) | Adds an if: expression to exclude asyncapi-bot, dependabot[bot], and dependabot-preview[bot] from the AI-disclosure verification trigger. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

  • asyncapi/generator#2111: Introduces the verify-ai-disclosure.yml workflow that this PR now modifies to add bot-login exclusion gating.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately summarizes both changes: syncing lockfile in release PRs and skipping AI disclosure checks for bot PRs, following Conventional Commits with 'ci:' prefix in imperative mood. |
| Linked Issues check | ✅ Passed | The pull request fully addresses both objectives from issue #2123: syncing package-lock.json in release PRs via npm install --package-lock-only, and skipping AI-disclosure verification for known bot accounts. |
| Out of Scope Changes check | ✅ Passed | All changes are directly scoped to the two stated objectives: workflow modifications for lockfile synchronization and bot-account filtering, with no unrelated alterations. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |

Regenerate the root lockfile so the workspace package versions and pinned
internal dependency ranges match the manifests bumped by the last release,
resolving the drift described in asyncapi#2123.

Refs: asyncapi#2123
@derberg

derberg commented Jun 19, 2026

Member

/rtm

@asyncapi-bot asyncapi-bot merged commit b7cb714 into asyncapi:master Jun 19, 2026
23 checks passed
@sonarqubecloud

Development

Successfully merging this pull request may close these issues.

Release PRs leave package-lock.json stale, and verify-ai-disclosure runs on bot PRs

3 participants