ci: harden the release path #194

Merged: helly25 merged 2 commits into main from ci/harden-release-path on Jun 16, 2026

helly25 (Owner) commented Jun 15, 2026

Fallout-fixes from the 0.11.0 release mishap.

What broke

  • `trigger_release.sh` was run from a squash-merged feature branch. Its guards only check `git diff origin/main` (tree), which was empty because the branch tree == main — so it tagged the wrong commit. (Tag since moved onto main.)
  • On macOS the script then died at `sed` — BSD `sed -i` needs a backup-suffix arg and `0,/re/` is GNU-only, so it parsed `MODULE.bazel` as the script (`invalid command code M`). The version bump never ran.
  • The full Test matrix fires on tag pushes (`on: [push]`), and `trunk check` broke diffing against the now-gone prior tag object after the tag move.
  • 0.11.0's BCR publish died at Create final entry: `.bcr/patches/bazelmod.patch` no longer applied (its context said skylib 1.8.2/platforms 1.0.0; the tarball has 1.9.0/1.1.0).

Fixes

  • `trigger_release.sh`: must be on `main` at exactly `origin/main`; numeric X.Y.Z arg check; pre-flight that every `.bcr/patches/*` still applies (fails before tagging); portable `sed` (BSD + GNU).
  • `main.yml`: branch pushes only (`branches: ['**']`).
  • `release.yml`: numeric semver tag filter (`[0-9]+.[0-9]+.[0-9]+`).
  • `.bcr/patches/bazelmod.patch`: regenerated with 1-line context — verified to apply to both the repo and the published 0.11.0 tarball, and won't re-break on dependency bumps.

helly25 added 2 commits June 15, 2026 23:54
- trigger_release.sh: require running on `main` at exactly origin/main — the
  tree-only diff checks passed off a just-squash-merged feature branch, so
  0.11.0 got tagged on the wrong commit. Also validate the version arg is
  numeric X.Y.Z; pre-flight that .bcr/patches/* still apply (so publish-to-bcr
  can't fail post-tag); and replace GNU-only `sed -i`/`0,/re/` with portable
  temp-file edits (BSD sed on macOS mis-parsed them -> "invalid command code M").
- main.yml: trigger on branch pushes only ('**'). Tag pushes ran the full
  matrix needlessly and broke `trunk check`, which diffs against the now-gone
  prior tag object after a tag move.
- release.yml: match numeric semver tags only, [0-9]+.[0-9]+.[0-9]+.
- .bcr/patches/bazelmod.patch: regenerate with 1-line context so the include()
  comment-out survives dependency bumps (it broke on skylib 1.8.2 -> 1.9.0,
  which is why 0.11.0's BCR publish died at "Create final entry").

helly25 requested a review from Fab-Cat June 15, 2026 23:24
helly25 enabled auto-merge (squash) June 15, 2026 23:24
helly25 merged commit c17a784 into main Jun 16, 2026
38 checks passed
helly25 deleted the ci/harden-release-path branch June 16, 2026 10:28
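
The guards this PR describes, as an added sketch that is not the project's `trigger_release.sh` (the script itself is not shown on this page): the tree-only check beside a commit-identity check, the numeric X.Y.Z check, and a first-match version edit through a temp file. The function names and the `version = "X.Y.Z"` line format are assumptions, and the edit uses `awk` rather than the script's `sed`.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from trigger_release.sh.

# Accept only numeric X.Y.Z (rejects "v0.11.0", "0.11", "0.11.0-rc1").
valid_version() {
  case "$1" in
    '' | *[!0-9.]* | .* | *. | *..*) return 1 ;;  # empty, non-digit, empty part
    *.*.*.*) return 1 ;;                          # more than three parts
    *.*.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Weak guard described in the PR: compares content only, so a just
# squash-merged feature branch (same tree as main) passes.
tree_matches_origin() {  # tree_matches_origin REPO_DIR
  git -C "$1" diff --quiet origin/main
}

# Stronger guard: the checked-out branch must be main AND HEAD must be the
# same commit as origin/main (run `git fetch origin main` first).
at_origin_main() {  # at_origin_main REPO_DIR
  branch=$(git -C "$1" symbolic-ref --short -q HEAD) || return 1
  head=$(git -C "$1" rev-parse --verify -q HEAD) || return 1
  origin=$(git -C "$1" rev-parse --verify -q origin/main) || return 1
  [ "$branch" = main ] && [ "$head" = "$origin" ]
}

# Rewrite only the first version = "..." in FILE through a temp file, so it
# behaves the same with BSD and GNU tools (no `sed -i`, no `0,/re/`).
# Assumption: the module's own version is the first such match in the file.
bump_version() {  # bump_version FILE NEW_VERSION
  valid_version "$2" || return 1
  tmp=$(mktemp) || return 1
  awk -v v="$2" '
    !hit && /version = "[0-9.]*"/ {
      sub(/version = "[0-9.]*"/, "version = \"" v "\""); hit = 1
    }
    { print }' "$1" > "$tmp" && cat "$tmp" > "$1"
  rc=$?
  rm -f "$tmp"
  return "$rc"
}
```

Writing back with `cat "$tmp" > "$1"` instead of `mv` keeps the target file's mode and ownership, since `mktemp` creates the temp file as 0600.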