fix(validate): warn on untagged prepared release, skip private package.json#55
Conversation
…e.json Version files ahead of the newest tag mean a 'chore: release X.Y.Z' commit merged but the tag never shipped (e.g. cancelled release run) — surface it as WARN so the releaser decides whether to tag or roll it into the next version. A 'private': true package.json is local tooling, not a release surface — exclude it from the version-sync check instead of failing every run. Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
Dependency Review✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.Scanned FilesNone |
There was a problem hiding this comment.
Code Review
This pull request updates the pre-release validation script to ignore private package.json files and adds a warning check for when version files are ahead of the latest git tag. The review identified a bug in the version comparison logic where lexicographical sorting could lead to incorrect version identification; a suggestion was provided to use version-aware sorting to ensure the highest version is correctly evaluated.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
…orted sort -u | head -1 picked the lexicographically lowest version when files disagree, which could skip the ahead-of-tag warning. Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
|



What
Two
validate-pre-release.shchanges:chore: release X.Y.Zcommit that merged while the tag never shipped (cancelled tag workflow) leaves the repo in a state no current check surfaces. Compares the synced file version againstgit tag --list 'v[0-9]*' --sort=-v:refname | head -1(semver-aware, only warns when files are ahead)."private": truepackage.json/package-lock.json — local tooling, not a publishable surface; it otherwise FAILs the check on every run in affected repos.Why
Live case (netresearch/t3x-nr-llm, 2026-07-16): version files sat at 0.19.1 with no
v0.19.1tag — the 0.19.1 release run had been cancelled and nobody noticed until the next release. The same repo's private frontendpackage.json(1.0.0) made the sync check permanently red.Verification
Synthetic repo: files 0.2.0 + tag v0.1.0 → WARN fires; files 0.1.0 + tag v0.1.0 → silent. Live nr-llm run: sync check now PASSes (private package.json excluded, 0.20.0 across 2 files).
bash -nclean; shellcheck adds no new findings (SC2034 at line 207 is pre-existing).