Skip to content

fix(validate): warn on untagged prepared release, skip private package.json#55

Merged
CybotTM merged 2 commits into
mainfrom
fix/phantom-release-and-private-pkg
Jul 16, 2026
Merged

fix(validate): warn on untagged prepared release, skip private package.json#55
CybotTM merged 2 commits into
mainfrom
fix/phantom-release-and-private-pkg

Conversation

@CybotTM

@CybotTM CybotTM commented Jul 16, 2026

Copy link
Copy Markdown
Member

What

Two validate-pre-release.sh changes:

  1. New WARN — version files ahead of the latest tag. A chore: release X.Y.Z commit that merged while the tag never shipped (cancelled tag workflow) leaves the repo in a state no current check surfaces. Compares the synced file version against git tag --list 'v[0-9]*' --sort=-v:refname | head -1 (semver-aware, only warns when files are ahead).
  2. Version-sync check skips "private": true package.json/package-lock.json — local tooling, not a publishable surface; it otherwise FAILs the check on every run in affected repos.

Why

Live case (netresearch/t3x-nr-llm, 2026-07-16): version files sat at 0.19.1 with no v0.19.1 tag — the 0.19.1 release run had been cancelled and nobody noticed until the next release. The same repo's private frontend package.json (1.0.0) made the sync check permanently red.

Verification

Synthetic repo: files 0.2.0 + tag v0.1.0 → WARN fires; files 0.1.0 + tag v0.1.0 → silent. Live nr-llm run: sync check now PASSes (private package.json excluded, 0.20.0 across 2 files). bash -n clean; shellcheck adds no new findings (SC2034 at line 207 is pre-existing).

…e.json

Version files ahead of the newest tag mean a 'chore: release X.Y.Z'
commit merged but the tag never shipped (e.g. cancelled release run) —
surface it as WARN so the releaser decides whether to tag or roll it
into the next version. A 'private': true package.json is local tooling,
not a release surface — exclude it from the version-sync check instead
of failing every run.

Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
Copilot AI review requested due to automatic review settings July 16, 2026 19:38
@github-actions github-actions Bot added the skill label Jul 16, 2026
@github-actions

Copy link
Copy Markdown

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the pre-release validation script to ignore private package.json files and adds a warning check for when version files are ahead of the latest git tag. The review identified a bug in the version comparison logic where lexicographical sorting could lead to incorrect version identification; a suggestion was provided to use version-aware sorting to ensure the highest version is correctly evaluated.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread skills/github-release/scripts/validate-pre-release.sh Outdated
…orted

sort -u | head -1 picked the lexicographically lowest version when files
disagree, which could skip the ahead-of-tag warning.

Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
@sonarqubecloud

Copy link
Copy Markdown

@CybotTM
CybotTM merged commit 2b65d6e into main Jul 16, 2026
21 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants