build(release): pre-tag gates + automated post-release bump in cut-release#397
Merged
Conversation
…lease Automate the post-release version bump and gate the tag on the metadata and binary compatibility that a stale README or an accidental break would otherwise slip past. cut-release.ps1: - -PostReleaseOnly now opens the next development line: bumps every train pom to the next patch -SNAPSHOT (idempotent — skipped when already a SNAPSHOT, and when there is no core/pom.xml) and restores the /blob/develop showcase links, leaving the README/showcase install snippets on the just-published release (the version guard requires snippets to advertise the version on Central during a -SNAPSHOT cycle). - Fast pre-tag metadata gate (Step 2b): fails the cut if the CHANGELOG is not dated for the target, the README "Latest stable" prose block does not name it, the README install snippet lags, or a train pom's version is wrong. That prose block has no test guarding it, so this is the only automated guard against tagging with a stale release-status line; a dry run warns on it (the one check needing no mutation). - Binary-compatibility gate (Step 5b): runs japicmp against the published baseline before commit/tag, independent of the PR-time CI gate. Skipped by -SkipVerify and on the legacy 1.x layout. - Post-tag reminders point at the release-smoke suite (post-publish) and the -PostReleaseOnly follow-up. release-process.md: document the new gates and the automated SNAPSHOT bump, the post-publish release-smoke step, and a release-publication failure-recovery table (failed GitHub Release, failed Central validation with the module deploy order, partial publication, stale-tag documentation, and the patch-release criteria). Verified via -DryRun of a full cut and of -PostReleaseOnly, the Assert-ReleaseMetadata regexes against the real CHANGELOG/README, and Get-NextSnapshotVersion across final / patch-carry / pre-release / already-SNAPSHOT inputs. No tag, no publish; project stays on 2.0.1-SNAPSHOT.
Close six release-safety gaps in the cut-release / publish tooling: - Extract the branch / clean-tree (incl. staged) / origin-sync preflight into Assert-BranchPreflight and run it from both a real cut and -PostReleaseOnly, so the post-release path can no longer commit + push from the wrong branch, a dirty tree, or out of sync with origin. - -PostReleaseOnly now runs `mvnw validate` + VersionConsistencyGuardTest after the SNAPSHOT bump, before committing/pushing. The Maven args go through splatted arrays, not inline: the call operator re-tokenizes an inline -Djacoco.skip=true at the dot into a bogus Maven phase. - publish.yml gains a start_at choice input, a plan step, and per-module `if:` guards so a partial Central publication can resume from the first unpublished module. A full re-dispatch always starts at core and Central rejects re-uploading an already-validated coordinate, so it must not be blindly rerun — the recovery doc is corrected to match. - Assert-ReleaseMetadata now fails when the graph-compose README install snippet is missing, not only when its version differs. - New release-script-check.yml runs cut-release.ps1's dry-runs and a unit check of Get-NextSnapshotVersion on any change to the script (the main CI path filters skip it). - Script help text documents that -PostReleaseOnly opens the next SNAPSHOT line. Verified: both dry-runs exit 0; the splat passes -Djacoco.skip=true intact (inline splits it); the publish plan-step start_at logic and the missing-snippet check tested. No tag, no publish; develop stays 2.0.1-SNAPSHOT.
…ale-README check Three release-safety fixes on top of the release-process hardening: - Assert-BranchPreflight now checks the exit code of `git fetch` and both `git rev-parse` calls (capturing before .Trim() so a failure surfaces the real message, not a null-method error). A silently-failed fetch (network/auth) would otherwise compare against a stale origin ref and wrongly report the branch in sync — a real gap for a release script. - publish.yml's deploy planner rejects an unknown start_at: an unrecognised value would leave every module skipped and publish nothing while the job stayed green. Empty (a tag-triggered run) still means "all". - The README "Latest stable" check moves to Step 0, BEFORE any file is mutated (extracted into Test-ReadmeLatestStable). A stale line now aborts with a clean tree instead of failing at Step 2b after Steps 1-2 dirtied the tree — which the next preflight would then refuse to run over. Assert-ReleaseMetadata keeps the post-mutation checks (CHANGELOG date, install snippet, pom versions). release-script-check.yml now runs the real Test-ReadmeLatestStable against the actual README (not just a dry-run print), so the stale-tag guard's regex is exercised in CI. Verified: both dry-runs exit 0; the Step-0 Latest-stable warning fires before Step 1; start_at accepts empty/all/<module> and rejects unknown values; Test-ReadmeLatestStable matches the README's version and rejects a bogus one. No tag, no publish; develop stays 2.0.1-SNAPSHOT.
…heck Two release-safety fixes: - Pre-release path. The script supports X.Y.Z-rc.N / -alpha / -beta, but publish.yml never ships a hyphenated tag to Maven Central — pre-releases go only to the GitHub Release pre-release surface. So gate the Central-facing work on $isFinalRelease = $Version -match '^\d+\.\d+\.\d+$': only a final release checks the README 'Latest stable' block, rewrites the README / module / showcase install snippets, and validates them in Assert-ReleaseMetadata. A pre-release still bumps the train poms (the tag builds at that version) but leaves 'Latest stable' and the Central snippets on the last stable, on-Central version — rewriting them to an RC would advertise a coordinate that 404s for anyone who copies it. VersionConsistencyGuardTest matches: snippets must equal the pom only for a concrete final version; for a -SNAPSHOT or pre-release pom they must equal the latest published release. - Origin-tag check. The check used `git fetch refs/tags/...`, which exits 128 for a legitimately-absent tag (the normal pre-cut case), so its exit code could never distinguish "tag free" from a network failure. Switched to `git ls-remote --tags` (empty output = free; non-zero = network/auth error), so a broken connection can no longer be mistaken for "tag is free". release-script-check.yml adds a 2.1.0-rc.1 dry-run asserting the pre-release path (no 'Latest stable' check, no install-snippet bump). Verified: final (2.0.2) and pre-release (2.1.0-rc.1) dry-runs both exit 0 with the correct split; VersionConsistencyGuardTest 12/12; ls-remote distinguishes an absent tag (exit 0, empty) from a network error. No tag, no publish; develop stays 2.0.1-SNAPSHOT.
…elease notes
Ensure a pre-release (X.Y.Z-rc.N / -alpha / -beta) never reaches Maven Central,
consistent with cut-release.ps1's final-vs-pre-release split.
- publish.yml: a manual workflow_dispatch bypassed the job `if:` (its first operand
is unconditionally true for dispatch), so a dispatched pre-release tag could
publish. Add a first-stage step that rejects any tag not matching ^vX.Y.Z$ (tag is
passed via env, not inlined, to avoid ref-name injection).
- cut-release.ps1: validate the version up front against
^\d+\.\d+\.\d+(-(rc|alpha|beta)\.\d+)?$, so an arbitrary suffix like 2.1.0-preview.1
is rejected rather than silently taken as a pre-release. Only print the "verify
Maven Central" / "smoke published artifacts" reminders for a final release.
- release.yml: a pre-release has no CHANGELOG section of its own, so it now uses the
upcoming final version's notes (NOTES_TAG=${TAG%%-*}) instead of a generic fallback.
- VersionConsistencyGuardTest.latestPublishedRelease(): restrict to a final semver
header (\d+\.\d+\.\d+), so a dated pre-release header is never treated as the
published Central version.
- release-script-check.yml: add a 2.1.0-preview.1 rejection assertion (trapping the
script's terminating throw with try/catch — *>&1 does not catch a throw in-process).
Verified: final (2.0.2) and pre-release (2.1.0-rc.1) dry-runs exit 0; 2.1.0-preview.1
is rejected in-process; VersionConsistencyGuardTest 12/12; the publish tag guard
accepts v2.0.2 and rejects hyphenated/malformed tags; ${TAG%%-*} yields the final
tag; both workflow YAMLs valid. No tag, no publish; develop stays 2.0.1-SNAPSHOT.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
The GA surfaced two release-process gaps. After a release the train poms stay at the release version, so the japicmp gate is a silent no-op until someone manually opens the next
-SNAPSHOT(the gap hit in the japicmp PR — done by hand there). And the README "Latest stable" prose block has no test guarding it, so a tag can be cut while it still names the previous version (the recurring stale-tag-README bug). This hardenscut-release.ps1so the next release can't repeat either.What
scripts/cut-release.ps1-PostReleaseOnlyopens the next development line. It now bumps every train pom to the next patch-SNAPSHOT(via the existingUpdate-PomVersion; idempotent — skipped when already a SNAPSHOT or when there's nocore/pom.xml) and restores the/blob/developshowcase links. It deliberately leaves the README/showcase install snippets on the just-published release —VersionConsistencyGuardTestrequires snippets to advertise the on-Central version during a-SNAPSHOTcycle.-SkipVerifyand on the 1.x layout.-PostReleaseOnlyfollow-up.docs/contributing/release-process.md— documents the new gates, the automated SNAPSHOT bump, the post-publish release-smoke step, and a release-publication failure-recovery table (failed GitHub Release, failed Central validation with the module deploy order, partial publication, stale-tag documentation, and the patch-release criteria).Tests
Verified via
-DryRunof a full cut and of-PostReleaseOnly; theAssert-ReleaseMetadataregexes against the real CHANGELOG/README (matches a dated entry +Latest stable, rejects an undated/stale one, em-dash handled); andGet-NextSnapshotVersionacross final (2.0.0→2.0.1-SNAPSHOT), patch-carry (2.3.9→2.3.10-SNAPSHOT), pre-release (2.0.0-rc.1→skip), and already-SNAPSHOT inputs. A cold review pass ran; its findings (1.x-layout guard, dry-run "Latest stable" preview, baseline precondition, doc scope wording) are applied. No tag, no publish — the project stays on2.0.1-SNAPSHOT.