fix(release): dev builds bump off last-released + correct npm dist-tags#3733
fix(release): dev builds bump off last-released + correct npm dist-tags#3733insipx wants to merge 1 commit into
Conversation
|
Claude finished @insipx's task —— View job PR Review — June 5, 2026, 6:57 PM UTCSummaryThis PR fixes two bugs in the dev release workflow: (1) dev builds now correctly bump version numbers off the last-released version instead of just appending Issues Found1. Critical: Inconsistent ref resolution for dev releases (High severity) When Fix recommendation: Pin dev releases to always use with:
ref: ${{ needs.validate.outputs.release-type == 'dev' && 'main' || needs.validate.outputs.ref }}(Note: This was already identified by Macroscope but is critical enough to emphasize) 2. High: Race condition in nightly-dry-run preview-dev-versions job (Medium-High severity) The Fix recommendation: - uses: actions/checkout@v6
with:
ref: ${{ needs.plan.outputs.sha }} # Use exact SHA from plan
fetch-depth: 03. Medium: Potential version string injection in npm-publish dist-tag logic (Low-Medium severity) The dist-tag computation uses substring matching ( Suggestion: Add a validation step or use explicit regex patterns: if [[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+-nightly\. ]]; then
echo "tag=nightly" >> "$GITHUB_OUTPUT"
elif [[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+-dev\. ]]; then
echo "tag=dev" >> "$GITHUB_OUTPUT"
# ... etc4. Minor: Inconsistent error handling in version computation (Low severity) All SDK release workflows now fail fast with echo "::error::dev resolve called with empty pending version/kind for SDK: android"5. Code quality: Duplicated version resolution logic (Refactoring opportunity) All six SDK release workflows ( Suggestion: Consider extracting this into a composite action or reusable workflow to maintain DRY principle. What Works Well✅ Gateless dev path is correct — dev releases appropriately skip the cross-test gate which is nightly-specific Test CoverageThe PR description mentions that
Recommendation: Consider adding integration tests or at minimum, document the manual verification performed via the fork run. Security ConsiderationsNo significant security issues. The workflows properly use PerformanceNo performance concerns. The changes add minimal overhead (one additional conditional check per workflow). Overall AssessmentThe core fix is sound and addresses real bugs in the dev release flow. The two critical issues (#1 and #2 above) should be addressed before merge to prevent dev releases from computing versions against the wrong commit. The refactoring opportunity (#5) is not blocking but would improve long-term maintainability. Macroscope's approvability verdict of "Needs human review" is appropriate given the unresolved ref-resolution issues. Review completed at 2026-06-05 18:57:03 UTC |
ApprovabilityVerdict: Needs human review 2 blocking correctness issues found. An unresolved high-severity review comment identifies missing output exports ( You can customize Macroscope's approvability policy. Learn more. |
aef33d4 to
457aebd
Compare
Dismissing prior approval to re-evaluate 457aebd
A workflow_dispatch 'dev' release published the already-shipped version under
the wrong npm dist-tag (e.g. @xmtp/node-sdk 6.0.0-dev.<sha> tagged 'prerelease'
instead of 6.1.0-dev.<sha> tagged 'dev').
Bug 1 — dev did not bump. After xmtp-js merged in, independent-track SDK
manifests on main hold the last-released version (node-sdk=6.0.0,
browser-sdk=7.0.0, ios/android=4.10.0), not a next-target. The dev path called
'compute-version --release-type dev', which only appends '-dev.<sha>' to that
base (no bump). The nightly path already solves this via the git-cliff oracle +
resolve-sdk-version; route dev through the same path:
- add a 'gate' input to release-gate-plan.yml (default true); dev runs it
gateless (the cross-test gate is a nightly-only correctness gate)
- run the plan job for dev too; widen the release-* if-gating so dev runs when
the plan succeeded and there is something pending
- change the dev branch of all 6 release-*.yml compute steps from
compute-version to resolve-sdk-version (mirrors the nightly branch)
rc/final are unaffected (they run from release/* branches with pre-bumped
manifests). Bindings (still 1.11.0-dev in-manifest) are unchanged.
Bug 2 — wrong npm dist-tag. npm-publish.yml bucketed dev+rc into 'prerelease';
now nightly->nightly, -dev->dev, -rc->rc, else->latest.
nightly-dry-run.yml gains a release-type input (nightly|dev); the dev path
previews the gateless oracle + resolve-sdk-version per SDK (no publish jobs).
Verified end-to-end via nightly-dry-run on a fork: oracle 1.11.0/minor ->
node-sdk 6.1.0-dev, browser 7.1.0-dev, ios/android 4.11.0-dev, bindings
1.11.0-dev (unchanged).
457aebd to
6d9d746
Compare
|
Addressed the review feedback (head now Macroscope blocker — dead Claude review — SHA drift in the dev dry-run preview (FIXED). Doc clarity (FIXED). Updated the Re-verified end-to-end on a fork after the rebase (run): oracle Left as non-blocking (out of scope for this fix): the theoretical |
Problem
A
workflow_dispatchdev release published the already-shipped version under the wrong npm dist-tag — e.g.@xmtp/node-sdk 6.0.0-dev.<sha>taggedprerelease, when it should be6.1.0-dev.<sha>taggeddev.Bug 1 — dev didn't bump
After xmtp-js merged into the monorepo, the independent-track SDK manifests on
mainnow hold the last-released version (node-sdk=6.0.0, browser-sdk=7.0.0, ios/android=4.10.0), not the old "next-target in manifest" convention. The dev path calledxmtp-release compute-version --release-type dev, which only appends-dev.<sha>to the manifest base (no bump) → it previews the already-shipped version.The nightly path already solves this: run the git-cliff "plan" oracle to compute the pending
{version, kind}, thenresolve-sdk-version(applies the pending bump kind to an independent SDK's own base; uses the pending libxmtp version for follows-libxmtp). This PR routes dev through the same path:gateinput torelease-gate-plan.yml(defaulttrue); dev runs it gateless — the cross-test gate is a nightly-only correctness gate and must not block dev.planjob fordevtoo; widen the sixrelease-*if:clauses so dev runs when the plan succeeded and there is something pending (nothing-pending != 'true').devbranch of all 6release-*.yml"Compute version" steps fromcompute-versiontoresolve-sdk-version(mirrors the existing nightly branch, including the empty-pending guard).rc/final are unaffected — they run from
release/*branches wherecreate-release-branchpre-bumps the manifests, socompute-versionis already correct there. Bindings (node/wasm + Cargo, still1.11.0-devin-manifest) are unchanged.Bug 2 — wrong npm dist-tag
npm-publish.ymlbucketed both*dev*and*rc*intoprerelease. Now each prerelease channel gets its own dist-tag: nightly→nightly,-dev→dev,-rc→rc, else→latest(matches the old xmtp-jsdevdist-tag).Scope
YAML only — no TypeScript change. The lib (
resolveSdkVersion) already handledreleaseType: "dev"correctly.Verification
nightly-dry-run.ymlgains arelease-typeinput (nightly|dev); the dev path previews the gateless oracle +resolve-sdk-versionper SDK and prints the versions — no publish/tag jobs exist, so it structurally cannot mutate any registry.Ran it end-to-end on a fork. Oracle returned
1.11.0/minor; resolved dev versions:6.1.0-dev.<sha>(was6.0.0-dev)7.1.0-dev.<sha>4.11.0-dev.<sha>1.11.0-dev.<sha>(unchanged — no regression)Plus:
release-tools172 tests pass, typecheck clean, all 10 workflow YAMLs parse.🤖 Generated with Claude Code
Note
Fix dev release builds to bump off last-released version and use correct npm dist-tags
xmtp-release resolve-sdk-version(instead ofcompute-version) across all SDK platforms (Android, iOS, Node, WASM, Browser), deriving the dev version from the pending libxmtp version/kind; each job fails early if those inputs are absent.devfor-devversions andrcfor-rcversions, replacing the sharedprereleasetag used previously.gateboolean input (defaulttrue); dev releases passgate=falseto skip cross-test evaluation.release-typeinput (nightly|dev) and apreview-dev-versionsjob that resolves and displays per-SDK dev versions in the job summary.-devand-rcnpm packages that previously shared theprereleasedist-tag are now tagged separately asdevandrc.Macroscope summarized 6d9d746.