Skip to content

Commit 6221942

Browse files
committed
chore(release): make just set-version bump Cargo + npm + all lockfiles
just set-version now updates every workspace crate and the root Cargo.lock, the excluded extended_runtime fixture Cargo.lock, and the npm main package, 3 platform packages, optionalDependencies and package-lock.json in one atomic step, so a version bump cannot leave a stale lockfile that breaks CI (cargo --locked and npm ci --omit=optional). Add a check-fixture-lock recipe wired into test-native-modules to fail fast on fixture-lock drift instead of a cryptic poisoned-LazyLock panic. Rewrite docs/release.md to match the real flow: pushing a vX.Y.Z tag triggers CreateRelease.yml, which creates the release branch and publishes to crates.io and npm via OIDC trusted publishing; use just set-version for bumps. Signed-off-by: Simon Davies <simongdavies@users.noreply.github.com>
1 parent fa79912 commit 6221942

2 files changed

Lines changed: 69 additions & 25 deletions

File tree

Justfile

Lines changed: 46 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -178,7 +178,7 @@ test-js-host-api target=default-target features="": (build-js-host-api target fe
178178
# Base path to the extended runtime fixture target directory
179179
extended_runtime_target := replace(justfile_dir(), "\\", "/") + "/src/hyperlight-js-runtime/tests/fixtures/extended_runtime/target/x86_64-hyperlight-none"
180180

181-
test-native-modules target=default-target: (ensure-tools) (_test-native-modules-unit target) (_test-native-modules-build-guest target) (_test-native-modules-vm target) (_test-native-modules-restore target)
181+
test-native-modules target=default-target: (ensure-tools) (check-fixture-lock) (_test-native-modules-unit target) (_test-native-modules-build-guest target) (_test-native-modules-vm target) (_test-native-modules-restore target)
182182

183183
[private]
184184
_test-native-modules-unit target=default-target:
@@ -200,6 +200,51 @@ _test-native-modules-restore target=default-target:
200200
@echo "Rebuilding hyperlight-js with default guest runtime..."
201201
cd src/hyperlight-js && cargo build --profile={{ if target == "debug" {"dev"} else { target } }}
202202

203+
# ── Version bumping & fixture-lock consistency ──────────────────────────────
204+
# The extended_runtime test fixture is a separate `[workspace]` that is excluded
205+
# from the root workspace (see the root Cargo.toml `exclude`), so it keeps its
206+
# OWN committed Cargo.lock. `cargo set-version` bumps the workspace crates + the
207+
# root lock but cannot reach the excluded fixture, leaving its lock pinning the
208+
# old version — which then fails the native_modules `--locked` build. These two
209+
# recipes keep them in lockstep.
210+
211+
# Bump the version of EVERYTHING in lockstep so a release PR can't end up in a
212+
# half-bumped, CI-breaking state. In one step this updates:
213+
# * all workspace crates + the root Cargo.lock (via cargo-edit)
214+
# * the excluded extended_runtime fixture's own Cargo.lock (cargo can't reach it)
215+
# * the npm main package, the 3 platform packages, and their optionalDependencies
216+
# * the npm package-lock.json (regenerated; the not-yet-published platform
217+
# optionals are omitted, matching CI's `npm ci --omit=optional`)
218+
# Requires cargo-edit (`cargo install cargo-edit`). ALWAYS use this instead of a
219+
# bare `cargo set-version` / `npm version` when preparing a release.
220+
set-version version:
221+
# Rust: workspace crates + root lock, then the excluded fixture lock
222+
cargo set-version {{ version }}
223+
cargo update \
224+
--manifest-path src/hyperlight-js-runtime/tests/fixtures/extended_runtime/Cargo.toml \
225+
-p hyperlight-js-runtime -p hyperlight-js-common
226+
# npm: main + the 3 platform package.json versions (--ignore-scripts avoids needing node_modules)
227+
cd src/js-host-api && npm version {{ version }} --no-git-tag-version --allow-same-version --ignore-scripts
228+
cd src/js-host-api/npm/linux-x64-gnu && npm version {{ version }} --no-git-tag-version --allow-same-version --ignore-scripts
229+
cd src/js-host-api/npm/linux-x64-musl && npm version {{ version }} --no-git-tag-version --allow-same-version --ignore-scripts
230+
cd src/js-host-api/npm/win32-x64-msvc && npm version {{ version }} --no-git-tag-version --allow-same-version --ignore-scripts
231+
# npm: point the main package's optionalDependencies at the new version
232+
cd src/js-host-api && npm pkg set \
233+
"optionalDependencies.@hyperlight-dev/js-host-api-linux-x64-gnu={{ version }}" \
234+
"optionalDependencies.@hyperlight-dev/js-host-api-linux-x64-musl={{ version }}" \
235+
"optionalDependencies.@hyperlight-dev/js-host-api-win32-x64-msvc={{ version }}"
236+
# npm: regenerate package-lock.json so `npm ci --omit=optional` stays in sync
237+
cd src/js-host-api && npm install --package-lock-only --omit=optional --ignore-scripts
238+
239+
# Fail fast if the excluded fixture lock has drifted from the workspace version.
240+
# Without this, drift only surfaces as a cryptic poisoned-LazyLock panic inside
241+
# the native_modules unit tests. Fix drift with `just set-version <version>`.
242+
# Wired into `test-native-modules` so CI catches it before the confusing failure.
243+
check-fixture-lock:
244+
cargo metadata --locked --format-version 1 \
245+
--manifest-path src/hyperlight-js-runtime/tests/fixtures/extended_runtime/Cargo.toml \
246+
{{ if os() == "windows" { "> $null" } else { "> /dev/null" } }}
247+
203248
# Run js-host-api examples (simple.js, calculator.js, unload.js, interrupt.js, cpu-timeout.js, host-functions.js)
204249
run-js-host-api-examples target=default-target features="": (build-js-host-api target features)
205250
@echo "Running js-host-api examples..."

docs/release.md

Lines changed: 23 additions & 24 deletions
Original file line numberDiff line numberDiff line change
@@ -1,29 +1,36 @@
11
# Create a new hyperlight-js release
22

3-
This document details the process of releasing a new version of hyperlight-js to [crates.io](https://crates.io/). It's intended to be used as a checklist for the developer doing the release. The checklist is represented in the below sections.
3+
This document details the process of releasing a new version of hyperlight-js to [crates.io](https://crates.io/) and [npmjs.com](https://www.npmjs.com/). It's intended to be used as a checklist for the developer doing the release.
44

5-
## Update cargo.toml Versions
5+
## Update versions
66

7-
The first step in the release process is to update the version numbers of the crates you are releasing.
7+
The first step in the release process is to bump the version numbers the Rust crates **and** the npm packages — keeping them all in sync.
88

9-
Update the `version` field in the `[workspace.package]` section of the root `Cargo.toml`, as well as the `hyperlight-js-runtime` entry in `[workspace.dependencies]`.
9+
Do this with the `just set-version` recipe. **Always use this instead of bumping by hand** (`cargo set-version`, `npm version`, editing `package.json`): piecemeal bumps are exactly what leaves a lockfile stale and breaks CI mid-release. In one step it updates:
1010

11-
The easiest way to do this is with the `cargo-edit` crate, which provides a `cargo set-version` command. Install it with:
11+
- every workspace crate's `version` and the root `Cargo.lock`,
12+
- the excluded `extended_runtime` fixture's own `Cargo.lock` (a bare `cargo set-version` can't reach it, and a stale one fails the `native_modules --locked` build),
13+
- the npm main package, the three platform packages, and their `optionalDependencies`,
14+
- `src/js-host-api/package-lock.json` (a stale one fails `npm ci` in the publish job).
15+
16+
It uses `cargo set-version` from the `cargo-edit` crate under the hood, so install that first:
1217

1318
```console
1419
cargo install cargo-edit
1520
```
1621

17-
Then update the version number:
22+
Then bump everything:
1823

1924
```console
20-
cargo set-version 0.18.0
25+
just set-version 0.18.0
2126
```
2227

23-
For simplicity, we keep the version number consistent across all crates in the repository.
28+
We keep the version number consistent across all crates and npm packages in the repository.
2429

2530
Create a PR with these changes and merge it into the `main` branch.
2631

32+
> **Note:** The `CreateRelease` workflow *also* sets the npm packages to the tag's version at publish time (via `npm version`), so the published artifacts always match the tag regardless. Bumping them in the repo with `just set-version` is what keeps `npm ci` from failing *during* the release — don't skip it.
33+
2734
## Create a tag
2835

2936
When the `main` branch has reached a state in which you want to release a new Cargo version, you should create a tag. Although you can do this from the GitHub releases page, we currently recommend doing the tag from the command line. Do so with the following commands:
@@ -36,26 +43,18 @@ git push origin v0.18.0 # if you've named your git remote for the hyperlight-dev
3643
>Note: we'll use `v0.18.0` as the version for the above and all subsequent instructions. You should replace this with the version you're releasing. Make sure your version follows [SemVer](https://semver.org) conventions as closely as possible, and is prefixed with a `v` character. *In particular do not use a patch version unless you are patching an issue in a release branch, releases from main should always be minor or major versions*.
3744
If you are creating a patch release see the instructions [here](#patching-a-release).
3845

39-
## Create a release branch (no manual steps)
40-
41-
After you push your new tag in the previous section, the ["Create a Release Branch"](https://github.com/hyperlight-dev/hyperlight-js/blob/main/.github/workflows/CreateReleaseBranch.yml) CI job will automatically run. When this job completes, a new `release/v0.18.0` branch will be automatically created for you.
42-
43-
## Create a new GitHub release and publish the crates
44-
45-
After the previous CI job runs to create the new release branch, go to the ["Create a Release"](https://github.com/hyperlight-dev/hyperlight-js/actions/workflows/CreateRelease.yml) Github actions workflow and do the following:
46-
1. Click the "Run workflow" button near the top right
47-
1. In the Use workflow from dropdown, select the `release/v0.18.0` branch
48-
1. Click the green **Run workflow** button
49-
50-
When this job is done, a new [GitHub release](https://github.com/hyperlight-dev/hyperlight-js/releases) will be created for you.
46+
## What happens when you push the tag
5147

52-
This release contains the benchmark results and the source code for the release along with automatically generated release notes.
48+
Pushing a `vX.Y.Z` tag is the **only** manual trigger you need — you do **not** run any workflow by hand. The tag push starts the ["Create a Release"](https://github.com/hyperlight-dev/hyperlight-js/actions/workflows/CreateRelease.yml) workflow ([`CreateRelease.yml`](https://github.com/hyperlight-dev/hyperlight-js/blob/main/.github/workflows/CreateRelease.yml)), which reads the version from the tag and then does everything else automatically:
5349

54-
In addition, the hyperlight-js crates will be published to crates.io in dependency order (`hyperlight-js-common``hyperlight-js-runtime``hyperlight-js`). You can verify this by going to the [hyperlight-js page on crates.io](https://crates.io/crates/hyperlight-js) and checking that the new version is listed.
50+
1. **Creates the release branch** — a `release/v0.18.0` branch is created and pushed for you.
51+
2. **Creates the GitHub release** — a new [GitHub release](https://github.com/hyperlight-dev/hyperlight-js/releases) is published with automatically generated release notes and the benchmark results attached.
52+
3. **Publishes the crates to crates.io** — in dependency order (`hyperlight-js-common``hyperlight-js-runtime``hyperlight-js`). Verify on the [hyperlight-js page on crates.io](https://crates.io/crates/hyperlight-js).
53+
4. **Publishes the npm packages to npmjs.com**`@hyperlight-dev/js-host-api` and its platform-specific binary packages, with their versions set from the tag. Verify on the [npmjs.com package page](https://www.npmjs.com/package/@hyperlight-dev/js-host-api).
5554

56-
The npm packages (`@hyperlight-dev/js-host-api` and platform-specific binaries) are also published automatically as part of this workflow. Publishing uses [npm trusted publishing (OIDC)](https://docs.npmjs.com/trusted-publishers) no `NPM_TOKEN` secret is needed for the `CreateRelease` workflow. Provenance attestations are generated automatically.
55+
Both crates.io and npm publishing use trusted publishing (OIDC), so no `NPM_TOKEN` or crates.io token secret is needed for the `CreateRelease` workflow. Provenance attestations are generated automatically for the npm packages.
5756

58-
You can verify the npm publish by checking the [npmjs.com package page](https://www.npmjs.com/package/@hyperlight-dev/js-host-api).
57+
> **Note:** Only a `vX.Y.Z` **tag** push triggers a real release. Pushing to `main`, or running the workflow manually with **Run workflow**, performs a **dry run** — it builds and validates everything but publishes nothing.
5958
6059
### npm trusted publishing setup
6160

0 commit comments

Comments
 (0)