
feat: pin the Kosli CLI to a major or minor version#24

Merged
AlexKantor87 merged 3 commits into main from major-version-pinning on Jun 23, 2026

Conversation

@AlexKantor87

Contributor

What

setup-cli-action could only install an exact CLI version or latest. This adds a third option: pin the CLI to a major (or minor) line and pick up every update within it, without ever rolling onto the next breaking major.

  • version: "2" resolves to the newest stable 2.x release
  • version: "2.11" resolves to the newest stable 2.11.z release

- uses: kosli-dev/setup-cli-action@v5
  with:
    version: "2"   # newest stable 2.x, never 3.x

How

  • src/download.js: a partial spec lists kosli-dev/cli releases, drops drafts and pre-releases, and picks the highest match numerically (so 2.27.3 beats 2.9.0), never crossing into a higher major.
  • latest and exact pins are unchanged. Exact pins stay API-free; a partial pin uses the GitHub API like latest already does, through the existing retry wrapper.
  • Purely additive, so it ships as a v5 minor and every @v5 consumer picks it up automatically.

Heads up for users

Quote partial versions in YAML: version: 2.10 unquoted is parsed as the float 2.1. Documented in the README.

Tests

  • New ava cases cover major and major.minor resolution, pre-release/draft exclusion, numeric ordering, and the no-match error. Full suite green (33 tests).
  • CI matrix now exercises "2" and "2.11" end to end; the pinned-version check fails if an install ever crosses a major.

Tracking: kosli-dev/server#5996

The version input now accepts a partial version in addition to an exact semver and latest: "2" resolves to the newest stable 2.x release and "2.11" to the newest stable 2.11.z. A partial pin lists kosli-dev/cli releases, ignores drafts and pre-releases, and picks the highest match numerically, so it never crosses into the next major. latest and exact pins are unchanged; exact pins stay API-free.

Refs kosli-dev/server#5996

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@AlexKantor87 AlexKantor87 requested a review from a team as a code owner June 23, 2026 09:07
AlexKantor87 and others added 2 commits June 23, 2026 10:09
kosli version --short prints a v-prefixed string (v2.11.27); the stricter equality/prefix check must normalise it. The resolver and download path are unaffected.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…or-pin test

- action.yml: document the "2" / "2.11" partial-pin forms on the version
  input, and note that a major/minor pin also consumes github-token. The
  README already documented both; the action metadata had drifted.
- test: assert a major pin stays on major 2 (not just !startsWith("3.")),
  and add a higher major (v10.0.0) to the fixture so the never-cross-major
  property is genuinely exercised rather than coincidentally satisfied.

Addresses review nits on #24.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@AlexKantor87

Contributor Author

Ran a detailed multi-agent review over this before merging: seven dimensions (resolution correctness, input edge cases, tests, the CI workflow, packaging/release, docs, and security), with every finding independently re-checked by a second pass to weed out false positives. Short version: the resolution logic holds up really well and it's correctly shipped as a v5 minor. No blocker or major issues, just three small consistency nits, all now fixed.

Fixed in c223b65

  • action.yml: the version input description only mentioned latest, so I've documented the "2" and "2.11" partial-pin forms to match the README.
  • action.yml: the github-token description still said it was only used for latest. Partial pins hit the API too now, so I've aligned the wording.
  • test/download.test.js: the "never cross a major" test only asserted !startsWith("3."), which a regression to a lower wrong major would have slipped past. It now asserts the resolved major is 2, and I've added a higher major (v10.0.0) to the fixture so the property is genuinely exercised rather than coincidentally satisfied.

Considered, deliberately left alone

  • The downloaded CLI tarball still isn't checksum or signature verified. That's pre-existing and out of scope here, but worth its own hardening ticket given our supply-chain focus.
  • The "Capture kosli version installed" step has some pre-existing cruft (an unused export and an echo "\n" that writes a literal \n). It's harmless because the verify step reads .splitlines()[0], so I've left it for a separate tidy-up rather than widening this diff.
  • A few other things came up and were ruled out as non-issues. The partial-pin path lists the full release history rather than making a single call, but that's a handful of requests against a 1000/hr quota and the version is author-controlled, so there's no real rate-limit or abuse concern. The YAML float trap (2.10 parsed as 2.1) is already mitigated by the README warning and the quoted examples, and it can't be fixed in code anyway.

Tests are green locally (33) and CI's re-running on the new head. Happy to merge once it's green.
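The resolution rule from the description (stable releases only, numeric ordering, never leaving the pinned line) together with the stricter post-install check from the review comment (installed major must equal the pinned major, not merely avoid a `3.` prefix), as an added example in the project's language. This is not the action's own `src/download.js`; the release list is a constructed fixture shaped like the GitHub releases API, and the function names are assumptions.

```javascript
// Constructed fixture shaped like the GitHub releases API (only the fields used here).
const RELEASES = [
  { tag_name: "v2.9.0",   draft: false, prerelease: false },
  { tag_name: "v2.27.3",  draft: false, prerelease: false },
  { tag_name: "v2.11.27", draft: false, prerelease: false },
  { tag_name: "v2.11.30", draft: false, prerelease: true },  // pre-release, skipped
  { tag_name: "v2.28.0",  draft: true,  prerelease: false }, // draft, skipped
  { tag_name: "v3.0.0",   draft: false, prerelease: false },
  { tag_name: "v10.0.0",  draft: false, prerelease: false }, // higher major, must never be chosen
];

// Strip the optional leading "v" so "v2.11.27" (kosli version --short) equals "2.11.27".
function normaliseVersion(v) {
  return String(v).trim().replace(/^v/, "");
}

// Parse "MAJOR.MINOR.PATCH" into numbers; null for anything else (e.g. "2.12.0-rc1").
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(normaliseVersion(v));
  return m ? m.slice(1).map(Number) : null;
}

// Numeric comparison, so [2,27,3] sorts above [2,9,0] (string order would not).
function compareSemver(a, b) {
  return a[0] - b[0] || a[1] - b[1] || a[2] - b[2];
}

// Resolve "2" or "2.11" to the highest stable release whose leading components all
// match the pin; drafts and pre-releases are dropped. Throws when nothing matches.
function resolvePartialPin(pin, releases) {
  const want = pin.split(".").map(Number);
  if (want.length > 2 || want.some((n) => !Number.isInteger(n) || n < 0)) {
    throw new Error(`not a partial version pin: ${pin}`);
  }
  let best = null;
  for (const r of releases) {
    if (r.draft || r.prerelease) continue;
    const sv = parseSemver(r.tag_name);
    if (!sv || !want.every((n, i) => sv[i] === n)) continue; // stays inside the pinned line
    if (!best || compareSemver(sv, best) > 0) best = sv;
  }
  if (!best) throw new Error(`no stable release matches ${pin}`);
  return best.join(".");
}

// Stricter check: the installed major equals the pinned major (catches v10 and v1 alike).
function installedMatchesPin(pin, installedOutput) {
  const sv = parseSemver(installedOutput);
  return sv !== null && sv[0] === Number(pin.split(".")[0]);
}
```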

@mbevc1 mbevc1 self-requested a review June 23, 2026 10:28
@AlexKantor87 AlexKantor87 merged commit 36ce997 into main Jun 23, 2026
12 checks passed
@AlexKantor87 AlexKantor87 deleted the major-version-pinning branch June 23, 2026 10:59