Skip to content

fix(release): land version bumps on main, undraft last, surface silent registry failures#64

Merged
Aayam Bansal (aayambansal) merged 1 commit into
mainfrom
fix/release-pipeline
Jul 5, 2026
Merged

fix(release): land version bumps on main, undraft last, surface silent registry failures#64
Aayam Bansal (aayambansal) merged 1 commit into
mainfrom
fix/release-pipeline

Conversation

@aayambansal

Copy link
Copy Markdown
Member

Fixes #27. Fixes #29. Fixes #31. Fixes #33. Addresses the code side of #26 and #28.

Release-pipeline batch:

Orphaned release commits (#26): the release push ran git push origin HEAD --tags under .nothrow(). Branch protection rejects the branch ref, tags slip through, and nothing fails — so every release commit is orphaned (v1.2.4 is not an ancestor of main) and main's package versions are permanently stale. Now the tag is pushed explicitly, the main push is attempted, and on rejection the script pushes a release/vX.Y.Z branch and opens a release PR so the bumps land through the normal checks. (The remaining half of #26 is a repo-settings decision: add the workflow identity as a bypass actor if direct pushes are preferred.)

Cherry-pick landmine (#27): git cherry-pick HEAD..origin/dev is gone. No dev branch exists; the day one appeared, every release would have shipped its commits unreviewed.

Homebrew (#29): org slug corrected to synthetic-sciences, the tap push now uses a dedicated HOMEBREW_TAP_TOKEN (the workflow's github.token is repo-scoped and can never push to the tap), and both the missing-token and failure paths emit ::warning:: annotations instead of a swallowed console.warn. Needs the HOMEBREW_TAP_TOKEN secret (fine-grained PAT with push to the tap repo) to actually start working — and the tap repo to exist.

Release goes public too early (#31): gh release edit --draft=false moved from before the npm publishes to after all of them succeed, so releases/latest (which the install script resolves) can't get ahead of npm. On failure the release stays draft and the run says so.

Dispatch footguns (#33): single concurrency group (a patch and a minor dispatch used to run concurrently and race on tags), and an empty dispatch now fails fast instead of publishing 0.0.0-main-<sha> to npm as a production deployment. The deployment record is also guarded to real releases and points at the release tag instead of the pre-release sha.

Launcher visibility (#28, partial): the E403 and already-on-registry downgrades now emit workflow annotations on the run summary. The root cause (npm ownership of synsci) still needs npm owner add <token-account> synsci — leaving #28 open for that.

…t registry failures

- drop the origin/dev cherry-pick landmine (no dev branch exists; if one
  ever appeared, every release would ship its commits unreviewed)
- push the release tag explicitly, then try main; when branch protection
  rejects the push (previously swallowed by .nothrow, leaving every
  release commit orphaned and main's versions stale), open a release PR
  instead
- undraft the GitHub release only after all npm publishes succeed, so
  releases/latest (which the install script resolves) can't get ahead of
  npm
- launcher E403/already-published downgrades now emit workflow
  annotations instead of log lines nobody reads on a green run
- homebrew tap: correct org slug, use a dedicated HOMEBREW_TAP_TOKEN
  (github.token can't push cross-repo), annotate on failure
- publish workflow: single concurrency group (patch+minor dispatches
  raced), fail fast on an empty dispatch (previously published a
  0.0.0-main preview as production), record the deployment against the
  release tag and skip it for previews
@vercel

vercel Bot commented Jul 5, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
openscience Ready Ready Preview, Comment Jul 5, 2026 11:15am

Request Review

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment