mirror of
https://github.com/paperclipai/paperclip
synced 2026-05-05 22:52:06 +02:00
29401b231b
## Thinking Path > - Paperclip is a control plane for autonomous agent companies, so its release automation is part of the core operator trust boundary. > - The affected subsystem is npm/GitHub Actions release publishing for the public monorepo packages. > - The concrete failure was that a newly added package reached `master`, the canary workflow attempted its first publish, and npm trusted publishing was not yet bootstrapped for that package. > - That means the problem is not just one broken run; it is a missing pre-merge guard that lets release-ineligible packages land and only fail once `publish_canary` runs. > - This pull request makes release enrollment explicit, validates that enrollment in CI, and adds a PR-time bootstrap check against npm for changed release-enabled package manifests. > - The result is that we keep trusted publishing, avoid teaching CI to `npm adduser`, and move this class of failure from post-merge canary time to pre-merge review time. ## What Changed - Added `scripts/release-package-manifest.json` so release-managed public packages are explicitly enrolled instead of being inferred from every non-private workspace package. - Hardened `scripts/release-package-map.mjs` to validate the manifest before release workflows rewrite versions or assemble publish payloads. - Added `scripts/check-release-package-bootstrap.mjs` and wired it into `.github/workflows/pr.yml` so PRs that change a release-enabled package manifest fail if that package does not already exist on npm. - Added release-package manifest coverage tests to `scripts/release-package-map.test.mjs` and included them in `pnpm run test:release-registry`. - Wired manifest validation into `.github/workflows/release.yml` and documented the first-publish bootstrap policy in `doc/PUBLISHING.md` and `doc/RELEASE-AUTOMATION-SETUP.md`. ## Verification - `pnpm run test:release-registry` - `./scripts/release.sh canary --skip-verify --dry-run` - Confirmed the committed diff contains no obvious PII/secrets via targeted pattern scan before pushing. ## Risks - Low risk overall: this is CI/release-policy code, not product runtime logic. - The new PR bootstrap check depends on npm metadata availability, so a transient npm outage could block a PR that changes a release-enabled package manifest. - The manifest introduces a new source of truth that must stay aligned with public package additions, but that is intentional and now enforced. ## Model Used - OpenAI Codex via the `codex_local` Paperclip adapter; GPT-5-based coding agent with tool use, terminal execution, git, and GitHub CLI. Exact served model ID/context window are not exposed by the local runtime. ## Checklist - [x] I have included a thinking path that traces from project context to this change - [x] I have specified the model used (with version and capability details) - [x] I have checked ROADMAP.md and confirmed this PR does not duplicate planned core work - [x] I have run tests locally and they pass - [x] I have added or updated tests where applicable - [x] If this change affects the UI, I have included before/after screenshots - [x] I have updated relevant documentation to reflect my changes - [x] I have considered and documented any risks above - [x] I will address all Greptile and reviewer comments before requesting merge
274 lines
7.0 KiB
YAML
274 lines
7.0 KiB
YAML
name: Release
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- master
|
|
workflow_dispatch:
|
|
inputs:
|
|
source_ref:
|
|
description: Commit SHA, branch, or tag to publish as stable
|
|
required: true
|
|
type: string
|
|
default: master
|
|
stable_date:
|
|
description: Enter a UTC date in YYYY-MM-DD format, for example 2026-03-18. Do not enter a version string. The workflow will resolve that date to a stable version such as 2026.318.0, then 2026.318.1 for the next same-day stable.
|
|
required: false
|
|
type: string
|
|
dry_run:
|
|
description: Preview the stable release without publishing
|
|
required: true
|
|
type: boolean
|
|
default: false
|
|
|
|
concurrency:
|
|
group: release-${{ github.event_name }}-${{ github.ref }}
|
|
cancel-in-progress: false
|
|
|
|
jobs:
|
|
verify_canary:
|
|
if: github.event_name == 'push'
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 30
|
|
permissions:
|
|
contents: read
|
|
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Setup pnpm
|
|
uses: pnpm/action-setup@v4
|
|
with:
|
|
version: 9.15.4
|
|
|
|
- name: Setup Node.js
|
|
uses: actions/setup-node@v4
|
|
with:
|
|
node-version: 24
|
|
cache: pnpm
|
|
|
|
- name: Validate release package manifest
|
|
run: node ./scripts/release-package-map.mjs check
|
|
|
|
- name: Install dependencies
|
|
run: pnpm install --no-frozen-lockfile
|
|
|
|
- name: Typecheck
|
|
run: pnpm -r typecheck
|
|
|
|
- name: Run tests
|
|
run: pnpm test:run
|
|
|
|
- name: Build
|
|
run: pnpm build
|
|
|
|
publish_canary:
|
|
if: github.event_name == 'push'
|
|
needs: verify_canary
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 45
|
|
environment: npm-canary
|
|
permissions:
|
|
contents: write
|
|
id-token: write
|
|
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Setup pnpm
|
|
uses: pnpm/action-setup@v4
|
|
with:
|
|
version: 9.15.4
|
|
|
|
- name: Setup Node.js
|
|
uses: actions/setup-node@v4
|
|
with:
|
|
node-version: 24
|
|
cache: pnpm
|
|
|
|
- name: Validate release package manifest
|
|
run: node ./scripts/release-package-map.mjs check
|
|
|
|
- name: Install dependencies
|
|
run: pnpm install --no-frozen-lockfile
|
|
|
|
- name: Restore tracked install-time changes
|
|
run: git checkout -- pnpm-lock.yaml
|
|
|
|
- name: Configure git author
|
|
run: |
|
|
git config user.name "github-actions[bot]"
|
|
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
|
|
|
|
- name: Publish canary
|
|
env:
|
|
GITHUB_ACTIONS: "true"
|
|
run: ./scripts/release.sh canary --skip-verify
|
|
|
|
- name: Push canary tag
|
|
run: |
|
|
tag="$(git tag --points-at HEAD | grep '^canary/v' | head -1)"
|
|
if [ -z "$tag" ]; then
|
|
echo "Error: no canary tag points at HEAD after release." >&2
|
|
exit 1
|
|
fi
|
|
git push origin "refs/tags/${tag}"
|
|
|
|
verify_stable:
|
|
if: github.event_name == 'workflow_dispatch'
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 30
|
|
permissions:
|
|
contents: read
|
|
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
ref: ${{ inputs.source_ref }}
|
|
|
|
- name: Setup pnpm
|
|
uses: pnpm/action-setup@v4
|
|
with:
|
|
version: 9.15.4
|
|
|
|
- name: Setup Node.js
|
|
uses: actions/setup-node@v4
|
|
with:
|
|
node-version: 24
|
|
cache: pnpm
|
|
|
|
- name: Validate release package manifest
|
|
run: node ./scripts/release-package-map.mjs check
|
|
|
|
- name: Install dependencies
|
|
run: pnpm install --no-frozen-lockfile
|
|
|
|
- name: Typecheck
|
|
run: pnpm -r typecheck
|
|
|
|
- name: Run tests
|
|
run: pnpm test:run
|
|
|
|
- name: Build
|
|
run: pnpm build
|
|
|
|
preview_stable:
|
|
if: github.event_name == 'workflow_dispatch' && inputs.dry_run
|
|
needs: verify_stable
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 45
|
|
permissions:
|
|
contents: read
|
|
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
ref: ${{ inputs.source_ref }}
|
|
|
|
- name: Setup pnpm
|
|
uses: pnpm/action-setup@v4
|
|
with:
|
|
version: 9.15.4
|
|
|
|
- name: Setup Node.js
|
|
uses: actions/setup-node@v4
|
|
with:
|
|
node-version: 24
|
|
cache: pnpm
|
|
|
|
- name: Validate release package manifest
|
|
run: node ./scripts/release-package-map.mjs check
|
|
|
|
- name: Install dependencies
|
|
run: pnpm install --no-frozen-lockfile
|
|
|
|
- name: Dry-run stable release
|
|
env:
|
|
GITHUB_ACTIONS: "true"
|
|
run: |
|
|
args=(stable --skip-verify --dry-run)
|
|
if [ -n "${{ inputs.stable_date }}" ]; then
|
|
args+=(--date "${{ inputs.stable_date }}")
|
|
fi
|
|
./scripts/release.sh "${args[@]}"
|
|
|
|
publish_stable:
|
|
if: github.event_name == 'workflow_dispatch' && !inputs.dry_run
|
|
needs: verify_stable
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 45
|
|
environment: npm-stable
|
|
permissions:
|
|
contents: write
|
|
id-token: write
|
|
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
ref: ${{ inputs.source_ref }}
|
|
|
|
- name: Setup pnpm
|
|
uses: pnpm/action-setup@v4
|
|
with:
|
|
version: 9.15.4
|
|
|
|
- name: Setup Node.js
|
|
uses: actions/setup-node@v4
|
|
with:
|
|
node-version: 24
|
|
cache: pnpm
|
|
|
|
- name: Install dependencies
|
|
run: pnpm install --no-frozen-lockfile
|
|
|
|
- name: Restore tracked install-time changes
|
|
run: git checkout -- pnpm-lock.yaml
|
|
|
|
- name: Configure git author
|
|
run: |
|
|
git config user.name "github-actions[bot]"
|
|
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
|
|
|
|
- name: Publish stable
|
|
env:
|
|
GITHUB_ACTIONS: "true"
|
|
run: |
|
|
args=(stable --skip-verify)
|
|
if [ -n "${{ inputs.stable_date }}" ]; then
|
|
args+=(--date "${{ inputs.stable_date }}")
|
|
fi
|
|
./scripts/release.sh "${args[@]}"
|
|
|
|
- name: Push stable tag
|
|
run: |
|
|
tag="$(git tag --points-at HEAD | grep '^v' | head -1)"
|
|
if [ -z "$tag" ]; then
|
|
echo "Error: no stable tag points at HEAD after release." >&2
|
|
exit 1
|
|
fi
|
|
git push origin "refs/tags/${tag}"
|
|
|
|
- name: Create GitHub Release
|
|
env:
|
|
GH_TOKEN: ${{ github.token }}
|
|
PUBLISH_REMOTE: origin
|
|
run: |
|
|
version="$(git tag --points-at HEAD | grep '^v' | head -1 | sed 's/^v//')"
|
|
if [ -z "$version" ]; then
|
|
echo "Error: no v* tag points at HEAD after stable release." >&2
|
|
exit 1
|
|
fi
|
|
./scripts/create-github-release.sh "$version"
|