Skip to content

Make 0.5.0 a coordinated, verifiable package release#90

Merged
mingyooagi merged 1 commit into
mainfrom
codex/release-0.5.0
Jul 13, 2026
Merged

Make 0.5.0 a coordinated, verifiable package release#90
mingyooagi merged 1 commit into
mainfrom
codex/release-0.5.0

Conversation

@mingyooagi

@mingyooagi mingyooagi commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Summary

  • move all 15 public @opentag/* packages to the coordinated 0.5.0 version
  • replace both drifting release arrays with manifest discovery, runtime dependency closure validation, lockstep-version validation, cycle detection, and deterministic dependency-first ordering
  • make next the safe publish default, require real publication from main, and fail closed on empty publication sets or mismatched recovery dist-tags
  • add publication-set consistency and packed clean-install release:check gates to CI
  • document Discord, Linear, and Teams adapters; ACP execution; Attempt lease/fencing; material-action safety; and Client/Runner migration
  • document the staged next → registry smoke → latest → matching git tag/GitHub Release procedure and rollback path

Verification

  • pnpm install --frozen-lockfile
  • pnpm release:publication-set — 15 packages, all 0.5.0
  • pnpm build
  • pnpm lint
  • pnpm typecheck
  • pnpm test — 119 files, 1510 tests
  • pnpm smoke:governance -- --all — 7/7 cases passed
  • standalone privacy scan — 22 files, no findings
  • pnpm release:check — packed all 15 packages, clean npm install, installed CLI help/doctor checks
  • release-plan regression suite — 9/9 tests
  • 15-package release:publish --dry-run --skip-check --tag next — all npm tarball previews passed
  • independent Standards and Spec reviews — approved

Rollout after merge

  1. publish the merge commit from clean main to npm dist-tag next
  2. install @opentag/cli@0.5.0 from the public registry and run setup/doctor/start plus a credentialed Lark smoke
  3. promote the same immutable 0.5.0 artifacts to latest
  4. create and push v0.5.0 and publish the matching GitHub Release from the exact release commit

latest remains untouched until the registry and live-platform gates pass.

Summary by CodeRabbit

  • New Features

    • Released the coordinated OpenTag package family as v0.5.0, including Discord, Linear, Microsoft Teams, and ACP-backed integrations.
    • Introduced governed, durable attempt/claiming behavior and updated runner ownership semantics.
  • Migration / Breaking Changes

    • Updated client and custom runner migration to require lease/fencing-token propagation and runner-scoped endpoints (with deprecated unscoped endpoints returning 410).
  • Documentation

    • Updated README and changelog for v0.5.0.
    • Rewrote the npm release and versioning guides, including publication-set gating, topological publish order, canary/rollback, and immutable promotion to latest.
  • Quality Improvements

    • CI now runs additional release validation steps.
    • Added automated tests for public release package planning and ordering, plus installed CLI smoke checks.

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown

Review Change Stack

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e7129b6b-7a8f-41fd-ad2e-6e58adaf49e8

📥 Commits

Reviewing files that changed from the base of the PR and between f9f8cbc and fc00a91.

📒 Files selected for processing (27)
  • .github/workflows/ci.yml
  • CHANGELOG.md
  • README.md
  • README.zh-CN.md
  • docs/npm-release.md
  • docs/versioning.md
  • package.json
  • packages/cli/package.json
  • packages/cli/test/release-package-plan.test.ts
  • packages/client/package.json
  • packages/core/package.json
  • packages/discord/package.json
  • packages/dispatcher/package.json
  • packages/github/package.json
  • packages/gitlab/package.json
  • packages/lark/package.json
  • packages/linear/package.json
  • packages/local-runtime/package.json
  • packages/runner/package.json
  • packages/slack/package.json
  • packages/store/package.json
  • packages/teams/package.json
  • packages/telegram/package.json
  • scripts/release/check-cli-package.mjs
  • scripts/release/check-publication-set.mjs
  • scripts/release/package-plan.mjs
  • scripts/release/publish-local.mjs

📝 Walkthrough

Walkthrough

The release process derives and validates a coordinated public package set, verifies packed CLI artifacts, publishes through next-first dist-tags, adds CI release checks, bumps packages to 0.5.0, and updates release documentation.

Changes

Coordinated release

Layer / File(s) Summary
Publication plan and coverage
scripts/release/package-plan.mjs, packages/cli/test/release-package-plan.test.ts, package.json
Public packages are discovered, validated for lockstep versions and runtime dependencies, topologically ordered, and covered by planner tests.
Release validation and publishing
scripts/release/check-cli-package.mjs, scripts/release/check-publication-set.mjs, scripts/release/publish-local.mjs
Release checks use the computed package plan, validate installed opentag doctor behavior, default publishing to next, and verify selected dist-tags.
Version alignment and CI wiring
packages/*/package.json, .github/workflows/ci.yml
Coordinated package manifests are updated to 0.5.0, and CI runs publication-set and release checks after tests.
Release documentation and migration notes
CHANGELOG.md, README*.md, docs/npm-release.md, docs/versioning.md
Release procedures, migration and security notes, package lists, promotion, rollback, and version references are updated for 0.5.0.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Sequence Diagram(s)

sequenceDiagram
  participant ReleaseOperator
  participant publish_local_mjs
  participant npmRegistry
  participant check_cli_package_mjs
  ReleaseOperator->>publish_local_mjs: run release using computed package plan
  publish_local_mjs->>npmRegistry: inspect versions and dist-tags
  npmRegistry-->>publish_local_mjs: return package publication state
  ReleaseOperator->>check_cli_package_mjs: verify packed packages in isolated install
  check_cli_package_mjs->>check_cli_package_mjs: run opentag doctor validation
Loading

Possibly related PRs

Suggested reviewers: lumpinif

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title is concise and directly summarizes the coordinated 0.5.0 package release.
Description check ✅ Passed It covers the required summary, validation, and notes content, though the section headings are renamed.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch codex/release-0.5.0

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request prepares the OpenTag package family for the v0.5.0 release, which introduces Discord, Linear, and Microsoft Teams adapters, durable Attempt leases, and a dynamic, topologically sorted release package plan. The hardcoded package lists in the release scripts are replaced with automated discovery and validation logic, accompanied by new unit tests. A high-severity issue was identified in check-cli-package.mjs where calling process.exit() on command failures bypasses the finally block, preventing the cleanup of temporary directories; throwing an error instead is recommended.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment on lines +28 to 30
if (result.status !== 0 && !options.allowFailure) {
process.exit(result.status ?? 1);
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

In check-cli-package.mjs, the main execution block is wrapped in a try...finally block to ensure that the temporary directory tempRoot is cleaned up. However, the run helper function calls process.exit() directly when a command fails. Since process.exit() immediately terminates the Node.js process without unwinding the stack, the finally block is bypassed, leaving the temporary directory and its contents (including packed tarballs and installed node_modules) on the disk.

To ensure proper cleanup on failure, the run function should throw an Error instead of calling process.exit(). This allows the exception to propagate, triggering the finally block for cleanup before the process exits.

Suggested change
if (result.status !== 0 && !options.allowFailure) {
process.exit(result.status ?? 1);
}
if (result.status !== 0 && !options.allowFailure) {
throw new Error("Command failed with exit code " + (result.status ?? 1) + ": " + command + " " + args.join(" "));
}

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in fc00a91: command failures now throw, so the enclosing finally block always removes the temporary pack/install directory. The full release:check passed after the change.

@mingyooagi
mingyooagi force-pushed the codex/release-0.5.0 branch from 7f70b1b to f9f8cbc Compare July 13, 2026 16:45

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/release/publish-local.mjs`:
- Around line 119-133: Update publishedVersionForTag() to return stdout only
when the npm command succeeds and produces a non-empty value, otherwise
normalize it to undefined; when result.ok is false, surface the raw npm error
instead of silently returning undefined. Preserve the existing tag lookup
behavior while ensuring unset dist-tags do not produce misleading output or
release decisions.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0ac9a137-2b88-4c91-afb8-e827a6f4bc05

📥 Commits

Reviewing files that changed from the base of the PR and between 2087411 and 7f70b1b.

📒 Files selected for processing (27)
  • .github/workflows/ci.yml
  • CHANGELOG.md
  • README.md
  • README.zh-CN.md
  • docs/npm-release.md
  • docs/versioning.md
  • package.json
  • packages/cli/package.json
  • packages/cli/test/release-package-plan.test.ts
  • packages/client/package.json
  • packages/core/package.json
  • packages/discord/package.json
  • packages/dispatcher/package.json
  • packages/github/package.json
  • packages/gitlab/package.json
  • packages/lark/package.json
  • packages/linear/package.json
  • packages/local-runtime/package.json
  • packages/runner/package.json
  • packages/slack/package.json
  • packages/store/package.json
  • packages/teams/package.json
  • packages/telegram/package.json
  • scripts/release/check-cli-package.mjs
  • scripts/release/check-publication-set.mjs
  • scripts/release/package-plan.mjs
  • scripts/release/publish-local.mjs

Comment thread scripts/release/publish-local.mjs
@mingyooagi
mingyooagi force-pushed the codex/release-0.5.0 branch from f9f8cbc to 9636df0 Compare July 13, 2026 16:49
OpenTag's CLI installation closes over every public workspace package, so the 0.5.0 family must be released atomically from one discovered dependency graph. The release gate now validates that graph, exercises the packed CLI in a clean npm project, and records the migration and staged rollout contract.

Constraint: The CLI runtime dependency closure requires all 15 public packages at one lockstep version.
Rejected: Maintain another hand-written package list | the existing check and publish lists had already drifted from the manifests.
Confidence: high
Scope-risk: moderate
Reversibility: clean
Directive: Treat publishConfig.access=public as the sole release-set source and promote immutable versions with dist-tags only.
Tested: build, lint, typecheck, 1510 unit/integration tests, governance matrix, privacy scan, 9 release-plan tests, publication-set checks, 15-package pack and clean npm install, installed CLI help and doctor.
Not-tested: Public-registry install, foreground start, live provider callback, and npm dist-tag promotion remain post-publish gates.
@mingyooagi
mingyooagi force-pushed the codex/release-0.5.0 branch from 9636df0 to fc00a91 Compare July 13, 2026 16:50
@mingyooagi
mingyooagi merged commit 79ce5d4 into main Jul 13, 2026
1 of 2 checks passed

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (2)
docs/npm-release.md (1)

131-140: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick win

Failed version assertion is silent — loop won't stop or report on a broken canary.

test "$(npm view "$package@0.5.0" version)" = "0.5.0" produces no output on failure and the loop keeps iterating over the remaining packages. An operator following this doc could miss a package that failed to publish correctly and proceed to promote a broken release to latest.

Proposed fix to fail loudly on mismatch
 for manifest in packages/*/package.json; do
   [ "$(jq -r '.publishConfig.access // ""' "$manifest")" = "public" ] || continue
   package="$(jq -r '.name' "$manifest")"
-  test "$(npm view "$package@0.5.0" version)" = "0.5.0"
+  actual="$(npm view "$package@0.5.0" version)"
+  [ "$actual" = "0.5.0" ] || { echo "FAIL: $package resolved to '$actual', expected 0.5.0"; exit 1; }
   npm view "$package" dist-tags --json
 done
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/npm-release.md` around lines 131 - 140, Update the verification loop
around the version assertion to fail loudly when a package’s canary version does
not match 0.5.0, including the package name and expected/actual versions in the
error output, and stop the loop with a nonzero status so promotion cannot
continue unnoticed.
packages/cli/test/release-package-plan.test.ts (1)

159-166: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Consider adding tests for malformed publishConfig and runtime dependency field types.

The existing malformed manifest test covers invalid JSON, but readPackageManifest in package-plan.mjs also validates that publishConfig and each runtime dependency field are objects, throwing structured errors. Adding test cases for non-object publishConfig (e.g., publishConfig: "invalid") or non-object dependencies (e.g., dependencies: []) would cover these validation paths and prevent regressions.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/cli/test/release-package-plan.test.ts` around lines 159 - 166, Add
test coverage in the release-package-plan tests for readPackageManifest
validation of non-object publishConfig and runtime dependency fields, such as
string publishConfig and array dependencies. Create valid JSON manifests with
these malformed values, assert buildPublicPackagePlan throws structured errors
identifying the relevant field/package directory, and keep the existing
invalid-JSON test unchanged.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@docs/npm-release.md`:
- Around line 131-140: Update the verification loop around the version assertion
to fail loudly when a package’s canary version does not match 0.5.0, including
the package name and expected/actual versions in the error output, and stop the
loop with a nonzero status so promotion cannot continue unnoticed.

In `@packages/cli/test/release-package-plan.test.ts`:
- Around line 159-166: Add test coverage in the release-package-plan tests for
readPackageManifest validation of non-object publishConfig and runtime
dependency fields, such as string publishConfig and array dependencies. Create
valid JSON manifests with these malformed values, assert buildPublicPackagePlan
throws structured errors identifying the relevant field/package directory, and
keep the existing invalid-JSON test unchanged.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9c66f0a1-2043-47ab-bd1a-37c37096ae3e

📥 Commits

Reviewing files that changed from the base of the PR and between 7f70b1b and f9f8cbc.

📒 Files selected for processing (27)
  • .github/workflows/ci.yml
  • CHANGELOG.md
  • README.md
  • README.zh-CN.md
  • docs/npm-release.md
  • docs/versioning.md
  • package.json
  • packages/cli/package.json
  • packages/cli/test/release-package-plan.test.ts
  • packages/client/package.json
  • packages/core/package.json
  • packages/discord/package.json
  • packages/dispatcher/package.json
  • packages/github/package.json
  • packages/gitlab/package.json
  • packages/lark/package.json
  • packages/linear/package.json
  • packages/local-runtime/package.json
  • packages/runner/package.json
  • packages/slack/package.json
  • packages/store/package.json
  • packages/teams/package.json
  • packages/telegram/package.json
  • scripts/release/check-cli-package.mjs
  • scripts/release/check-publication-set.mjs
  • scripts/release/package-plan.mjs
  • scripts/release/publish-local.mjs
🚧 Files skipped from review as they are similar to previous changes (21)
  • packages/gitlab/package.json
  • packages/client/package.json
  • packages/slack/package.json
  • README.md
  • packages/store/package.json
  • packages/cli/package.json
  • packages/telegram/package.json
  • packages/discord/package.json
  • packages/github/package.json
  • package.json
  • packages/dispatcher/package.json
  • packages/linear/package.json
  • packages/local-runtime/package.json
  • scripts/release/check-publication-set.mjs
  • packages/lark/package.json
  • packages/core/package.json
  • packages/runner/package.json
  • .github/workflows/ci.yml
  • scripts/release/package-plan.mjs
  • scripts/release/check-cli-package.mjs
  • scripts/release/publish-local.mjs

@mingyooagi
mingyooagi deleted the codex/release-0.5.0 branch July 13, 2026 16:57
@coderabbitai coderabbitai Bot mentioned this pull request Jul 15, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant