@wipcomputer/wip-ai-devops-toolbox 1.9.71-alpha.7 → 1.9.71-alpha.9

package/CHANGELOG.md

@@ -1,5 +1,111 @@
 # Changelog
 
+## 1.9.71-alpha.9 (2026-04-05)
+
+# v1.9.71-alpha.8
+
+## wip-release: automatic PR flow for protected main (Phase 4)
+
+When `git push origin main` fails with GitHub's "protected branch" rejection (`GH006: Changes must be made through a pull request`), wip-release now automatically:
+
+1. Creates a release branch `cc-mini/release-v<version>` at the current commit
+2. Pushes the branch to origin
+3. Opens a PR via `gh pr create` with title `release: v<version>`
+4. Merges the PR via `gh pr merge --merge --delete-branch`
+5. Pushes the tag separately (tags bypass branch protection on most GitHub setups)
+6. Fast-forwards local main so downstream steps (deploy-public, etc.) have a clean state
+
+Previously this was a 4-command manual workflow every release:
+
+```
+git branch cc-mini/release-alpha-N
+git push -u origin cc-mini/release-alpha-N
+gh pr create --base main --head cc-mini/release-alpha-N --title '...'
+gh pr merge <pr> --merge --delete-branch
+git push origin v<version>
+```
+
+Every release. Every time. Eliminated.
+
+## Fallback behavior
+
+If any step of the auto-PR flow fails (gh CLI missing, PR create failure, merge failure, tag push failure), wip-release logs a concrete recovery command for the exact failure mode and continues (non-fatal, matches prior push-failed behavior). The user can always complete the remaining steps manually.
+
+## Direct push still works
+
+If the repo allows direct push to main (typical for private staging repos), wip-release tries direct push first and only falls back to the PR flow on the specific GH006 / "protected branch" error. No behavioral change for unprotected repos.
+
+## Files changed
+
+- `tools/wip-release/core.mjs`: new `pushReleaseWithAutoPr(repoPath, newVersion, level)` and `logPushFailure(result, tag)` helpers. Three push sites in `release()`, `releaseHotfix()`, `releasePrerelease()` migrated to use the helper.
+- `tools/wip-release/package.json`: 1.9.72 -> 1.9.73
+- `CHANGELOG.md`: entry added
+
+## Verified
+
+- Module imports cleanly via `node -e "import('./tools/wip-release/core.mjs')"`.
+- Error detection regex handles GH006 variants: `/protected branch|GH006|Changes must be made through a pull request/i`.
+- All three release tracks (stable, prerelease, hotfix) use the same helper.
+
+## Cross-references
+
+- `ai/product/bugs/release-pipeline/2026-04-05--cc-mini--release-pipeline-master-plan.md` Phase 4 (Incident 4)
+- `ai/product/bugs/master-plans/bugs-plan-04-05-2026-002.md` Wave 2 phase 7
+- Prior ship: alpha.7 closed Phases 1, 2, 8 of the same plan.
+
+## 1.9.71-alpha.8 (2026-04-05)
+
+# v1.9.71-alpha.8
+
+## wip-release: automatic PR flow for protected main (Phase 4)
+
+When `git push origin main` fails with GitHub's "protected branch" rejection (`GH006: Changes must be made through a pull request`), wip-release now automatically:
+
+1. Creates a release branch `cc-mini/release-v<version>` at the current commit
+2. Pushes the branch to origin
+3. Opens a PR via `gh pr create` with title `release: v<version>`
+4. Merges the PR via `gh pr merge --merge --delete-branch`
+5. Pushes the tag separately (tags bypass branch protection on most GitHub setups)
+6. Fast-forwards local main so downstream steps (deploy-public, etc.) have a clean state
+
+Previously this was a 4-command manual workflow every release:
+
+```
+git branch cc-mini/release-alpha-N
+git push -u origin cc-mini/release-alpha-N
+gh pr create --base main --head cc-mini/release-alpha-N --title '...'
+gh pr merge <pr> --merge --delete-branch
+git push origin v<version>
+```
+
+Every release. Every time. Eliminated.
+
+## Fallback behavior
+
+If any step of the auto-PR flow fails (gh CLI missing, PR create failure, merge failure, tag push failure), wip-release logs a concrete recovery command for the exact failure mode and continues (non-fatal, matches prior push-failed behavior). The user can always complete the remaining steps manually.
+
+## Direct push still works
+
+If the repo allows direct push to main (typical for private staging repos), wip-release tries direct push first and only falls back to the PR flow on the specific GH006 / "protected branch" error. No behavioral change for unprotected repos.
+
+## Files changed
+
+- `tools/wip-release/core.mjs`: new `pushReleaseWithAutoPr(repoPath, newVersion, level)` and `logPushFailure(result, tag)` helpers. Three push sites in `release()`, `releaseHotfix()`, `releasePrerelease()` migrated to use the helper.
+- `tools/wip-release/package.json`: 1.9.72 -> 1.9.73
+- `CHANGELOG.md`: entry added
+
+## Verified
+
+- Module imports cleanly via `node -e "import('./tools/wip-release/core.mjs')"`.
+- Error detection regex handles GH006 variants: `/protected branch|GH006|Changes must be made through a pull request/i`.
+- All three release tracks (stable, prerelease, hotfix) use the same helper.
+
+## Cross-references
+
+- `ai/product/bugs/release-pipeline/2026-04-05--cc-mini--release-pipeline-master-plan.md` Phase 4 (Incident 4)
+- `ai/product/bugs/master-plans/bugs-plan-04-05-2026-002.md` Wave 2 phase 7
+- Prior ship: alpha.7 closed Phases 1, 2, 8 of the same plan.
+
 ## 1.9.71-alpha.7 (2026-04-05)
 
 # v1.9.71-alpha.7

package/RELEASE-NOTES-v1-9-71-alpha-8.md

@@ -0,0 +1,50 @@
+# v1.9.71-alpha.8
+
+## wip-release: automatic PR flow for protected main (Phase 4)
+
+When `git push origin main` fails with GitHub's "protected branch" rejection (`GH006: Changes must be made through a pull request`), wip-release now automatically:
+
+1. Creates a release branch `cc-mini/release-v<version>` at the current commit
+2. Pushes the branch to origin
+3. Opens a PR via `gh pr create` with title `release: v<version>`
+4. Merges the PR via `gh pr merge --merge --delete-branch`
+5. Pushes the tag separately (tags bypass branch protection on most GitHub setups)
+6. Fast-forwards local main so downstream steps (deploy-public, etc.) have a clean state
+
+Previously this was a 4-command manual workflow every release:
+
+```
+git branch cc-mini/release-alpha-N
+git push -u origin cc-mini/release-alpha-N
+gh pr create --base main --head cc-mini/release-alpha-N --title '...'
+gh pr merge <pr> --merge --delete-branch
+git push origin v<version>
+```
+
+Every release. Every time. Eliminated.
+
+## Fallback behavior
+
+If any step of the auto-PR flow fails (gh CLI missing, PR create failure, merge failure, tag push failure), wip-release logs a concrete recovery command for the exact failure mode and continues (non-fatal, matches prior push-failed behavior). The user can always complete the remaining steps manually.
+
+## Direct push still works
+
+If the repo allows direct push to main (typical for private staging repos), wip-release tries direct push first and only falls back to the PR flow on the specific GH006 / "protected branch" error. No behavioral change for unprotected repos.
+
+## Files changed
+
+- `tools/wip-release/core.mjs`: new `pushReleaseWithAutoPr(repoPath, newVersion, level)` and `logPushFailure(result, tag)` helpers. Three push sites in `release()`, `releaseHotfix()`, `releasePrerelease()` migrated to use the helper.
+- `tools/wip-release/package.json`: 1.9.72 -> 1.9.73
+- `CHANGELOG.md`: entry added
+
+## Verified
+
+- Module imports cleanly via `node -e "import('./tools/wip-release/core.mjs')"`.
+- Error detection regex handles GH006 variants: `/protected branch|GH006|Changes must be made through a pull request/i`.
+- All three release tracks (stable, prerelease, hotfix) use the same helper.
+
+## Cross-references
+
+- `ai/product/bugs/release-pipeline/2026-04-05--cc-mini--release-pipeline-master-plan.md` Phase 4 (Incident 4)
+- `ai/product/bugs/master-plans/bugs-plan-04-05-2026-002.md` Wave 2 phase 7
+- Prior ship: alpha.7 closed Phases 1, 2, 8 of the same plan.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-ai-devops-toolbox",
-  "version": "1.9.71-alpha.7",
+  "version": "1.9.71-alpha.9",
   "type": "module",
   "description": "The complete AI DevOps toolkit for AI-assisted development teams.",
   "license": "MIT",

package/tools/wip-release/core.mjs

@@ -1507,6 +1507,125 @@ function checkTagCollision(repoPath, newVersion) {
   return { ok: true };
 }
 
+/**
+ * Push the release commit + tag, handling protected-main rejection via
+ * automatic PR flow.
+ *
+ * If `git push origin main` succeeds directly, we also push tags and return.
+ * If it fails with a "protected branch" error (GH006), create a temporary
+ * release branch from the current HEAD, push the branch, open a PR targeting
+ * main, auto-merge it via `gh pr merge --merge --delete-branch`, then push
+ * the tag separately (tags bypass branch protection).
+ *
+ * Phase 4 of the release-pipeline master plan. Earlier today this entire
+ * flow was done manually every time, adding 2-3 minutes per release.
+ *
+ * Returns `{ ok: true, via }` on success where `via` is `"direct"` or `"pr"`.
+ * Returns `{ ok: false, reason, detail }` on failure; caller logs and
+ * continues (matches prior non-fatal push behavior).
+ */
+function pushReleaseWithAutoPr(repoPath, newVersion, level) {
+  const tag = `v${newVersion}`;
+  // 1. Try direct push first. Most repos allow it.
+  try {
+    execFileSync('git', ['push'], { cwd: repoPath, stdio: 'pipe' });
+    execFileSync('git', ['push', 'origin', tag], { cwd: repoPath, stdio: 'pipe' });
+    return { ok: true, via: 'direct' };
+  } catch (err) {
+    const msg = String(err?.stderr ?? err?.message ?? err);
+    const isProtected = /protected branch|GH006|Changes must be made through a pull request/i.test(msg);
+    if (!isProtected) {
+      return { ok: false, reason: 'push-failed', detail: msg };
+    }
+  }
+
+  // 2. Protected main. Open auto-PR flow.
+  const releaseBranch = `cc-mini/release-${tag}`;
+  console.log(`  - Direct push to main refused (protected). Opening release PR...`);
+  try {
+    // Create branch at current HEAD
+    execFileSync('git', ['branch', releaseBranch], { cwd: repoPath, stdio: 'pipe' });
+    execFileSync('git', ['push', '-u', 'origin', releaseBranch], {
+      cwd: repoPath, stdio: 'pipe'
+    });
+  } catch (err) {
+    return {
+      ok: false,
+      reason: 'branch-push-failed',
+      detail: String(err?.stderr ?? err?.message ?? err),
+    };
+  }
+
+  // 3. Create and merge PR via gh CLI
+  try {
+    const prTitle = `release: ${tag}`;
+    const prBody = `Release commit for ${tag} (${level}). Auto-generated by wip-release.`;
+    execFileSync('gh', [
+      'pr', 'create',
+      '--base', 'main',
+      '--head', releaseBranch,
+      '--title', prTitle,
+      '--body', prBody,
+    ], { cwd: repoPath, stdio: 'pipe' });
+    execFileSync('gh', [
+      'pr', 'merge', releaseBranch,
+      '--merge', '--delete-branch',
+    ], { cwd: repoPath, stdio: 'pipe' });
+    console.log(`  ✓ Release PR merged`);
+  } catch (err) {
+    return {
+      ok: false,
+      reason: 'gh-pr-failed',
+      detail: String(err?.stderr ?? err?.message ?? err),
+    };
+  }
+
+  // 4. Push the tag separately. Tags bypass branch protection on most
+  //    GitHub setups, but if this fails the user can push the tag manually.
+  try {
+    execFileSync('git', ['push', 'origin', tag], { cwd: repoPath, stdio: 'pipe' });
+    console.log(`  ✓ Pushed tag ${tag}`);
+  } catch (err) {
+    return {
+      ok: false,
+      reason: 'tag-push-failed',
+      detail: String(err?.stderr ?? err?.message ?? err),
+      partialSuccess: 'pr-merged',
+    };
+  }
+
+  // 5. Pull latest main so local HEAD reflects the merge commit. This
+  //    keeps subsequent git operations (like deploy-public) happy.
+  try {
+    execFileSync('git', ['fetch', 'origin', 'main'], { cwd: repoPath, stdio: 'pipe' });
+    execFileSync('git', ['merge', '--ff-only', 'origin/main'], {
+      cwd: repoPath, stdio: 'pipe'
+    });
+  } catch {
+    // Non-fatal: main may have diverged (unlikely here). Deploy-public
+    // will handle its own state.
+  }
+
+  return { ok: true, via: 'pr' };
+}
+
+function logPushFailure(result, tag) {
+  console.log(`  ! Push failed: ${result.reason}`);
+  if (result.detail) {
+    console.log(`    ${result.detail.split('\n')[0]}`);
+  }
+  console.log(`  Manual recovery:`);
+  if (result.reason === 'push-failed' || result.reason === 'branch-push-failed') {
+    console.log(`    git push && git push origin ${tag}`);
+  } else if (result.reason === 'gh-pr-failed') {
+    console.log(`    Open a PR for cc-mini/release-${tag} targeting main, merge, then:`);
+    console.log(`    git push origin ${tag}`);
+  } else if (result.reason === 'tag-push-failed') {
+    console.log(`    PR already merged. Just push the tag:`);
+    console.log(`    git push origin ${tag}`);
+  }
+}
+
 function logMainBranchGuardFailure(result) {
   if (result.reason === 'linked-worktree') {
     console.log(`  \u2717 wip-release must run from the main working tree, not a worktree.`);
@@ -1898,12 +2017,14 @@ export async function release({ repoPath, level, notes, notesSource, dryRun, noP
   gitCommitAndTag(repoPath, newVersion, notes);
   console.log(`  ✓ Committed and tagged v${newVersion}`);
 
-  // 5. Push commit + tag
-  try {
-    execSync('git push && git push --tags', { cwd: repoPath, stdio: 'pipe' });
-    console.log(`  ✓ Pushed to remote`);
-  } catch {
-    console.log(`  ! Push failed (maybe branch protection). Push manually.`);
+  // 5. Push commit + tag (with auto-PR fallback on protected main, Phase 4)
+  {
+    const pushResult = pushReleaseWithAutoPr(repoPath, newVersion, level);
+    if (pushResult.ok) {
+      console.log(`  ✓ Pushed to remote (${pushResult.via})`);
+    } else {
+      logPushFailure(pushResult, `v${newVersion}`);
+    }
   }
 
   // Distribution results collector (#104)
@@ -2260,12 +2381,14 @@ export async function releasePrerelease({ repoPath, track, notes, dryRun, noPubl
   execFileSync('git', ['tag', `v${newVersion}`], { cwd: repoPath, stdio: 'pipe' });
   console.log(`  \u2713 Committed and tagged v${newVersion}`);
 
-  // 4. Push commit + tag
-  try {
-    execSync('git push && git push --tags', { cwd: repoPath, stdio: 'pipe' });
-    console.log(`  \u2713 Pushed to remote`);
-  } catch {
-    console.log(`  ! Push failed. Push manually.`);
+  // 4. Push commit + tag (with auto-PR fallback on protected main, Phase 4)
+  {
+    const pushResult = pushReleaseWithAutoPr(repoPath, newVersion, track);
+    if (pushResult.ok) {
+      console.log(`  \u2713 Pushed to remote (${pushResult.via})`);
+    } else {
+      logPushFailure(pushResult, `v${newVersion}`);
+    }
   }
 
   const distResults = [];
@@ -2470,12 +2593,14 @@ export async function releaseHotfix({ repoPath, notes, notesSource, dryRun, noPu
   gitCommitAndTag(repoPath, newVersion, notes);
   console.log(`  \u2713 Committed and tagged v${newVersion}`);
 
-  // 5. Push commit + tag
-  try {
-    execSync('git push && git push --tags', { cwd: repoPath, stdio: 'pipe' });
-    console.log(`  \u2713 Pushed to remote`);
-  } catch {
-    console.log(`  ! Push failed. Push manually.`);
+  // 5. Push commit + tag (with auto-PR fallback on protected main, Phase 4)
+  {
+    const pushResult = pushReleaseWithAutoPr(repoPath, newVersion, 'hotfix');
+    if (pushResult.ok) {
+      console.log(`  \u2713 Pushed to remote (${pushResult.via})`);
+    } else {
+      logPushFailure(pushResult, `v${newVersion}`);
+    }
   }
 
   const distResults = [];

package/tools/wip-release/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-release",
-  "version": "1.9.72",
+  "version": "1.9.73",
   "type": "module",
   "description": "One-command release pipeline. Bumps version, updates changelog + SKILL.md, publishes to npm + GitHub.",
   "main": "core.mjs",