@wipcomputer/wip-release 1.9.72 → 1.9.74

package/cli.js

@@ -24,6 +24,7 @@ const skipWorktreeCheck = args.includes('--skip-worktree-check');
 const skipTechDocsCheck = args.includes('--skip-tech-docs-check');
 const skipCoverageCheck = args.includes('--skip-coverage-check');
 const allowSubToolDrift = args.includes('--allow-sub-tool-drift');
+const noDeployPublic = args.includes('--no-deploy-public');
 const wantReleaseNotes = args.includes('--release-notes');
 const noReleaseNotes = args.includes('--no-release-notes');
 const notesFilePath = flag('notes-file');
@@ -174,6 +175,7 @@ Flags:
   --skip-stale-check       Skip stale remote branch check
   --skip-worktree-check    Skip main-branch + worktree guard (break-glass only)
   --allow-sub-tool-drift   Allow release even if a sub-tool's files changed since the last tag without a version bump (error by default)
+  --no-deploy-public       Skip the deploy-public.sh step at the end of stable and prerelease flows (runs by default for -private repos)
 
 Release notes (REQUIRED for stable, optional for other tracks):
   1. --notes-file=path          Explicit file path
@@ -224,6 +226,7 @@ if (level === 'alpha' || level === 'beta') {
     publishReleaseNotes: level === 'alpha' ? wantReleaseNotes : !noReleaseNotes,
     skipWorktreeCheck,
     allowSubToolDrift,
+    noDeployPublic,
   }).catch(err => {
     console.error(`  \u2717 ${err.message}`);
     process.exit(1);
@@ -258,6 +261,7 @@ if (level === 'alpha' || level === 'beta') {
     skipTechDocsCheck,
     skipCoverageCheck,
     allowSubToolDrift,
+    noDeployPublic,
   }).catch(err => {
     console.error(`  \u2717 ${err.message}`);
     process.exit(1);

package/core.mjs

@@ -1507,6 +1507,198 @@ function checkTagCollision(repoPath, newVersion) {
   return { ok: true };
 }
 
+/**
+ * Push the release commit + tag, handling protected-main rejection via
+ * automatic PR flow.
+ *
+ * If `git push origin main` succeeds directly, we also push tags and return.
+ * If it fails with a "protected branch" error (GH006), create a temporary
+ * release branch from the current HEAD, push the branch, open a PR targeting
+ * main, auto-merge it via `gh pr merge --merge --delete-branch`, then push
+ * the tag separately (tags bypass branch protection).
+ *
+ * Phase 4 of the release-pipeline master plan. Earlier today this entire
+ * flow was done manually every time, adding 2-3 minutes per release.
+ *
+ * Returns `{ ok: true, via }` on success where `via` is `"direct"` or `"pr"`.
+ * Returns `{ ok: false, reason, detail }` on failure; caller logs and
+ * continues (matches prior non-fatal push behavior).
+ */
+function pushReleaseWithAutoPr(repoPath, newVersion, level) {
+  const tag = `v${newVersion}`;
+  // 1. Try direct push first. Most repos allow it.
+  try {
+    execFileSync('git', ['push'], { cwd: repoPath, stdio: 'pipe' });
+    execFileSync('git', ['push', 'origin', tag], { cwd: repoPath, stdio: 'pipe' });
+    return { ok: true, via: 'direct' };
+  } catch (err) {
+    const msg = String(err?.stderr ?? err?.message ?? err);
+    const isProtected = /protected branch|GH006|Changes must be made through a pull request/i.test(msg);
+    if (!isProtected) {
+      return { ok: false, reason: 'push-failed', detail: msg };
+    }
+  }
+
+  // 2. Protected main. Open auto-PR flow.
+  const releaseBranch = `cc-mini/release-${tag}`;
+  console.log(`  - Direct push to main refused (protected). Opening release PR...`);
+  try {
+    // Create branch at current HEAD
+    execFileSync('git', ['branch', releaseBranch], { cwd: repoPath, stdio: 'pipe' });
+    execFileSync('git', ['push', '-u', 'origin', releaseBranch], {
+      cwd: repoPath, stdio: 'pipe'
+    });
+  } catch (err) {
+    return {
+      ok: false,
+      reason: 'branch-push-failed',
+      detail: String(err?.stderr ?? err?.message ?? err),
+    };
+  }
+
+  // 3. Create and merge PR via gh CLI
+  try {
+    const prTitle = `release: ${tag}`;
+    const prBody = `Release commit for ${tag} (${level}). Auto-generated by wip-release.`;
+    execFileSync('gh', [
+      'pr', 'create',
+      '--base', 'main',
+      '--head', releaseBranch,
+      '--title', prTitle,
+      '--body', prBody,
+    ], { cwd: repoPath, stdio: 'pipe' });
+    execFileSync('gh', [
+      'pr', 'merge', releaseBranch,
+      '--merge', '--delete-branch',
+    ], { cwd: repoPath, stdio: 'pipe' });
+    console.log(`  ✓ Release PR merged`);
+  } catch (err) {
+    return {
+      ok: false,
+      reason: 'gh-pr-failed',
+      detail: String(err?.stderr ?? err?.message ?? err),
+    };
+  }
+
+  // 4. Push the tag separately. Tags bypass branch protection on most
+  //    GitHub setups, but if this fails the user can push the tag manually.
+  try {
+    execFileSync('git', ['push', 'origin', tag], { cwd: repoPath, stdio: 'pipe' });
+    console.log(`  ✓ Pushed tag ${tag}`);
+  } catch (err) {
+    return {
+      ok: false,
+      reason: 'tag-push-failed',
+      detail: String(err?.stderr ?? err?.message ?? err),
+      partialSuccess: 'pr-merged',
+    };
+  }
+
+  // 5. Pull latest main so local HEAD reflects the merge commit. This
+  //    keeps subsequent git operations (like deploy-public) happy.
+  try {
+    execFileSync('git', ['fetch', 'origin', 'main'], { cwd: repoPath, stdio: 'pipe' });
+    execFileSync('git', ['merge', '--ff-only', 'origin/main'], {
+      cwd: repoPath, stdio: 'pipe'
+    });
+  } catch {
+    // Non-fatal: main may have diverged (unlikely here). Deploy-public
+    // will handle its own state.
+  }
+
+  return { ok: true, via: 'pr' };
+}
+
+function logPushFailure(result, tag) {
+  console.log(`  ! Push failed: ${result.reason}`);
+  if (result.detail) {
+    console.log(`    ${result.detail.split('\n')[0]}`);
+  }
+  console.log(`  Manual recovery:`);
+  if (result.reason === 'push-failed' || result.reason === 'branch-push-failed') {
+    console.log(`    git push && git push origin ${tag}`);
+  } else if (result.reason === 'gh-pr-failed') {
+    console.log(`    Open a PR for cc-mini/release-${tag} targeting main, merge, then:`);
+    console.log(`    git push origin ${tag}`);
+  } else if (result.reason === 'tag-push-failed') {
+    console.log(`    PR already merged. Just push the tag:`);
+    console.log(`    git push origin ${tag}`);
+  }
+}
+
+/**
+ * Resolve the public GitHub repo name for a private-to-public mirror setup.
+ *
+ * Strategy:
+ *   1. Read `origin` remote URL (e.g. git@github.com:owner/repo-private.git)
+ *   2. Strip `-private` suffix to get the public repo name
+ *   3. Return `owner/repo` format suitable for gh CLI
+ *
+ * Returns null if the remote URL cannot be parsed or the repo name does not
+ * end in `-private` (in which case the caller should skip deploy-public as a
+ * no-op rather than error).
+ */
+function resolvePublicRepoName(repoPath) {
+  try {
+    const remoteUrl = execFileSync('git', ['remote', 'get-url', 'origin'], {
+      cwd: repoPath, encoding: 'utf8'
+    }).trim();
+    // Match owner/repo from either SSH (git@github.com:owner/repo.git) or HTTPS
+    const match = remoteUrl.match(/github\.com[:/]([^/]+)\/(.+?)(\.git)?$/);
+    if (!match) return null;
+    const [, owner, repoName] = match;
+    if (!repoName.endsWith('-private')) {
+      return null;
+    }
+    return `${owner}/${repoName.replace(/-private$/, '')}`;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Run deploy-public.sh as the final step of the release pipeline.
+ *
+ * Previously deploy-public was a separate manual step. Every release that
+ * forgot it left the public mirror stale, so `ldm install` pulled old code
+ * from the public repo. Now wip-release invokes it automatically for stable
+ * and prerelease tracks (hotfix still skips, per prior convention).
+ *
+ * Callable with `--no-deploy-public` to opt out.
+ *
+ * Skips silently if:
+ *   - The repo has no tools/deploy-public/deploy-public.sh (not a toolbox-
+ *     style repo, or deploy-public is provided by a parent install)
+ *   - The origin remote is not a -private repo (no public mirror to sync)
+ *
+ * Related: `ai/product/bugs/release-pipeline/2026-04-05--cc-mini--release-pipeline-master-plan.md` Phase 6.
+ */
+function runDeployPublic(repoPath, { skip } = {}) {
+  if (skip) {
+    return { ok: true, skipped: true, reason: 'flag' };
+  }
+  const scriptPath = join(repoPath, 'tools', 'deploy-public', 'deploy-public.sh');
+  if (!existsSync(scriptPath)) {
+    return { ok: true, skipped: true, reason: 'no-script' };
+  }
+  const publicRepo = resolvePublicRepoName(repoPath);
+  if (!publicRepo) {
+    return { ok: true, skipped: true, reason: 'not-private-repo' };
+  }
+  try {
+    execFileSync('bash', [scriptPath, repoPath, publicRepo], {
+      cwd: repoPath, stdio: 'inherit',
+    });
+    return { ok: true, publicRepo };
+  } catch (err) {
+    return {
+      ok: false,
+      detail: String(err?.stderr ?? err?.message ?? err),
+      publicRepo,
+    };
+  }
+}
+
 function logMainBranchGuardFailure(result) {
   if (result.reason === 'linked-worktree') {
     console.log(`  \u2717 wip-release must run from the main working tree, not a worktree.`);
@@ -1526,7 +1718,7 @@ function logMainBranchGuardFailure(result) {
 /**
  * Run the full release pipeline.
  */
-export async function release({ repoPath, level, notes, notesSource, dryRun, noPublish, skipProductCheck, skipStaleCheck, skipWorktreeCheck, skipTechDocsCheck, skipCoverageCheck, allowSubToolDrift }) {
+export async function release({ repoPath, level, notes, notesSource, dryRun, noPublish, skipProductCheck, skipStaleCheck, skipWorktreeCheck, skipTechDocsCheck, skipCoverageCheck, allowSubToolDrift, noDeployPublic }) {
   repoPath = repoPath || process.cwd();
   const currentVersion = detectCurrentVersion(repoPath);
   const newVersion = bumpSemver(currentVersion, level);
@@ -1898,12 +2090,14 @@ export async function release({ repoPath, level, notes, notesSource, dryRun, noP
   gitCommitAndTag(repoPath, newVersion, notes);
   console.log(`  ✓ Committed and tagged v${newVersion}`);
 
-  // 5. Push commit + tag
-  try {
-    execSync('git push && git push --tags', { cwd: repoPath, stdio: 'pipe' });
-    console.log(`  ✓ Pushed to remote`);
-  } catch {
-    console.log(`  ! Push failed (maybe branch protection). Push manually.`);
+  // 5. Push commit + tag (with auto-PR fallback on protected main, Phase 4)
+  {
+    const pushResult = pushReleaseWithAutoPr(repoPath, newVersion, level);
+    if (pushResult.ok) {
+      console.log(`  ✓ Pushed to remote (${pushResult.via})`);
+    } else {
+      logPushFailure(pushResult, `v${newVersion}`);
+    }
   }
 
   // Distribution results collector (#104)
@@ -2167,6 +2361,29 @@ export async function release({ repoPath, level, notes, notesSource, dryRun, noP
     }) + '\n');
   } catch {}
 
+  // 12. deploy-public: sync private -> public mirror (Phase 6)
+  // Runs at the end of every stable release unless --no-deploy-public is set
+  // or the repo has no deploy-public.sh script. Skips silently for non-
+  // -private repos (no public mirror to sync).
+  {
+    const dp = runDeployPublic(repoPath, { skip: noDeployPublic });
+    if (dp.skipped) {
+      if (dp.reason === 'flag') {
+        console.log(`  - deploy-public: skipped (--no-deploy-public)`);
+      } else if (dp.reason === 'no-script') {
+        console.log(`  - deploy-public: skipped (no tools/deploy-public/deploy-public.sh)`);
+      } else if (dp.reason === 'not-private-repo') {
+        console.log(`  - deploy-public: skipped (origin is not a -private repo)`);
+      }
+    } else if (dp.ok) {
+      console.log(`  \u2713 deploy-public: synced to ${dp.publicRepo}`);
+    } else {
+      console.log(`  \u2717 deploy-public failed for ${dp.publicRepo}`);
+      if (dp.detail) console.log(`    ${dp.detail.split('\n')[0]}`);
+      console.log(`    Manual recovery: bash tools/deploy-public/deploy-public.sh ${repoPath} ${dp.publicRepo}`);
+    }
+  }
+
   console.log('');
   console.log(`  Done. ${repoName} v${newVersion} released.`);
   console.log('');
@@ -2185,7 +2402,7 @@ export async function release({ repoPath, level, notes, notesSource, dryRun, noP
  * No deploy-public. No code sync. No CHANGELOG gate. No product docs gate.
  * Lightweight: bump version, npm publish with tag, optional GitHub prerelease.
  */
-export async function releasePrerelease({ repoPath, track, notes, dryRun, noPublish, publishReleaseNotes, skipWorktreeCheck, allowSubToolDrift }) {
+export async function releasePrerelease({ repoPath, track, notes, dryRun, noPublish, publishReleaseNotes, skipWorktreeCheck, allowSubToolDrift, noDeployPublic }) {
   repoPath = repoPath || process.cwd();
   const currentVersion = detectCurrentVersion(repoPath);
   const newVersion = bumpPrerelease(currentVersion, track);
@@ -2260,12 +2477,14 @@ export async function releasePrerelease({ repoPath, track, notes, dryRun, noPubl
   execFileSync('git', ['tag', `v${newVersion}`], { cwd: repoPath, stdio: 'pipe' });
   console.log(`  \u2713 Committed and tagged v${newVersion}`);
 
-  // 4. Push commit + tag
-  try {
-    execSync('git push && git push --tags', { cwd: repoPath, stdio: 'pipe' });
-    console.log(`  \u2713 Pushed to remote`);
-  } catch {
-    console.log(`  ! Push failed. Push manually.`);
+  // 4. Push commit + tag (with auto-PR fallback on protected main, Phase 4)
+  {
+    const pushResult = pushReleaseWithAutoPr(repoPath, newVersion, track);
+    if (pushResult.ok) {
+      console.log(`  \u2713 Pushed to remote (${pushResult.via})`);
+    } else {
+      logPushFailure(pushResult, `v${newVersion}`);
+    }
   }
 
   const distResults = [];
@@ -2307,6 +2526,30 @@ export async function releasePrerelease({ repoPath, track, notes, dryRun, noPubl
     }
   }
 
+  // deploy-public: sync private -> public mirror (Phase 6)
+  // Prerelease tracks (alpha/beta) also run deploy-public so the public
+  // mirror stays current. Flagged in the bridge master plan and the
+  // release-pipeline master plan: forgetting deploy-public left the public
+  // repo stale across multiple days of alpha releases.
+  {
+    const dp = runDeployPublic(repoPath, { skip: noDeployPublic });
+    if (dp.skipped) {
+      if (dp.reason === 'flag') {
+        console.log(`  - deploy-public: skipped (--no-deploy-public)`);
+      } else if (dp.reason === 'no-script') {
+        console.log(`  - deploy-public: skipped (no deploy-public.sh)`);
+      } else if (dp.reason === 'not-private-repo') {
+        console.log(`  - deploy-public: skipped (origin is not a -private repo)`);
+      }
+    } else if (dp.ok) {
+      console.log(`  \u2713 deploy-public: synced to ${dp.publicRepo}`);
+    } else {
+      console.log(`  \u2717 deploy-public failed for ${dp.publicRepo}`);
+      if (dp.detail) console.log(`    ${dp.detail.split('\n')[0]}`);
+      console.log(`    Manual recovery: bash tools/deploy-public/deploy-public.sh ${repoPath} ${dp.publicRepo}`);
+    }
+  }
+
   console.log('');
   console.log(`  Done. ${repoName} v${newVersion} (${track}) released.`);
   console.log('');
@@ -2470,12 +2713,14 @@ export async function releaseHotfix({ repoPath, notes, notesSource, dryRun, noPu
   gitCommitAndTag(repoPath, newVersion, notes);
   console.log(`  \u2713 Committed and tagged v${newVersion}`);
 
-  // 5. Push commit + tag
-  try {
-    execSync('git push && git push --tags', { cwd: repoPath, stdio: 'pipe' });
-    console.log(`  \u2713 Pushed to remote`);
-  } catch {
-    console.log(`  ! Push failed. Push manually.`);
+  // 5. Push commit + tag (with auto-PR fallback on protected main, Phase 4)
+  {
+    const pushResult = pushReleaseWithAutoPr(repoPath, newVersion, 'hotfix');
+    if (pushResult.ok) {
+      console.log(`  \u2713 Pushed to remote (${pushResult.via})`);
+    } else {
+      logPushFailure(pushResult, `v${newVersion}`);
+    }
   }
 
   const distResults = [];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-release",
-  "version": "1.9.72",
+  "version": "1.9.74",
   "type": "module",
   "description": "One-command release pipeline. Bumps version, updates changelog + SKILL.md, publishes to npm + GitHub.",
   "main": "core.mjs",