cool-workflow 0.2.3 → 0.2.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.claude-plugin/plugin.json +1 -1
- package/.codex-plugin/plugin.json +1 -1
- package/apps/architecture-review/app.json +1 -1
- package/apps/architecture-review-fast/app.json +1 -1
- package/apps/end-to-end-golden-path/app.json +1 -1
- package/apps/pr-review-fix-ci/app.json +1 -1
- package/apps/release-cut/app.json +1 -1
- package/apps/research-synthesis/app.json +1 -1
- package/dist/cli/dispatch.js +2 -1
- package/dist/cli/io.js +6 -20
- package/dist/core/capability-data.js +2 -2
- package/dist/core/format/help.js +7 -1
- package/dist/core/util/cli-args.js +33 -0
- package/dist/core/version.js +1 -1
- package/dist/shell/drive.js +14 -6
- package/dist/shell/execution-backend/agent.js +10 -1
- package/dist/shell/execution-backend/local.js +15 -10
- package/dist/shell/pipeline-cli.js +20 -2
- package/dist/shell/reclamation-io.js +74 -6
- package/dist/shell/registry-cli.js +4 -0
- package/dist/shell/run-registry-io.js +1 -0
- package/dist/shell/workflow-app-loader.js +67 -1
- package/dist/wiring/capability-table/basics.js +2 -2
- package/dist/wiring/capability-table/exec-backend.js +9 -9
- package/dist/wiring/capability-table/multi-agent.js +69 -69
- package/dist/wiring/capability-table/pipeline.js +28 -28
- package/dist/wiring/capability-table/registry-core.js +3 -3
- package/dist/wiring/capability-table/reporting.js +38 -38
- package/dist/wiring/capability-table/scheduling-registry.js +58 -58
- package/dist/wiring/capability-table/state.js +34 -34
- package/dist/wiring/capability-table/trust-ledger.js +12 -12
- package/dist/wiring/capability-table/workflow-apps.js +15 -15
- package/docs/agent-delegation-drive.7.md +2 -0
- package/docs/cli-mcp-parity.7.md +18 -13
- package/docs/contract-migration-tooling.7.md +2 -0
- package/docs/control-plane-scheduling.7.md +2 -0
- package/docs/durable-state-and-locking.7.md +2 -0
- package/docs/evidence-adoption-reasoning-chain.7.md +2 -0
- package/docs/execution-backends.7.md +2 -0
- package/docs/multi-agent-cli-mcp-surface.7.md +2 -0
- package/docs/multi-agent-eval-replay-harness.7.md +2 -0
- package/docs/multi-agent-operator-ux.7.md +2 -0
- package/docs/node-snapshot-diff-replay.7.md +2 -0
- package/docs/observability-cost-accounting.7.md +2 -0
- package/docs/project-index.md +8 -4
- package/docs/real-execution-backends.7.md +2 -0
- package/docs/release-and-migration.7.md +2 -0
- package/docs/release-tooling.7.md +20 -0
- package/docs/run-registry-control-plane.7.md +2 -0
- package/docs/run-retention-reclamation.7.md +22 -3
- package/docs/state-explosion-management.7.md +2 -0
- package/docs/team-collaboration.7.md +2 -0
- package/docs/trust-audit-anchor.7.md +2 -0
- package/docs/web-desktop-workbench.7.md +2 -0
- package/manifest/plugin.manifest.json +1 -1
- package/package.json +2 -1
- package/scripts/block-unapproved-tag.sh +19 -4
- package/scripts/bump-version.js +27 -10
- package/scripts/canonical-apps.js +4 -4
- package/scripts/dogfood-release.js +1 -1
- package/scripts/golden-path.js +4 -4
- package/scripts/purity-baseline.json +0 -30
- package/scripts/release-flow.js +137 -12
- package/scripts/release-oneclick.js +407 -0
- package/scripts/version-sync-check.js +39 -22
|
@@ -0,0 +1,407 @@
|
|
|
1
|
+
#!/usr/bin/env node
|
|
2
|
+
"use strict";
|
|
3
|
+
|
|
4
|
+
// release-oneclick.js — the operator's ONE command for a full release.
|
|
5
|
+
//
|
|
6
|
+
// npm run release -- X.Y.Z
|
|
7
|
+
// node scripts/release-oneclick.js X.Y.Z [--dry-run]
|
|
8
|
+
//
|
|
9
|
+
// This is a pure orchestrator over EXISTING tools (release-flow.js,
|
|
10
|
+
// bump-version.js, sync-project-index.js, gh, git) — it adds no new release
|
|
11
|
+
// logic of its own, only sequencing, resumability, and fail-fast checks.
|
|
12
|
+
//
|
|
13
|
+
// The two-step release model this implements:
|
|
14
|
+
// 1. Ask the agent to "prepare release X.Y.Z" — it drafts the CHANGELOG
|
|
15
|
+
// entry and opens/merges the version-bump PR. This step never touches
|
|
16
|
+
// CW_RELEASE_VERDICT_PRIVKEY.
|
|
17
|
+
// 2. The OPERATOR runs this script, in a shell where
|
|
18
|
+
// CW_RELEASE_VERDICT_PRIVKEY is set. Nothing in this file reads that
|
|
19
|
+
// env var directly — it is forwarded to `release-flow.js`'s existing
|
|
20
|
+
// signVerdictIfConfigured(), unchanged.
|
|
21
|
+
//
|
|
22
|
+
// Stages (each is idempotent — probes current state before acting, so a
|
|
23
|
+
// re-run after a failure resumes rather than repeats):
|
|
24
|
+
// 0. preflight — release-flow.js --cut --preflight-only (fail in seconds,
|
|
25
|
+
// before the gate/vendor-preflight/reviewer spend anything)
|
|
26
|
+
// 1. bump PR — only if package.json is not already at the target
|
|
27
|
+
// version; skipped when the agent's prep PR already landed
|
|
28
|
+
// 2. cut — release-flow.js --cut --version X --push (gate, live
|
|
29
|
+
// vendor preflight, reviewer, sign, tag-only push, Release)
|
|
30
|
+
// 3. record+wait — PR landing the verdict+.sig onto main (informational,
|
|
31
|
+
// no gate implications) + poll release-gate/npm-publish +
|
|
32
|
+
// confirm `npm view` shows the new version
|
|
33
|
+
//
|
|
34
|
+
// Resume: when the vX.Y.Z tag already exists (local or on origin), the cut
|
|
35
|
+
// already happened — stages 0-2 are skipped and the run goes STRAIGHT to
|
|
36
|
+
// stage 3. This is what makes a re-run after a stage-3 death (a red CI run,
|
|
37
|
+
// a network drop, a Ctrl-C mid-wait) pick the release back up instead of
|
|
38
|
+
// being refused by the preflight's own already-tagged check. Every wait has
|
|
39
|
+
// a hard deadline and dies loudly after repeated gh/git failures — a hung
|
|
40
|
+
// wait is indistinguishable from a dead release otherwise.
|
|
41
|
+
//
|
|
42
|
+
// Test seam: CW_ONECLICK_GH_CMD / CW_ONECLICK_GIT_CMD override the gh/git
|
|
43
|
+
// binaries (single executable token, spawned shell:false) for smoke stubs.
|
|
44
|
+
|
|
45
|
+
const fs = require("node:fs");
|
|
46
|
+
const path = require("node:path");
|
|
47
|
+
const { spawnSync } = require("node:child_process");
|
|
48
|
+
|
|
49
|
+
const scriptsDir = __dirname;
|
|
50
|
+
const pluginRoot = path.resolve(scriptsDir, "..");
|
|
51
|
+
const repoRoot = path.resolve(pluginRoot, "..", "..");
|
|
52
|
+
|
|
53
|
+
const argv = process.argv.slice(2);
|
|
54
|
+
const DRY_RUN = argv.includes("--dry-run");
|
|
55
|
+
const version = argv.find((a) => /^\d+\.\d+\.\d+$/.test(a));
|
|
56
|
+
|
|
57
|
+
const GIT_BIN = (process.env.CW_ONECLICK_GIT_CMD || "git").trim();
|
|
58
|
+
const GH_BIN = (process.env.CW_ONECLICK_GH_CMD || "gh").trim();
|
|
59
|
+
|
|
60
|
+
function die(msg, extra) {
|
|
61
|
+
process.stderr.write(`release-oneclick: ${msg}\n`);
|
|
62
|
+
if (extra) process.stderr.write(`${extra}\n`);
|
|
63
|
+
process.exit(1);
|
|
64
|
+
}
|
|
65
|
+
function say(msg) {
|
|
66
|
+
process.stdout.write(`${msg}\n`);
|
|
67
|
+
}
|
|
68
|
+
function stage(n, label) {
|
|
69
|
+
say(`\n[${n}/4] ${label}`);
|
|
70
|
+
}
|
|
71
|
+
function git(args, opts = {}) {
|
|
72
|
+
const r = spawnSync(GIT_BIN, args, { cwd: repoRoot, encoding: "utf8", shell: false, ...opts });
|
|
73
|
+
return { code: r.status, out: (r.stdout || "").trim(), err: (r.stderr || "").trim() };
|
|
74
|
+
}
|
|
75
|
+
// Like git(), but stdout is returned VERBATIM — no trim. The record stage
|
|
76
|
+
// copies verdict/.sig bytes out of the tag commit, and those bytes must stay
|
|
77
|
+
// exactly what was signed (a trimmed copy next to the same .sig could never
|
|
78
|
+
// verify again).
|
|
79
|
+
function gitRaw(args, opts = {}) {
|
|
80
|
+
const r = spawnSync(GIT_BIN, args, { cwd: repoRoot, encoding: "buffer", shell: false, ...opts });
|
|
81
|
+
return { code: r.status, out: r.stdout || Buffer.alloc(0), err: (r.stderr || "").toString().trim() };
|
|
82
|
+
}
|
|
83
|
+
function gh(args, opts = {}) {
|
|
84
|
+
const r = spawnSync(GH_BIN, args, { cwd: repoRoot, encoding: "utf8", shell: false, ...opts });
|
|
85
|
+
return { code: r.status, out: (r.stdout || "").trim(), err: (r.stderr || "").trim() };
|
|
86
|
+
}
|
|
87
|
+
function sleep(ms) {
|
|
88
|
+
Atomics.wait(new Int32Array(new SharedArrayBuffer(4)), 0, 0, ms);
|
|
89
|
+
}
|
|
90
|
+
// Shared poll helper: every wait in this script has a hard deadline (a wait
|
|
91
|
+
// that can spin forever hides a dead release) and dies after too many gh/git
|
|
92
|
+
// failures in a row (an expired auth or dead network must surface, not hang).
|
|
93
|
+
function poll({ label, timeoutMs, intervalMs, probe }) {
|
|
94
|
+
const deadline = Date.now() + timeoutMs;
|
|
95
|
+
let consecutiveErrors = 0;
|
|
96
|
+
for (;;) {
|
|
97
|
+
const r = probe();
|
|
98
|
+
if (r && r.done) return r.value;
|
|
99
|
+
consecutiveErrors = r && r.error ? consecutiveErrors + 1 : 0;
|
|
100
|
+
if (consecutiveErrors >= 10) die(`${label}: 10 gh/git probes in a row failed — check network/auth and re-run to resume.`);
|
|
101
|
+
if (Date.now() > deadline) die(`${label}: still not done after ${Math.round(timeoutMs / 60000)} minutes — inspect manually, then re-run to resume.`);
|
|
102
|
+
sleep(intervalMs);
|
|
103
|
+
}
|
|
104
|
+
}
|
|
105
|
+
|
|
106
|
+
if (!version) {
|
|
107
|
+
die("usage: node scripts/release-oneclick.js X.Y.Z [--dry-run]");
|
|
108
|
+
}
|
|
109
|
+
|
|
110
|
+
// ---- resume detection (before anything else) --------------------------------
|
|
111
|
+
// After a successful cut, the vX.Y.Z tag exists — release-flow's preflight
|
|
112
|
+
// would then (correctly, for a FRESH cut) refuse to run. But a re-run of THIS
|
|
113
|
+
// script after a stage-3 failure (a red CI run, a network drop, a Ctrl-C
|
|
114
|
+
// during the wait) must not be told "pick the next version": the release is
|
|
115
|
+
// mid-flight, not done. So: tag already cut -> skip straight to stage 3.
|
|
116
|
+
function alreadyCut() {
|
|
117
|
+
if (git(["tag", "-l", `v${version}`]).out) return true;
|
|
118
|
+
if (DRY_RUN) return false; // offline decision only in dry-run
|
|
119
|
+
const remote = git(["ls-remote", "origin", `refs/tags/v${version}`]);
|
|
120
|
+
return remote.code === 0 && Boolean(remote.out);
|
|
121
|
+
}
|
|
122
|
+
|
|
123
|
+
// ---- stage 0: preflight -----------------------------------------------------
|
|
124
|
+
function runPreflight() {
|
|
125
|
+
stage(0, "preflight");
|
|
126
|
+
const args = ["scripts/release-flow.js", "--cut", "--version", version, "--push", "--preflight-only"];
|
|
127
|
+
const r = spawnSync("node", args, { cwd: pluginRoot, encoding: "utf8", stdio: "inherit" });
|
|
128
|
+
if (r.status !== 0) {
|
|
129
|
+
die("preflight failed — fix the issue above before re-running (nothing was done yet).");
|
|
130
|
+
}
|
|
131
|
+
if (gh(["--version"]).code !== 0) die("gh CLI not found — required for the bump/verdict PRs and the GitHub Release.");
|
|
132
|
+
if (gh(["auth", "status"]).code !== 0) die("gh is not authenticated — run `gh auth login` first.");
|
|
133
|
+
say("preflight OK");
|
|
134
|
+
}
|
|
135
|
+
|
|
136
|
+
// ---- stage 1: bump PR (skipped if already at target version) ---------------
|
|
137
|
+
function currentPackageVersion() {
|
|
138
|
+
const pkg = JSON.parse(fs.readFileSync(path.join(pluginRoot, "package.json"), "utf8"));
|
|
139
|
+
return pkg.version;
|
|
140
|
+
}
|
|
141
|
+
|
|
142
|
+
function runBumpStage() {
|
|
143
|
+
stage(1, "version bump");
|
|
144
|
+
if (currentPackageVersion() === version) {
|
|
145
|
+
say(`package.json already at ${version} — assuming the prep PR already landed, skipping.`);
|
|
146
|
+
return;
|
|
147
|
+
}
|
|
148
|
+
if (DRY_RUN) {
|
|
149
|
+
say(`[dry-run] would: branch off origin/main, bump:version -- ${version} --content, sync:project-index, open + auto-merge a bump PR.`);
|
|
150
|
+
return;
|
|
151
|
+
}
|
|
152
|
+
|
|
153
|
+
const fetch = git(["fetch", "origin", "main", "--quiet"]);
|
|
154
|
+
if (fetch.code !== 0) die("git fetch origin main failed — the bump branch must start from the REAL main tip", fetch.err);
|
|
155
|
+
const branch = `release/v${version}-bump`;
|
|
156
|
+
const co = git(["checkout", "-B", branch, "origin/main"]);
|
|
157
|
+
if (co.code !== 0) die("could not branch from origin/main for the bump PR", co.err);
|
|
158
|
+
|
|
159
|
+
const bump = spawnSync("npm", ["run", "bump:version", "--", version, "--content"], { cwd: pluginRoot, stdio: "inherit" });
|
|
160
|
+
if (bump.status !== 0) die("bump:version --content failed");
|
|
161
|
+
|
|
162
|
+
const sync = spawnSync("npm", ["run", "sync:project-index", "--", "--repo-only"], { cwd: pluginRoot, stdio: "inherit" });
|
|
163
|
+
if (sync.status !== 0) die("sync:project-index failed");
|
|
164
|
+
|
|
165
|
+
// tsc's incremental cache can ship a stale dist/version.js after a version
|
|
166
|
+
// edit (documented gotcha) — force a clean rebuild before committing.
|
|
167
|
+
fs.rmSync(path.join(pluginRoot, ".cache"), { recursive: true, force: true });
|
|
168
|
+
const build = spawnSync("npm", ["run", "build"], { cwd: pluginRoot, stdio: "inherit" });
|
|
169
|
+
if (build.status !== 0) die("npm run build failed after bump");
|
|
170
|
+
|
|
171
|
+
const logPath = path.join(repoRoot, "ITERATION_LOG.md");
|
|
172
|
+
const log = fs.readFileSync(logPath, "utf8");
|
|
173
|
+
const entry = [
|
|
174
|
+
"# CW Iteration Log",
|
|
175
|
+
"",
|
|
176
|
+
`## Batch — v${version} version bump (Unreleased)`,
|
|
177
|
+
"",
|
|
178
|
+
`> Release prep for v${version}: bump every structured surface with`,
|
|
179
|
+
`> \`bump:version -- ${version} --content\` and fill the gated content`,
|
|
180
|
+
"> surfaces (CHANGELOG.md, RELEASE.md, docs version lists). The bump",
|
|
181
|
+
"> lands as its own PR before the cut so the cut's own bump:version step",
|
|
182
|
+
"> is a no-op. No behavior change; the version constant is the only src",
|
|
183
|
+
"> edit. Generated by release-oneclick.js's bump stage.",
|
|
184
|
+
"",
|
|
185
|
+
"| cycle | goal | files | tests | gate | tagged |",
|
|
186
|
+
"|-------|------|-------|-------|------|--------|",
|
|
187
|
+
`| - | Bump to v${version} across all structured + content surfaces via release-oneclick.js. | ` +
|
|
188
|
+
"package.json + lockfile + manifests + src/core/version.ts + matching dist/**, CHANGELOG.md, RELEASE.md, docs/*.7.md version lists. | " +
|
|
189
|
+
"Full local gate before PR. | BUILD OK; content-surface gate OK. | no (bump PR; the tag comes from release-flow --cut) |"
|
|
190
|
+
].join("\n");
|
|
191
|
+
fs.writeFileSync(logPath, `${entry}\n\n${log.replace(/^# CW Iteration Log\n\n?/, "")}`);
|
|
192
|
+
|
|
193
|
+
// Tracked files only — NEVER `git add -A` here. Everything the bump stage
|
|
194
|
+
// touches is already tracked (bump surfaces, docs appends, ITERATION_LOG,
|
|
195
|
+
// dist), and an untracked stray (a scratch file, a reviewer transcript with
|
|
196
|
+
// the operator's home path) must not ride into a PR onto main — the exact
|
|
197
|
+
// incident cut()'s staging comment documents from v0.1.96.
|
|
198
|
+
git(["add", "-u"], { cwd: repoRoot });
|
|
199
|
+
const commit = git(["commit", "-m", `chore(release): bump version to ${version}`], { cwd: repoRoot });
|
|
200
|
+
if (commit.code !== 0) die("bump commit failed", commit.err);
|
|
201
|
+
|
|
202
|
+
// --force-with-lease: a prior run may have pushed this branch and then died
|
|
203
|
+
// before the PR merged; the re-run rebuilds the branch from origin/main with
|
|
204
|
+
// a new sha, and a plain push would be rejected non-fast-forward. The lease
|
|
205
|
+
// keeps this safe: it only replaces the remote branch we saw at fetch time.
|
|
206
|
+
const push = git(["push", "-u", "--force-with-lease", "origin", branch], { cwd: repoRoot });
|
|
207
|
+
if (push.code !== 0) die("bump branch push failed", push.err);
|
|
208
|
+
|
|
209
|
+
const pr = gh(["pr", "create", "--base", "main", "--head", branch, "--title", `chore(release): bump version to ${version}`, "--body", "Automated version bump ahead of the gated cut. Generated by release-oneclick.js."]);
|
|
210
|
+
if (pr.code !== 0) die("gh pr create failed for the bump PR", pr.err);
|
|
211
|
+
say(pr.out);
|
|
212
|
+
|
|
213
|
+
const merge = gh(["pr", "merge", branch, "--auto", "--squash"]);
|
|
214
|
+
if (merge.code !== 0) die("gh pr merge --auto failed for the bump PR", merge.err);
|
|
215
|
+
|
|
216
|
+
say("waiting for the bump PR to merge...");
|
|
217
|
+
poll({
|
|
218
|
+
label: "bump PR merge wait",
|
|
219
|
+
timeoutMs: 30 * 60 * 1000,
|
|
220
|
+
intervalMs: 15000,
|
|
221
|
+
probe: () => {
|
|
222
|
+
const view = gh(["pr", "view", branch, "--json", "state"]);
|
|
223
|
+
if (view.code !== 0) return { error: true };
|
|
224
|
+
let state;
|
|
225
|
+
try {
|
|
226
|
+
state = JSON.parse(view.out).state;
|
|
227
|
+
} catch {
|
|
228
|
+
return { error: true };
|
|
229
|
+
}
|
|
230
|
+
if (state === "MERGED") return { done: true };
|
|
231
|
+
if (state === "CLOSED") die("the bump PR was closed without merging");
|
|
232
|
+
return {};
|
|
233
|
+
}
|
|
234
|
+
});
|
|
235
|
+
say("bump PR merged.");
|
|
236
|
+
}
|
|
237
|
+
|
|
238
|
+
// ---- stage 2: cut ------------------------------------------------------------
|
|
239
|
+
function runCutStage() {
|
|
240
|
+
stage(2, "cut (gate + vendor preflight + reviewer + sign + tag + push)");
|
|
241
|
+
if (DRY_RUN) {
|
|
242
|
+
say(`[dry-run] would: node scripts/release-flow.js --cut --version ${version} --push`);
|
|
243
|
+
return;
|
|
244
|
+
}
|
|
245
|
+
git(["fetch", "origin", "main", "--quiet"], { cwd: repoRoot });
|
|
246
|
+
const co = git(["checkout", "-B", `release/v${version}-cut`, "origin/main"], { cwd: repoRoot });
|
|
247
|
+
if (co.code !== 0) die("could not branch from origin/main for the cut", co.err);
|
|
248
|
+
|
|
249
|
+
const r = spawnSync("node", ["scripts/release-flow.js", "--cut", "--version", version, "--push"], {
|
|
250
|
+
cwd: pluginRoot,
|
|
251
|
+
encoding: "utf8",
|
|
252
|
+
stdio: "inherit"
|
|
253
|
+
});
|
|
254
|
+
if (r.status !== 0) die("cut failed — see the release-flow.js output above.");
|
|
255
|
+
say("cut complete: tag pushed, GitHub Release created.");
|
|
256
|
+
}
|
|
257
|
+
|
|
258
|
+
// ---- stage 3: record on main + wait for CI + confirm npm -------------------
|
|
259
|
+
function verdictPaths() {
|
|
260
|
+
const dir = path.join(repoRoot, ".cw-release");
|
|
261
|
+
const tagCommit = git(["rev-parse", `v${version}^{commit}`]).out;
|
|
262
|
+
const reviewedParent = git(["rev-parse", `v${version}~1`]).out;
|
|
263
|
+
// cut() commits the verdict directly on the reviewed parent, so the
|
|
264
|
+
// filename is keyed on THAT sha, not the tag commit's own sha.
|
|
265
|
+
const verdict = path.join(dir, `review-${reviewedParent}.verdict`);
|
|
266
|
+
const sig = `${verdict}.sig`;
|
|
267
|
+
return { tagCommit, reviewedParent, verdict, sig, dir };
|
|
268
|
+
}
|
|
269
|
+
|
|
270
|
+
function runRecordAndWaitStage() {
|
|
271
|
+
stage(3, "record on main + wait for CI + confirm npm");
|
|
272
|
+
if (DRY_RUN) {
|
|
273
|
+
say("[dry-run] would: open a PR landing the verdict+.sig onto main, then poll release-gate/npm-publish/npm view.");
|
|
274
|
+
return;
|
|
275
|
+
}
|
|
276
|
+
|
|
277
|
+
const { tagCommit, reviewedParent, verdict, sig } = verdictPaths();
|
|
278
|
+
const relVerdict = path.relative(repoRoot, verdict);
|
|
279
|
+
const relSig = path.relative(repoRoot, sig);
|
|
280
|
+
// Byte-exact copies from the TAG commit — the .sig was made over the
|
|
281
|
+
// verdict file's exact bytes, so a trimmed/normalized copy on main could
|
|
282
|
+
// never verify against the same signature again.
|
|
283
|
+
const verdictBytes = gitRaw(["show", `${tagCommit}:${relVerdict}`], { cwd: repoRoot });
|
|
284
|
+
if (verdictBytes.code === 0) {
|
|
285
|
+
const fetch = git(["fetch", "origin", "main", "--quiet"], { cwd: repoRoot });
|
|
286
|
+
if (fetch.code !== 0) {
|
|
287
|
+
say(`WARN: git fetch failed (${fetch.err}) — skipping the main-record PR (informational only).`);
|
|
288
|
+
} else {
|
|
289
|
+
const branch = `release/v${version}-record`;
|
|
290
|
+
const co = git(["checkout", "-B", branch, "origin/main"], { cwd: repoRoot });
|
|
291
|
+
if (co.code === 0) {
|
|
292
|
+
fs.mkdirSync(path.dirname(verdict), { recursive: true });
|
|
293
|
+
fs.writeFileSync(verdict, verdictBytes.out);
|
|
294
|
+
const sigBytes = gitRaw(["show", `${tagCommit}:${relSig}`], { cwd: repoRoot });
|
|
295
|
+
if (sigBytes.code === 0) fs.writeFileSync(sig, sigBytes.out);
|
|
296
|
+
git(["add", "--", relVerdict], { cwd: repoRoot });
|
|
297
|
+
if (fs.existsSync(sig)) git(["add", "--", relSig], { cwd: repoRoot });
|
|
298
|
+
const status = git(["status", "--porcelain"], { cwd: repoRoot });
|
|
299
|
+
if (status.out) {
|
|
300
|
+
const commit = git(["commit", "-m", `chore(release): record the v${version} reviewer verdict on main`], { cwd: repoRoot });
|
|
301
|
+
if (commit.code === 0) {
|
|
302
|
+
git(["push", "-u", "--force-with-lease", "origin", branch], { cwd: repoRoot });
|
|
303
|
+
const pr = gh(["pr", "create", "--base", "main", "--head", branch, "--title", `chore(release): record the v${version} reviewer verdict on main`, "--body", `Informational — lands the tagged v${version} verdict + signature onto main for the repo's own audit trail. No gate implications (main's required checks don't include release-gate). Reviewed commit: ${reviewedParent}.`]);
|
|
304
|
+
if (pr.code === 0) {
|
|
305
|
+
say(pr.out);
|
|
306
|
+
gh(["pr", "merge", branch, "--auto", "--squash"]);
|
|
307
|
+
} else {
|
|
308
|
+
say(`WARN: could not open the record PR (${pr.err}) — continuing, this is informational only.`);
|
|
309
|
+
}
|
|
310
|
+
}
|
|
311
|
+
} else {
|
|
312
|
+
say("main already has this verdict recorded — nothing to do.");
|
|
313
|
+
}
|
|
314
|
+
}
|
|
315
|
+
}
|
|
316
|
+
} else {
|
|
317
|
+
say(`WARN: no verdict at ${relVerdict} in the tag commit — skipping the main-record PR (informational only, not release-blocking).`);
|
|
318
|
+
}
|
|
319
|
+
|
|
320
|
+
say(`waiting for release-gate on tag v${version}...`);
|
|
321
|
+
const gateRunId = poll({
|
|
322
|
+
label: "release-gate wait",
|
|
323
|
+
timeoutMs: 45 * 60 * 1000,
|
|
324
|
+
intervalMs: 20000,
|
|
325
|
+
probe: () => {
|
|
326
|
+
const list = gh(["run", "list", "--workflow", "release-gate", "--limit", "10", "--json", "databaseId,headBranch,status,conclusion"]);
|
|
327
|
+
if (list.code !== 0) return { error: true };
|
|
328
|
+
let runs;
|
|
329
|
+
try {
|
|
330
|
+
runs = JSON.parse(list.out);
|
|
331
|
+
} catch {
|
|
332
|
+
return { error: true };
|
|
333
|
+
}
|
|
334
|
+
const gateRun = runs.find((r) => r.headBranch === `v${version}`);
|
|
335
|
+
if (gateRun && gateRun.status === "completed") {
|
|
336
|
+
if (gateRun.conclusion === "success") return { done: true, value: gateRun.databaseId };
|
|
337
|
+
die(`release-gate FAILED — inspect: gh run view ${gateRun.databaseId} --log-failed`);
|
|
338
|
+
}
|
|
339
|
+
return {};
|
|
340
|
+
}
|
|
341
|
+
});
|
|
342
|
+
say(`release-gate: SUCCESS (run ${gateRunId})`);
|
|
343
|
+
|
|
344
|
+
// npm-publish is created only AFTER release-gate completes (workflow_run
|
|
345
|
+
// trigger), so the run to wait for may not exist yet — and the newest
|
|
346
|
+
// completed npm-publish run at this moment is usually the PREVIOUS
|
|
347
|
+
// release's. Only accept a run created at-or-after the moment the gate
|
|
348
|
+
// finished (small clock-skew allowance), and keep waiting until that run
|
|
349
|
+
// exists and completes.
|
|
350
|
+
say("waiting for npm-publish...");
|
|
351
|
+
const gateDoneMs = Date.now();
|
|
352
|
+
poll({
|
|
353
|
+
label: "npm-publish wait",
|
|
354
|
+
timeoutMs: 30 * 60 * 1000,
|
|
355
|
+
intervalMs: 20000,
|
|
356
|
+
probe: () => {
|
|
357
|
+
const list = gh(["run", "list", "--workflow", "npm-publish", "--limit", "5", "--json", "databaseId,status,conclusion,createdAt"]);
|
|
358
|
+
if (list.code !== 0) return { error: true };
|
|
359
|
+
let runs;
|
|
360
|
+
try {
|
|
361
|
+
runs = JSON.parse(list.out);
|
|
362
|
+
} catch {
|
|
363
|
+
return { error: true };
|
|
364
|
+
}
|
|
365
|
+
const fresh = runs
|
|
366
|
+
.filter((r) => Date.parse(r.createdAt) >= gateDoneMs - 120000)
|
|
367
|
+
.sort((a, b) => (a.createdAt < b.createdAt ? 1 : -1))[0];
|
|
368
|
+
if (fresh && fresh.status === "completed") {
|
|
369
|
+
if (fresh.conclusion === "success") return { done: true };
|
|
370
|
+
die(`npm-publish FAILED (conclusion: ${fresh.conclusion}) — inspect: gh run view ${fresh.databaseId} --log-failed`);
|
|
371
|
+
}
|
|
372
|
+
return {};
|
|
373
|
+
}
|
|
374
|
+
});
|
|
375
|
+
say("npm-publish: SUCCESS");
|
|
376
|
+
|
|
377
|
+
say("confirming npm...");
|
|
378
|
+
poll({
|
|
379
|
+
label: "npm registry confirmation",
|
|
380
|
+
timeoutMs: 10 * 60 * 1000,
|
|
381
|
+
intervalMs: 15000,
|
|
382
|
+
probe: () => {
|
|
383
|
+
const view = spawnSync("npm", ["view", "cool-workflow", "version"], { encoding: "utf8" });
|
|
384
|
+
if (view.status !== 0) return { error: true };
|
|
385
|
+
return view.stdout.trim() === version ? { done: true } : {};
|
|
386
|
+
}
|
|
387
|
+
});
|
|
388
|
+
say(`npm view cool-workflow version -> ${version} — confirmed live.`);
|
|
389
|
+
const releaseUrl = gh(["release", "view", `v${version}`, "--json", "url", "--jq", ".url"]);
|
|
390
|
+
say(`\nRELEASE COMPLETE: v${version}`);
|
|
391
|
+
if (releaseUrl.code === 0) say(`GitHub Release: ${releaseUrl.out}`);
|
|
392
|
+
say(`npm: https://www.npmjs.com/package/cool-workflow/v/${version}`);
|
|
393
|
+
}
|
|
394
|
+
|
|
395
|
+
if (alreadyCut()) {
|
|
396
|
+
say(`tag v${version} already exists — the cut already happened; resuming at stage 3 (CI wait + record + confirm).`);
|
|
397
|
+
if (DRY_RUN) {
|
|
398
|
+
say("[dry-run] would resume at stage 3: record PR + wait for release-gate/npm-publish + npm view confirmation.");
|
|
399
|
+
} else {
|
|
400
|
+
runRecordAndWaitStage();
|
|
401
|
+
}
|
|
402
|
+
} else {
|
|
403
|
+
runPreflight();
|
|
404
|
+
runBumpStage();
|
|
405
|
+
runCutStage();
|
|
406
|
+
runRecordAndWaitStage();
|
|
407
|
+
}
|
|
@@ -106,68 +106,68 @@ function main() {
|
|
|
106
106
|
// above (version.ts/dist/package.json/manifests/docs) still pin the release.
|
|
107
107
|
checkIncludes("plugins/cool-workflow/docs/index.md", "release and migration", checks);
|
|
108
108
|
checkIncludes("plugins/cool-workflow/docs/multi-agent-topologies.7.md", "Multi-Agent Topologies", checks);
|
|
109
|
-
|
|
110
|
-
|
|
111
|
-
|
|
109
|
+
checkIncludesOwnLine("plugins/cool-workflow/docs/multi-agent-cli-mcp-surface.7.md", VERSION, checks);
|
|
110
|
+
checkIncludesOwnLine("plugins/cool-workflow/docs/multi-agent-operator-ux.7.md", VERSION, checks);
|
|
111
|
+
checkIncludesOwnLine("plugins/cool-workflow/docs/multi-agent-eval-replay-harness.7.md", VERSION, checks);
|
|
112
112
|
checkIncludes("plugins/cool-workflow/docs/state-explosion-management.7.md", "State Explosion Management", checks);
|
|
113
|
-
|
|
113
|
+
checkIncludesOwnLine("plugins/cool-workflow/docs/state-explosion-management.7.md", VERSION, checks);
|
|
114
114
|
checkIncludes("plugins/cool-workflow/docs/evidence-adoption-reasoning-chain.7.md", "Evidence Adoption Reasoning Chain", checks);
|
|
115
|
-
|
|
115
|
+
checkIncludesOwnLine("plugins/cool-workflow/docs/evidence-adoption-reasoning-chain.7.md", VERSION, checks);
|
|
116
116
|
checkIncludes("plugins/cool-workflow/docs/coordinator-blackboard.7.md", "Coordinator / Blackboard", checks);
|
|
117
117
|
checkIncludes("plugins/cool-workflow/docs/cli-mcp-parity.7.md", "CLI", checks);
|
|
118
|
-
|
|
118
|
+
checkIncludesOwnLine("plugins/cool-workflow/docs/cli-mcp-parity.7.md", VERSION, checks);
|
|
119
119
|
checkIncludes("plugins/cool-workflow/docs/index.md", "cli-mcp-parity.7.md", checks);
|
|
120
120
|
checkIncludes("plugins/cool-workflow/docs/run-registry-control-plane.7.md", "Run Registry / Control Plane", checks);
|
|
121
|
-
|
|
121
|
+
checkIncludesOwnLine("plugins/cool-workflow/docs/run-registry-control-plane.7.md", VERSION, checks);
|
|
122
122
|
checkIncludes("plugins/cool-workflow/docs/index.md", "run-registry-control-plane.7.md", checks);
|
|
123
123
|
checkIncludes("plugins/cool-workflow/test/run-registry-control-plane-smoke.js", "run-registry-control-plane-smoke", checks);
|
|
124
124
|
checkIncludes("plugins/cool-workflow/docs/execution-backends.7.md", "Execution Backends", checks);
|
|
125
|
-
|
|
125
|
+
checkIncludesOwnLine("plugins/cool-workflow/docs/execution-backends.7.md", VERSION, checks);
|
|
126
126
|
checkIncludes("plugins/cool-workflow/docs/index.md", "execution-backends.7.md", checks);
|
|
127
127
|
checkIncludes("plugins/cool-workflow/test/execution-backends-smoke.js", "execution-backends-smoke", checks);
|
|
128
128
|
checkIncludes("plugins/cool-workflow/docs/web-desktop-workbench.7.md", "Web / Desktop Workbench", checks);
|
|
129
|
-
|
|
129
|
+
checkIncludesOwnLine("plugins/cool-workflow/docs/web-desktop-workbench.7.md", VERSION, checks);
|
|
130
130
|
checkIncludes("plugins/cool-workflow/docs/index.md", "web-desktop-workbench.7.md", checks);
|
|
131
131
|
checkIncludes("plugins/cool-workflow/test/web-desktop-workbench-smoke.js", "web-desktop-workbench-smoke", checks);
|
|
132
132
|
checkIncludes("plugins/cool-workflow/docs/observability-cost-accounting.7.md", "Observability + Cost Accounting", checks);
|
|
133
|
-
|
|
133
|
+
checkIncludesOwnLine("plugins/cool-workflow/docs/observability-cost-accounting.7.md", VERSION, checks);
|
|
134
134
|
checkIncludes("plugins/cool-workflow/docs/index.md", "observability-cost-accounting.7.md", checks);
|
|
135
135
|
checkIncludes("plugins/cool-workflow/test/observability-cost-accounting-smoke.js", "observability-cost-accounting-smoke", checks);
|
|
136
136
|
checkIncludes("plugins/cool-workflow/docs/team-collaboration.7.md", "Team Collaboration", checks);
|
|
137
|
-
|
|
137
|
+
checkIncludesOwnLine("plugins/cool-workflow/docs/team-collaboration.7.md", VERSION, checks);
|
|
138
138
|
checkIncludes("plugins/cool-workflow/docs/index.md", "team-collaboration.7.md", checks);
|
|
139
139
|
checkIncludes("plugins/cool-workflow/test/team-collaboration-smoke.js", "team-collaboration-smoke", checks);
|
|
140
140
|
checkIncludes("plugins/cool-workflow/docs/release-tooling.7.md", "Release Tooling", checks);
|
|
141
|
-
|
|
141
|
+
checkIncludesOwnLine("plugins/cool-workflow/docs/release-tooling.7.md", VERSION, checks);
|
|
142
142
|
checkIncludes("plugins/cool-workflow/docs/index.md", "release-tooling.7.md", checks);
|
|
143
143
|
checkIncludes("plugins/cool-workflow/test/release-tooling-smoke.js", "release-tooling-smoke", checks);
|
|
144
144
|
checkIncludes("plugins/cool-workflow/docs/real-execution-backends.7.md", "Real Execution Backend Integrations", checks);
|
|
145
|
-
|
|
145
|
+
checkIncludesOwnLine("plugins/cool-workflow/docs/real-execution-backends.7.md", VERSION, checks);
|
|
146
146
|
checkIncludes("plugins/cool-workflow/docs/index.md", "real-execution-backends.7.md", checks);
|
|
147
147
|
checkIncludes("plugins/cool-workflow/test/real-execution-backends-smoke.js", "real-execution-backends-smoke", checks);
|
|
148
148
|
checkIncludes("plugins/cool-workflow/docs/node-snapshot-diff-replay.7.md", "Node Snapshot / Diff / Replay", checks);
|
|
149
|
-
|
|
149
|
+
checkIncludesOwnLine("plugins/cool-workflow/docs/node-snapshot-diff-replay.7.md", VERSION, checks);
|
|
150
150
|
checkIncludes("plugins/cool-workflow/docs/index.md", "node-snapshot-diff-replay.7.md", checks);
|
|
151
151
|
checkIncludes("plugins/cool-workflow/test/node-snapshot-diff-replay-smoke.js", "node-snapshot-diff-replay-smoke", checks);
|
|
152
152
|
checkIncludes("plugins/cool-workflow/docs/contract-migration-tooling.7.md", "Contract Migration Tooling", checks);
|
|
153
|
-
|
|
153
|
+
checkIncludesOwnLine("plugins/cool-workflow/docs/contract-migration-tooling.7.md", VERSION, checks);
|
|
154
154
|
checkIncludes("plugins/cool-workflow/docs/index.md", "contract-migration-tooling.7.md", checks);
|
|
155
155
|
checkIncludes("plugins/cool-workflow/test/contract-migration-tooling-smoke.js", "contract-migration-tooling-smoke", checks);
|
|
156
156
|
checkIncludes("plugins/cool-workflow/docs/control-plane-scheduling.7.md", "Control-Plane Scheduling", checks);
|
|
157
|
-
|
|
157
|
+
checkIncludesOwnLine("plugins/cool-workflow/docs/control-plane-scheduling.7.md", VERSION, checks);
|
|
158
158
|
checkIncludes("plugins/cool-workflow/docs/index.md", "control-plane-scheduling.7.md", checks);
|
|
159
159
|
checkIncludes("plugins/cool-workflow/test/control-plane-scheduling-smoke.js", "control-plane-scheduling-smoke", checks);
|
|
160
160
|
checkIncludes("plugins/cool-workflow/docs/agent-delegation-drive.7.md", "Agent Delegation Drive", checks);
|
|
161
|
-
|
|
161
|
+
checkIncludesOwnLine("plugins/cool-workflow/docs/agent-delegation-drive.7.md", VERSION, checks);
|
|
162
162
|
checkIncludes("plugins/cool-workflow/docs/index.md", "agent-delegation-drive.7.md", checks);
|
|
163
163
|
checkIncludes("plugins/cool-workflow/test/agent-delegation-drive-smoke.js", "agent-delegation-drive-smoke", checks);
|
|
164
164
|
checkIncludes("plugins/cool-workflow/docs/run-retention-reclamation.7.md", "Run Retention & Provable Reclamation", checks);
|
|
165
|
-
|
|
165
|
+
checkIncludesOwnLine("plugins/cool-workflow/docs/run-retention-reclamation.7.md", VERSION, checks);
|
|
166
166
|
checkIncludes("plugins/cool-workflow/docs/index.md", "run-retention-reclamation.7.md", checks);
|
|
167
167
|
checkIncludes("plugins/cool-workflow/test/run-retention-reclamation-smoke.js", "run-retention-reclamation-smoke", checks);
|
|
168
168
|
checkIncludes("plugins/cool-workflow/src/wiring/capability-table/scheduling-registry.ts", "gc.plan", checks);
|
|
169
169
|
checkIncludes("plugins/cool-workflow/docs/durable-state-and-locking.7.md", "Durable State & Locking", checks);
|
|
170
|
-
|
|
170
|
+
checkIncludesOwnLine("plugins/cool-workflow/docs/durable-state-and-locking.7.md", VERSION, checks);
|
|
171
171
|
checkIncludes("plugins/cool-workflow/docs/index.md", "durable-state-and-locking.7.md", checks);
|
|
172
172
|
checkIncludes("plugins/cool-workflow/test/durable-atomic-write-smoke.js", "durable-atomic-write-smoke", checks);
|
|
173
173
|
checkIncludes("plugins/cool-workflow/src/shell/fs-atomic.ts", "withFileLock", checks);
|
|
@@ -201,12 +201,12 @@ function main() {
|
|
|
201
201
|
checkIncludes("plugins/cool-workflow/docs/getting-started.md", "npm run release:check", checks);
|
|
202
202
|
checkIncludes("plugins/cool-workflow/package.json", "eval:replay", checks);
|
|
203
203
|
checkIncludes("plugins/cool-workflow/docs/trust-audit-anchor.7.md", "Trust Audit Anchor", checks);
|
|
204
|
-
|
|
204
|
+
checkIncludesOwnLine("plugins/cool-workflow/docs/trust-audit-anchor.7.md", VERSION, checks);
|
|
205
205
|
checkIncludes("plugins/cool-workflow/docs/index.md", "trust-audit-anchor.7.md", checks);
|
|
206
206
|
checkIncludes("plugins/cool-workflow/test/trust-audit-anchor-smoke.js", "trust-audit-anchor-smoke", checks);
|
|
207
|
-
|
|
207
|
+
checkIncludesOwnLine("plugins/cool-workflow/docs/release-and-migration.7.md", VERSION, checks);
|
|
208
208
|
checkIncludes("CHANGELOG.md", `## ${VERSION}`, checks);
|
|
209
|
-
|
|
209
|
+
checkIncludesOwnLine("RELEASE.md", VERSION, checks);
|
|
210
210
|
// Homebrew formula (repo root): git-tag formula. Homebrew scans the version
|
|
211
211
|
// from the tag, so the tag is the single version surface to gate (an explicit
|
|
212
212
|
// `version` line would be redundant and brew audit rejects it). bump-version.js
|
|
@@ -266,4 +266,21 @@ function checkIncludes(relativePath, needle, checks) {
|
|
|
266
266
|
checks.push({ path: relativePath, includes: needle });
|
|
267
267
|
}
|
|
268
268
|
|
|
269
|
+
// A bare version number (e.g. "0.2.4") can appear anywhere in a doc's
|
|
270
|
+
// prose — an example command, a cross-reference — without the doc's own
|
|
271
|
+
// version-history footer (a blank-line-separated list, one release per
|
|
272
|
+
// line, appended by bump-version.js's --content step) actually having
|
|
273
|
+
// been updated. A plain substring check would silently pass on the
|
|
274
|
+
// coincidental prose match and never notice the real footer line is
|
|
275
|
+
// missing (found live: v0.2.4's bump left release-tooling.7.md's footer
|
|
276
|
+
// stuck at 0.2.3, masked by an unrelated "npm run release -- 0.2.4"
|
|
277
|
+
// example a few lines up). Require the needle on its own line instead.
|
|
278
|
+
function checkIncludesOwnLine(relativePath, needle, checks) {
|
|
279
|
+
const src = readReleaseSource(relativePath);
|
|
280
|
+
assert.ok(src.exists, `${relativePath} must exist`);
|
|
281
|
+
const hasOwnLine = src.text.split("\n").some((line) => line.trim() === needle);
|
|
282
|
+
assert.ok(hasOwnLine, `${relativePath} must include ${needle} as its own line (not just as a substring)`);
|
|
283
|
+
checks.push({ path: relativePath, includesOwnLine: needle });
|
|
284
|
+
}
|
|
285
|
+
|
|
269
286
|
main();
|