hatchkit 0.1.4 → 0.1.6

package/scripts/release-prep.mjs

@@ -1,30 +1,29 @@
 #!/usr/bin/env node
 /*
- * release-prep — run before `npm version` so any dangling working-tree
- * changes get committed and shipped with the release instead of hanging
- * around on main afterwards.
+ * release-prep — strict pre-release verification.
  *
- * Runs from cli/ (where the release scripts live). Finds the repo root
- * via `git rev-parse --show-toplevel` and operates on the whole repo,
- * not just cli/ — if you've left changes under infra/ or docs/ they get
- * picked up too.
+ * Refuses to release if any of the three repos (hatchkit main,
+ * infra submodule, starter submodule) has uncommitted or untracked
+ * changes. Exits with a clear list of which repos need handling and
+ * what's dirty in each — release scripts assume a clean baseline so
+ * the version commit + tag, the npm publish, and the cross-repo push
+ * all line up against the same set of trees.
  *
- * Safety rails:
- *   - Refuses to run if any staged/untracked path looks like a secret
- *     (.env*, *.pem, *.key, *credentials*, *secret*).
- *   - Submodule pointer changes (git shows as ` M infra` vs `M  infra`)
- *     are fine, but untracked content INSIDE a submodule is NOT auto-
- *     committed from the parent repo — you'd want to commit that inside
- *     the submodule yourself first. We warn + bail in that case.
- *   - Interactive: prompts for a commit message (default:
- *     "chore: pre-release changes").
- *   - Non-interactive (no TTY): uses the default message and proceeds.
- *     Skip the whole thing with RELEASE_SKIP_PREP=1.
+ * ALSO refuses when the local cli/package.json version is at-or-
+ * behind the version published to npm. `npm version patch` increments
+ * from the LOCAL version, not the registry's, so drift between the
+ * two leads to the script generating a number that's already taken
+ * and the publish step crashing after build/typecheck. Catch it up
+ * front instead.
+ *
+ * Skip with RELEASE_SKIP_PREP=1 (e.g. a CI-driven release that's
+ * already vouched for cleanliness). RELEASE_SKIP_NPM_CHECK=1 only
+ * skips the npm-version comparison, useful offline.
  */
 
-import { execSync, spawnSync } from "node:child_process";
-import { createInterface } from "node:readline";
-import { stdin as input, stdout as output } from "node:process";
+import { execSync } from "node:child_process";
+import { existsSync, readFileSync } from "node:fs";
+import { join, relative } from "node:path";
 
 if (process.env.RELEASE_SKIP_PREP === "1") {
   console.log("  release-prep: RELEASE_SKIP_PREP=1 — skipping.");
@@ -35,96 +34,132 @@ function sh(cmd, opts = {}) {
   return execSync(cmd, { encoding: "utf8", ...opts }).trim();
 }
 
-// Find the repo root so git commands work no matter where the script was
-// launched from (pnpm invokes scripts with cwd=cli/).
 let repoRoot;
 try {
   repoRoot = sh("git rev-parse --show-toplevel");
-} catch (err) {
+} catch {
   console.error("  release-prep: not inside a git repo. Aborting.");
   process.exit(1);
 }
 
-const porcelain = sh("git status --porcelain", { cwd: repoRoot });
-if (!porcelain) {
-  console.log("  release-prep: working tree clean. Nothing to commit.");
-  process.exit(0);
-}
+const repos = [
+  { label: "hatchkit (main)", path: repoRoot, hint: `cd ${repoRoot}` },
+  {
+    label: "infra (submodule)",
+    path: join(repoRoot, "infra"),
+    hint: `cd ${join(repoRoot, "infra")}`,
+  },
+  {
+    label: "starter (submodule)",
+    path: join(repoRoot, "starter"),
+    hint: `cd ${join(repoRoot, "starter")}`,
+  },
+];
 
-const entries = porcelain.split("\n").map((l) => {
-  // Porcelain format: "XY path". X = index, Y = worktree. Submodules
-  // show up with `m`/`M` in position Y + 1 for content changes.
-  const code = l.slice(0, 2);
-  const path = l.slice(3);
-  return { code, path };
-});
+const dirty = [];
+for (const r of repos) {
+  // Submodule may not be initialized — skip silently rather than fail.
+  // (`.git` is a file inside an initialized submodule, a dir at the root.)
+  if (!existsSync(join(r.path, ".git"))) continue;
 
-console.log("\n  release-prep: working tree isn't clean.\n");
-console.log(sh("git status --short", { cwd: repoRoot }));
-
-// Refuse secret-looking paths. Keep the pattern conservative — better a
-// false positive that requires manual commit than a leaked token.
-const SECRET_RE = /(^|\/)(\.env(\.|$)|[^/]*credentials[^/]*|[^/]*secret[^/]*|[^/]*\.(pem|key|pfx|p12)$)/i;
-const secretsFound = entries.filter((e) => SECRET_RE.test(e.path));
-if (secretsFound.length > 0) {
-  console.error("\n  release-prep: refusing — these paths look like secrets:\n");
-  for (const e of secretsFound) console.error(`    ${e.path}`);
-  console.error(
-    "\n  Resolve manually: gitignore, delete, or commit yourself and re-run the release.",
-  );
-  process.exit(1);
+  let status;
+  try {
+    status = sh("git status --porcelain", { cwd: r.path });
+  } catch (err) {
+    console.error(`  release-prep: couldn't read ${r.label}: ${err.message}`);
+    process.exit(1);
+  }
+  if (status) {
+    dirty.push({ ...r, status });
+  }
 }
 
-// Untracked content inside a submodule shows as e.g. ' m infra' with
-// only the second column set to lowercase 'm'. Parent-repo `git add`
-// can't reach inside; bail so the user commits in the submodule first.
-const untrackedInSubmodule = entries.filter((e) => e.code === " m" || e.code === "?m");
-if (untrackedInSubmodule.length > 0) {
-  console.error(
-    "\n  release-prep: submodule has untracked changes inside it:\n",
-  );
-  for (const e of untrackedInSubmodule) {
-    console.error(`    ${e.path} — commit inside the submodule first`);
+if (dirty.length === 0) {
+  // Tree is clean — also check that the local version isn't lagging
+  // behind what's on npm. `npm version patch` would silently bump
+  // into a taken number otherwise.
+  if (process.env.RELEASE_SKIP_NPM_CHECK !== "1") {
+    const driftError = checkNpmDrift(repoRoot);
+    if (driftError) {
+      console.error(`\n  ✗ release-prep: ${driftError}\n`);
+      process.exit(1);
+    }
   }
-  console.error(
-    "\n  cd into each submodule, commit, then `git add <submodule>` + re-run the release.",
-  );
-  process.exit(1);
+  console.log("  ✓ release-prep: all trees clean. Continuing release.");
+  process.exit(0);
 }
 
-// Prompt for a commit message unless we're non-interactive.
-const DEFAULT_MSG = "chore: pre-release changes";
-let message = DEFAULT_MSG;
-if (input.isTTY && output.isTTY) {
-  const rl = createInterface({ input, output });
-  message = await new Promise((resolve) => {
-    rl.question(`  Commit message [${DEFAULT_MSG}]: `, (answer) => {
-      rl.close();
-      resolve(answer.trim() || DEFAULT_MSG);
-    });
-  });
-} else {
-  console.log(`  release-prep: non-interactive — using default message "${DEFAULT_MSG}".`);
+console.error("\n  ✗ release-prep: cannot release — dangling changes.\n");
+for (const r of dirty) {
+  const rel = r.path === repoRoot ? "." : relative(repoRoot, r.path);
+  console.error(`  ── ${r.label}  (${rel}/)`);
+  for (const line of r.status.split("\n")) {
+    console.error(`      ${line}`);
+  }
+  console.error();
 }
-
-// Stage + commit at the repo root. Using `git add -A` here is intentional
-// (the whole point of this helper is to sweep everything into the release
-// commit); the secret-path guard above is what keeps it safe.
-const add = spawnSync("git", ["add", "-A"], { cwd: repoRoot, stdio: "inherit" });
-if (add.status !== 0) {
-  console.error("  release-prep: `git add -A` failed.");
-  process.exit(add.status ?? 1);
+console.error("  Handle each tree before releasing:");
+for (const r of dirty) {
+  console.error(`    ${r.hint} && git status   # commit / stash / discard`);
 }
+console.error("\n  Then re-run the release.\n");
+process.exit(1);
 
-const commit = spawnSync("git", ["commit", "-m", message], {
-  cwd: repoRoot,
-  stdio: "inherit",
-});
-if (commit.status !== 0) {
-  console.error(
-    "  release-prep: `git commit` failed (pre-commit hook? empty diff after filters?).",
-  );
-  process.exit(commit.status ?? 1);
+/** Returns null on success, an error message string when the local
+ *  cli/package.json is at-or-behind what's published on npm. We only
+ *  read the registry — never write — so it's safe to run blind. */
+function checkNpmDrift(repoRoot) {
+  const pkgPath = join(repoRoot, "cli", "package.json");
+  if (!existsSync(pkgPath)) return null; // not the hatchkit monorepo layout
+  let pkg;
+  try {
+    pkg = JSON.parse(readFileSync(pkgPath, "utf-8"));
+  } catch (err) {
+    return `couldn't parse cli/package.json — ${err.message}`;
+  }
+  const local = pkg.version;
+  const name = pkg.name;
+  if (!local || !name) return null;
+
+  let registry;
+  try {
+    registry = sh(`npm view ${name} version`, { stdio: ["ignore", "pipe", "ignore"] });
+  } catch {
+    // 404 (package doesn't exist yet on npm) is fine — first publish.
+    return null;
+  }
+  if (!registry) return null;
+
+  // Only refuse when local is BEHIND registry. Equal is the post-sync
+  // state — `npm version patch` increments past it cleanly.
+  if (compareSemver(local, registry) < 0) {
+    return [
+      `local ${name}@${local} is behind the registry's ${registry}.`,
+      "",
+      "  `npm version patch` increments from the LOCAL version, so a release now",
+      "  would try to publish a version that's already taken. Sync first:",
+      "",
+      `      cd ${join(repoRoot, "cli")}`,
+      `      npm version ${registry} --no-git-tag-version    # match the registry`,
+      `      cd ${repoRoot}`,
+      `      git add cli/package.json cli/package-lock.json`,
+      `      git commit -m "chore: release v${registry}"`,
+      `      git tag v${registry}`,
+      "",
+      "  Then re-run the release; it'll bump cleanly past that.",
+    ].join("\n");
+  }
+  return null;
 }
 
-console.log("\n  release-prep: committed. Continuing release.\n");
+/** Tiny semver compare — returns -1 / 0 / 1 for a vs b. We only feed
+ *  it values that come straight out of package.json + npm view, so
+ *  pre-release / build-metadata strings are out of scope. */
+function compareSemver(a, b) {
+  const [aa, bb] = [a, b].map((v) => v.split(".").map((n) => Number(n) || 0));
+  for (let i = 0; i < 3; i++) {
+    if ((aa[i] ?? 0) > (bb[i] ?? 0)) return 1;
+    if ((aa[i] ?? 0) < (bb[i] ?? 0)) return -1;
+  }
+  return 0;
+}