Skip to content

build(release): pre-tag gates + automated post-release bump in cut-release#397

Merged
DemchaAV merged 5 commits into
developfrom
harden/release-process-8
Jul 13, 2026
Merged

build(release): pre-tag gates + automated post-release bump in cut-release#397
DemchaAV merged 5 commits into
developfrom
harden/release-process-8

Conversation

@DemchaAV

Copy link
Copy Markdown
Owner

Why

The GA surfaced two release-process gaps. After a release the train poms stay at the release version, so the japicmp gate is a silent no-op until someone manually opens the next -SNAPSHOT (the gap hit in the japicmp PR — done by hand there). And the README "Latest stable" prose block has no test guarding it, so a tag can be cut while it still names the previous version (the recurring stale-tag-README bug). This hardens cut-release.ps1 so the next release can't repeat either.

What

scripts/cut-release.ps1

  • -PostReleaseOnly opens the next development line. It now bumps every train pom to the next patch -SNAPSHOT (via the existing Update-PomVersion; idempotent — skipped when already a SNAPSHOT or when there's no core/pom.xml) and restores the /blob/develop showcase links. It deliberately leaves the README/showcase install snippets on the just-published releaseVersionConsistencyGuardTest requires snippets to advertise the on-Central version during a -SNAPSHOT cycle.
  • Fast pre-tag metadata gate (Step 2b). Fails the cut in milliseconds if the CHANGELOG isn't dated for the target, the README "Latest stable" block doesn't name it, the install snippet lags, or a train pom's version is wrong — the only automated guard against a stale release-status line. A dry run warns on a stale "Latest stable" (the one check needing no mutation).
  • Binary-compatibility gate (Step 5b). Runs japicmp against the published baseline before commit/tag, independent of the PR-time CI gate (which a direct push could bypass). Skipped by -SkipVerify and on the 1.x layout.
  • Post-tag reminders point at the release-smoke suite (post-publish) and the -PostReleaseOnly follow-up.

docs/contributing/release-process.md — documents the new gates, the automated SNAPSHOT bump, the post-publish release-smoke step, and a release-publication failure-recovery table (failed GitHub Release, failed Central validation with the module deploy order, partial publication, stale-tag documentation, and the patch-release criteria).

Tests

Verified via -DryRun of a full cut and of -PostReleaseOnly; the Assert-ReleaseMetadata regexes against the real CHANGELOG/README (matches a dated entry + Latest stable, rejects an undated/stale one, em-dash handled); and Get-NextSnapshotVersion across final (2.0.02.0.1-SNAPSHOT), patch-carry (2.3.92.3.10-SNAPSHOT), pre-release (2.0.0-rc.1→skip), and already-SNAPSHOT inputs. A cold review pass ran; its findings (1.x-layout guard, dry-run "Latest stable" preview, baseline precondition, doc scope wording) are applied. No tag, no publish — the project stays on 2.0.1-SNAPSHOT.

DemchaAV added 5 commits July 13, 2026 13:26
…lease

Automate the post-release version bump and gate the tag on the metadata and binary
compatibility that a stale README or an accidental break would otherwise slip past.

cut-release.ps1:
- -PostReleaseOnly now opens the next development line: bumps every train pom to the
  next patch -SNAPSHOT (idempotent — skipped when already a SNAPSHOT, and when there
  is no core/pom.xml) and restores the /blob/develop showcase links, leaving the
  README/showcase install snippets on the just-published release (the version guard
  requires snippets to advertise the version on Central during a -SNAPSHOT cycle).
- Fast pre-tag metadata gate (Step 2b): fails the cut if the CHANGELOG is not dated
  for the target, the README "Latest stable" prose block does not name it, the README
  install snippet lags, or a train pom's version is wrong. That prose block has no
  test guarding it, so this is the only automated guard against tagging with a stale
  release-status line; a dry run warns on it (the one check needing no mutation).
- Binary-compatibility gate (Step 5b): runs japicmp against the published baseline
  before commit/tag, independent of the PR-time CI gate. Skipped by -SkipVerify and
  on the legacy 1.x layout.
- Post-tag reminders point at the release-smoke suite (post-publish) and the
  -PostReleaseOnly follow-up.

release-process.md: document the new gates and the automated SNAPSHOT bump, the
post-publish release-smoke step, and a release-publication failure-recovery table
(failed GitHub Release, failed Central validation with the module deploy order,
partial publication, stale-tag documentation, and the patch-release criteria).

Verified via -DryRun of a full cut and of -PostReleaseOnly, the Assert-ReleaseMetadata
regexes against the real CHANGELOG/README, and Get-NextSnapshotVersion across final /
patch-carry / pre-release / already-SNAPSHOT inputs. No tag, no publish; project stays
on 2.0.1-SNAPSHOT.
Close six release-safety gaps in the cut-release / publish tooling:

- Extract the branch / clean-tree (incl. staged) / origin-sync preflight into
  Assert-BranchPreflight and run it from both a real cut and -PostReleaseOnly, so the
  post-release path can no longer commit + push from the wrong branch, a dirty tree,
  or out of sync with origin.
- -PostReleaseOnly now runs `mvnw validate` + VersionConsistencyGuardTest after the
  SNAPSHOT bump, before committing/pushing. The Maven args go through splatted arrays,
  not inline: the call operator re-tokenizes an inline -Djacoco.skip=true at the dot
  into a bogus Maven phase.
- publish.yml gains a start_at choice input, a plan step, and per-module `if:` guards
  so a partial Central publication can resume from the first unpublished module. A full
  re-dispatch always starts at core and Central rejects re-uploading an already-validated
  coordinate, so it must not be blindly rerun — the recovery doc is corrected to match.
- Assert-ReleaseMetadata now fails when the graph-compose README install snippet is
  missing, not only when its version differs.
- New release-script-check.yml runs cut-release.ps1's dry-runs and a unit check of
  Get-NextSnapshotVersion on any change to the script (the main CI path filters skip it).
- Script help text documents that -PostReleaseOnly opens the next SNAPSHOT line.

Verified: both dry-runs exit 0; the splat passes -Djacoco.skip=true intact (inline
splits it); the publish plan-step start_at logic and the missing-snippet check tested.
No tag, no publish; develop stays 2.0.1-SNAPSHOT.
…ale-README check

Three release-safety fixes on top of the release-process hardening:

- Assert-BranchPreflight now checks the exit code of `git fetch` and both `git
  rev-parse` calls (capturing before .Trim() so a failure surfaces the real
  message, not a null-method error). A silently-failed fetch (network/auth) would
  otherwise compare against a stale origin ref and wrongly report the branch in
  sync — a real gap for a release script.
- publish.yml's deploy planner rejects an unknown start_at: an unrecognised value
  would leave every module skipped and publish nothing while the job stayed green.
  Empty (a tag-triggered run) still means "all".
- The README "Latest stable" check moves to Step 0, BEFORE any file is mutated
  (extracted into Test-ReadmeLatestStable). A stale line now aborts with a clean
  tree instead of failing at Step 2b after Steps 1-2 dirtied the tree — which the
  next preflight would then refuse to run over. Assert-ReleaseMetadata keeps the
  post-mutation checks (CHANGELOG date, install snippet, pom versions).

release-script-check.yml now runs the real Test-ReadmeLatestStable against the
actual README (not just a dry-run print), so the stale-tag guard's regex is
exercised in CI.

Verified: both dry-runs exit 0; the Step-0 Latest-stable warning fires before
Step 1; start_at accepts empty/all/<module> and rejects unknown values;
Test-ReadmeLatestStable matches the README's version and rejects a bogus one. No
tag, no publish; develop stays 2.0.1-SNAPSHOT.
…heck

Two release-safety fixes:

- Pre-release path. The script supports X.Y.Z-rc.N / -alpha / -beta, but publish.yml
  never ships a hyphenated tag to Maven Central — pre-releases go only to the GitHub
  Release pre-release surface. So gate the Central-facing work on
  $isFinalRelease = $Version -match '^\d+\.\d+\.\d+$': only a final release checks the
  README 'Latest stable' block, rewrites the README / module / showcase install
  snippets, and validates them in Assert-ReleaseMetadata. A pre-release still bumps the
  train poms (the tag builds at that version) but leaves 'Latest stable' and the Central
  snippets on the last stable, on-Central version — rewriting them to an RC would
  advertise a coordinate that 404s for anyone who copies it. VersionConsistencyGuardTest
  matches: snippets must equal the pom only for a concrete final version; for a -SNAPSHOT
  or pre-release pom they must equal the latest published release.

- Origin-tag check. The check used `git fetch refs/tags/...`, which exits 128 for a
  legitimately-absent tag (the normal pre-cut case), so its exit code could never
  distinguish "tag free" from a network failure. Switched to `git ls-remote --tags`
  (empty output = free; non-zero = network/auth error), so a broken connection can no
  longer be mistaken for "tag is free".

release-script-check.yml adds a 2.1.0-rc.1 dry-run asserting the pre-release path (no
'Latest stable' check, no install-snippet bump).

Verified: final (2.0.2) and pre-release (2.1.0-rc.1) dry-runs both exit 0 with the
correct split; VersionConsistencyGuardTest 12/12; ls-remote distinguishes an absent tag
(exit 0, empty) from a network error. No tag, no publish; develop stays 2.0.1-SNAPSHOT.
…elease notes

Ensure a pre-release (X.Y.Z-rc.N / -alpha / -beta) never reaches Maven Central,
consistent with cut-release.ps1's final-vs-pre-release split.

- publish.yml: a manual workflow_dispatch bypassed the job `if:` (its first operand
  is unconditionally true for dispatch), so a dispatched pre-release tag could
  publish. Add a first-stage step that rejects any tag not matching ^vX.Y.Z$ (tag is
  passed via env, not inlined, to avoid ref-name injection).
- cut-release.ps1: validate the version up front against
  ^\d+\.\d+\.\d+(-(rc|alpha|beta)\.\d+)?$, so an arbitrary suffix like 2.1.0-preview.1
  is rejected rather than silently taken as a pre-release. Only print the "verify
  Maven Central" / "smoke published artifacts" reminders for a final release.
- release.yml: a pre-release has no CHANGELOG section of its own, so it now uses the
  upcoming final version's notes (NOTES_TAG=${TAG%%-*}) instead of a generic fallback.
- VersionConsistencyGuardTest.latestPublishedRelease(): restrict to a final semver
  header (\d+\.\d+\.\d+), so a dated pre-release header is never treated as the
  published Central version.
- release-script-check.yml: add a 2.1.0-preview.1 rejection assertion (trapping the
  script's terminating throw with try/catch — *>&1 does not catch a throw in-process).

Verified: final (2.0.2) and pre-release (2.1.0-rc.1) dry-runs exit 0; 2.1.0-preview.1
is rejected in-process; VersionConsistencyGuardTest 12/12; the publish tag guard
accepts v2.0.2 and rejects hyphenated/malformed tags; ${TAG%%-*} yields the final
tag; both workflow YAMLs valid. No tag, no publish; develop stays 2.0.1-SNAPSHOT.
@DemchaAV DemchaAV merged commit 39eaa04 into develop Jul 13, 2026
14 checks passed
@DemchaAV DemchaAV deleted the harden/release-process-8 branch July 13, 2026 14:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant