fix(release-pr): stage the version-stamped scorecard doc #413
Merged
The `version` npm hook (since #409) stamps and `git add`s docs/scorecard/cii-best-practices-answers.md, but release-pr.yml still hard-coded a three-file bump allow-list in two places. The scorecard's `current:` marker changes on every bump, so it always landed as a fourth staged file and tripped the Stage bump assertion, blocking the release PR (run 27491924549).

Derive the file set from the index instead of re-hard-coding it: Stage bump asserts a required set (CHANGELOG.md, RELEASES.md, package.json) plus an allowed-but-not-required slot for stamped docs, and Create signed bump commit builds its additions from the staged index so the two lists can no longer drift. The optional treatment matches sync-doc-versions's deliberate "never block on it" tolerance.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
What went wrong

The Prepare Release PR workflow (run 27491924549) failed at the Stage bump step with exit 1:

Root cause: #409 ("stamp version at release") added `scripts/sync-doc-versions.mjs` and extended the `version` npm hook to stamp and `git add docs/scorecard/cii-best-practices-answers.md`. But it never updated `release-pr.yml`, which hard-coded a "three bump files" list in two places. The scorecard's `current:` marker changes on every bump, so it always lands staged as a fourth file and trips the Stage bump allow-list. (A latent second copy of the stale list in Create signed bump commit's `additions` array would have silently dropped the scorecard from the commit even if Stage bump had passed.) No release PR could open until this is fixed.

The fix

Root-cause the whole "two lists drifted out of sync" class by deriving the file set from the index instead of re-hard-coding it:

- Stage bump asserts a required set (`CHANGELOG.md`, `RELEASES.md`, `package.json`) plus an allowed-but-not-required slot for the stamped scorecard doc, and rejects anything outside the allow-list. The optional treatment matches `sync-doc-versions.mjs`'s deliberate "never block on it" tolerance: if the doc's marker is ever re-worded away, the release still proceeds.
- Create signed bump commit builds `additions` from the staged index (`git diff --cached --name-only -z`), keeping it in lock-step with that assertion. A future stamp target can never silently fall off the commit again.

Validation

src/file → fail, missing `package.json` → fail.

End-to-end coverage requires a real `workflow_dispatch`; the logic is exercised as closely as possible without one.

🤖 Generated with Claude Code
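The required-plus-optional allow-list check described in this PR, sketched as an added example; it is not the project's `release-pr.yml` step. The file names are the ones the PR names; the function names are hypothetical, and the caller is assumed to pass in the paths reported by `git diff --cached --name-only -z`.

```sh
#!/bin/sh
# Added example, not the project's workflow code.
# File names are taken from the PR text; function names are hypothetical.
REQUIRED='CHANGELOG.md RELEASES.md package.json'
OPTIONAL='docs/scorecard/cii-best-practices-answers.md'

# in_list NAME ITEM...: succeed only on an exact match, so a staged path
# such as "CHANGELOG.md RELEASES.md" (one name with a space) is not accepted.
in_list() {
  name=$1
  shift
  for item in "$@"; do
    if [ "$item" = "$name" ]; then
      return 0
    fi
  done
  return 1
}

# check_bump_set PATH...: validate the staged paths passed as arguments.
# On success, print the accepted paths one per line and return 0; the same
# output can then feed the commit's file list, so assertion and commit share
# one source. On failure, report every problem on stderr and return 1.
check_bump_set() {
  rc=0
  # Reject anything outside required + optional.
  for f in "$@"; do
    if ! in_list "$f" $REQUIRED $OPTIONAL; then
      printf 'unexpected staged file: %s\n' "$f" >&2
      rc=1
    fi
  done
  # Every required file must be present; the optional doc may be absent.
  for r in $REQUIRED; do
    if ! in_list "$r" "$@"; then
      printf 'required bump file not staged: %s\n' "$r" >&2
      rc=1
    fi
  done
  if [ "$rc" -ne 0 ]; then
    return 1
  fi
  printf '%s\n' "$@"
}
```
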