wu-sheng opened a new pull request, #134:
URL: https://github.com/apache/skywalking-nodejs/pull/134

   ## What
   
   Makes `release.sh` manage the version end-to-end (horizon-ui style) and 
migrates the project to the `-dev` convention, so the release manager runs 
**one command** instead of a separate manual version-bump PR.
   
   - **`master` now carries `0.9.0-dev`** (package.json + lockfile). Between 
releases master always holds `X.Y.Z-dev`, like SkyWalking's `-SNAPSHOT`.
   - **`npm run release`** (in a fresh recursive clone): cut a 
`prepare-release-X.Y.Z` branch → strip `-dev` and commit + **tag** the release 
commit → build + sign + verify the source tarball → **push the tag only after 
verify** → add a `Prepare next release X.(Y+1).0-dev` commit → open the release 
PR → upload the RC to svn dev → print the `[VOTE]` email. Merge the PR after 
the vote; master returns to `-dev`, the tag stays pinned to the release commit.
   - **New `--dry-run`** (`npm run release -- --dry-run` or 
`SW_RELEASE_DRY_RUN=1`): runs the whole **local** pipeline (clone, strip, 
build, sign, verify, print the vote email) with **zero remote mutations** — no 
tag/branch push, no svn upload, no PR. For rehearsing against the apache repo 
with nothing to undo (committers release from the apache repo, not a fork).
   - `docs/How-to-release.md`: documents the `-dev` flow + dry-run and fixes 
the stale manual fallback.
   
   ## Adversarially reviewed
   
   A multi-agent red-team (version-math / git-PR-mechanics / integration) 
verified the core invariant — the tag is pushed **only after** build+verify and 
stays pinned to the version-strip commit even after the next-dev commit — and 
surfaced fixes that are included here:
   
   - **Bug:** `git rev-parse "$TAG"` returned the *annotated-tag object* sha 
(would 404 in the vote email's `tree/<sha>` link) → use `"$TAG^{commit}"`.
   - Validate the manual version-override path.
   - `git push --atomic` for branch+tag (no half-state).
   - Install deps **before** committing so the tagged lockfile is exactly the 
one the tarball ships (no post-build drift).
   
   Verified locally: `bash -n` clean; version math (incl. `-SNAPSHOT`, 
rejecting a non-`-dev` master); the tag-pointer invariant; `^{commit}` returns 
a commit sha; the `--dry-run` conditionals are `set -e`-safe; `npm version 
--no-git-tag-version` bumps package.json + lockfile.
   
   🤖 Generated with [Claude Code](https://claude.com/claude-code)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to