Skip to content

Release automation#127

Merged
kevincodex1 merged 16 commits into
mainfrom
release-automation
Jun 30, 2026
Merged

Release automation#127
kevincodex1 merged 16 commits into
mainfrom
release-automation

Conversation

@kevincodex1

@kevincodex1 kevincodex1 commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Summary

Makes release-please actually cut releases (its manifest baseline was broken) and fans every release out to npm, Homebrew, Windows, and the website — so a single merge of the release PR ships all channels.

Motivation & context

release-please never cut a release here: the manifest said 0.3.8 but the only tag is a manual lightweight v0.3.9 (PR #12) and Cargo.toml is 0.3.9, so there was no valid baseline (v0.3.8 doesn't exist) and no release PR was ever opened. On top of that, releases only shipped a Docker image + tarballs — npm/Homebrew were manual and drifting (the standalone gl-npm repo and the web install.sh pointed at a stale gitlawb/releases repo with the wrong archive naming).
Closes #

Kind of change

  • Bug fix
  • Feature
  • Security fix
  • Docs
  • Tests / CI
  • Refactor (no behavior change)
  • Breaking or protocol change (issue required first)

What changed

No Rust crates are touched — this is CI/release tooling plus a vendored npm wrapper.

  • fix: reconcile .release-please-manifest.json 0.3.8 → 0.3.9 so release-please diffs v0.3.9..main and opens a proper release PR; bump release-please-action v4.3.0 → v5.0.0 (matches the openclaude pipeline).
  • CI: add Windows target x86_64-pc-windows-msvc to release-binaries (ships .zip; unix keeps .tar.gz) with a portable sha256 helper; Windows builds only gl + git-remote-gitlawb so a daemon compile failure can't block the release.
  • npm: vendor the @gitlawb/gl wrapper + 4 platform packages into npm/ (replaces the standalone gl-npm repo); new npm-publish job downloads the release tarballs, lays in binaries, stamps versions, and npm publish --provenance.
  • Homebrew: homebrew-bump job regenerates Formula/gl.rb in Gitlawb/homebrew-tap from the release checksums (brew install gitlawb/tap/gl).
  • web: add install.ps1 (Windows installer); web-sync job opens a PR to Gitlawb/web syncing install.sh + install.ps1 + public/version.json, removing orphaned public/bin, and fixing the stale skill.md releases link.
  • All new jobs are gated on release_created and guarded on their secret, so they no-op until configured.
  • docs: README documents npm/brew/curl/PowerShell installs.

How a reviewer can verify

# Workflow + manifest are valid and all jobs are release-gated
ruby -ryaml -e "YAML.load_file('.github/workflows/release.yml'); puts 'YAML OK'"
grep -n "release_created == 'true'" .github/workflows/release.yml   # docker, binaries, npm, brew, web

# Vendored npm package is well-formed
node --check npm/packages/gl/install.js
for f in npm/packages/*/package.json; do node -e "JSON.parse(require('fs').readFileSync('$f'))"; done

# Manifest now matches the real released version + tag
cat .release-please-manifest.json   # -> "0.3.9"
git tag --list 'v*'                 # -> v0.3.9

After merge, release-please should open a chore(main): release … PR; merging that PR is what triggers the full pipeline.

Before you request review

- [x] Scope is one logical change; no unrelated churn
- [ ] cargo test --workspace passes locally — N/A, no Rust changed
- [ ] New behavior is covered by tests (required for fixes) — N/A, CI/release tooling
- [x] cargo fmt --all and cargo clippy --workspace --all-targets -- -D warnings are clean — N/A, no Rust changed
- [x] Commit titles use Conventional Commits (feat(...), fix(...), docs(...))
- [x] Docs / .env.example updated if behavior or config changed (or N/A)
- [x] Checked existing PRs so this isn't a duplicate

Notes for reviewers

Required setup before channels activate (jobs stay dormant until then): create repo Gitlawb/homebrew-tap; add secrets NPM_TOKEN, HOMEBREW_TAP_PAT, WEB_SYNC_PAT; confirm Gitlawb/node is public; reserve the @gitlawb npm scope.

<!-- This is an auto-generated comment: release notes by coderabbit.ai -->
## Summary by CodeRabbit

* **New Features**
  * Added a Windows PowerShell CLI installer with `-Version` resolution, SHA-256 verification, and binary validation (plus PATH updates).
  * Expanded README install commands across npm, Homebrew, curl, and Windows PowerShell.
  * Introduced platform-specific npm packages (macOS/Linux) with a wrapper that installs only the matching binaries.
* **Bug Fixes**
  * Updated packaging/publishing and automation to align with the new artifact layout and platform-specific availability.
* **Documentation**
  * Added npm documentation for how the CLI binaries are distributed.
* **Chores**
  * Hardened release workflow with least-privilege permissions and more resilient Windows handling (including SHA256 sidecars).
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Add x86_64-pc-windows-msvc to the release matrix. Windows ships a .zip
(7z) while unix keeps .tar.gz; a portable sha256 helper handles
sha256sum/shasum/certutil. Smoke test and packaging now resolve the
.exe suffix on Windows. Release attach uses globs to cover both formats.
Vendor the @gitlawb/gl npm wrapper (optionalDependencies platform-package
pattern) into npm/, replacing the standalone gl-npm repo. A new npm-publish
job downloads the four unix release tarballs from the GitHub release, lays in
the binaries, stamps every package.json with the release version, and runs
npm publish --provenance. Guarded on NPM_TOKEN so it no-ops until the secret
is configured.
Add a homebrew-bump job that regenerates Formula/gl.rb in Gitlawb/homebrew-tap
from the release tarballs' sha256 checksums (macOS+Linux, arm64+x64) and pushes
the bump. Guarded on HOMEBREW_TAP_PAT so it no-ops until the secret and tap repo
exist. Enables 'brew install gitlawb/tap/gl'.
Add install.ps1 (Windows PowerShell installer, source of truth in node).
Add a web-sync job that opens a PR to Gitlawb/web on each release syncing
install.sh + install.ps1 + public/version.json, plus idempotent drift fixes
(remove orphaned public/bin, fix stale skill.md releases link). Guarded on
WEB_SYNC_PAT. Vercel deploys on merge.
The gitlawb-node daemon targets Linux/macOS; building it on Windows risks
a compile failure that would block the whole release (npm/brew/web jobs all
depend on release-binaries). Windows now builds only gl + git-remote-gitlawb;
the smoke-test and package loops follow the per-target binary list.
…action to v5

The manifest still said 0.3.8 while the only tag is a manual v0.3.9 and
Cargo.toml is 0.3.9, so release-please had no valid baseline (no v0.3.8 tag)
and never cut a release. Set the manifest to 0.3.9 so release-please diffs
v0.3.9..main and opens a proper release PR for the next version. Also pin
release-please-action to v5.0.0 to match the openclaude pipeline.
@coderabbitai

coderabbitai Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

Adds cross-platform release artifacts, a Windows installer, npm platform packages with a postinstall copier, and updated install instructions. The release-please manifest and root version reference are also bumped to 0.3.9.

Changes

Release pipeline and distribution changes

Layer / File(s) Summary
Cross-target release build and packaging
.github/workflows/release.yml
Adds explicit workflow permissions, pins release-please-action v5, includes Windows in the release matrix, builds only the binaries selected for each target, verifies version output, and creates per-target archives plus .sha256 files under dist/.
Release consumers and publish guards
.github/workflows/release.yml
Updates npm-publish, homebrew-bump, and web-sync to consume the new archive layout, require the matching secret tokens, and handle versioned artifacts and generated output updates.
npm wrapper and platform packages
npm/.gitignore, npm/README.md, npm/packages/gl/..., npm/packages/gl-*/package.json
Adds the wrapper package, platform-specific package manifests, the postinstall binary copier, generated-file ignores, and npm distribution documentation for the optional-dependency layout.
Windows PowerShell installer
install.ps1
Adds a Windows installer that resolves the release tag, downloads and verifies the ZIP, extracts binaries, updates PATH, and prints follow-up commands.
Install docs and release version
README.md, .release-please-manifest.json
Expands the install instructions with npm, Homebrew, curl, and PowerShell commands, and bumps the release-please manifest version to 0.3.9.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

  • Gitlawb/node#59: Modifies the release flow’s binary smoke-test path, which is directly extended here for per-target binaries and Windows .exe handling.

Poem

🐇 I hopped through tarballs, zip, and shell,
With checksums sung, the release went well.
gl now leaps on Windows too,
And npm packages bloom with a cross-platform view.

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check ❓ Inconclusive The title is too generic and does not convey the main release-automation changes. Use a specific title like "Automate release publishing across npm, Homebrew, Windows, and web".
✅ Passed checks (3 passed)
Check name Status Explanation
Description check ✅ Passed The description matches the template closely with summary, motivation, change list, verification, and reviewer notes.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch release-automation

Comment @coderabbitai help to get the list of available commands.

Comment thread .github/workflows/release.yml Fixed
Comment thread .github/workflows/release.yml Fixed
…b-sync

CodeQL flagged both jobs for lacking a permissions block, leaving GITHUB_TOKEN
at broad default scopes. Both only need contents: read (cross-repo writes use
dedicated PATs).

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🧹 Nitpick comments (2)
npm/README.md (1)

12-19: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Add a language tag to the fenced block.

Lines 12-19 match the markdownlint warning in this PR. Marking the tree as text keeps the rendering the same and removes the lint noise.

Proposed fix
-```
+```text
 packages/
   gl/                  `@gitlawb/gl`            wrapper (postinstall, bin shims)
   gl-darwin-arm64/     `@gitlawb/gl-darwin-arm64`   aarch64-apple-darwin
   gl-darwin-x64/       `@gitlawb/gl-darwin-x64`     x86_64-apple-darwin
   gl-linux-arm64/      `@gitlawb/gl-linux-arm64`    aarch64-unknown-linux-musl
   gl-linux-x64/        `@gitlawb/gl-linux-x64`      x86_64-unknown-linux-musl
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @npm/README.md around lines 12 - 19, The fenced package tree block in the
README is missing a language tag, which triggers markdownlint noise. Update the
fenced block in the README section showing the packages list to use the
appropriate text language tag so the rendering stays the same while satisfying
the linter.


</details>

<!-- cr-comment:v1:ba804630984688934a113062 -->

_Source: Linters/SAST tools_

</blockquote></details>
<details>
<summary>.github/workflows/release.yml (1)</summary><blockquote>

`249-252`: _🔒 Security & Privacy_ | _🔵 Trivial_ | _⚡ Quick win_

**Disable credential persistence on the read-only checkouts.**  
These steps only read the release tag; the later `git push` runs from the separate `web` checkout. Set `persist-credentials: false` on both `actions/checkout` invocations to avoid leaving the default token in `.git/config`.

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 249 - 252, The read-only checkout
steps are still persisting the default GitHub token in .git/config, which is
unnecessary here. Update both actions/checkout usages in the release workflow,
including the Checkout release tag step and the other read-only checkout, to set
persist-credentials to false. Keep the separate web checkout unchanged for the
later git push flow.


</details>

<!-- cr-comment:v1:2b33ee6c080b1aadf38634ba -->

_Source: Linters/SAST tools_

</blockquote></details>

</blockquote></details>

<details>
<summary>🤖 Prompt for all review comments with AI agents</summary>

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @install.ps1:

  • Around line 50-62: The checksum verification block in install.ps1 is failing
    open by treating a checksum download error as optional, which allows unverified
    installs. Update the try/catch around Invoke-WebRequest and the SHA256
    comparison so that checksum fetch or parse failures abort the installation
    instead of printing the “skipping verification” message; keep the success path
    in the checksum block and make the Install script fail closed when $url.sha256
    cannot be retrieved.

In @npm/packages/gl/install.js:

  • Around line 55-82: The install flow in install.js can still report success
    even when the supported-platform payload is missing or incomplete. Update the
    packageDir lookup branch and the BINARIES copy loop so that missing the platform
    package or any required binary fails the install instead of warning and
    continuing; use the existing install path around packageDir, BINARIES, and the
    final success log to ensure @gitlawb/gl only finishes when every expected binary
    is present and copied.

In @npm/packages/gl/README.md:

  • Line 57: The Windows support note in the README is inconsistent with the
    installer flow used by install.js and the later Windows section of the README.
    Update the wording in README.md so native Windows users are directed to
    install.ps1 via PowerShell, and keep curl/WSL only for non-native or Unix-like
    paths. Use the existing Windows guidance around install.js and the later README
    Windows instructions as the source of truth.

Nitpick comments:
In @.github/workflows/release.yml:

  • Around line 249-252: The read-only checkout steps are still persisting the
    default GitHub token in .git/config, which is unnecessary here. Update both
    actions/checkout usages in the release workflow, including the Checkout release
    tag step and the other read-only checkout, to set persist-credentials to false.
    Keep the separate web checkout unchanged for the later git push flow.

In @npm/README.md:

  • Around line 12-19: The fenced package tree block in the README is missing a
    language tag, which triggers markdownlint noise. Update the fenced block in the
    README section showing the packages list to use the appropriate text language
    tag so the rendering stays the same while satisfying the linter.

</details>

<details>
<summary>🪄 Autofix (Beta)</summary>

Fix all unresolved CodeRabbit comments on this PR:

- [ ] <!-- {"checkboxId": "4b0d0e0a-96d7-4f10-b296-3a18ea78f0b9"} --> Push a commit to this branch (recommended)
- [ ] <!-- {"checkboxId": "ff5b1114-7d8c-49e6-8ac1-43f82af23a33"} --> Create a new PR with the fixes

</details>

---

<details>
<summary>ℹ️ Review info</summary>

<details>
<summary>⚙️ Run configuration</summary>

**Configuration used**: defaults

**Review profile**: CHILL

**Plan**: Pro

**Run ID**: `eecd954e-2767-48e0-bf47-939b69c63847`

</details>

<details>
<summary>📥 Commits</summary>

Reviewing files that changed from the base of the PR and between adc20f9effad7b42fab55002875d209c4ed79518 and 8092c9da38a14f064f19eb6514499eef5fbfca65.

</details>

<details>
<summary>📒 Files selected for processing (14)</summary>

* `.github/workflows/release.yml`
* `.release-please-manifest.json`
* `README.md`
* `install.ps1`
* `npm/.gitignore`
* `npm/README.md`
* `npm/packages/gl-darwin-arm64/package.json`
* `npm/packages/gl-darwin-x64/package.json`
* `npm/packages/gl-linux-arm64/package.json`
* `npm/packages/gl-linux-x64/package.json`
* `npm/packages/gl/README.md`
* `npm/packages/gl/bin/.gitkeep`
* `npm/packages/gl/install.js`
* `npm/packages/gl/package.json`

</details>

</details>

<!-- This is an auto-generated comment by CodeRabbit for review status -->

Comment thread install.ps1 Outdated
Comment thread npm/packages/gl/install.js
Comment thread npm/packages/gl/README.md Outdated
- install.ps1: fail closed if the .sha256 cannot be fetched; pure ASCII (no BOM)
- npm install.js: fail (exit 1 / throw) when the platform payload or a binary is
  missing instead of reporting a successful but broken install
- workflow: top-level permissions {} + persist-credentials: false on read-only
  checkouts
- docs: PowerShell-only Windows note; text language tag on npm/README fenced block
@kevincodex1

Copy link
Copy Markdown
Contributor Author

@coderabbitai please do a full review again

@coderabbitai

coderabbitai Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

@kevincodex1 I'll do a full review again.

✅ Action performed

Full review finished.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 5

🧹 Nitpick comments (1)
.github/workflows/release.yml (1)

311-319: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick win

Move the npm token guard before checkout/download work.

With NPM_TOKEN unset, this job still checks out, downloads release assets, and rewrites package metadata before skipping. Add the same early guard pattern used by Homebrew/web so npm publishing is truly inactive until configured.

Proposed change
+      - name: Guard on secret
+        id: guard
+        env:
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: |
+          if [ -z "${NPM_TOKEN:-}" ]; then
+            echo "::warning::NPM_TOKEN is not set — skipping npm publish."
+            echo "enabled=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "enabled=true" >> "$GITHUB_OUTPUT"
+          fi
+
       - name: Publish
+        if: ${{ steps.guard.outputs.enabled == 'true' }}
         env:
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
         run: |
           set -euo pipefail
-          if [ -z "${NPM_TOKEN:-}" ]; then
-            echo "::warning::NPM_TOKEN is not set — skipping npm publish."
-            exit 0
-          fi
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 311 - 319, The Publish step
currently waits until after checkout/download and package metadata rewriting
before checking NPM_TOKEN, so move the guard to the start of the npm publishing
job using the same early-exit pattern used by Homebrew/web. Update the Publish
workflow block in release.yml so it checks NPM_TOKEN before any checkout, asset
download, or mutation work, and exits immediately with the existing warning when
the token is missing.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release.yml:
- Around line 153-154: The release workflow’s Windows leg is described as
best-effort, but the current matrix still lets a Windows failure fail the whole
`release-binaries` job and block downstream jobs. In the release workflow,
update the matrix job behavior for the Windows entry using `continue-on-error`
if Windows should remain non-blocking, or revise the existing comment near the
release matrix to remove the best-effort guarantee if failures must still gate
`npm-publish` and `homebrew-bump`. Use the `release-binaries` job and its matrix
definition as the main reference point.
- Around line 347-353: The external-repo checkout steps are persisting the PAT
in the worktree, which leaves cross-repo credentials in .git/config for later
steps. Update the checkout actions used for the tap repo and the other external
repository checkout to set persist-credentials to false, and keep the PAT
available only for the explicit git push step where it is actually needed. Use
the existing Checkout tap repo step and the other checkout block as the anchor
points for the change.
- Around line 431-434: The web-sync job is triggered too early and can update
website install scripts/version metadata before release assets are confirmed.
Update the release workflow so web-sync depends on the release-binaries job
(and/or checks its success) in addition to release-please, using the existing
web-sync and release-binaries job names to locate the workflow condition. Ensure
the website sync only runs after the binaries/assets are available.

In `@install.ps1`:
- Around line 19-22: The architecture check in install.ps1 is using
PROCESSOR_ARCHITECTURE alone, which can misidentify a supported x64 host when
running under 32-bit PowerShell. Update the install script’s architecture
detection logic to first inspect PROCESSOR_ARCHITEW6432 and only fall back to
PROCESSOR_ARCHITECTURE, then keep the existing unsupported-architecture guard
based on the resolved native architecture so x64 installs are not rejected
incorrectly.
- Around line 68-77: The install flow in install.ps1 only treats the release as
invalid when none of the binaries are present, so it can still report success
with an incomplete package. Update the logic around the foreach copy block and
the $installed check to require all CLI binaries needed for the advertised
commands (especially gl.exe and git-remote-gitlawb.exe, plus gitlawb-node.exe if
required) before any PATH/success reporting. If any required binary is missing,
fail early with a clear error instead of copying a partial set and continuing.

---

Nitpick comments:
In @.github/workflows/release.yml:
- Around line 311-319: The Publish step currently waits until after
checkout/download and package metadata rewriting before checking NPM_TOKEN, so
move the guard to the start of the npm publishing job using the same early-exit
pattern used by Homebrew/web. Update the Publish workflow block in release.yml
so it checks NPM_TOKEN before any checkout, asset download, or mutation work,
and exits immediately with the existing warning when the token is missing.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c4879f69-af02-42da-bb68-c1a1b70f0351

📥 Commits

Reviewing files that changed from the base of the PR and between adc20f9 and b0403c8.

📒 Files selected for processing (14)
  • .github/workflows/release.yml
  • .release-please-manifest.json
  • README.md
  • install.ps1
  • npm/.gitignore
  • npm/README.md
  • npm/packages/gl-darwin-arm64/package.json
  • npm/packages/gl-darwin-x64/package.json
  • npm/packages/gl-linux-arm64/package.json
  • npm/packages/gl-linux-x64/package.json
  • npm/packages/gl/README.md
  • npm/packages/gl/bin/.gitkeep
  • npm/packages/gl/install.js
  • npm/packages/gl/package.json

Comment thread .github/workflows/release.yml
Comment thread .github/workflows/release.yml
Comment thread .github/workflows/release.yml
Comment thread install.ps1 Outdated
Comment thread install.ps1 Outdated
install.ps1 only failed when zero binaries were present, so a partial archive
missing gl.exe could still report success. Require gl.exe + git-remote-gitlawb.exe
(gitlawb-node.exe stays optional, matching the Windows build) and fail early if a
required binary is absent.
… PATs

- release-binaries: continue-on-error for the Windows leg so a failure there
  no longer fails the job or blocks npm/Homebrew (matches the best-effort intent)
- homebrew-bump/web-sync: persist-credentials: false on the PAT-backed checkouts;
  supply the token only on the git push via an x-access-token URL
…taller

- web-sync now needs release-binaries so the site never advertises a release
  whose artifacts failed to build
- install.ps1 reads PROCESSOR_ARCHITEW6432 before PROCESSOR_ARCHITECTURE so a
  32-bit PowerShell host on x64 Windows is not wrongly rejected
@kevincodex1

Copy link
Copy Markdown
Contributor Author

@coderabbitai please check again

@coderabbitai

coderabbitai Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

@kevincodex1 I'll review the PR again and do another full pass.

✅ Action performed

Full review finished.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release.yml:
- Around line 314-328: The Publish step is not idempotent because the npm
publish loop in the workflow always republishes each package and will fail on
reruns once any version is already published. Update the release job logic in
the Publish step to check whether each `@gitlawb` package version already exists
before calling npm publish, and skip already-published packages so reruns can
safely continue without stopping on the first existing package. Use the existing
package loop and publish command as the entry point for this change.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 01b9ab93-b496-46fc-a999-a16421f33f88

📥 Commits

Reviewing files that changed from the base of the PR and between adc20f9 and 016e4c0.

📒 Files selected for processing (14)
  • .github/workflows/release.yml
  • .release-please-manifest.json
  • README.md
  • install.ps1
  • npm/.gitignore
  • npm/README.md
  • npm/packages/gl-darwin-arm64/package.json
  • npm/packages/gl-darwin-x64/package.json
  • npm/packages/gl-linux-arm64/package.json
  • npm/packages/gl-linux-x64/package.json
  • npm/packages/gl/README.md
  • npm/packages/gl/bin/.gitkeep
  • npm/packages/gl/install.js
  • npm/packages/gl/package.json

Comment thread .github/workflows/release.yml
Skip any @Gitlawb package version already on the registry so rerunning the
job after a partial publish no longer errors on the first existing package
and leaves the wrapper/platform packages out of sync.
@kevincodex1

Copy link
Copy Markdown
Contributor Author

@coderabbitai please do full review again and approve if all is good

@coderabbitai

coderabbitai Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

@kevincodex1 I'll do another full review pass now, and if everything looks good afterward, I'll approve it.

✅ Action performed

Full review finished.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release.yml:
- Around line 108-110: The Windows matrix leg in the release workflow is
currently marked best-effort, but the website sync step can still publish
PowerShell installer metadata even when the Windows ZIP is missing. Update the
workflow around the Windows artifact build and the `web-sync` publishing steps
so `install.ps1` and `version.json` are only synced when the Windows ZIP
artifact exists. Use the existing matrix/job identifiers for the Windows release
leg and the `web-sync` job to add an explicit guard that blocks website
publication on a failed/missing Windows build.
- Around line 436-440: The release workflow’s no-op check in the generated-files
step is running before the generated file is staged, so untracked first-time
outputs can be missed. Update the relevant shell block(s) in the release job to
stage the generated file(s) before calling git diff --quiet, and apply the same
ordering to the other matching block referenced by the review. Use the existing
generated-file step around git add Formula/gl.rb and the corresponding duplicate
section to ensure newly created files are included in the commit when changes
exist.
- Around line 514-517: The release workflow’s `gh pr create` fallback is too
broad because `|| echo` treats any failure as benign. Update the logic around
the `gh pr create` step to only suppress the case where an open PR already
exists for the branch, using an explicit pre-check or equivalent `gh pr
view`/list verification before continuing. Keep the change localized to the
release job section that creates the sync PR for `$branch`.

In `@npm/packages/gl/README.md`:
- Around line 5-17: The install commands in the README are presented as
cross-platform, but the package’s install flow explicitly rejects native Windows
in install.js. Update the install section to scope the npm/yarn/pnpm/bun
commands to macOS/Linux/WSL, and add a brief pointer that native Windows users
should use the PowerShell installer instead. Keep the wording aligned with the
existing install.js behavior so the docs match the supported path.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d86e125d-7dc4-4a4e-bb0e-aae36c252622

📥 Commits

Reviewing files that changed from the base of the PR and between adc20f9 and 30a175a.

📒 Files selected for processing (14)
  • .github/workflows/release.yml
  • .release-please-manifest.json
  • README.md
  • install.ps1
  • npm/.gitignore
  • npm/README.md
  • npm/packages/gl-darwin-arm64/package.json
  • npm/packages/gl-darwin-x64/package.json
  • npm/packages/gl-linux-arm64/package.json
  • npm/packages/gl-linux-x64/package.json
  • npm/packages/gl/README.md
  • npm/packages/gl/bin/.gitkeep
  • npm/packages/gl/install.js
  • npm/packages/gl/package.json

Comment thread .github/workflows/release.yml
Comment thread .github/workflows/release.yml Outdated
Comment thread .github/workflows/release.yml Outdated
Comment thread npm/packages/gl/README.md
- web-sync: verify the Windows ZIP + .sha256 exist on the release before
  syncing install.ps1/version.json (Windows is best-effort, so a failed leg
  must not make the site advertise a missing installer)
- stage generated files before the no-op check so brand-new untracked files
  (formula, version.json) are committed instead of skipped
- gh pr create: only swallow the 'PR already exists' case; surface auth/API errors
- npm README: scope npm/yarn/pnpm/bun install to macOS/Linux/WSL, point native
  Windows at the PowerShell installer
@kevincodex1

Copy link
Copy Markdown
Contributor Author

@coderabbitai pleae do a full review again

@coderabbitai

coderabbitai Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

@kevincodex1 I'll do another full review pass now.

✅ Action performed

Full review finished.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release.yml:
- Around line 248-263: The npm-publish job currently does checkout and
binary/download work before discovering that NPM_TOKEN is missing, so add an
early guard in the npm-publish workflow path to skip the entire job when npm
publishing is not configured. Use the existing npm-publish job and its Publish
step as the location to gate execution, and make sure all subsequent checkout,
release download, extraction, and version rewrite steps only run when the token
is present, matching the inactive behavior already used by Homebrew/web.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1e7106cb-8d3c-4735-ae94-c2b7706918a2

📥 Commits

Reviewing files that changed from the base of the PR and between adc20f9 and 7bed605.

📒 Files selected for processing (14)
  • .github/workflows/release.yml
  • .release-please-manifest.json
  • README.md
  • install.ps1
  • npm/.gitignore
  • npm/README.md
  • npm/packages/gl-darwin-arm64/package.json
  • npm/packages/gl-darwin-x64/package.json
  • npm/packages/gl-linux-arm64/package.json
  • npm/packages/gl-linux-x64/package.json
  • npm/packages/gl/README.md
  • npm/packages/gl/bin/.gitkeep
  • npm/packages/gl/install.js
  • npm/packages/gl/package.json

Comment thread .github/workflows/release.yml
Check NPM_TOKEN in an up-front guard step (like homebrew-bump/web-sync) and
skip checkout, release downloads, extraction, version rewrites, and publish
when it is absent, instead of doing all that work and bailing in Publish.
@kevincodex1

Copy link
Copy Markdown
Contributor Author

can you do a full review again please @coderabbitai . approve it if all is good

@coderabbitai

coderabbitai Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

@kevincodex1 I'll do another full review pass now. If everything checks out afterward, I'll approve it.

✅ Action performed

Full review finished.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/release.yml (1)

121-126: 🩺 Stability & Availability | 🔴 Critical | ⚡ Quick win

Replace the retired Intel macOS runner label.

macos-13 is retired, so this x86_64 leg will fail before checkout and block the release pipeline. Switch it to a supported Intel label such as macos-15-intel.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 121 - 126, The release workflow’s
x86_64 macOS job is using a retired runner label, so the Intel leg will fail
before checkout and block releases. Update the macOS runner setting in the
release matrix for the x86_64 target in the workflow so it uses a supported
Intel label, keeping the aarch64 and Windows legs unchanged.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release.yml:
- Around line 553-560: The fallback around gh pr list in the release workflow is
masking auth/API failures because the command substitution result is checked
directly against 0. Update the shell logic in the fallback block to inspect gh
pr list’s exit status separately before evaluating the returned count, and only
print the “PR already exists” message when the command succeeds and the length
is nonzero; otherwise let failures exit nonzero.

In `@install.ps1`:
- Around line 70-88: In install.ps1, the binary copy logic in the
install/upgrade block leaves stale executables behind when an optional binary
disappears from the new archive, causing mixed-version installs. Update the flow
around $requiredBins, $optionalBins, and the foreach copy loop so $InstallDir is
cleaned of previously installed shipped binaries before copying the current
package contents, then copy only what exists in the new archive and report
success from that refreshed set.

---

Outside diff comments:
In @.github/workflows/release.yml:
- Around line 121-126: The release workflow’s x86_64 macOS job is using a
retired runner label, so the Intel leg will fail before checkout and block
releases. Update the macOS runner setting in the release matrix for the x86_64
target in the workflow so it uses a supported Intel label, keeping the aarch64
and Windows legs unchanged.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9557a1cc-c1a8-4a0f-8c8b-8d719809f6a1

📥 Commits

Reviewing files that changed from the base of the PR and between adc20f9 and 475a018.

📒 Files selected for processing (14)
  • .github/workflows/release.yml
  • .release-please-manifest.json
  • README.md
  • install.ps1
  • npm/.gitignore
  • npm/README.md
  • npm/packages/gl-darwin-arm64/package.json
  • npm/packages/gl-darwin-x64/package.json
  • npm/packages/gl-linux-arm64/package.json
  • npm/packages/gl-linux-x64/package.json
  • npm/packages/gl/README.md
  • npm/packages/gl/bin/.gitkeep
  • npm/packages/gl/install.js
  • npm/packages/gl/package.json

Comment thread .github/workflows/release.yml
Comment thread install.ps1
…ening

- web-sync: capture gh pr list output so a real API/auth failure surfaces
  instead of being misread as 'PR already exists'
- install.ps1: enforce TLS 1.2 and use -UseBasicParsing so downloads work on
  stock Windows PowerShell 5.1; remove binaries no longer shipped on upgrade so
  an in-place update can't leave a mixed-version install; handle an empty user
  PATH without a leading separator
@kevincodex1 kevincodex1 merged commit 3f08d99 into main Jun 30, 2026
13 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants