
ci(jetbrains): lock release source before reviewed publish#10627

Merged
kirillk merged 10 commits into main from oxidized-glasses on May 29, 2026

Conversation

@kirillk kirillk (Contributor) commented May 27, 2026

Issue

No linked issue; release infrastructure follow-up.

Context

JetBrains production builds derive their version from a jetbrains/v... tag that points at HEAD, while JetBrains Marketplace change notes are injected from packages/kilo-jetbrains/CHANGELOG.md during Gradle publish. The release flow therefore needs two guarantees: the source code being released is locked before changelog review begins, and the reviewed changelog is present before Marketplace publishing.

Release Flow

  1. A maintainer runs prepare-jetbrains-release manually with kind, version, and optional from_tag.
  2. The prepare script fetches origin/main, resolves its exact SHA, and creates or verifies jetbrains/v<version> at that SHA immediately.
  3. The same prepare run creates or updates jetbrains/release/v<version> with package.json and CHANGELOG.md release metadata.
  4. The release PR body records durable markers: JetBrains-Version, JetBrains-Kind, JetBrains-From-Tag, JetBrains-Tag, and JetBrains-Commit.
  5. Maintainers review and edit the changelog in the release PR, then merge it.
  6. Merging the release PR triggers publish-jetbrains; tag pushes no longer trigger publishing.
  7. The publish workflow validates the merged PR, markers, package version, changelog section, and that the existing tag points exactly at JetBrains-Commit.
  8. The workflow saves the reviewed changelog from the merge commit, checks out jetbrains/v<version> for the build, and restores that reviewed changelog into the tag checkout.
  9. Gradle verifies and publishes from the immutable tag checkout, while Marketplace change notes and GitHub Release notes come from the reviewed changelog.

Implementation

  • Moves release tag locking into script/jetbrains-release-pr.ts before PR branch creation.
  • Replaces the post-merge tag creator with script/jetbrains-release-validate.ts, which validates only and never creates, moves, deletes, or pushes tags.
  • Changes publish-jetbrains from a tag-push workflow to a merged-release-PR workflow.
  • Removes tag-jetbrains-release.yml and updates the workflow allowlist.
  • Updates JetBrains release docs and checklist to describe immediate source locking plus PR-gated publishing.

Failure And Recovery Model

  • Re-running prepare for the same version reuses the tag if it points at the same locked SHA.
  • If the tag exists at a different SHA, prepare and publish validation fail loudly and do not move it.
  • If main moves after prepare, publishing is still safe because the build source is the existing tag, not latest main or the release PR merge commit.
  • Publish reruns remain idempotent for GitHub Releases via existing upload clobber/edit behavior, but Marketplace may reject duplicate version publishes after a successful Marketplace upload.

Screenshots / Video

N/A, workflow and release-infrastructure changes only.

How to Test

Manual/local verification

  • Agent ran bun run script/check-workflows.ts successfully.
  • Agent ran bun script/jetbrains-release-validate.ts --help successfully.
  • Agent ran bun script/jetbrains-release-pr.ts --kind rc --version 7.3.13-rc.1 --from-tag jetbrains/v7.0.1-rc.1 --dry successfully.
  • Agent ran bun run script/check-opencode-annotations.ts successfully.
  • Agent ran bun run script/check-md-table-padding.ts successfully.
  • Agent ran bun run lint; it completed with 0 errors and existing warnings.
  • Agent ran git diff --check successfully.
  • Pre-push hook ran bun turbo typecheck successfully.

Reviewer test steps

  1. Inspect prepare-jetbrains-release and confirm it still exposes kind, version, and optional from_tag.
  2. Inspect script/jetbrains-release-pr.ts and confirm it creates/verifies jetbrains/v<version> at resolved origin/main before PR branch work.
  3. Inspect publish-jetbrains and confirm it triggers on merged release PRs, checks out the validated tag, and restores the reviewed changelog before getChangelog and publishPlugin.
  4. Confirm no active workflow remains that creates jetbrains/v<version> after PR merge.
  5. Optionally run bun script/jetbrains-release-pr.ts --kind rc --version 7.3.13-rc.1 --from-tag jetbrains/v7.0.1-rc.1 --dry locally to inspect generated changelog output without creating tags, branches, commits, pushes, or PRs.

Blocked checks and substitute verification

  • Full end-to-end GitHub workflow execution was not run locally because it requires repository Actions, GitHub App credentials, and Marketplace secrets. Substitute verification was local workflow/script validation, lint, markdown table checks, annotation checks, and typecheck through the pre-push hook.

Checklist

  • Issue linked above, or exception explained
  • Tests/verification described
  • Screenshots/video included for visual changes, or marked N/A
  • Changeset considered for user-facing changes
  • I personally reviewed the diff and can explain the changes, including any AI-assisted work.

Get in Touch

Kilo team internal.
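As an added example that is not part of this PR or the project's own scripts, the TypeScript below sketches the read-only publish gate described in steps 7 and 8 of the Release Flow and in the Failure And Recovery Model: parse the durable markers from the merged PR body, check the package version and changelog section, and refuse to publish when jetbrains/v<version> is missing or points at a different SHA than JetBrains-Commit, without ever creating or moving the tag. The marker names and tag layout come from the PR description; the "## <version>" changelog heading format, the meaning of kind, the ref map standing in for git output, and the sample SHAs are assumptions.

```typescript
// Added example, not the repository's script/jetbrains-release-validate.ts.
// Read-only gate for publish-jetbrains: it reports mismatches and never
// creates, moves, deletes or pushes tags.

interface Markers {
  version: string;
  kind: string;
  fromTag: string | null; // JetBrains-From-Tag is optional
  tag: string;
  commit: string;
}

// Read one "Name: value" marker line from the PR body.
function marker(body: string, name: string): string | null {
  const hit = new RegExp(`^${name}:[ \\t]*(\\S+)[ \\t]*$`, "m").exec(body);
  return hit?.[1] ?? null;
}

function parseMarkers(body: string): Markers {
  const required = ["JetBrains-Version", "JetBrains-Kind", "JetBrains-Tag", "JetBrains-Commit"];
  const missing = required.filter((n) => marker(body, n) === null);
  if (missing.length > 0) throw new Error(`release PR body is missing markers: ${missing.join(", ")}`);
  return {
    version: marker(body, "JetBrains-Version")!,
    kind: marker(body, "JetBrains-Kind")!,
    fromTag: marker(body, "JetBrains-From-Tag"),
    tag: marker(body, "JetBrains-Tag")!,
    commit: marker(body, "JetBrains-Commit")!,
  };
}

// Assumption: CHANGELOG.md uses a "## <version>" heading per release section.
function changelogHasSection(changelog: string, version: string): boolean {
  const escaped = version.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp(`^## ${escaped}(\\s|$)`, "m").test(changelog);
}

// refs is a constructed stand-in for `git ls-remote --tags origin` output,
// mapping "refs/tags/<name>" to the peeled commit SHA. Returns an error
// message, or null when the tag exists and points exactly at commit.
function validateTagLock(refs: Record<string, string>, tag: string, commit: string): string | null {
  if (!/^[0-9a-f]{40}$/.test(commit)) return `JetBrains-Commit "${commit}" is not a full 40-hex SHA`;
  const actual: string | undefined = refs[`refs/tags/${tag}`];
  if (actual === undefined) return `tag ${tag} does not exist; refusing to create it at publish time`;
  if (actual !== commit) return `tag ${tag} points at ${actual}, expected ${commit}; refusing to move it`;
  return null;
}

interface ReleaseInput {
  prBody: string;                  // body of the merged release PR
  packageVersion: string;          // "version" from packages/kilo-jetbrains/package.json
  changelog: string;               // packages/kilo-jetbrains/CHANGELOG.md at the merge commit
  tagRefs: Record<string, string>; // see validateTagLock
}

// Returns every validation failure; an empty array means publishing may proceed.
function validateRelease(input: ReleaseInput): string[] {
  let m: Markers;
  try {
    m = parseMarkers(input.prBody);
  } catch (e) {
    return [(e as Error).message];
  }
  const errors: string[] = [];
  if (m.tag !== `jetbrains/v${m.version}`) errors.push(`JetBrains-Tag ${m.tag} does not match jetbrains/v${m.version}`);
  // Assumption: kind "rc" means a -rc.N prerelease version; anything else is a plain release.
  const isRc = /-rc\.\d+$/.test(m.version);
  if ((m.kind === "rc") !== isRc) errors.push(`JetBrains-Kind ${m.kind} disagrees with version ${m.version}`);
  if (input.packageVersion !== m.version) errors.push(`package.json version ${input.packageVersion} != ${m.version}`);
  if (!changelogHasSection(input.changelog, m.version)) errors.push(`CHANGELOG.md has no section for ${m.version}`);
  const lock = validateTagLock(input.tagRefs, m.tag, m.commit);
  if (lock !== null) errors.push(lock);
  return errors;
}

// Constructed sample input; the SHAs are placeholders, not real commits.
const LOCKED_SHA = "0123456789abcdef0123456789abcdef01234567";
const OTHER_SHA = "fedcba9876543210fedcba9876543210fedcba98";
const PR_BODY = `JetBrains-Version: 7.3.13-rc.1
JetBrains-Kind: rc
JetBrains-From-Tag: jetbrains/v7.0.1-rc.1
JetBrains-Tag: jetbrains/v7.3.13-rc.1
JetBrains-Commit: ${LOCKED_SHA}
`;
const CHANGELOG = `# Changelog

## 7.3.13-rc.1

- Lock release source before reviewed publish.
`;
const GOOD: ReleaseInput = {
  prBody: PR_BODY, packageVersion: "7.3.13-rc.1", changelog: CHANGELOG,
  tagRefs: { "refs/tags/jetbrains/v7.3.13-rc.1": LOCKED_SHA },
};
// main moved and someone re-pointed the tag: the gate must fail loudly, never re-tag.
const MOVED_TAG: ReleaseInput = { ...GOOD, tagRefs: { "refs/tags/jetbrains/v7.3.13-rc.1": OTHER_SHA } };

console.log(validateRelease(GOOD), validateRelease(MOVED_TAG));
```

The tag check is deliberately a pure comparison against an already-fetched ref map, so the only way for publish to "succeed" on a moved or missing tag is for someone to move it by hand beforehand, which the prepare step's own failure mode is meant to catch.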

kilo-code-bot (Bot) commented May 27, 2026

Code Review Summary

Status: No New Issues | Recommendation: Merge

Incremental review covers commits since 070d82c833cf823632b9d6532f40e49f20245947. The only change is a revert of the previous test stabilization commit in packages/opencode/test/session/prompt.test.ts, restoring Effect.sleep(50) in place of the waitFor poll. Since the net diff for that file vs. the base branch is zero (the stabilization was added and then reverted within this PR), the file does not appear in the PR diff and no inline comment can be placed.

Note: Effect.sleep(50) is a timing-based guard that may be flaky on slower CI hosts. The waitFor approach that was reverted was a more reliable alternative. If the test proves unstable in CI after merge, the stabilization can be re-applied.

Previous Issues (carried forward, unchanged code)

File | Issue
script/jetbrains-release-pr.ts | WARNING: target is computed from semver.parse(ver)! — null assertion
script/jetbrains-release-pr.ts | SUGGESTION: section() always puts generated notes ahead of any hand-edited content
script/jetbrains-release-pr.ts | WARNING: .catch() fallback swallows any read error
script/jetbrains-release-pr.ts | WARNING: Regex uses m flag but [\ character class may be wider than intended
script/jetbrains-release-validate.ts | WARNING: data is cast with as Pull but gh output is unvalidated
.github/workflows/publish-jetbrains.yml | WARNING: getChangelog runs after verifyPlugin but changelog restore happens before it

Files Reviewed (1 file in this round)
  • packages/opencode/test/session/prompt.test.ts — 0 issues (revert of stabilization; net change vs. base is zero)

Reviewed by claude-sonnet-4.6 · 391,580 tokens

Review guidance: REVIEW.md from base branch main

@kirillk kirillk changed the title ci(jetbrains): add release PR publishing flow ci(jetbrains): lock release source before reviewed publish May 27, 2026
@kirillk kirillk merged commit 2d03c42 into main May 29, 2026
16 checks passed
@kirillk kirillk deleted the oxidized-glasses branch May 29, 2026 01:06

2 participants