ci(release): self-contained archives + harden the release path#55
Merged
Conversation
Adapt the remaining release-process fixes from mbo's 0.11.1 (the BCR auto-publish half already landed in #54), so proto can cut a working release. - release_prep.sh: archive the patched/generated worktree via a throwaway index instead of `git archive "${TAG}"`. The latter reads the committed tree and silently dropped the edits release_prep makes (the bazelmod.patch hunk that comments out the dev-only includes, the generated empty root BUILD.bazel) -- so released tarballs shipped with the dev includes active and did not build standalone. Verified: the archive's MODULE.bazel now has the includes commented and dev dirs are export-ignored. - Drop .bcr/patches/bazelmod.patch and its `bcr-bazelmod-patch-applies` pre-commit hook: the tarball is now self-contained, so publish-to-bcr needs no patch (removes the stale-patch failure mode that broke prior publishes; the BCR entry's MODULE.bazel is the tarball's directly). - trigger_release.sh: require running on main at exactly origin/main; validate the version arg is numeric X.Y.Z; portable BSD/GNU sed for the version bump and CHANGELOG prepend; pre-flight that .github/workflows/bazelmod.patch still applies. Keep the simple flow -- open the version-bump PR and stop, leaving review+merge to another maintainer (no self-approve/admin-merge). - release.yml: trigger on numeric-semver tags only ([0-9]+.[0-9]+.[0-9]+). - main.yml: trigger on branch pushes only, so release tags don't re-run the full matrix.
Fab-Cat
approved these changes
Jun 20, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adapts the remaining release-process fixes from mbo's path to a working
0.11.1release. The BCR auto-publish half (mbo #191) already landed onmainvia #54, so this PR is the rest (mbo #194 + #196).The core bug (why prior releases would ship broken)
release_prep.shapplied.github/workflows/bazelmod.patchto the worktree (commenting out the dev-onlyinclude("//bazelmod:...")lines) and generated the empty rootBUILD.bazel— but then rangit archive "${TAG}", which archives the committed tree and silently dropped both edits. So every release tarball shipped with the dev includes active and wouldn't build standalone (and the separate.bcrpatch then double-commented at BCR-publish time).Fix: archive the patched worktree via a throwaway index (
GIT_INDEX_FILE→git read-tree/git add --all/git write-tree), leaving the real index/checkout untouched.export-ignorestill applies via the staged.gitattributes+--worktree-attributes.Verified locally: the produced
proto-1.2.1.tar.gzhasMODULE.bazelwith the includes commented, an empty rootBUILD.bazel, dev dirs (.github/.bcr/tools) export-ignored, andVERSION+ sources present.Changes
release_prep.sh— self-contained archive (throwaway-index), as above..bcr/patches/bazelmod.patch+ itsbcr-bazelmod-patch-appliespre-commit hook — the tarball is now self-contained, sopublish-to-bcrneeds no patch (removes the stale-patch failure mode).trigger_release.sh— require running onmainat exactlyorigin/main; validate numericX.Y.Z; portable BSD/GNUsedfor the version bump + CHANGELOG prepend; pre-flight that.github/workflows/bazelmod.patchstill applies. Simple flow kept: open the version-bump PR and stop — another maintainer reviews and merges (no self-approve / admin-merge).release.yml— trigger on numeric-semver tags only ([0-9]+.[0-9]+.[0-9]+).main.yml— trigger on branch pushes only, so release tags don't re-run the full matrix.Validation
release_prep.shdry run produces a correct self-contained tarball;pre-commitfully green (shellcheck + beautysh included).