
fix(release): Move release package manifest validation earlier #331

Merged
GeWuYou merged 2 commits into main from fix/package-validation-guard
May 6, 2026
@GeWuYou GeWuYou commented May 6, 2026

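  • Fixes the risk of the benchmark project accidentally entering the release surface, and makes explicit that GFramework.Cqrs.Benchmarks stays non-packable.

  • Adds a shared packed modules validation script and has the publish and CI workflows reuse the same release package list rules.

  • Updates the CQRS active tracking and trace, recording the recovery point and validation results for this round of moving release validation earlier.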

Summary by CodeRabbit

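Release notes

  • New features

    • Added a performance benchmarking framework.
  • Improvements

    • Strengthened the module package validation mechanism in the build process.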

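- Fixes the risk of the benchmark project accidentally entering the release surface, and makes explicit that GFramework.Cqrs.Benchmarks stays non-packable.

- Adds a shared packed modules validation script and has the publish and CI workflows reuse the same release package list rules.

- Updates the CQRS active tracking and trace, recording the recovery point and validation results for this round of moving release validation earlier.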
coderabbitai Bot commented May 6, 2026

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 51f44132-8681-4c50-87e9-d1c9552ee995

📥 Commits

Reviewing files that changed from the base of the PR and between 30ddb84 and e3d6aa5.

📒 Files selected for processing (4)
  • .github/workflows/ci.yml
  • ai-plan/public/cqrs-rewrite/todos/cqrs-rewrite-migration-tracking.md
  • ai-plan/public/cqrs-rewrite/traces/cqrs-rewrite-migration-trace.md
  • scripts/validate-packed-modules.sh
📝 Walkthrough

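This PR introduces a package validation script and extracts packed-package validation from the publish workflow's inline logic into a shared script. It also adds a pack step to the CI flow and configures the benchmark project to be excluded from packing. Documentation updates record the migration progress.

Changes

Package validation infrastructure and packing control

| Layer / File | Summary |
| --- | --- |
| Packing configuration: GFramework.Cqrs.Benchmarks/GFramework.Cqrs.Benchmarks.csproj | Adds the IsPackable and GeneratePackageOnBuild properties, both set to false, to prevent the benchmark project from producing a NuGet package. |
| Validation script implementation: scripts/validate-packed-modules.sh | Adds a Bash script that verifies whether the .nupkg files in the pack output directory match the expected list of package identifiers, including strict mode settings, directory validation, temporary file management, and a diff report. |
| CI workflow integration: .github/workflows/ci.yml | Adds two new steps after the Build step: running dotnet pack in Release mode with output to ./packages, and calling the validation script to validate the packed modules. |
| Publish workflow refactor: .github/workflows/publish.yml | Replaces the inline validation logic of the "Validate packed modules" step (which previously enumerated expected packages, listed actual packages, and ran diff) with a single script call: bash scripts/validate-packed-modules.sh ./packages |
| Documentation and progress tracking: ai-plan/public/cqrs-rewrite/todos/cqrs-rewrite-migration-tracking.md, ai-plan/public/cqrs-rewrite/traces/cqrs-rewrite-migration-trace.md | Updates the recovery point from RP-090 to RP-091, recording the decisions to isolate the benchmark project and move package manifest validation earlier; expands the active facts, risk assessment, authoritative validation commands, and recommended next steps; adds migration tracking for RP-083 through RP-089 and detailed records of the new benchmark infrastructure. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • GeWuYou/GFramework#247: An earlier PR added the inline package validation logic to the publish workflow; this PR extracts it into an external script and reuses it in the CI flow.
  • GeWuYou/GFramework#326: An earlier PR introduced the GFramework.Cqrs.Benchmarks project; this PR completes that project's isolation by adding packing control properties, preventing it from being packed as a NuGet package.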
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The PR title "fix(release): Move release package manifest validation earlier" accurately summarizes the main change, namely moving the release package manifest validation logic earlier into the CI workflow and extracting it into a shared script. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


github-actions Bot commented May 6, 2026

Summary

| Tests 📝 | Passed ✅ | Failed ❌ | Skipped ⏭️ | Other ❓ | Flaky 🍂 | Duration ⏱️ |
| --- | --- | --- | --- | --- | --- | --- |
| 2288 | 2288 | 0 | 0 | 0 | 0 | 1ms |

Test Results

passed 2288 passed

Details

  • tests: 2288 tests
  • clock: 34.1s
  • tool: nunit
  • build: CI - Build & Test → build-and-test #1070
  • pull-request: fix(release): Move release package manifest validation earlier #331

Insights

| Average Tests per Run | Total Flaky Tests | Total Failed | Slowest Test (p95) |
| --- | --- | --- | --- |
| 2288 | 0 | 0 | 4.3s |

build-and-test: Run #1070

| Tests 📝 | Passed ✅ | Failed ❌ | Skipped ⏭️ | Pending ⏳ | Other ❓ | Flaky 🍂 | Duration ⏱️ |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 2288 | 2288 | 0 | 0 | 0 | 0 | 0 | 34.1s |

🎉 All tests passed!

Slowest Tests

| Test 📝 | Results 📊 | Duration (avg) ⏱️ | Duration (p95) ⏱️ |
| --- | --- | --- | --- |
| CreateStream_Should_ResolveCqrsRuntime_OnlyOnce_When_AccessedConcurrently | 1 | 4.3s | 4.3s |
| Does_Not_Report_When_FieldInjectedModel_Is_Registered | 1 | 2.0s | 2.0s |
| Generates_Scene_Behavior_Boilerplate | 1 | 1.5s | 1.5s |
| CleanupDuringAcquire_Should_NotCauseRaceCondition | 1 | 1.1s | 1.1s |
| Append_ShouldNotBlock | 1 | 1.0s | 1.0s |
| Context_Caching_Should_Improve_Performance | 1 | 773ms | 773ms |
| PendingCount_ShouldReflectQueuedEntries | 1 | 501ms | 501ms |
| Cleanup_Should_NotRemoveActiveLocks | 1 | 404ms | 404ms |
| Cleanup_Should_RemoveUnusedLocks | 1 | 401ms | 401ms |
| Generates_Precise_Assembly_Type_Lookups_For_Inaccessible_External_Generic_Definitions_With_Visible_Type_Arguments | 1 | 260ms | 260ms |

🎉 No failed tests in this run. | 🍂 No flaky tests in this run.

greptile-apps Bot commented May 6, 2026

Greptile Summary

This PR moves release-package validation earlier in the pipeline by adding dotnet pack + validate-packed-modules.sh steps to the PR CI workflow, so a rogue packable project is caught at PR time rather than at tag publish. It also extracts the previously inline publish.yml validation logic into a single shared script and explicitly marks GFramework.Cqrs.Benchmarks as non-packable.

  • GFramework.Cqrs.Benchmarks.csproj: adds <IsPackable>false</IsPackable> and <GeneratePackageOnBuild>false</GeneratePackageOnBuild> to lock the benchmark project out of any NuGet/GitHub Packages release set.
  • scripts/validate-packed-modules.sh: new shared script consolidating the expected package list and diff logic; both ci.yml and publish.yml now call this single source of truth.
  • ci.yml: new Pack step correctly includes --no-build so the preceding explicit Build step is not re-run, and feeds its output into the shared validation script.

Confidence Score: 5/5

Safe to merge — the changes add a validation gate with no production-code side effects, and the benchmark project is correctly locked out of the release set.

The three substantive changes (benchmark .csproj guard, shared validation script, CI workflow pack step) are all additive and defensive. The --no-build flag is correctly present in the new CI pack step, the find portability issue from earlier threads is addressed with -exec basename {} \;, and the script logic correctly diffs two sorted lists.

No files require special attention; scripts/validate-packed-modules.sh has a minor implicit-sort dependency worth tidying but it does not affect correctness today.

Important Files Changed

| Filename | Overview |
| --- | --- |
| scripts/validate-packed-modules.sh | New shared validation script extracting inline publish.yml logic; uses POSIX-compatible basename instead of GNU find -printf, but actual_file is written without an explicit sort (works because the pipeline already pipes through sort -u, though slightly fragile) |
| .github/workflows/ci.yml | Adds Pack + Validate steps to the PR workflow; dotnet pack correctly includes --no-build to avoid re-compiling after the preceding explicit Build step |
| .github/workflows/publish.yml | Replaces 35-line inline validation block with a single call to the shared script, keeping publish and CI workflows in sync |
| GFramework.Cqrs.Benchmarks/GFramework.Cqrs.Benchmarks.csproj | Explicitly marks project as non-packable with both IsPackable=false and GeneratePackageOnBuild=false to prevent it from entering the NuGet release set |

Prompt To Fix All With AI
Fix the following 1 code review issue. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 1
scripts/validate-packed-modules.sh:44
The `actual_file` is written without an explicit `sort`, whereas `expected_file` uses `| sort`. Today this is safe because the `mapfile` pipeline already ends with `sort -u`, so the array arrives pre-sorted. However, if the pipeline is ever modified (e.g., the `sort -u` is dropped or replaced with a different filter), `diff -u` will silently produce incorrect output — false positives or negatives — without any obvious error. Adding an explicit `sort` at the write site makes the invariant self-documenting and resilient to future pipeline changes.

```suggestion
printf '%s\n' "${actual_packages[@]}" | sort > "$actual_file"
```

Reviews (2): Last reviewed commit: "fix(release): Fix leftover review issues in the release validation chain"
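
The allowlist check this PR centralizes, sketched as an added example; it is not the repository's `scripts/validate-packed-modules.sh`, whose contents do not appear on this page. The function names and the `Example.*` package IDs are hypothetical, and the sample pack directory is constructed. Both lists are sorted where they are written, which is the invariant the review comment above asks for.

```shell
#!/bin/sh
# Added example: fail a build when the pack output differs from a release allowlist.
set -eu

# Print sorted, unique package IDs for the *.nupkg files directly inside "$1".
# The version suffix is stripped; a file name that does not parse is left
# unchanged so that it shows up in the diff instead of being ignored.
list_packed_ids() {
    find "$1" -maxdepth 1 -type f -name '*.nupkg' -exec basename {} \; |
        sed -E 's/\.[0-9]+\.[0-9]+\.[0-9]+([-.][0-9A-Za-z.+-]*)?\.nupkg$//' |
        LC_ALL=C sort -u
}

# validate_packed_modules DIR ID...
# Exit status: 0 = packed set equals the allowlist, 1 = mismatch, 2 = bad input.
# The body runs in a subshell so its variables stay local.
validate_packed_modules() (
    dir=$1
    shift
    [ -d "$dir" ] || { echo "package directory not found: $dir" >&2; exit 2; }
    [ "$#" -gt 0 ] || { echo "empty allowlist" >&2; exit 2; }
    tmp=$(mktemp -d)
    # Both sides are sorted at the write site, so diff never sees ordering noise.
    printf '%s\n' "$@" | LC_ALL=C sort -u > "$tmp/expected"
    list_packed_ids "$dir" > "$tmp/actual"
    rc=0
    diff -u "$tmp/expected" "$tmp/actual" >&2 || rc=1
    rm -rf "$tmp"
    exit "$rc"
)

# Constructed scenario: a benchmark project was left packable and its package
# landed next to the two intended ones. All names are hypothetical.
demo_rogue_package() (
    out=$(mktemp -d)
    for f in Example.Core.1.4.0 Example.Cqrs.1.4.0 Example.Cqrs.Benchmarks.1.4.0; do
        : > "$out/$f.nupkg"
    done
    rc=0
    validate_packed_modules "$out" Example.Core Example.Cqrs || rc=$?
    rm -rf "$out"
    exit "$rc"
)

if demo_rogue_package; then
    echo "pack output matches the allowlist"
else
    echo "release blocked: pack output differs from the allowlist" >&2
fi
```

Because the comparison is an exact set match, a missing expected package fails the check the same way an unexpected one does.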

github-actions Bot commented May 6, 2026

MegaLinter analysis: Success

| Descriptor | Linter | Files | Fixed | Errors | Warnings | Elapsed time |
| --- | --- | --- | --- | --- | --- | --- |
| ✅ REPOSITORY | gitleaks | yes | | no | no | 4.21s |
| ✅ REPOSITORY | trufflehog | yes | | no | no | 4.36s |

See detailed reports in MegaLinter artifacts
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@ai-plan/public/cqrs-rewrite/todos/cqrs-rewrite-migration-tracking.md`:
- Line 12: Update the PR anchor text in the migration tracking markdown by
replacing the literal string "当前 PR 锚点:`待创建`" with the actual PR identifier
(e.g., "当前 PR 锚点:`PR `#331``") and optionally add the PR link; ensure the markdown
line that currently contains `待创建` is updated so the document reflects the real
PR number and link for traceability.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 93fa777d-087a-43f1-b0d1-219b168852f0

📥 Commits

Reviewing files that changed from the base of the PR and between c65c131 and 30ddb84.

📒 Files selected for processing (6)
  • .github/workflows/ci.yml
  • .github/workflows/publish.yml
  • GFramework.Cqrs.Benchmarks/GFramework.Cqrs.Benchmarks.csproj
  • ai-plan/public/cqrs-rewrite/todos/cqrs-rewrite-migration-tracking.md
  • ai-plan/public/cqrs-rewrite/traces/cqrs-rewrite-migration-trace.md
  • scripts/validate-packed-modules.sh
📜 Review details
⏰ Context from checks skipped due to timeout of 900000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Analyze (C#)
🧰 Additional context used
📓 Path-based instructions (8)
**/*[!.]*

📄 CodeRabbit inference engine (AGENTS.md)

For files with shebang lines, keep shebang as first line and place license header immediately after it

Files:

  • GFramework.Cqrs.Benchmarks/GFramework.Cqrs.Benchmarks.csproj
  • scripts/validate-packed-modules.sh
  • ai-plan/public/cqrs-rewrite/todos/cqrs-rewrite-migration-tracking.md
  • ai-plan/public/cqrs-rewrite/traces/cqrs-rewrite-migration-trace.md
**/*.{xml,csproj,props,targets}

📄 CodeRabbit inference engine (AGENTS.md)

For XML/MSBuild files with XML declaration, keep XML declaration as first node and place license header immediately after it

Files:

  • GFramework.Cqrs.Benchmarks/GFramework.Cqrs.Benchmarks.csproj
**/*.csproj

📄 CodeRabbit inference engine (AGENTS.md)

**/*.csproj: Follow repository defaults: ImplicitUsings disabled, Nullable enabled, GenerateDocumentationFile enabled for shipped libraries, LangVersion generally preview in main libraries and abstractions
Minimize new package dependencies. Add them only when necessary and keep scope narrow

Files:

  • GFramework.Cqrs.Benchmarks/GFramework.Cqrs.Benchmarks.csproj
**/*.{csproj,cs}

📄 CodeRabbit inference engine (AGENTS.md)

Framework runtime, abstractions, and meta-package projects MUST NOT reference *.SourceGenerators* projects or packages, and MUST NOT use source-generator attributes

Files:

  • GFramework.Cqrs.Benchmarks/GFramework.Cqrs.Benchmarks.csproj
**/*.{cs,ts,tsx,js,jsx,py,sh,xml,csproj,props,targets}

📄 CodeRabbit inference engine (AGENTS.md)

Use 4 spaces for indentation. Do not use tabs

Files:

  • GFramework.Cqrs.Benchmarks/GFramework.Cqrs.Benchmarks.csproj
  • scripts/validate-packed-modules.sh
**/*.{cs,ts,tsx,js,jsx,py,sh}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{cs,ts,tsx,js,jsx,py,sh}: All generated or modified code MUST include clear and meaningful comments where required by documentation rules
Comments MUST NOT be trivial, redundant, or misleading. Prefer explaining why and when, not just what. Code should remain understandable without requiring external context
Avoid obvious comments such as // increment i

Files:

  • scripts/validate-packed-modules.sh
**/*.{cs,ts,tsx,js,jsx,py,sh,xml}

📄 CodeRabbit inference engine (AGENTS.md)

Keep line length readable. Around 120 characters is preferred upper bound

Files:

  • scripts/validate-packed-modules.sh
**/*.{md,mdx}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{md,mdx}: Keep code samples, package names, and command examples aligned with current repository state in documentation
When public page references XML docs or API coverage, convert evidence into reader-facing guidance: explain which types/namespaces/entry points readers should inspect and why
For integration-oriented features such as AI-First config system, documentation MUST cover: project directory layout/file conventions, required project/package wiring, minimal working example, migration/compatibility notes
When examples are rewritten, preserve only parts that remain true. Delete or replace speculative examples instead of lightly editing into another inaccurate form

Files:

  • ai-plan/public/cqrs-rewrite/todos/cqrs-rewrite-migration-tracking.md
  • ai-plan/public/cqrs-rewrite/traces/cqrs-rewrite-migration-trace.md
🔇 Additional comments (5)
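GFramework.Cqrs.Benchmarks/GFramework.Cqrs.Benchmarks.csproj (1)

14-16: Release boundary control is in place.

IsPackable=false and GeneratePackageOnBuild=false on Lines 15-16 explicitly exclude the benchmark project from the release surface, consistent with this PR's goal of moving package manifest validation earlier.

scripts/validate-packed-modules.sh (1)

7-51: The shared validation script is clearly implemented and highly reusable.

The parameterized package directory, temporary directory cleanup, and expected/actual set comparison are all complete, and can reliably support CI and publish reusing the same rules.

.github/workflows/publish.yml (1)

85-85: Switching the publish flow to call the shared script is the right consolidation.

Line 85 removes the inline validation logic from the publish flow, reducing the risk of rule drift.

.github/workflows/ci.yml (1)

158-168: Moving package manifest validation forward to the PR stage is the right direction.

The new dotnet pack + validate-packed-modules.sh exposes release-surface anomalies before merge and forms a constraint consistent with the publish workflow.

ai-plan/public/cqrs-rewrite/traces/cqrs-rewrite-migration-trace.md (1)

5-20: The RP-091 trace record is complete and actionable.

Stage background, decisions, landed files, and expected results close the loop in a single section; the information quality as a recovery point is very good.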

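- Fixes the PR workflow issue where dotnet pack rebuilt the entire solution

- Optimizes the find implementation in the packed modules validation script for BSD compatibility

- Updates the current PR anchor and review conclusions in the cqrs-rewrite active tracking and trace documents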
github-actions Bot commented May 6, 2026

Summary

| Tests 📝 | Passed ✅ | Failed ❌ | Skipped ⏭️ | Other ❓ | Flaky 🍂 | Duration ⏱️ |
| --- | --- | --- | --- | --- | --- | --- |
| 2288 | 2288 | 0 | 0 | 0 | 0 | 36.8s ↑2.7s |

Test Results

passed 2288 passed

Details

  • tests: 2288 tests
  • clock: 36.8s ↑2.7s
  • tool: nunit
  • build: CI - Build & Test → build-and-test #1071
  • pull-request: fix(release): Move release package manifest validation earlier #331

Insights

| Average Tests per Run | Total Flaky Tests | Total Failed | Slowest Test (p95) |
| --- | --- | --- | --- |
| 2288 | 0 | 0 | 4.3s |

build-and-test: Run #1071

| Tests 📝 | Passed ✅ | Failed ❌ | Skipped ⏭️ | Pending ⏳ | Other ❓ | Flaky 🍂 | Duration ⏱️ |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 2288 | 2288 | 0 | 0 | 0 | 0 | 0 | 36.8s |

🎉 All tests passed!

Slowest Tests

| Test 📝 | Results 📊 | Duration (avg) ⏱️ | Duration (p95) ⏱️ |
| --- | --- | --- | --- |
| CreateStream_Should_ResolveCqrsRuntime_OnlyOnce_When_AccessedConcurrently | 2 | 4.0s | 4.3s |
| Does_Not_Report_When_FieldInjectedModel_Is_Registered | 2 | 2.0s | 2.1s |
| Generates_Scene_Behavior_Boilerplate | 2 | 1.6s | 1.8s |
| CleanupDuringAcquire_Should_NotCauseRaceCondition | 2 | 1.1s | 1.1s |
| Append_ShouldNotBlock | 2 | 1.0s | 1.0s |
| Context_Caching_Should_Improve_Performance | 2 | 777ms | 782ms |
| PendingCount_ShouldReflectQueuedEntries | 2 | 501ms | 501ms |
| Cleanup_Should_NotRemoveActiveLocks | 2 | 404ms | 405ms |
| Cleanup_Should_RemoveUnusedLocks | 2 | 401ms | 401ms |
| Generates_Precise_Assembly_Type_Lookups_For_Inaccessible_External_Generic_Definitions_With_Visible_Type_Arguments | 2 | 288ms | 317ms |

± Comparison with run #1070 at 1b9e18e | 🎉 No failed tests detected across all runs. | 🍂 No flaky tests detected across all runs. | ⏱️ Measured over 2 runs.

@GeWuYou GeWuYou merged commit c2d2228 into main May 6, 2026
7 checks passed
@GeWuYou GeWuYou deleted the fix/package-validation-guard branch May 6, 2026 13:35