Skip to content

post-release-vcpkg: fix version source, simplify UX, add no-secrets CI notification#89

Merged
mario4tier merged 7 commits into
devfrom
copilot/automate-vcpkg-port-update-prs
Jun 11, 2026
Merged

post-release-vcpkg: fix version source, simplify UX, add no-secrets CI notification#89
mario4tier merged 7 commits into
devfrom
copilot/automate-vcpkg-port-update-prs

Conversation

Copilot AI commented Jun 11, 2026

Copy link
Copy Markdown
Contributor

Three bugs/design issues in the vcpkg post-release workflow: version was read from the local VERSION file (broken when main is bumped past the release), the CI workflow checked out main instead of the release tag (same root cause), and the manual step required memorizing two verbose flags.

Version source (concern 2)

  • Script: authoritative version now comes from releases/latest GitHub API. Local VERSION is a cross-check only — mismatch prints [info] and continues with the release version instead of erroring.
  • Workflow: ref: mainref: ${{ github.event.release.tag_name }}, so the CI checkout always matches the published release.
  • read_latest_release_src_tarball() now explicitly rejects draft: true releases.

UX — no flags needed (concern 3)

Default invocation does everything; confirmation prompt guards against accidents (matches post-release-brew.py pattern):

cd scripts && python post-release-vcpkg.py

Removed --perform-local-changes and --create-pr. Added --plan for non-interactive/CI use.

Idempotency (concern 3)

Safe to run multiple times for the same release:

  • Existing-PR check exits cleanly if a vcpkg PR for this version is already open.
  • Port file update (version + SHA512) overwrites to the same values — no harmful double-apply.
  • git checkout -B ta-lib-{version} and the "no changes to commit" guard prevent duplicate commits.
  • Safety guards (fork + main-branch checks) fire before the confirmation prompt.

CI workflow value (concern 1)

Workflow fires on release.published as a reminder and pre-computes SHA512 — useful for async coordination when the person publishing the release isn't the one submitting the vcpkg PR. Zero secrets required; the "Next Step" in the job summary is the single no-flag command above.

Copilot AI added 2 commits June 11, 2026 14:06
- Verify original TA-Lib repo (not a fork) before --perform-local-changes/--create-pr
- Verify on 'main' branch before creating PRs
- Check for existing open PR in microsoft/vcpkg before creating a duplicate
- Improve version-mismatch error message to mention draft/unpublished releases
- Add .github/workflows/post-release-vcpkg.yml: triggers on release.published,
  runs the script in plan mode, posts SHA512 + instructions as job summary
  (no PAT or secret required)
- Use word-boundary regex in _check_no_existing_vcpkg_pr to avoid false
  positives (e.g. 0.6.1 matching 0.6.10)
- Add permissions: contents: read to the GitHub Actions workflow job
  to satisfy GITHUB_TOKEN least-privilege requirement
Copilot AI changed the title [WIP] Automate vcpkg port update PRs after TA-Lib releases post-release-vcpkg: add safety guards and no-secrets CI plan automation Jun 11, 2026
Copilot AI requested a review from mario4tier June 11, 2026 14:09
Copilot AI added 2 commits June 11, 2026 15:46
…ct CI ref

Concern 1 - workflow value:
- Workflow still fires on release.published as a reminder and pre-computes
  SHA512 in CI (useful for multi-person teams / async coordination)
- --plan flag added for non-interactive CI mode

Concern 2 - version source:
- Authoritative version now comes from the GitHub releases/latest API
  (not local VERSION file), so running after main has been bumped works
- Local VERSION used as informational cross-check only (prints [info] if
  different, never errors)
- Workflow changed to checkout release tag not main, so VERSION always
  matches the published release in CI too
- read_latest_release_src_tarball() also checks draft=true and rejects it

Concern 3 - UX and idempotency:
- Default (no flags) = full pipeline; no lengthy flags needed
- Interactive confirmation prompt before any side-effects
- --plan flag for non-interactive/CI mode
- Removed --perform-local-changes and --create-pr
- 'no changes to commit' guard improved with clearer message
- Existing PR duplicate-check still present
Copilot AI changed the title post-release-vcpkg: add safety guards and no-secrets CI plan automation post-release-vcpkg: fix version source, simplify UX, add no-secrets CI notification Jun 11, 2026
Comment thread scripts/post-release-vcpkg.py Outdated
Comment thread scripts/post-release-vcpkg.py Outdated

# Cross-check with local VERSION — warn if they differ (main may be bumped ahead).
try:
local_version = read_local_version()

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You are building from the tarball, so this is more like a sanity test that the user local branch matches (and was not confuse testing something else). Wondering, should it be done comparing release tag (hash) instead of just VERSION. When it fails, make sure you give instruction about how to get the local repos on the needed tag with git (and give optional instruction to the user about how to go back to latest AFTER done with this operation).

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Replaced the VERSION-file comparison with a git-tag-hash check. read_latest_release_src_tarball now also returns the tag_name from the GitHub release API. _check_local_at_release_tag resolves that tag locally via git rev-parse refs/tags/<tag>^{} and compares it against HEAD. On mismatch it prints:

[info] Local HEAD (abc123456789) does not match release tag 'v0.6.4' (def098765432).
[info] The vcpkg update will still use the downloaded tarball for version 0.6.4,
[info] but if you want your local checkout to match the release:
[info]   git checkout v0.6.4
[info] (To return to the latest main afterwards: git checkout main)

If the tag isn't present locally at all it suggests git fetch --tags first.

@mario4tier mario4tier left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Check the inline comments, fix the code.

@mario4tier

Copy link
Copy Markdown
Member

Important, do not submit PR to main. You can submit changes only into dev. The maintainer (myself) will merge into main later.

Copilot AI requested a review from mario4tier June 11, 2026 17:27

@mario4tier mario4tier left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved, but you have to rebase to commit into dev, not main.

@mario4tier mario4tier marked this pull request as ready for review June 11, 2026 18:06
@mario4tier

Copy link
Copy Markdown
Member

AI agent: you have to rebase to the dev branch. No changes go to main directly, have to always soak in dev for a while first.

@mario4tier mario4tier changed the base branch from main to dev June 11, 2026 19:07
@mario4tier mario4tier merged commit c78be20 into dev Jun 11, 2026
2 checks passed
@mario4tier mario4tier deleted the copilot/automate-vcpkg-port-update-prs branch June 11, 2026 19:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Automate vcpkg port update PRs after TA-Lib releases

2 participants