ci(#462): add durable next publish pipeline #687

Merged
jason.woltje merged 1 commits from feat/next-durable-publish into next 2026-06-25 05:45:09 +00:00
Owner

Summary

  • add design doc for the durable @next publish pipeline
  • publish non-private @mosaicstack packages from next as <target-stable>-next.<CI_PIPELINE_NUMBER> with npm --tag next
  • publish gateway sha-only images from next while keeping appservice/web and latest publishing on main/tags

Registry verification

  • Gitea npm registry returns dist-tags for @mosaicstack/mosaic (latest=0.0.48)
  • @mosaicstack/mosaic@latest resolves to 0.0.48
  • @next is expected absent before the first next prerelease; pipeline verifies @mosaicstack/mosaic@next after publish

Verification

  • python yaml parse + publish guard assertions
  • npm view @mosaicstack/mosaic dist-tags / @latest against Gitea registry
  • prerelease publish dry-run: computed 23 non-private packages and pnpm publish --dry-run --tag next passed
  • pnpm typecheck
  • pnpm lint
  • pnpm format:check
  • pnpm build
  • Codex code review: approve
  • Codex security review: no findings

No self-merge; release-config/SOURCE review requested.

jason.woltje added 1 commit 2026-06-25 05:02:56 +00:00
jason.woltje force-pushed feat/next-durable-publish from e349ec6956 to b1a887a262 2026-06-25 05:21:47 +00:00 Compare
Author
Owner

REVIEW-OF-RECORD — APPROVE (#687, head b1a887a262). I reviewed the @next durable publish pipeline and found no blockers.

Publish guardrails: publish-next-npm is gated to push/manual on branch next and has a second in-step fatal guard requiring CI_COMMIT_BRANCH=next. The existing stable publish-npm remains on release tags and main push/manual package changes; it does not run on next. The next publish command uses pnpm publish ... --tag next and contains no latest-dist-tag operation, so next cannot update npm latest through this path. Main cannot publish @next because the publish-next-npm step is branch-gated away from main.

Versioning: prerelease versions are computed at publish time in the CI workspace from committed stable package versions as <patch+1>-next.<CI_PIPELINE_NUMBER>; no -next.* versions are committed in package.json. I simulated the version script with CI_PIPELINE_NUMBER=9999; it computed 23 publishable packages, including @mosaicstack/mosaic 0.0.48 -> 0.0.49-next.9999, then restored the worktree. The b1a887a2 brace fix is clean: the Node heredoc uses string concatenation rather than JS template literals that would collide with Woodpecker ${...} interpolation.

Secrets / tags / images: NPM_TOKEN reuses the existing Woodpecker gitea_token secret; no hardcoded credentials or new secret are introduced. Gateway image publishing on next is sha-only (gateway:sha-<short>); gateway:latest is added only under the main branch condition, and appservice/web image steps remain main/tag-only.

Reviewer verification on head b1a887a2: YAML parse pass; publish guard assertions pass; version-compute simulation pass; pnpm typecheck pass (41/41); pnpm lint pass (23/23); pnpm format:check pass; pnpm build pass (23/23). PR CI reported green on pipeline 1631. APPROVE.

jason.woltje merged commit c25a551c28 into next 2026-06-25 05:45:09 +00:00
jason.woltje deleted branch feat/next-durable-publish 2026-06-25 05:45:10 +00:00
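
The two properties the review above checks, the in-step branch guard and the `<patch+1>-next.<CI_PIPELINE_NUMBER>` version computation, shown as an added example that is not the repository's pipeline script. Function names and the private sample package are hypothetical; strings are built by concatenation, matching the review's note about Woodpecker `${...}` interpolation.

```javascript
'use strict';
// Added example (hypothetical helper names), not the project's own code.

const STABLE = /^(\d+)\.(\d+)\.(\d+)$/;

// In-step fatal guard: nothing is computed unless the branch is exactly "next".
function assertNextBranch(env) {
  if (env.CI_COMMIT_BRANCH !== 'next') {
    throw new Error('refusing @next publish from branch ' +
      JSON.stringify(env.CI_COMMIT_BRANCH));
  }
}

// <patch+1>-next.<CI_PIPELINE_NUMBER>, derived from a committed stable version.
function nextVersion(stable, pipelineNumber) {
  const m = STABLE.exec(stable);
  // A committed "-next.*" (or any non x.y.z) version is rejected, not bumped.
  if (!m) throw new Error('committed version is not stable x.y.z: ' + stable);
  // SemVer numeric prerelease identifiers may not carry leading zeros.
  if (!/^[1-9]\d*$/.test(String(pipelineNumber))) {
    throw new Error('CI_PIPELINE_NUMBER must be a positive integer');
  }
  return m[1] + '.' + m[2] + '.' + (Number(m[3]) + 1) + '-next.' + pipelineNumber;
}

// Plan the publish: non-private @mosaicstack packages only, dist-tag "next".
function planNextPublish(manifests, env) {
  assertNextBranch(env);
  return manifests
    .filter((p) => p.private !== true && p.name.startsWith('@mosaicstack/'))
    .map((p) => ({
      name: p.name,
      from: p.version,
      to: nextVersion(p.version, env.CI_PIPELINE_NUMBER),
      tag: 'next', // never "latest" on this path
    }));
}

// Constructed sample manifests; the private package name is made up.
const SAMPLE = [
  { name: '@mosaicstack/mosaic', version: '0.0.48' },
  { name: '@mosaicstack/internal-tools', version: '0.0.3', private: true },
];
```
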
Reference: mosaicstack/stack#687