chore(ci): release & supply-chain hardening from the v0.13.0 retro#127
Merged
Conversation
Folds in the lessons from the v0.13.0 release, where every release-tooling bug surfaced only at tag-push time on an irreversible tag. CI gates: - Add `format:check` to the Lint lane. Prettier was only enforced by the pre-push hook (bypassable, and merged PRs were never format-gated), so drift accumulated and blocked the v0.13.0 tag push. Absorbs that drift. - Add a PR-only `Release dry run` lane (`release:prepare --build --skip-zip`, path-filtered to release-relevant changes): packs + attw + external consumers on a cheap PR. The tilemap-missing-from-pack and attw-format regressions would have failed HERE instead of mid-release. Release correctness: - verify:release-matrix now asserts every official package has a `repository` field — `npm publish --provenance` aborts without it, which caused the v0.13.0 partial publish (Core published, particles failed mid-run). - Add scripts/release/RELEASING.md: new-package OIDC bootstrap procedure and the `npm dist-tag add` E401-under-OIDC limitation + manual promotion runbook. Supply chain: - pnpm `minimumReleaseAge: 4320` (3 days) quarantines brand-new versions on every install, local and CI — defends against publish-then-yank attacks. - publint (pinned, via dlx) validates the published manifests — the layer attw does not cover. Tooling pins (output-gating tools must not drift like attw@latest did): - typescript / eslint / typescript-eslint to `~` (patch-only). - actionlint Docker image pinned to 1.7.12. Style consistency: - array-simple for test/scripts/config blocks too (was always-[] there); autofixed T[] -> Array<T> for non-simple types. Matches src/. Dependabot: - Group the vitest and eslint families across patch+minor so lockstep tools move together instead of as separate skew-prone PRs.
The prettier pass in this PR reformatted NineSliceSprite/RepeatingSprite/ TextureRegion source, shifting the line numbers the API doc generator bakes into the MDX sourceUrl anchors. Regenerate so docs:api:check matches. Surfaces a real coupling: format:check (added here) and docs:api:check are linked — reformatting an API-exported source requires a docs regen in the same change. Both are gates and the regenerated MDX is itself prettier-clean.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Folds in the lessons from the v0.13.0 release, where every release-tooling bug surfaced only at tag-push time on an irreversible tag. Supersedes #123 (its prettier drift is absorbed here under a real CI gate).
CI gates
format:checkin the Lint lane. Prettier was only enforced by the pre-push hook (bypassable; merged PRs were never format-gated), so 34 files drifted and blocked the v0.13.0 tag push. This absorbs that drift and gates it going forward.Release dry runlane —release:prepare --build --skip-zip, path-filtered to release-relevant changes. Runs pack → attw → external consumers on a cheap PR. The tilemap-missing-from-pack and attw-output-format regressions that broke the release would have failed HERE.Release correctness
verify:release-matrixnow requires arepositoryfield on every official package.npm publish --provenanceaborts without it — the exact cause of the v0.13.0 partial publish (Core published with provenance, particles failed mid-run).scripts/release/RELEASING.md: the new-package OIDC bootstrap procedure (publish placeholder + Trusted Publisher config BEFORE first release — OIDC cannot first-publish) and thenpm dist-tag add→ E401-under-OIDC limitation with the manual-promotion runbook.Supply chain
minimumReleaseAge: 4320(3 days) — quarantines brand-new versions on every install, local AND CI, defending against publish-then-yank attacks. Complements the Dependabot cooldown (which only governs Dependabot PRs).Tooling pins
Output-gating tools must not drift the way
attw@latestdid mid-release:typescript/eslint/typescript-eslint→~(patch-only; minors can add type errors / lint rules).1.7.12.Style
array-simplefor the test/scripts/config eslint blocks too (was always-[]); autofixedT[]→Array<T>for non-simple types, matchingsrc/.Dependabot
Validation
pnpm typecheck✓ ·pnpm test3049 passed / 10 skipped ✓ ·pnpm lint:all✓ ·pnpm format:check✓ ·pnpm verify:release-matrix✓ (incl. new repository checks) ·pnpm verify:lockstep✓