chore: refuse release.sh from main; require release branch#62

Merged: Jamkris merged 1 commit into main from chore/release-guard on May 12, 2026

@Jamkris Jamkris commented May 12, 2026

Summary

`scripts/release.sh` used to run on any branch and only print a hint about creating a PR when not on `main`. Running it from `main` accidentally commits a version bump directly to `main`, bypassing PR review, CI, and the merge audit trail. This happened today — two stray local commits had to be reset.

This PR adds an explicit guard: if HEAD is on `main`, the script prints the proper 5-step workflow and exits 1 before touching any file. No env-var escape hatch — normalising the wrong path is what caused the incident in the first place.

Behaviour

Before: running on main silently committed the version bump to main; a footer suggested a PR but the bump was already on the wrong branch.

After:

```
$ git checkout main
$ ./scripts/release.sh 1.3.9
Error: refusing to run release from 'main' branch.

Version bumps must go through a PR:

  1. git checkout -b chore/release-v1.3.9
  2. ./scripts/release.sh 1.3.9 # re-run on the release branch
  3. git push -u origin chore/release-v1.3.9
  4. gh pr create --title "chore: release v1.3.9" --body "Bump version to 1.3.9"
  5. Merge once CI is green, then push the tag.
```

On any non-main branch, the script proceeds normally.

Also in this PR

  • Dropped the dead `if [ "$BRANCH" != "main" ]` footer branch — `BRANCH = main` is now unreachable past the guard, so collapsed the "Next steps" to the single correct path.

Test plan

  • `npm run lint` — clean
  • `npm test` — 264/264
  • Dry-run on `chore/release-guard` branch — script proceeds past the guard (made a throwaway 9.9.9 commit, rolled back)
  • Dry-run on `main` — script prints the 5-step workflow and exits 1; `package.json` / `gemini-extension.json` / `plugin.json` are not modified

Follow-up (after this merges)

Re-do the 1.3.9 release the proper way:

  1. `git checkout main && git pull`
  2. `git checkout -b chore/release-v1.3.9`
  3. `./scripts/release.sh 1.3.9`
  4. Push the branch, open the release PR, merge, push the tag.

Summary by cubic

Add a hard guard in scripts/release.sh to refuse running on main, forcing releases to go through a release branch and PR. This prevents accidental version bumps on main and ensures CI and review run every time.

  • Refactors
    • Detect main, print a 5-step release workflow, and exit 1 before touching files.
    • Remove the dead if [ "$BRANCH" != "main" ] branch and simplify “Next steps” to the single PR path (push branch, open PR, push tag after merge).

Written for commit 468bf4f. Summary will update on new commits.

scripts/release.sh used to run on any branch and only hinted "create
a PR" when not on main. Running it directly on main accidentally
commits a version bump to main without going through PR review, CI,
or the merge audit trail — discovered the hard way today (two stray
local commits had to be reset).

This change adds an explicit guard at the top of the script: if the
current branch is `main`, print the proper workflow and exit 1
before touching any file. No env-var escape hatch — normalising the
wrong path is what got us here in the first place. For a genuine
emergency the user can comment out the guard locally.

Also tightens the "Next steps" footer to the single (and now only)
correct path — create a release branch, push, PR, merge, push tag.
Drops the dead `if BRANCH != main` branch since `BRANCH = main` is
now unreachable.

Verified by dry-run:
- on chore/release-guard: script proceeds past the guard.
- on main: script prints the 5-step workflow and exits 1 without
  modifying package.json / gemini-extension.json / plugin.json.
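
The guard described in this PR, written out as an added example (not the project's actual `scripts/release.sh`). `current_branch`, `release_guard`, `run_release` and `PROTECTED_BRANCH` are hypothetical names, the one-line version write stands in for the real bump, and refusing a detached HEAD is an assumption that goes beyond what the PR states.

```shell
#!/bin/sh
# Added example: branch guard for a release script (not the project's release.sh).
PROTECTED_BRANCH="main"   # assumption: one protected branch name

# current_branch: print the checked-out branch, or nothing on a detached HEAD.
current_branch() {
  git symbolic-ref --quiet --short HEAD 2>/dev/null || true
}

# release_guard VERSION [BRANCH]: return 0 to proceed, 1 to refuse.
# BRANCH defaults to the real checkout; passing it lets the guard be tested.
release_guard() {
  version="$1"
  branch="${2-$(current_branch)}"
  if [ -z "$branch" ]; then
    echo "Error: refusing to run release from a detached HEAD." >&2
    return 1
  fi
  if [ "$branch" = "$PROTECTED_BRANCH" ]; then
    cat >&2 <<EOF
Error: refusing to run release from '$branch' branch.

Version bumps must go through a PR:

  1. git checkout -b chore/release-v$version
  2. ./scripts/release.sh $version # re-run on the release branch
  3. git push -u origin chore/release-v$version
  4. gh pr create --title "chore: release v$version" --body "Bump version to $version"
  5. Merge once CI is green, then push the tag.
EOF
    return 1
  fi
  return 0
}

# run_release VERSION FILE [BRANCH]: guard first, write only after it passes.
# FILE stands in for package.json; the write is a placeholder for the real bump.
run_release() {
  if [ "$#" -ge 3 ]; then
    release_guard "$1" "$3" || return 1
  else
    release_guard "$1" || return 1
  fi
  printf '{"version": "%s"}\n' "$1" > "$2"
}
```

Because the guard returns before the write in `run_release`, a refused run leaves the target file byte-for-byte unchanged, which is the property the PR's dry-run on `main` checks.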

coderabbitai Bot commented May 12, 2026

Important

Review skipped

Ignore keyword(s) in the title.

⛔ Ignored keywords (3)
  • bump version
  • release
  • chore: bump

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro


@cubic-dev-ai cubic-dev-ai Bot left a comment


No issues found across 1 file

@Jamkris Jamkris merged commit e17ea83 into main May 12, 2026
10 checks passed