From 468bf4f7bdb24630fb030ac93d21eb4c3d873eaf Mon Sep 17 00:00:00 2001
From: Jamkris
Date: Tue, 12 May 2026 11:23:34 +0900
Subject: [PATCH] chore: refuse release.sh from main; require release branch
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

scripts/release.sh used to run on any branch and only hinted "create a PR" when not on main. Running it directly on main accidentally commits a version bump to main without going through PR review, CI, or the merge audit trail — discovered the hard way today (two stray local commits had to be reset).

This change adds an explicit guard at the top of the script: if the current branch is `main`, print the proper workflow and exit 1 before touching any file. No env-var escape hatch — normalising the wrong path is what got us here in the first place. For a genuine emergency the user can comment out the guard locally.

Also tightens the "Next steps" footer to the single (and now only) correct path — create a release branch, push, PR, merge, push tag. Drops the dead `if BRANCH != main` branch since `BRANCH = main` is now unreachable.

Verified by dry-run:
- on chore/release-guard: script proceeds past the guard.
- on main: script prints the 5-step workflow and exits 1 without modifying package.json / gemini-extension.json / plugin.json.
---
 scripts/release.sh | 35 +++++++++++++++++++++++------------
 1 file changed, 23 insertions(+), 12 deletions(-)

diff --git a/scripts/release.sh b/scripts/release.sh
index 8761c40..b216c07 100755
--- a/scripts/release.sh
+++ b/scripts/release.sh
@@ -17,6 +17,25 @@ fi # Remove 'v' prefix if provided VERSION="${VERSION#v}" +# Refuse to run on main. The release workflow expects the version +# bump to land via a reviewable PR — committing directly to main +# bypasses CI, code review, and the merge audit trail. If you really +# need to release from main (genuine emergency), comment out this +# guard temporarily; do not add an env-var escape hatch because that +# normalises the wrong path. +BRANCH=$(git rev-parse --abbrev-ref HEAD) +if [ "$BRANCH" = "main" ]; then + echo "Error: refusing to run release from 'main' branch." >&2 + echo "" >&2 + echo "Version bumps must go through a PR:" >&2 + echo " 1. git checkout -b chore/release-v$VERSION" >&2 + echo " 2. ./scripts/release.sh $VERSION # re-run on the release branch" >&2 + echo " 3. git push -u origin chore/release-v$VERSION" >&2 + echo " 4. gh pr create --title \"chore: release v$VERSION\" --body \"Bump version to $VERSION\"" >&2 + echo " 5. Merge once CI is green, then push the tag." >&2 + exit 1 +fi + echo "Preparing release v$VERSION..." # 1. Update package.json @@ -42,17 +61,9 @@ git commit -m "chore: bump version to $VERSION" echo "Creating tag v$VERSION..." git tag "v$VERSION" -BRANCH=$(git rev-parse --abbrev-ref HEAD) - echo "Done!" echo "Next steps:" -echo "1. git push origin $BRANCH" -echo "2. git push origin v$VERSION" -if [ "$BRANCH" != "main" ]; then - echo "3. Create a PR to merge '$BRANCH' into main" - echo " gh pr create --title 'chore: release v$VERSION' --body 'Bump version to $VERSION'" - echo "4. After merge, push the tag: git push origin v$VERSION" - echo "5. Check GitHub Actions for the Release process." -else - echo "3. Check GitHub Actions for the Release process." -fi +echo "1. git push -u origin $BRANCH" +echo "2. gh pr create --title \"chore: release v$VERSION\" --body \"Bump version to $VERSION\"" +echo "3. After merge, push the tag: git push origin v$VERSION" +echo "4. Check GitHub Actions for the Release process."
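Review bot: the guard in the first hunk (@@ -17,6 +17,25 @@) only refuses a branch literally named `main`, and `git rev-parse --abbrev-ref HEAD` prints `HEAD` in a detached-HEAD state, so `git checkout origin/main` (or checking out main's commit directly) passes `if [ "$BRANCH" = "main" ]` and the script goes on to bump, commit and tag from there, which is the path the commit message says it is closing. Consider `BRANCH=$(git symbolic-ref --short -q HEAD) || { echo "Error: detached HEAD; check out a release branch first." >&2; exit 1; }` so a detached HEAD is refused rather than silently allowed, and optionally also refuse when the current branch's upstream is `origin/main` (`git rev-parse --abbrev-ref --symbolic-full-name @{u}`), since a differently named local branch tracking main also passes the name check. Minor: the `gh pr create` hint in step 4 has no `--base`, so it targets the repository's default branch, which matches the intent only while that default is `main`.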
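Review bot: in the second hunk (@@ -42,17 +61,9 @@) the footer says "3. After merge, push the tag: git push origin v$VERSION", but `git tag "v$VERSION"` a few lines above has already been created on the release-branch commit before any PR exists. If the PR is squash-merged or rebase-merged, that tagged commit never lands on main, so the tag, and whatever the GitHub Actions Release process in step 4 builds from it, points at a commit other than the one that was reviewed and merged. Either move tag creation out of this script and tag the merged commit on main as the post-merge step (e.g. `git checkout main && git pull && git tag "v$VERSION" && git push origin "v$VERSION"`), or state in the footer that the PR must be merged with a merge commit or fast-forward so the tagged commit is an ancestor of main.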