Add version guard CI check to enforce version bumping #9
Walkthrough: Adds a CI-level version guard: new GitHub Actions jobs run a Node script that verifies configured package.json versions are bumped relative to the latest GitHub release tag; test/build jobs are made dependent on the guard. Multiple package.json files have their version fields updated.
Sequence Diagram

```mermaid
sequenceDiagram
    participant GHA as GitHub Actions
    participant Script as check-version-bumped.mjs
    participant Pkg as package.json files
    participant API as GitHub Releases API
    GHA->>Script: start version_guard job
    Script->>Script: ensure running in GitHub Actions
    Script->>Pkg: read versions from VERSION_PACKAGES
    Script->>Script: verify versions are identical
    Script->>API: fetch latest release (Authorization: token GITHUB_TOKEN)
    alt release found
        API-->>Script: return tag_name
        Script->>Script: normalize tag (strip leading "v")
        alt currentVersion == latestTag
            Script-->>GHA: exit 1 (fail)
        else
            Script-->>GHA: exit 0 (pass)
        end
    else no release found
        API-->>Script: 404 / empty
        Script-->>GHA: log and exit 0 (pass)
    end
```
Actionable comments posted: 4
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@.github/workflows/ci.yml`:
- Around line 28-29: The CI step running the script check-version-bumped.mjs
fails because the script needs process.env.GITHUB_TOKEN but the workflow step
doesn't pass it; update the GitHub Actions step named "Ensure version is bumped
vs last tagged release" to export the GITHUB_TOKEN environment variable from
secrets (secrets.GITHUB_TOKEN) so the Node script
(scripts/check-version-bumped.mjs) can read process.env.GITHUB_TOKEN at runtime.
- Around line 12-14: Remove the redundant top-level "if:" conditional that
checks (github.event_name == 'pull_request' && github.base_ref == 'main') ||
(github.event_name == 'push' && github.ref == 'refs/heads/main') since the
workflow's "on:" triggers already restrict runs to pushes on main and PRs
targeting main; locate the `if:` block in the CI workflow (the line starting
with "if:" and referencing github.event_name/github.base_ref/github.ref) and
delete it, then run a quick workflow lint or dry-run to confirm no downstream
steps depend on that duplicated guard.
- Around line 16-26: Remove the unnecessary full git history and tag fetch:
delete the fetch-depth: 0 option from the actions/checkout@v4 step and remove
the separate "Fetch tags" run step that executes git fetch --tags --force
--prune, since the workflow uses the GitHub Releases API (not local tags) to
determine the latest release; leave the standard checkout and setup-node actions
(actions/checkout@v4 and actions/setup-node@v4 with node-version-file) intact.
In `@scripts/check-version-bumped.mjs`:
- Around line 1-29: Update the version-check so it validates that all aligned
package.json files have the same version instead of only the root; add a helper
(e.g., getAllPackageVersions or extend getCurrentVersion) that reads and returns
versions from root/package.json, apps/desktop/package.json, and
apps/docs/package.json using the existing root and readFileSync logic, then
compare them and if any differ call processLogger.error / console.error and
process.exit(1) (or fail the script) with a clear message listing mismatched
files and their versions; keep existing CI-only gating (inCi) and reuse
fileURLToPath/dirname utilities already in the script.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@scripts/check-version-bumped.mjs`:
- Around line 114-124: The current check only fails when current === latest,
allowing a lower version to slip through; update the logic in the
version-checking block that compares the variables current and latest to enforce
that current must be greater than latest (use a semver-aware comparison, e.g.
semver.lte or semver.compare to detect current <= latest) and keep the existing
error message and process.exit(1) path when the check fails; locate the
comparison using the variables current and latest in the existing conditional
and replace the equality check with a semver-based "less than or equal" check.
```js
if (current === latest) {
  console.error(
    [
      `Current version ${current} matches latest GitHub release version ${latest}.`,
      `Every merge to main must bump the version. Please run:`,
      ` npm run release:bump [patch|minor|major]`,
      `then commit and push again.`,
    ].join("\n")
  );
  process.exit(1);
}
```
Enforce version increase, not just inequality.
The check only blocks current === latest. A lower version than latest still passes, which violates bump intent and can regress release versioning.
🔧 Proposed fix
+function parseSemver(v) {
+ const m = /^v?(\\d+)\\.(\\d+)\\.(\\d+)$/.exec(String(v).trim());
+ if (!m) return null;
+ return [Number(m[1]), Number(m[2]), Number(m[3])];
+}
+
+function compareSemver(a, b) {
+ const pa = parseSemver(a);
+ const pb = parseSemver(b);
+ if (!pa || !pb) return null;
+ for (let i = 0; i < 3; i += 1) {
+ if (pa[i] !== pb[i]) return pa[i] - pb[i];
+ }
+ return 0;
+}
+
const current = assertAlignedVersions();
const latest = await getLatestReleaseVersionFromGithub();
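Review bot: the regex literal in parseSemver is double-escaped as written here; inside `/.../` the sequence `\\d` matches a literal backslash followed by `d` and `\\.` a backslash followed by a dot, so a plain `1.2.3` never matches, parseSemver returns null for every input, and compareSemver therefore returns null on every run. Write it as `/^v?(\d+)\.(\d+)\.(\d+)$/`. Note also that the strict x.y.z form rejects prerelease tags such as `1.2.3-rc.1`; if such releases are ever published, the pattern needs a prerelease group rather than a hard failure.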
@@
-if (current === latest) {
+const cmp = compareSemver(current, latest);
+if (cmp === null) {
+ console.error(
+ `Version guard: unable to compare versions safely (current=${current}, latest=${latest}). Use strict semver x.y.z.`
+ );
+ process.exit(1);
+}
+
+if (cmp <= 0) {
console.error(
[
- `Current version ${current} matches latest GitHub release version ${latest}.`,
+ `Current version ${current} is not greater than latest GitHub release version ${latest}.`,
`Every merge to main must bump the version. Please run:`,
` npm run release:bump [patch|minor|major]`,
`then commit and push again.`,
].join("\n")
);
process.exit(1);
}
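Review bot: the new `cmp === null` branch turns the no-release case into a failure if getLatestReleaseVersionFromGithub returns an empty value; the walkthrough's sequence diagram says a missing release (404 / empty) should log and exit 0, but compareSemver(current, undefined) returns null here, which now exits 1. Check for a missing `latest` before the comparison and keep the exit-0 path so the first merge before any release still passes. The `cmp <= 0` check and the updated message are otherwise correct.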
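To show the guard described in the walkthrough and the strictly-greater-than check asked for in this comment end to end, here is an added example that is not the PR's own `scripts/check-version-bumped.mjs`: it keeps the alignment check across package.json files, compares semver with an optional `v` prefix and prerelease ids, requires the current version to be strictly greater than the latest release, and treats a missing release as a pass. The package contents and the release tag are constructed inputs, and `versionGuard` returns a result object instead of calling `process.exit`.

```javascript
// Added example, not the PR's check-version-bumped.mjs: the guard end to end with
// aligned package.json versions, semver comparison and the no-release case.
// Parse "v1.2.3" or "1.2.3-rc.1"; returns null for anything else (e.g. "1.2").
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) return null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ?? null };
}

// Negative if a < b, 0 if equal, positive if a > b, null if either is unparsable.
// A prerelease sorts below its release; prerelease ids use plain string order.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  if (!pa || !pb) return null;
  for (let i = 0; i < 3; i++) if (pa.core[i] !== pb.core[i]) return pa.core[i] - pb.core[i];
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// packages: { "<path>": { version } } as read from each package.json.
// Returns the shared version, or throws listing every file and its version.
function assertAlignedVersions(packages) {
  const entries = Object.entries(packages).map(([p, pkg]) => [p, pkg.version]);
  if (new Set(entries.map(([, v]) => v)).size !== 1) {
    throw new Error("Version mismatch: " + entries.map(([p, v]) => `${p}=${v}`).join(", "));
  }
  return entries[0][1];
}

// latestTag is the release tag_name from the API, or null when no release exists.
// Returns { ok, reason }; a CI wrapper would map ok=false to process.exit(1).
function versionGuard(packages, latestTag) {
  let current;
  try { current = assertAlignedVersions(packages); } catch (e) { return { ok: false, reason: e.message }; }
  if (latestTag == null) return { ok: true, reason: "no release found; nothing to compare" };
  const cmp = compareSemver(current, latestTag);
  if (cmp === null) return { ok: false, reason: `cannot compare ${current} with ${latestTag}` };
  if (cmp <= 0) return { ok: false, reason: `${current} is not greater than ${latestTag}` };
  return { ok: true, reason: `${current} > ${latestTag}` };
}

// Constructed sample inputs: three aligned package.json files and a release tag.
const samplePackages = {
  "package.json": { version: "1.4.0" },
  "apps/desktop/package.json": { version: "1.4.0" },
  "apps/docs/package.json": { version: "1.4.0" },
};
console.log(versionGuard(samplePackages, "v1.3.2")); // { ok: true, reason: '1.4.0 > v1.3.2' }
```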
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@.github/workflows/release-desktop.yml`:
- Around line 11-25: The version_guard job inherits default token permissions;
update the version_guard job to explicitly scope the GITHUB_TOKEN to least
privilege by adding a permissions block (for example permissions: contents:
read) at the job level before steps so the node scripts/check-version-bumped.mjs
step still has a read-only token for release metadata access; keep the existing
env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} and ensure only the minimal read
permission(s) required are granted.
Implemented a small CI workflow for checking that I do not have conflicting release versions.