fix(release): bump marketplace catalogs for coding-tutor removal (#951)

tmchow · web-flow · commit d4cb8eec0db5 · 2026-06-15T13:00:27.000-07:00
diff --git a/.github/release-please-config.json b/.github/release-please-config.json
@@ -67,6 +67,7 @@
     ".claude-plugin": {
       "release-type": "simple",
       "package-name": "marketplace",
+      "release-as": "1.0.3",
       "extra-files": [
         {
           "type": "json",
@@ -78,6 +79,7 @@
     ".cursor-plugin": {
       "release-type": "simple",
       "package-name": "cursor-marketplace",
+      "release-as": "1.0.2",
       "extra-files": [
         {
           "type": "json",
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -37,6 +37,10 @@ jobs:
 
     steps:
       - uses: actions/checkout@v6
+        # Full history so release:validate can read the base-branch (origin/main)
+        # release-please manifest when checking release-as pins for staleness.
+        with:
+          fetch-depth: 0
 
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2
diff --git a/scripts/release/validate.ts b/scripts/release/validate.ts
@@ -1,18 +1,39 @@
 #!/usr/bin/env bun
+import { execFileSync } from "node:child_process"
 import path from "path"
 import { validateReleasePleaseConfig } from "../../src/release/config"
 import { getCompoundEngineeringCounts, syncReleaseMetadata } from "../../src/release/metadata"
 import { readJson } from "../../src/utils/files"
 
 type ReleasePleaseManifest = Record<string, string>
 
+const MANIFEST_RELATIVE_PATH = ".github/.release-please-manifest.json"
+
+// The release-as staleness check must compare a pin against the version already
+// released on the base branch (main), NOT the working tree: a release-please PR
+// bumps the working-tree manifest to the proposed version, which would make a
+// legitimate pin look stale and block the very release it exists to create.
+// Returns {} when origin/main is unreachable (e.g. a shallow checkout that did
+// not fetch it) so the staleness check no-ops rather than risk a false block.
+function readReleasedManifest(): ReleasePleaseManifest {
+  try {
+    const raw = execFileSync("git", ["show", `origin/main:${MANIFEST_RELATIVE_PATH}`], {
+      encoding: "utf8",
+      stdio: ["ignore", "pipe", "ignore"],
+    })
+    return JSON.parse(raw) as ReleasePleaseManifest
+  } catch {
+    return {}
+  }
+}
+
 const releasePleaseConfig = await readJson<{ packages: Record<string, unknown> }>(
   path.join(process.cwd(), ".github", "release-please-config.json"),
 )
 const manifest = await readJson<ReleasePleaseManifest>(
-  path.join(process.cwd(), ".github", ".release-please-manifest.json"),
+  path.join(process.cwd(), ...MANIFEST_RELATIVE_PATH.split("/")),
 )
-const configErrors = validateReleasePleaseConfig(releasePleaseConfig)
+const configErrors = validateReleasePleaseConfig(releasePleaseConfig, readReleasedManifest())
 const counts = await getCompoundEngineeringCounts(process.cwd())
 const result = await syncReleaseMetadata({
   write: false,
diff --git a/src/release/config.ts b/src/release/config.ts
@@ -10,15 +10,56 @@ type ReleasePleaseConfig = {
   packages: Record<string, ReleasePleasePackageConfig>
 }
 
-export function validateReleasePleaseConfig(config: ReleasePleaseConfig): string[] {
+// Maps a release component path (e.g. ".claude-plugin") to its last-released
+// version. Callers pass the manifest as it exists on the base branch (main),
+// NOT the working tree -- on a release-please PR the working-tree manifest is
+// already bumped to the proposed version, which would make a legitimate pin
+// look stale. See validateReleasePleaseConfig and scripts/release/validate.ts.
+type ReleasePleaseManifest = Record<string, string>
+
+// Compares two plain "x.y.z" versions. Returns a negative number when `a` is
+// lower than `b`, 0 when equal, positive when higher. Any pre-release suffix is
+// ignored -- release-owned versions in this repo are plain semver.
+function compareReleaseVersions(a: string, b: string): number {
+  const parse = (version: string) =>
+    version
+      .split("-")[0]
+      .split(".")
+      .map((part) => Number.parseInt(part, 10) || 0)
+  const left = parse(a)
+  const right = parse(b)
+  for (let index = 0; index < Math.max(left.length, right.length); index += 1) {
+    const diff = (left[index] ?? 0) - (right[index] ?? 0)
+    if (diff !== 0) return diff
+  }
+  return 0
+}
+
+export function validateReleasePleaseConfig(
+  config: ReleasePleaseConfig,
+  manifest: ReleasePleaseManifest = {},
+): string[] {
   const errors: string[] = []
 
   for (const [packagePath, packageConfig] of Object.entries(config.packages)) {
     const releaseAs = packageConfig["release-as"]
     if (releaseAs) {
-      errors.push(
-        `Package "${packagePath}" uses temporary release-as pin "${releaseAs}". Remove release-as after the pinned release ships so future releases can bump normally.`,
-      )
+      // A release-as pin is only legitimate as a one-shot forward override: it
+      // must be strictly ahead of the released version so it drives exactly one
+      // release. Once that release ships, the released version catches up to the
+      // pin, and this check then fails on the next PR -- forcing cleanup. This
+      // is what bit the repo in #674: a pin left behind at-or-below the released
+      // version silently re-pins (freezes) every subsequent release.
+      //
+      // `released` is the base-branch (main) version. If it is unknown (e.g. the
+      // base manifest could not be read), we cannot prove the pin is stale, so
+      // we allow it rather than risk blocking a legitimate release.
+      const released = manifest[packagePath]
+      if (released !== undefined && compareReleaseVersions(releaseAs, released) <= 0) {
+        errors.push(
+          `Package "${packagePath}" uses a stale release-as pin "${releaseAs}" that is not ahead of the released version "${released}". Remove release-as after the pinned release ships so future releases can bump normally.`,
+        )
+      }
     }
 
     const changelogPath = packageConfig["changelog-path"]
diff --git a/tests/release-config.test.ts b/tests/release-config.test.ts
@@ -37,22 +37,62 @@ describe("release-please config validation", () => {
     expect(errors).toEqual([])
   })
 
-  test("rejects checked-in release-as pins", () => {
+  // The `manifest` argument is the released (base-branch) version, so an
+  // at-or-below pin means the release already shipped -- the pin is stale.
+  test("rejects a stale release-as pin that is not ahead of the released version", () => {
+    const errors = validateReleasePleaseConfig(
+      {
+        packages: {
+          ".claude-plugin": { "release-as": "1.0.2" },
+          ".cursor-plugin": { "release-as": "1.0.0" },
+        },
+      },
+      {
+        ".claude-plugin": "1.0.2",
+        ".cursor-plugin": "1.0.1",
+      },
+    )
+
+    expect(errors).toHaveLength(2)
+    expect(errors[0]).toContain('Package ".claude-plugin"')
+    expect(errors[0]).toContain("stale")
+    expect(errors[0]).toContain("1.0.2")
+    expect(errors[1]).toContain('Package ".cursor-plugin"')
+    expect(errors[1]).toContain("1.0.0")
+  })
+
+  // A forward pin is ahead of the released version. This is also the state of an
+  // in-flight release-please PR when compared against the base manifest (the
+  // release has not shipped yet), so it must pass.
+  test("allows a forward release-as pin that is ahead of the released version", () => {
+    const errors = validateReleasePleaseConfig(
+      {
+        packages: {
+          ".claude-plugin": { "release-as": "1.0.3" },
+          ".cursor-plugin": { "release-as": "1.0.2" },
+        },
+      },
+      {
+        ".claude-plugin": "1.0.2",
+        ".cursor-plugin": "1.0.1",
+      },
+    )
+
+    expect(errors).toEqual([])
+  })
+
+  // No released baseline (e.g. the base manifest could not be read) means
+  // staleness is unprovable, so the pin is allowed rather than risk blocking a
+  // legitimate release.
+  test("allows a release-as pin when the released version is unknown", () => {
     const errors = validateReleasePleaseConfig({
       packages: {
         ".": {
           "release-as": "3.0.2",
         },
-        "plugins/compound-engineering": {
-          "release-as": "3.0.2",
-        },
       },
     })
 
-    expect(errors).toHaveLength(2)
-    expect(errors[0]).toContain('Package "."')
-    expect(errors[0]).toContain("release-as")
-    expect(errors[1]).toContain('Package "plugins/compound-engineering"')
-    expect(errors[1]).toContain("3.0.2")
+    expect(errors).toEqual([])
   })
 })
