feat(wordpress): assert release ZIP internal version matches the release before upload #1297
Merged
…ase before upload

Adds verify-artifact-version.sh, a guard that opens the packaged ZIP, reads the plugin main-file (or theme style.css) Version header, and fails when it does not equal the version the release is shipping.

Wired into both release chokepoints:
- package.sh verifies the freshly built artifact against the release payload version (falls back to the on-disk header for standalone dry-runs)
- publish.sh verifies the artifact against the release tag immediately before 'gh release upload' — the last stop before a ZIP becomes the asset that homeboy deploy consumes

Motivation: the data-machine-socials v0.14.0 release shipped a v0.8.1 zip as its GitHub release asset (a stale git-tracked blob restored during release recovery), and production silently ran rolled-back code for 6 days because nothing in the pipeline ever opened the zip. Either chokepoint would have caught it.

Includes a smoke test covering plugin match/mismatch, theme fallback match/mismatch, missing-header rejection, and missing-artifact rejection.

Verified against the real incident artifact: the stale 0.8.1 zip is rejected for an 0.14.0 release; the corrected zip passes.

Closes #1296
Summary
- wordpress/scripts/release/verify-artifact-version.sh: opens the packaged ZIP, reads the plugin main-file Version: header (theme style.css fallback), fails on mismatch or missing header
- HOMEBOY_SETTINGS_JSON → .release.version; falls back to the on-disk header for standalone dry-runs)
- gh release upload — the last stop before a ZIP becomes the asset that homeboy deploy consumes
- tests/wordpress-release-artifact-version-smoke.sh: plugin match/mismatch, theme fallback match/mismatch, missing-header rejection, missing-artifact rejection

Why

Closes #1296. The data-machine-socials v0.14.0 release shipped a v0.8.1 zip as its GitHub release asset (a stale git-tracked blob restored by git checkout -- during release recovery — Extra-Chill/data-machine-socials#169), and production silently ran rolled-back code for 6 days. Nothing in the pipeline ever opened the zip. Either chokepoint added here would have caught it.

Verification

- bash -n clean on both edited scripts
- Error: artifact … contains version 0.8.1 but the release expects 0.14.0 — refusing to ship a stale artifact ✓

Defense-in-depth picture
build/*.zip
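
The check described in this PR, sketched in Python as an added example (not the project's verify-artifact-version.sh, which is a shell script not shown on this page). It assumes the plugin main file is a PHP file directly under the ZIP's top-level slug directory carrying a `Plugin Name:` header, and that a leading `v` on the release tag should be ignored; `StaleArtifact`, `artifact_version`, `verify_artifact_version` and `build_zip` are hypothetical names.

```python
import io
import re
import zipfile

HEADER_BYTES = 8192  # WordPress only scans the first 8 KiB of a file for headers
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.M | re.I)
PLUGIN_RE = re.compile(r"^[ \t/*#@]*Plugin Name:", re.M | re.I)

class StaleArtifact(Exception):
    """The ZIP could not be shown to contain the expected version."""

def _head(zf, name):
    with zf.open(name) as fh:
        return fh.read(HEADER_BYTES).decode("utf-8", "replace")

def artifact_version(zip_source):
    """Return the Version header inside a packaged plugin or theme ZIP."""
    try:
        zf = zipfile.ZipFile(zip_source)
    except (OSError, zipfile.BadZipFile) as exc:
        raise StaleArtifact(f"cannot open artifact: {exc}") from exc
    with zf:
        # Only files directly under the slug directory can be the plugin
        # main file or the theme stylesheet; nested files are ignored.
        roots = [n for n in zf.namelist() if n.count("/") == 1 and not n.endswith("/")]
        plugin = [n for n in roots if n.endswith(".php") and PLUGIN_RE.search(_head(zf, n))]
        theme = [n for n in roots if n.rsplit("/", 1)[1] == "style.css"]
        for name in plugin + theme:  # plugin header first, theme fallback second
            match = VERSION_RE.search(_head(zf, name))
            if match:
                return match.group(1)
    raise StaleArtifact("no Version header found in artifact")

def verify_artifact_version(zip_source, expected):
    """Fail closed unless the ZIP's own header equals the release version."""
    expected = expected.lstrip("v")  # assumption: tags look like v0.14.0
    found = artifact_version(zip_source)
    if found != expected:
        raise StaleArtifact(f"artifact contains version {found} but the release expects {expected}")
    return found

def build_zip(files):
    """Constructed sample artifact: {path: text} -> in-memory ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, text in files.items():
            zf.writestr(path, text)
    buf.seek(0)
    return buf
```

The version is read from inside the archive rather than from the working tree, so a stale ZIP sitting next to up-to-date source still fails the check.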