mirror of
https://github.com/alkimake/paperclip.git
synced 2026-06-14 01:50:39 +09:00
29401b231b
## Thinking Path > - Paperclip is a control plane for autonomous agent companies, so its release automation is part of the core operator trust boundary. > - The affected subsystem is npm/GitHub Actions release publishing for the public monorepo packages. > - The concrete failure was that a newly added package reached `master`, the canary workflow attempted its first publish, and npm trusted publishing was not yet bootstrapped for that package. > - That means the problem is not just one broken run; it is a missing pre-merge guard that lets release-ineligible packages land and only fail once `publish_canary` runs. > - This pull request makes release enrollment explicit, validates that enrollment in CI, and adds a PR-time bootstrap check against npm for changed release-enabled package manifests. > - The result is that we keep trusted publishing, avoid teaching CI to `npm adduser`, and move this class of failure from post-merge canary time to pre-merge review time. ## What Changed - Added `scripts/release-package-manifest.json` so release-managed public packages are explicitly enrolled instead of being inferred from every non-private workspace package. - Hardened `scripts/release-package-map.mjs` to validate the manifest before release workflows rewrite versions or assemble publish payloads. - Added `scripts/check-release-package-bootstrap.mjs` and wired it into `.github/workflows/pr.yml` so PRs that change a release-enabled package manifest fail if that package does not already exist on npm. - Added release-package manifest coverage tests to `scripts/release-package-map.test.mjs` and included them in `pnpm run test:release-registry`. - Wired manifest validation into `.github/workflows/release.yml` and documented the first-publish bootstrap policy in `doc/PUBLISHING.md` and `doc/RELEASE-AUTOMATION-SETUP.md`. ## Verification - `pnpm run test:release-registry` - `./scripts/release.sh canary --skip-verify --dry-run` - Confirmed the committed diff contains no obvious PII/secrets via targeted pattern scan before pushing. ## Risks - Low risk overall: this is CI/release-policy code, not product runtime logic. - The new PR bootstrap check depends on npm metadata availability, so a transient npm outage could block a PR that changes a release-enabled package manifest. - The manifest introduces a new source of truth that must stay aligned with public package additions, but that is intentional and now enforced. ## Model Used - OpenAI Codex via the `codex_local` Paperclip adapter; GPT-5-based coding agent with tool use, terminal execution, git, and GitHub CLI. Exact served model ID/context window are not exposed by the local runtime. ## Checklist - [x] I have included a thinking path that traces from project context to this change - [x] I have specified the model used (with version and capability details) - [x] I have checked ROADMAP.md and confirmed this PR does not duplicate planned core work - [x] I have run tests locally and they pass - [x] I have added or updated tests where applicable - [x] If this change affects the UI, I have included before/after screenshots - [x] I have updated relevant documentation to reflect my changes - [x] I have considered and documented any risks above - [x] I will address all Greptile and reviewer comments before requesting merge |
||
|---|---|---|
| .. | ||
| smoke | ||
| backfill-issue-reference-mentions.ts | ||
| backup-db.sh | ||
| bootstrap-npm-package.mjs | ||
| bootstrap-npm-package.test.mjs | ||
| build-npm.sh | ||
| build-standalone-public-packages.mjs | ||
| capture-acpx-skills-screenshots.mjs | ||
| check-docker-deps-stage.mjs | ||
| check-forbidden-tokens.mjs | ||
| check-release-package-bootstrap.mjs | ||
| check-release-package-bootstrap.test.mjs | ||
| clean-onboard-git.sh | ||
| clean-onboard-npm.sh | ||
| clean-onboard-ref.sh | ||
| create-github-release.sh | ||
| dev-runner-output.mjs | ||
| dev-runner-output.ts | ||
| dev-runner-paths.mjs | ||
| dev-runner.mjs | ||
| dev-runner.ts | ||
| dev-service-profile.ts | ||
| dev-service.ts | ||
| discord-daily-digest.sh | ||
| docker-build-test.sh | ||
| docker-entrypoint.sh | ||
| docker-onboard-smoke.sh | ||
| ensure-plugin-build-deps.mjs | ||
| ensure-workspace-package-links.ts | ||
| generate-company-assets.ts | ||
| generate-npm-package-json.mjs | ||
| generate-org-chart-images.ts | ||
| generate-org-chart-satori-comparison.ts | ||
| generate-plugin-package-json.mjs | ||
| generate-ui-package-json.mjs | ||
| kill-agent-browsers.sh | ||
| kill-dev.sh | ||
| kill-vitest.sh | ||
| link-plugin-dev-sdk.mjs | ||
| measure-issue-chat-long-thread.mjs | ||
| migrate-inline-env-secrets.ts | ||
| paperclip-commit-metrics.ts | ||
| paperclip-issue-update.sh | ||
| prepare-server-ui-dist.sh | ||
| provision-worktree.sh | ||
| release-lib.sh | ||
| release-package-manifest.json | ||
| release-package-map.mjs | ||
| release-package-map.test.mjs | ||
| release.sh | ||
| rollback-latest.sh | ||
| run-vitest-stable.mjs | ||
| screenshot-pap2373.mjs | ||
| screenshot-subissues.mjs | ||
| screenshot.cjs | ||
| verify-release-registry-state.mjs | ||
| verify-release-registry-state.test.mjs | ||