review: keep the pinned review.md ref in sync with the released version#242
Open
jwbron wants to merge 1 commit into
Open
review: keep the pinned review.md ref in sync with the released version#242jwbron wants to merge 1 commit into
jwbron wants to merge 1 commit into
Conversation
…sync with the released version The pre-agent-steps checkout ref in review.md is supposed to name the release the file ships in, but changesets only bumps package.json, so every tag since review-v1.2.2 shipped with a stale ref (and v1.4.0's prompt invokes lib/provenance.ts, which a v1.2.2 checkout lacks). The release flow's version command now runs utils/sync-review-version.ts after changeset version, rewriting every review-v<semver> literal in review.md to the version being released so the bump lands in the same Version Packages commit that gets tagged. version-sync.test.ts is the CI backstop: it fails any PR where the ref diverges from the review package version. Also bumps the currently stale ref to review-v1.4.0.
🦋 Changeset detectedLatest commit: bfd3cea The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
jeresig
approved these changes
Jul 10, 2026
jeresig
left a comment
Member
There was a problem hiding this comment.
Thanks for solving this issue - one request inline to make this generic for any possible workflow that we add!
| if: steps.has-changesets.outputs.result == 'true' | ||
| uses: changesets/action@6a0a831ff30acef54f2c6aa1cbbc1096b066edaf # v1 | ||
| with: | ||
| # Not the default `changeset version`: version-packages also syncs |
Member
There was a problem hiding this comment.
Suggested change
| # Not the default `changeset version`: version-packages also syncs | |
| # Note the default `changeset version`: version-packages also syncs |
| @@ -0,0 +1,79 @@ | |||
| import * as fs from "fs"; | |||
Member
There was a problem hiding this comment.
Could we make this generic so that it updates any workflow? We're bound to have more shared workflows so we might as well handle this in a single way.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem: the ref: lag
workflows/review/review.mdchecks out Khan/actions at a pinned tag in itspre-agent-stepsto fetch the deterministic lib the prompt invokes at runtime. The file's own comment calls thatref:"the single version surface for prompt + code", but nothing updated it during a release: changesets bumpspackage.jsonand changelogs, not prose in a markdown file, so every tag since review-v1.2.2 (v1.3.0, v1.3.1, v1.4.0) shipped with the ref still readingreview-v1.2.2.The skew is not cosmetic: the v1.4.0 prompt invokes
lib/provenance.ts, which does not exist in a v1.2.2 checkout, so an un-overridden consumer gets runtime failures or silently missing gates. It also mis-stamps attribution, since the postedpr-reviewer:versionmarker reads the version from the pinned checkout'spackage.json. (This is the "operational floor" row from the round-two plan, re-confirmed on the review-v1.4.0 tag on 2026-07-09.)Fix: automation, not vigilance
review-v<semver>literal in review.md (today, only the checkoutref:line) to the currentreviewpackage version, and fails if it finds none to rewrite.pnpm run version-packages(changeset versionfollowed by the sync) instead of the defaultchangeset version, so the ref bump lands in the same Version Packages commit that gets tagged. If a Version Packages PR does not bumpreview, the sync is a no-op.reviewpackage version. Runs with the existingpnpm run test --runstep in node-ci.review-v1.4.0so the invariant holds on main now; the next release rewrites it automatically.review-vliterals found no other embeds outside changelogs and test fixtures).Changeset included (patch bump for
review; release plumbing and comments only).Verification
pnpm run version-packagesagainst this PR's real changeset:changeset versionbumpedreviewto 1.4.1 and the sync rewrote the ref toreview-v1.4.1in the same working state the changesets action commits (then reset).review-v1.2.2, the backstop test fails as intended.vitestsuite,eslint, andtscall green on the real tree.Once a release ships with the sync in place, webapp's hand-pinned override (its imported review.md carries a "the tag's own ref line lags the release" comment and hand-bumps the ref on every re-import) can be dropped on its next re-import.
cc @jeresig
Human steps (non-review)
reviewpackage release merges, confirm the taggedreview.mdcarriesref: review-v<released version>(the sync step) and that CI would have failed without it (the assert).ref:override comment ("the tag's own ref line lags the release") from itsreview.md.