Skip to content

fix(release): stop patch-release-me double-bumping ql/hotspots#175

Merged
felickz merged 1 commit into
mainfrom
fix/release-yml-hotspots-exclude
Jul 10, 2026
Merged

fix(release): stop patch-release-me double-bumping ql/hotspots#175
felickz merged 1 commit into
mainfrom
fix/release-yml-hotspots-exclude

Conversation

@felickz

@felickz felickz commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Why

ql/hotspots/ is deliberately excluded from .release.yml's pack-version
location (added in #158/d0b969e - it's a separate package published by its
own manual workflow_dispatch, not part of the per-language pack family),
yet it kept getting bumped in lockstep with every release anyway (0.2.4 →
0.3.0 in #173, 0.2.1 → 0.2.4 in #169 before that).

Root cause

Confirmed by running the exact pinned patch-release-me image locally with
--debug, against both a minimal repro and a full copy of this repo's real
qlpack.yml files:

  1. patch-release-me ships its own hardcoded default location for the
    CodeQL ecosystem, literally named "CodeQL Packs" (see its
    src/defaults.yml), matching **/qlpack.yml with only its own
    excludes: [/.codeql/]. Our custom location was named "CodeQL Pack Versions" — a different name — so the config loader only adds its
    built-in default alongside ours instead of treating ours as an override
    (it only skips the default when a location with the exact same name
    already exists). The built-in default has no idea about our
    ql/hotspots/ exclude, so it bumps that file regardless of what we
    configured.
  2. Our own location's pattern has never actually matched anything, ever.
    ^version:\s*{version}$ anchors ^/$ to the whole file (not each
    line) without a (?m) multiline flag, and version: is never the
    literal first/last byte of a real multi-line qlpack.yml. All real
    bumping across every pack has silently been done by the built-in default
    this whole time — which is exactly why our exclude never took effect.

Fix

Two one-line changes to .release.yml, verified together locally against
all 28 real qlpack.yml files in this repo (with their actual LF line
endings, matching what CI/the Linux Docker image actually sees):

  • Rename our location to exactly "CodeQL Packs", so patch-release-me's
    default-merge logic skips adding its conflicting built-in default instead
    of running both.
  • Add the (?m) flag so the anchor actually works per-line, keeping the
    original anti-partial-match protection (e.g. a bump of 0.2.2 incorrectly
    matching inside 0.2.20) while actually working at all.

Verified: re-running bump -m minor against a real copy of this repo's
28 tracked qlpack.yml files (extracted via git cat-file to avoid a
Windows CRLF checkout artifact that produced a false negative on the first
attempt) - all 20 real packs bump 0.2.4 → 0.3.0 correctly,
ql/hotspots/qlpack.yml stays untouched, .release.yml itself still
bumps.

Also in this PR

  • Reverted ql/hotspots/qlpack.yml's unintended version bump directly on
    chore: bump pinned CodeQL CLI to v2.22.4 and release v0.3.0 #173 (separate commit there) to unblock that release without waiting on
    this fix.
  • Documents the "CodeQL Packs" name + (?m) pattern requirements in
    CONTRIBUTING.md's "Cutting a release" section, so a future edit doesn't
    silently reintroduce this.

`ql/hotspots/` is deliberately excluded from `.release.yml`'s
"CodeQL Pack Versions" location (added in #158/d0b969e: it's a
separate package published by its own manual workflow_dispatch, not
part of the per-language pack family) - yet it kept getting bumped in
lockstep with every release anyway (most recently 0.2.4 -> 0.3.0 in
PR #173, and 0.2.1 -> 0.2.4 in PR #169 before that).

Root cause, confirmed by running the exact pinned patch-release-me
image locally with --debug against both a minimal repro and a full
copy of this repo's real qlpack.yml files:

1. patch-release-me ships its own hardcoded default location for the
   "CodeQL" ecosystem, literally named "CodeQL Packs" (see its
   src/defaults.yml), matching **/qlpack.yml with only
   `excludes: [/.codeql/]`. Our own custom location was named
   "CodeQL Pack Versions" - a different name - so patch-release-me's
   config loader (src/config.rs) adds its built-in default *alongside*
   ours instead of treating ours as an override (it only skips adding
   the default when a location with the exact same `name` already
   exists). The built-in default has no idea about our `ql/hotspots/`
   exclude, so it bumps that file regardless.

2. Our own location's pattern (`^version:\s*{version}$`) has never
   actually matched anything, on any pack, since the day it was
   anchored in d0b969e - the `^`/`$` anchor to the whole file, not
   each line, without a `(?m)` multiline flag, and `version:` is never
   the literal first/last byte of a real multi-line qlpack.yml. All
   real bumping has silently been done by the built-in default this
   whole time, which is exactly why our exclude never took effect.

Fix (both verified together, locally, against all 28 real qlpack.yml
files in this repo with their actual LF line endings):
- Rename our location to exactly "CodeQL Packs" so patch-release-me's
  default-merge logic skips adding its own conflicting built-in
  default instead of running both.
- Add the `(?m)` flag so the anchor actually works per-line, keeping
  the original anti-partial-match protection (e.g. bumping "0.2.2"
  from correctly matching inside "0.2.20") while working at all.

Verified: all 20 real packs bump correctly, `ql/hotspots/qlpack.yml`
stays untouched, `.release.yml` itself still bumps.

Also documents this in CONTRIBUTING.md's "Cutting a release" section
so the location's name/pattern requirements aren't silently broken
again by a future edit.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 10, 2026 22:44

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes the repo’s automated release bumping configuration so 42ByteLabs/patch-release-me updates only the intended qlpack.yml versions and does not inadvertently bump the separately-managed ql/hotspots package. It also documents the key configuration constraints to prevent regressions.

Changes:

  • Renames the .release.yml location to CodeQL Packs to override (rather than coexist with) patch-release-me’s built-in default location for the CodeQL ecosystem.
  • Updates the pack-version matching regex to use (?m) so ^...$ anchors apply per-line and actually match version: in real multi-line qlpack.yml files.
  • Adds an IMPORTANT note in CONTRIBUTING.md documenting the required location name and regex behavior, and reiterates why ql/hotspots/ must remain excluded.
Show a summary per file
File Description
CONTRIBUTING.md Documents the required .release.yml location name and multiline regex requirement, plus why ql/hotspots/ must remain excluded.
.release.yml Adjusts the location name and regex pattern so releases bump the intended packs and avoid ql/hotspots/.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 2/2 changed files
  • Comments generated: 0
  • Review effort level: Low

@felickz felickz merged commit ce2f4ee into main Jul 10, 2026
22 checks passed
@felickz felickz deleted the fix/release-yml-hotspots-exclude branch July 10, 2026 22:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants