fix(release): stop patch-release-me double-bumping ql/hotspots#175
Merged
Conversation
`ql/hotspots/` is deliberately excluded from `.release.yml`'s "CodeQL Pack Versions" location (added in #158/d0b969e: it's a separate package published by its own manual workflow_dispatch, not part of the per-language pack family) - yet it kept getting bumped in lockstep with every release anyway (most recently 0.2.4 -> 0.3.0 in PR #173, and 0.2.1 -> 0.2.4 in PR #169 before that). Root cause, confirmed by running the exact pinned patch-release-me image locally with --debug against both a minimal repro and a full copy of this repo's real qlpack.yml files: 1. patch-release-me ships its own hardcoded default location for the "CodeQL" ecosystem, literally named "CodeQL Packs" (see its src/defaults.yml), matching **/qlpack.yml with only `excludes: [/.codeql/]`. Our own custom location was named "CodeQL Pack Versions" - a different name - so patch-release-me's config loader (src/config.rs) adds its built-in default *alongside* ours instead of treating ours as an override (it only skips adding the default when a location with the exact same `name` already exists). The built-in default has no idea about our `ql/hotspots/` exclude, so it bumps that file regardless. 2. Our own location's pattern (`^version:\s*{version}$`) has never actually matched anything, on any pack, since the day it was anchored in d0b969e - the `^`/`$` anchor to the whole file, not each line, without a `(?m)` multiline flag, and `version:` is never the literal first/last byte of a real multi-line qlpack.yml. All real bumping has silently been done by the built-in default this whole time, which is exactly why our exclude never took effect. Fix (both verified together, locally, against all 28 real qlpack.yml files in this repo with their actual LF line endings): - Rename our location to exactly "CodeQL Packs" so patch-release-me's default-merge logic skips adding its own conflicting built-in default instead of running both. - Add the `(?m)` flag so the anchor actually works per-line, keeping the original anti-partial-match protection (e.g. bumping "0.2.2" from correctly matching inside "0.2.20") while working at all. Verified: all 20 real packs bump correctly, `ql/hotspots/qlpack.yml` stays untouched, `.release.yml` itself still bumps. Also documents this in CONTRIBUTING.md's "Cutting a release" section so the location's name/pattern requirements aren't silently broken again by a future edit. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR fixes the repo’s automated release bumping configuration so 42ByteLabs/patch-release-me updates only the intended qlpack.yml versions and does not inadvertently bump the separately-managed ql/hotspots package. It also documents the key configuration constraints to prevent regressions.
Changes:
- Renames the
.release.ymllocation toCodeQL Packsto override (rather than coexist with)patch-release-me’s built-in default location for the CodeQL ecosystem. - Updates the pack-version matching regex to use
(?m)so^...$anchors apply per-line and actually matchversion:in real multi-lineqlpack.ymlfiles. - Adds an IMPORTANT note in
CONTRIBUTING.mddocumenting the required location name and regex behavior, and reiterates whyql/hotspots/must remain excluded.
Show a summary per file
| File | Description |
|---|---|
CONTRIBUTING.md |
Documents the required .release.yml location name and multiline regex requirement, plus why ql/hotspots/ must remain excluded. |
.release.yml |
Adjusts the location name and regex pattern so releases bump the intended packs and avoid ql/hotspots/. |
Review details
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 2/2 changed files
- Comments generated: 0
- Review effort level: Low
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
ql/hotspots/is deliberately excluded from.release.yml's pack-versionlocation (added in #158/d0b969e - it's a separate package published by its
own manual
workflow_dispatch, not part of the per-language pack family),yet it kept getting bumped in lockstep with every release anyway (0.2.4 →
0.3.0 in #173, 0.2.1 → 0.2.4 in #169 before that).
Root cause
Confirmed by running the exact pinned
patch-release-meimage locally with--debug, against both a minimal repro and a full copy of this repo's realqlpack.ymlfiles:patch-release-meships its own hardcoded default location for theCodeQLecosystem, literally named"CodeQL Packs"(see itssrc/defaults.yml), matching**/qlpack.ymlwith only its ownexcludes: [/.codeql/]. Our custom location was named"CodeQL Pack Versions"— a different name — so the config loader only adds itsbuilt-in default alongside ours instead of treating ours as an override
(it only skips the default when a location with the exact same
namealready exists). The built-in default has no idea about our
ql/hotspots/exclude, so it bumps that file regardless of what weconfigured.
^version:\s*{version}$anchors^/$to the whole file (not eachline) without a
(?m)multiline flag, andversion:is never theliteral first/last byte of a real multi-line
qlpack.yml. All realbumping across every pack has silently been done by the built-in default
this whole time — which is exactly why our exclude never took effect.
Fix
Two one-line changes to
.release.yml, verified together locally againstall 28 real
qlpack.ymlfiles in this repo (with their actual LF lineendings, matching what CI/the Linux Docker image actually sees):
"CodeQL Packs", sopatch-release-me'sdefault-merge logic skips adding its conflicting built-in default instead
of running both.
(?m)flag so the anchor actually works per-line, keeping theoriginal anti-partial-match protection (e.g. a bump of
0.2.2incorrectlymatching inside
0.2.20) while actually working at all.Verified: re-running
bump -m minoragainst a real copy of this repo's28 tracked
qlpack.ymlfiles (extracted viagit cat-fileto avoid aWindows CRLF checkout artifact that produced a false negative on the first
attempt) - all 20 real packs bump
0.2.4 → 0.3.0correctly,ql/hotspots/qlpack.ymlstays untouched,.release.ymlitself stillbumps.
Also in this PR
ql/hotspots/qlpack.yml's unintended version bump directly onchore: bump pinned CodeQL CLI to v2.22.4 and release v0.3.0 #173 (separate commit there) to unblock that release without waiting on
this fix.
"CodeQL Packs"name +(?m)pattern requirements inCONTRIBUTING.md's "Cutting a release" section, so a future edit doesn'tsilently reintroduce this.