
fix(release): restore release binaries — immutable-release draft flow + portable BSD sed #641

Merged: hyperpolymath merged 1 commit into main from claude/inspiring-newton-dg5wov on Jun 21, 2026

@hyperpolymath

Owner

Problem

v0.2.0 shipped source-only (regression from v0.1.1, which had affinescript-linux-x64, affinescript-macos-x64, affinescript-macos-arm64, SHA256SUMS). Downstream consumers on locked-down networks rely on the prebuilt binary (building from source needs opam + ~15 packages, blocked when opam.ocaml.org 403s), and the v0.1.1 binary can't parse v0.2.0-only syntax — e.g. quandledb's quandle_gui.affine Parse error (quandledb PR #60 had to pin v0.1.1).

Root cause — two bugs, both confirmed from the failed v0.2.0 run (26694097435)

  1. Immutable releases. prepare created a published release, then the build matrix uploaded assets to it. The repo enabled immutable releases between v0.1.1 (immutable:false) and v0.2.0 (immutable:true); immutable published releases reject asset uploads — the linux leg died with:
    HTTP 422: Cannot upload assets to an immutable release.
    
  2. BSD sed. The version-bake step (added in v0.2.0) used sed -i "s/…", which BSD sed on the macOS runners rejects (sed: 1: "lib/version.ml": extra characters at the end of l command) — so macos-x64 and macos-arm64 failed before building anything.

Fix (.github/workflows/release.yml only)

  • Draft → upload → publish: create the release as a --draft (mutable), let the build legs upload binaries into it, and gh release edit --draft=false --latest last in the checksums job — so it seals atomically with all four assets attached, compatible with immutable releases.
  • Portable in-place sed: sed -i.bak … (accepted by both GNU and BSD sed) + remove the backups.

Verification

  • Compiler builds in release mode locally (dune build --release → ELF x86-64); --version and check <file> work.
  • Bake substitutions match lib/version.ml (let value = "0.2.1") and .build/dune-project ((version 0.2.1)).
  • YAML validated.

Publishing

v0.2.0 is immutable and cannot be amended, so binaries are published via a fresh v0.2.1 tag built with this fixed workflow (per the task: "otherwise cut v0.2.1"). This PR lands the same fix on main for all future releases.

Refs ADR-019, #260 S2.

🤖 Generated with Claude Code

https://claude.ai/code/session_01Lz7pRcec2Z3tVtaAhvB3M8


Generated by Claude Code
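
The draft → upload → publish order described above matters because an immutable release cannot be repaired once published, so the publish step is the last point at which a missing or corrupted asset can still be caught. The following is an added example, not code from this PR or the project's workflow: a gate to run before the `gh release edit --draft=false --latest` call, using the asset names the description lists. The staging directory, the function names, `dist` and the `$TAG` variable are assumptions.

```shell
#!/bin/sh
# Added example, not the project's workflow. Asset names are the ones the PR
# lists; the staging directory and file contents are constructed.
EXPECTED_ASSETS="affinescript-linux-x64 affinescript-macos-x64 affinescript-macos-arm64"

# sha256_of FILE: print the hex digest with whichever tool the runner has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# ready_to_publish DIR
# Returns 0 only if every expected binary is present, non-empty, listed in
# DIR/SHA256SUMS, and its digest matches the listed one.
ready_to_publish() {
    dir=$1
    [ -s "$dir/SHA256SUMS" ] || { echo "missing SHA256SUMS" >&2; return 1; }
    for asset in $EXPECTED_ASSETS; do
        [ -s "$dir/$asset" ] || { echo "missing asset: $asset" >&2; return 1; }
        # Accept both "hash  name" and "hash *name" (binary mode) entries.
        want=$(awk -v f="$asset" '$2 == f || $2 == "*" f { print $1 }' "$dir/SHA256SUMS")
        [ -n "$want" ] || { echo "not in SHA256SUMS: $asset" >&2; return 1; }
        [ "$want" = "$(sha256_of "$dir/$asset")" ] ||
            { echo "digest mismatch: $asset" >&2; return 1; }
    done
}

# In the final job the gate sits directly before the publish command
# (dist and $TAG are assumed names):
#   ready_to_publish dist && gh release edit "$TAG" --draft=false --latest

# Constructed staging directory standing in for the downloaded draft assets.
stage=$(mktemp -d)
for a in $EXPECTED_ASSETS; do
    printf 'constructed %s\n' "$a" > "$stage/$a"
    printf '%s  %s\n' "$(sha256_of "$stage/$a")" "$a" >> "$stage/SHA256SUMS"
done
ready_to_publish "$stage" && echo "gate passed: safe to publish"
rm -rf "$stage"
```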

…D sed

v0.2.0 shipped SOURCE-ONLY (regression from v0.1.1). Two bugs in the release
workflow, both confirmed from the failed v0.2.0 run (26694097435):

1. Immutable releases. `prepare` created a *published* release, then the build
   matrix uploaded assets to it. The repo enabled immutable releases between
   v0.1.1 (immutable:false) and v0.2.0 (immutable:true); immutable *published*
   releases reject asset uploads — the linux leg died with "HTTP 422: Cannot
   upload assets to an immutable release". Fix: create the release as a DRAFT,
   upload all binaries + SHA256SUMS into the draft, then publish (--draft=false)
   last so it seals atomically with all four assets.

2. BSD sed. The version-bake step (added in v0.2.0) used `sed -i "s/..."`, which
   BSD sed on the macOS runners rejects ("extra characters at the end of l
   command") — so macos-x64 and macos-arm64 failed before building. Fix:
   `sed -i.bak ...` (portable across GNU + BSD) and remove the backups.

Verified locally: the compiler builds in release mode (ELF x86-64); `--version`
and `check` work; the bake substitutions match lib/version.ml + .build/dune-project.

v0.2.0 is immutable and cannot be amended, so the binaries are published via a
fresh v0.2.1 tag built with this fixed workflow. Refs ADR-019, #260 S2.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Lz7pRcec2Z3tVtaAhvB3M8
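
The portable `sed -i.bak` bake described in the commit message, as an added example that is not the workflow's own step. It goes slightly beyond the fix by validating the version before it is interpolated into the sed script and by checking that the substitution actually matched; the function name and the sed patterns are assumptions, while the two file paths and their version lines are the ones the PR quotes.

```shell
#!/bin/sh
# Added example, not the project's release.yml. Paths follow the two files the
# PR names; their contents below are constructed.

# bake_version VERSION ROOT
# Writes VERSION into ROOT/lib/version.ml and ROOT/.build/dune-project.
bake_version() {
    version=$1
    root=$2

    # Only a plain x.y.z may reach the sed script: a tag containing `/`, `&`
    # or a newline would otherwise change what the substitution does.
    case $version in
        '' | *[!0-9.]*) echo "rejected version: $version" >&2; return 2 ;;
    esac
    printf '%s\n' "$version" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$' || return 2

    # -i.bak (suffix attached, no space) is accepted by GNU and BSD sed alike.
    sed -i.bak "s/let value = \"[^\"]*\"/let value = \"$version\"/" \
        "$root/lib/version.ml" || return 1
    sed -i.bak "s/(version [^)]*)/(version $version)/" \
        "$root/.build/dune-project" || return 1
    rm -f "$root/lib/version.ml.bak" "$root/.build/dune-project.bak"

    # sed exits 0 even when nothing matched, so confirm the literal landed.
    grep -qF "let value = \"$version\"" "$root/lib/version.ml" &&
        grep -qF "(version $version)" "$root/.build/dune-project"
}

# Constructed demo tree.
demo=$(mktemp -d)
mkdir -p "$demo/lib" "$demo/.build"
printf 'let value = "0.2.0"\n' > "$demo/lib/version.ml"
printf '(lang dune 3.0)\n(version 0.2.0)\n' > "$demo/.build/dune-project"
bake_version 0.2.1 "$demo" && cat "$demo/lib/version.ml" "$demo/.build/dune-project"
rm -rf "$demo"
```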
@github-actions


🔍 Hypatia Security Scan

Findings: 41 issues detected

| Severity | Count |
|---|---|
| 🔴 Critical | 2 |
| 🟠 High | 23 |
| 🟡 Medium | 16 |

⚠️ Action Required: Critical security issues found!

View findings
[
  {
    "reason": "Action denoland/setup-deno@v2 needs attention",
    "type": "unpinned_action",
    "file": "publish-jsr.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in instant-sync.yml",
    "type": "secret_action_without_presence_gate",
    "file": "instant-sync.yml",
    "action": "peter-evans/repository-dispatch",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Shell execution -- validate input before passing to shell (1 occurrences, CWE-78)",
    "type": "js_exec_sync",
    "file": "/home/runner/work/affinescript/affinescript/packages/affinescript-cli/mod.js",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "Shell execution -- validate input before passing to shell (2 occurrences, CWE-78)",
    "type": "js_exec_sync",
    "file": "/home/runner/work/affinescript/affinescript/packages/affine-vscode/mod.js",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "Shell execution -- validate input before passing to shell (1 occurrences, CWE-78)",
    "type": "js_exec_sync",
    "file": "/home/runner/work/affinescript/affinescript/affinescript-vite/src/affine-plugin-improved.js",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "expect() in hot path (32 occurrences, CWE-754)",
    "type": "expect_in_hot_path",
    "file": "/home/runner/work/affinescript/affinescript/affinescriptiser/src/codegen/wasm_gen.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "expect() in hot path (29 occurrences, CWE-754)",
    "type": "expect_in_hot_path",
    "file": "/home/runner/work/affinescript/affinescript/affinescriptiser/src/codegen/affine_gen.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "unsafe block -- requires SAFETY comment (2 occurrences, CWE-676)",
    "type": "unsafe_block",
    "file": "/home/runner/work/affinescript/affinescript/runtime/src/panic.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "unsafe block -- requires SAFETY comment (1 occurrences, CWE-676)",
    "type": "unsafe_block",
    "file": "/home/runner/work/affinescript/affinescript/runtime/src/alloc.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "unsafe block -- requires SAFETY comment (3 occurrences, CWE-676)",
    "type": "unsafe_block",
    "file": "/home/runner/work/affinescript/affinescript/runtime/src/ffi.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence

@hyperpolymath hyperpolymath marked this pull request as ready for review June 21, 2026 18:18
@hyperpolymath hyperpolymath merged commit b8ba479 into main Jun 21, 2026
18 checks passed
@hyperpolymath hyperpolymath deleted the claude/inspiring-newton-dg5wov branch June 21, 2026 18:18
hyperpolymath added a commit that referenced this pull request Jun 21, 2026
…E.a2ml refresh (#649)

The three quick wind-down items from the close-out triage. The larger
docs consolidation (unifying the two learning tracks, wiki-sync audit)
stays tracked in **#647**.

## 1. `docs/tutorial/lesson-01-hello.adoc` (new)
The `docs/tutorial/` track started at **lesson-02** — the intro lived
only under `docs/guides/`, so a reader opening the tutorial began at
lesson 2. Adds a concise, self-contained first lesson with a lessons
1–10 map and the `check`/`eval`/`compile` workflow.

The hello-world is **verified against the built compiler**: `fn main()
-> Int { println(…); return 0; }` passes `check`, prints under `eval`,
and `compile`s to WASM. (Note: the *bare* top-level `println(…)` form
shown in `docs/guides/lessons/01-hello-affinescript.adoc` is a **parse
error** on the current compiler — folded into #647 rather than fixed
here.)

## 2. README + NAVIGATION — "Start here — by audience"
A top-level router so each audience has a clear entry point:
- **New users** → tutorial → runnable warm-ups → language reference
- **Developers** → repository map → `wiki/compiler/architecture` → ADRs
→ capability matrix
- **Maintainers** → `MAINTAINERS` → contributing → ops playbook →
soundness ledger

(Also adds a `SOUNDNESS.adoc` back-link in `NAVIGATION.adoc`.)

## 3. `.machine_readable/6a2/STATE.a2ml`
Adds a `2026-06-21` session note (release fix #641, the already-landed
#602 ctor fix, filed gaps #642#644/#646/#647) and bumps `last-updated`.
It was self-flagged stale; it still **mirrors** the authoritative docs,
it does not lead.

## Verification
All three doc guards pass locally: `check-doc-truthing`,
`check-soundness-ledger`, `check-capability-anchors`. No over-claim
phrases introduced; no compiler/code changes.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

https://claude.ai/code/session_01Lz7pRcec2Z3tVtaAhvB3M8

---
_Generated by [Claude
Code](https://claude.ai/code/session_01Lz7pRcec2Z3tVtaAhvB3M8)_

Co-authored-by: Claude <noreply@anthropic.com>