From d9a7b5d985870b2deeff3a02a0e9f855b7fd2498 Mon Sep 17 00:00:00 2001 From: Stefan Steiner Date: Mon, 1 Jun 2026 20:31:06 -0700 Subject: [PATCH] fix(release): include hyperdb-compile-check in lockfile-sync guard allow-list MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The 'Verify lockfile diff is workspace-only' sentinel in release-please.yml builds its allow-list from `cargo metadata --no-deps` on the ROOT workspace. But hyperdb-compile-check is deliberately NOT a root-workspace member (it declares its own [workspace] so it can build/test standalone), so root metadata omits it — while it IS a path crate in the root lockfile and gets a 0.3.1 -> 0.4.0 bump during the release lock-sync. The guard therefore false-positived and aborted the v0.4.0 release with: Cargo.lock sync touched non-workspace packages: hyperdb-compile-check Fix: union the root workspace members with hyperdb-compile-check's own workspace members (its sub-workspace cargo metadata). Both halves are still derived at runtime, so future workspace additions stay in sync with no hard-coded list. Verified against the real v0.4.0 lock diff: the old allow-list flags hyperdb-compile-check (reproducing the failure); the unioned allow-list accepts all 9 bumped path crates and the guard passes. Also corrects the stale '8 workspace-member version rows' comment to 9, naming hyperdb-compile-check. This is the third place the compile-check non-membership exception needed handling (after the version-pin markers in #97 and the publish ordering). --- .github/workflows/release-please.yml | 27 ++++++++++++++++++++------- 1 file changed, 20 insertions(+), 7 deletions(-) diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml index e4d82b0..3a66feb 100644 --- a/.github/workflows/release-please.yml +++ b/.github/workflows/release-please.yml @@ -119,13 +119,14 @@ jobs: # `cargo metadata --format-version=1` forces a lockfile # reconciliation pass against the current Cargo.tomls. Empirically - # validated on this workspace: it flips exactly the 8 workspace- - # member version rows (hyperdb-api, hyperdb-api-core, + # validated on this workspace: it flips exactly the 9 path-crate + # version rows in the root lockfile (hyperdb-api, hyperdb-api-core, # hyperdb-api-derive, hyperdb-api-node, hyperdb-api-salesforce, - # hyperdb-bootstrap, hyperdb-mcp, sea-query-hyperdb) and touches - # no external dep rows. The "Verify lockfile diff is workspace- - # only" sentinel below catches it if a future cargo version - # diverges. + # hyperdb-bootstrap, hyperdb-mcp, sea-query-hyperdb, and + # hyperdb-compile-check — the last is its own workspace but is + # still a path dep in the root lock) and touches no external dep + # rows. The "Verify lockfile diff is workspace-only" sentinel below + # catches it if a future cargo version diverges. # # Why not `cargo generate-lockfile`: it does a full re-resolve # and bumps unrelated transitive deps to their latest semver @@ -182,7 +183,19 @@ jobs: # Layer 2: enumerate workspace members at runtime, then # check each name appearing in the diff is in that set. # `select(.source==null)` filters out registry packages. - WORKSPACE=$(cargo metadata --no-deps --format-version=1 \ + # + # hyperdb-compile-check is deliberately NOT a member of the root + # workspace (it declares its own `[workspace]` so it can build/test + # standalone), so root `cargo metadata` omits it — yet it IS a path + # crate in the root lockfile and gets a version bump on release. Union + # in its own workspace's members so the guard doesn't false-positive + # on it. Both sides are runtime-derived, so workspace additions stay + # automatically in sync with no hard-coded list. + WORKSPACE=$( { \ + cargo metadata --no-deps --format-version=1; \ + cargo metadata --no-deps --format-version=1 \ + --manifest-path hyperdb-compile-check/Cargo.toml; \ + } \ | jq -r '.packages[] | select(.source==null) | .name' \ | sort -u) CHANGED=$(git diff -U1 -- Cargo.lock \