fix(release): detect in-proposal dependency major bumps#2200
Conversation
The major-bump audit ran against release_head_sha (the released ref before this run's version bumps), so a crate whose direct dependency was bumped to a new major within the same proposal was not escalated: e.g. libdd-trace-protobuf 3->4 left libdd-trace-normalization at a minor bump. Audit against the proposal branch HEAD instead (the released ref plus the previous step's bumps), which includes cargo-release's dependency-requirement rewrites so in-proposal majors propagate. It is still built from the released ref, so main-only changes absent from a hotfix/older-ref release do not trigger spurious bumps. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
🎉 All green!🧪 All tests passed 🎯 Code Coverage (details) 🔗 Commit SHA: 91b4246 | Docs | Datadog PR Page | Give us feedback! |
Artifact Size Benchmark Reportaarch64-alpine-linux-musl
aarch64-unknown-linux-gnu
libdatadog-x64-windows
libdatadog-x86-windows
x86_64-alpine-linux-musl
x86_64-unknown-linux-gnu
|
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 91b42466a9
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| PROPOSAL_SHA=$(git rev-parse HEAD) | ||
|
|
||
| git worktree add --detach "$MAJOR_BUMPS_WT" "$RELEASE_SHA" | ||
| git worktree add --detach "$MAJOR_BUMPS_WT" "$PROPOSAL_SHA" |
There was a problem hiding this comment.
Re-run major-bump audit after forced major bumps
When the selected crates contain a dependency chain such as A -> B -> C, this one-time snapshot is taken before the loop below applies any forced major bumps. If A's in-proposal major makes B major in this step, cargo release version -p B rewrites C's B requirement as well (cargo-release documents that it updates dependent crates in the workspace when changing versions), but C was already audited against B's pre-major manifest and can remain pending or patch/minor with major_bumps: []. The audit needs to iterate to a fixed point, or otherwise re-check downstream crates after each forced major bump, so chained in-proposal majors do not leave downstream manifests changed without the corresponding major release.
Useful? React with 👍 / 👎.
## What The release-proposal major-bump audit now runs against the **proposal branch HEAD** (the released ref plus this run's version bumps) instead of the pre-bump release ref, so a crate whose direct `libdd-*` dependency is bumped to a new major **within the same proposal** is correctly escalated to a major bump. ## Why In run [28800859299](https://github.com/DataDog/libdatadog/actions/runs/28800859299/job/85403702020) (PR #2199), `libdd-trace-protobuf` was bumped `3.0.2 → 4.0.0` and step 1 rewrote `libdd-trace-normalization`'s dependency requirement to `4.0.0` on the proposal branch — but `libdd-trace-normalization` only got a **minor** bump. The audit worktree was checked out at `release_head_sha` (the released ref *before* step-1 bumps), where `libdd-trace-normalization` still required protobuf `^3` — same as its prev_tag — so no major diff was detected. Already-merged majors (e.g. `libdd-common ^4 → ^5`) worked because that change was already present at the released ref; only **in-proposal** majors were missed. ## How Check the audit worktree out at `git rev-parse HEAD` (proposal branch tip) rather than `release_head_sha`. | Reference | In-proposal dep majors | Already-merged majors | Main-only changes (hotfix risk) | |---|---|---|---| | `github.sha` | ❌ | ✅ | ❌ spurious | | `release_head_sha` (pre-bump) | ❌ ← this bug | ✅ | ✅ excluded | | **proposal HEAD** | ✅ | ✅ | ✅ excluded | Proposal HEAD includes cargo-release's dependency-requirement rewrites from the previous step (so in-proposal majors propagate) while still being built from the released ref (so main-only changes absent from a hotfix/older-ref release don't trigger spurious bumps — preserving the guarantee from the earlier review of #2195). Pending no-commit crates now also propagate in-proposal dependency majors, not just already-merged ones. ## Testing YAML validated. Behavior verified by tracing the failing run's logs against the new reference; the full workflow requires the CI runner + org tokens and was not run locally. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
## What The release-proposal major-bump audit now runs against the **proposal branch HEAD** (the released ref plus this run's version bumps) instead of the pre-bump release ref, so a crate whose direct `libdd-*` dependency is bumped to a new major **within the same proposal** is correctly escalated to a major bump. ## Why In run [28800859299](https://github.com/DataDog/libdatadog/actions/runs/28800859299/job/85403702020) (PR #2199), `libdd-trace-protobuf` was bumped `3.0.2 → 4.0.0` and step 1 rewrote `libdd-trace-normalization`'s dependency requirement to `4.0.0` on the proposal branch — but `libdd-trace-normalization` only got a **minor** bump. The audit worktree was checked out at `release_head_sha` (the released ref *before* step-1 bumps), where `libdd-trace-normalization` still required protobuf `^3` — same as its prev_tag — so no major diff was detected. Already-merged majors (e.g. `libdd-common ^4 → ^5`) worked because that change was already present at the released ref; only **in-proposal** majors were missed. ## How Check the audit worktree out at `git rev-parse HEAD` (proposal branch tip) rather than `release_head_sha`. | Reference | In-proposal dep majors | Already-merged majors | Main-only changes (hotfix risk) | |---|---|---|---| | `github.sha` | ❌ | ✅ | ❌ spurious | | `release_head_sha` (pre-bump) | ❌ ← this bug | ✅ | ✅ excluded | | **proposal HEAD** | ✅ | ✅ | ✅ excluded | Proposal HEAD includes cargo-release's dependency-requirement rewrites from the previous step (so in-proposal majors propagate) while still being built from the released ref (so main-only changes absent from a hotfix/older-ref release don't trigger spurious bumps — preserving the guarantee from the earlier review of #2195). Pending no-commit crates now also propagate in-proposal dependency majors, not just already-merged ones. ## Testing YAML validated. Behavior verified by tracing the failing run's logs against the new reference; the full workflow requires the CI runner + org tokens and was not run locally. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Taegyun Kim <taegyun.kim@datadoghq.com>
What
The release-proposal major-bump audit now runs against the proposal branch HEAD (the released ref plus this run's version bumps) instead of the pre-bump release ref, so a crate whose direct
libdd-*dependency is bumped to a new major within the same proposal is correctly escalated to a major bump.Why
In run 28800859299 (PR #2199),
libdd-trace-protobufwas bumped3.0.2 → 4.0.0and step 1 rewrotelibdd-trace-normalization's dependency requirement to4.0.0on the proposal branch — butlibdd-trace-normalizationonly got a minor bump.The audit worktree was checked out at
release_head_sha(the released ref before step-1 bumps), wherelibdd-trace-normalizationstill required protobuf^3— same as its prev_tag — so no major diff was detected. Already-merged majors (e.g.libdd-common ^4 → ^5) worked because that change was already present at the released ref; only in-proposal majors were missed.How
Check the audit worktree out at
git rev-parse HEAD(proposal branch tip) rather thanrelease_head_sha.github.sharelease_head_sha(pre-bump)Proposal HEAD includes cargo-release's dependency-requirement rewrites from the previous step (so in-proposal majors propagate) while still being built from the released ref (so main-only changes absent from a hotfix/older-ref release don't trigger spurious bumps — preserving the guarantee from the earlier review of #2195). Pending no-commit crates now also propagate in-proposal dependency majors, not just already-merged ones.
Testing
YAML validated. Behavior verified by tracing the failing run's logs against the new reference; the full workflow requires the CI runner + org tokens and was not run locally.
🤖 Generated with Claude Code