CLI update check + release auto-publish (ADR 0080 Phases 2 & 4) #244
agent-paste PR preview is ready. API: https://agent-paste-api-pr-244.isaac-a46.workers.dev |
|
No actionable comments were generated in the recent review. 🎉
📝 Walkthrough
This PR implements Phase 2 of the CLI auto-update feature: a KV-backed public CLI version endpoint, background update checks with semver comparison and per-channel warnings, and release automation via GitHub Actions to advertise new versions to Cloudflare KV.
Changes
- CLI version endpoint: contract through integration
- CLI update-check: runtime logic through integration
- Release automation: npm publish and KV advertisement
Estimated code review effort: 🎯 4 (Complex) | ⏱️ ~45 minutes
🚥 Pre-merge checks | ✅ 4 | ❌ 1
AP-165 CLI auto-update: version baking, update check, and binary self-upgrade
Outcome
The
Context
Three distribution channels with different update mechanics: standalone binary (
Scope (phased)
Out of scope
Silent binary self-update (explicit
Acceptance criteria
Required checks
|
Actionable comments posted: 9
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/cli-advertise.yml:
- Line 27: The job-level guard if: startsWith(github.event.release.tag_name,
'cli-v') causes the workflow to run then skip jobs; either move the filter to
the trigger by switching the workflow to a tag-based trigger (e.g., replace the
current release trigger with an on: push: tags: - "cli-v*" or an appropriate
tag-filtering trigger if you want no workflow runs for non-cli tags) or, if the
workflow must be release-triggered, add a short comment above the job explaining
that workflow-level if: is not supported for release events so the guard remains
at job-level (referencing the existing if:
startsWith(github.event.release.tag_name, 'cli-v') in cli-advertise.yml).
- Around line 54-56: Replace the non-deterministic "npm install -g npm@latest"
invocation in the "Upgrade npm for trusted publishing" step with a pinned
version that satisfies the >=11.5.1 requirement (for example "npm install -g
npm@11.7.0"); update the run command to use that specific version (or an input
variable like NPM_VERSION) so the workflow installs a fixed npm version instead
of latest.
In `@apps/cli/src/update-check.ts`:
- Around line 127-131: The minimum-supported warning currently hardcodes the
upgrade command; update the block that checks compareSemver(CLI_VERSION,
min_supported) so it uses the same channel detection logic as nag() (or its
helper) to pick a channel-appropriate suggestion: for "binary" show "agent-paste
upgrade", for "npm-global" show the npm global upgrade instruction, for
"unknown" or when channel detection fails omit the specific command and use a
generic "Upgrade soon" message; ensure you modify the write(...) call (and any
helper used) so the message text varies by channel rather than always printing
"agent-paste upgrade".
In `@docs/ops/project-status.md`:
- Line 150: Update the status line in docs/ops/project-status.md that currently
reads “Placeholder UI: dashboard Access Link management.” to indicate the
feature is shipped (e.g., “Shipped: dashboard Access Link management (AP-156)”),
since docs/ops/status/implementation.md and the implemented route
apps/web/src/routes/_authed.access-links.tsx show the /access-links
list/create/mint/revoke/lockdown and artifact detail work is complete; reference
AP-156 in the updated text so the two docs remain consistent.
In `@docs/ops/status/implementation.md`:
- Line 69: Update the table entry for the `pnpm verify` row so the branch
context is explicit: either replace "AP-33 branch" with `main` if `main` has a
more recent successful run, or append a clarifying note like "pre-merge
verification for AP-33" if this is a feature-branch result; ensure the "Latest
known result" wording reflects that it's a branch verification rather than main.
Locate the table row containing the `pnpm verify` entry and edit the fourth
column text accordingly to show the correct branch context and date.
In `@packages/contracts/openapi/api.json`:
- Around line 569-585: The schema for CliVersionResponse currently allows any
non-empty string for latest and min_supported; update the source JSON/YAML
schema where CliVersionResponse is defined to replace their
"type":"string","minLength":1 with a shared semver pattern (e.g., a reusable
regex schema component like "components/schemas/Semver" or a $ref to a shared
"Semver" schema) and reference that shared Semver schema for both latest and
min_supported, then regenerate the OpenAPI artifact so the api.json contains the
semver constraint for those fields.
In `@packages/contracts/src/cliVersion.ts`:
- Around line 7-10: The current CliVersionResponse schema only enforces
non-empty strings for latest and min_supported; update CliVersionResponse to
validate proper semver format instead of .min(1). Replace the .min(1) checks on
the latest and min_supported fields with a semver validation (e.g., use
z.string().regex(...) or z.string().refine(...) with a standard semver regex
that matches MAJOR.MINOR.PATCH and optional pre-release/build metadata) so
malformed values like "not-a-version", "1.2", or "v1.2.3" are rejected; keep the
schema name CliVersionResponse and the field names latest and min_supported
unchanged.
In `@scripts/local-mvp-server.mjs`:
- Around line 346-347: The local harness seed for cli release version is
inconsistent with the PR intent, since the MemoryKVNamespace initialization in
the local-mvp-server flow hardcodes "0.1.0" while the summary refers to a "0.0.0
placeholder." Update the seeded value to match the intended package.json
baseline or add a clear inline comment near the cliRelease.put setup explaining
why "0.1.0" is used, so the behavior in the local harness is explicit and easy
to reconcile.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro Plus
Run ID: 003bdc51-3251-4762-bd60-432039dc2f09
📒 Files selected for processing (37)
- .github/workflows/ci.yml
- .github/workflows/cli-advertise.yml
- .github/workflows/cli-release.yml
- .github/workflows/security.yml
- apps/apex/src/copy.ts
- apps/apex/src/index.test.ts
- apps/api/src/env.ts
- apps/api/src/index.ts
- apps/api/src/routes/cli-version.ts
- apps/api/test/route-cli-version.test.ts
- apps/api/wrangler.jsonc
- apps/cli/src/credentials.ts
- apps/cli/src/index.ts
- apps/cli/src/node-globals.d.ts
- apps/cli/src/update-check.ts
- apps/cli/test/index.test.ts
- apps/cli/test/update-check.test.ts
- biome.json
- docs/ops/cli-auto-update-plan.md
- docs/ops/live-updates-todo.md
- docs/ops/project-status.md
- docs/ops/status/changelog.md
- docs/ops/status/coverage.md
- docs/ops/status/implementation.md
- docs/ops/status/phase-backlog.md
- docs/vision.md
- packages/api-client/src/index.ts
- packages/contracts/openapi/api.json
- packages/contracts/src/cliVersion.ts
- packages/contracts/src/index.ts
- packages/contracts/src/mvp-contracts.test.ts
- packages/contracts/src/openapi/api.ts
- packages/contracts/src/openapi/shared.ts
- packages/contracts/src/openapi/web-cursor-bounds.ts
- packages/contracts/src/routes/registry.ts
- packages/worker-runtime/src/route-repository-errors.ts
- scripts/local-mvp-server.mjs
💤 Files with no reviewable changes (4)
- .github/workflows/security.yml
- docs/vision.md
- docs/ops/status/changelog.md
- apps/apex/src/index.test.ts
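
Added example, not part of the review or of the PR's code: one way to combine the semver constraint requested above for `latest` and `min_supported` with the total, never-500 handler the PR describes, so that a malformed KV value falls back to the `0.0.0` default. `SEMVER_RE`, `SAFE_DEFAULT`, `parseCliRelease` and `compareSemverStrict` are hypothetical names, and the raw KV value is assumed to be a JSON string.

```typescript
// Added example; all names are hypothetical and this is not the project's code.
// semver.org 2.0.0: MAJOR.MINOR.PATCH, optional -prerelease (group 4) and +build.
const SEMVER_RE =
  /^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[A-Za-z-][0-9A-Za-z-]*)(?:\.(?:0|[1-9]\d*|\d*[A-Za-z-][0-9A-Za-z-]*))*))?(?:\+[0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*)?$/;

interface CliRelease { latest: string; min_supported: string }
const SAFE_DEFAULT: CliRelease = { latest: "0.0.0", min_supported: "0.0.0" };

// Total parser for the raw KV string (assumed JSON): absent, unparseable, wrongly
// typed or non-semver input all collapse to the safe default instead of throwing.
function parseCliRelease(raw: string | null): CliRelease {
  if (raw === null) return SAFE_DEFAULT;
  let v: unknown;
  try { v = JSON.parse(raw); } catch { return SAFE_DEFAULT; }
  if (typeof v !== "object" || v === null) return SAFE_DEFAULT;
  const { latest, min_supported } = v as Record<string, unknown>;
  if (typeof latest !== "string" || typeof min_supported !== "string") return SAFE_DEFAULT;
  if (!SEMVER_RE.test(latest) || !SEMVER_RE.test(min_supported)) return SAFE_DEFAULT;
  return { latest, min_supported };
}

// Semver precedence: numeric core first, then pre-release; build metadata is ignored.
function compareSemverStrict(a: string, b: string): number {
  const ma = SEMVER_RE.exec(a), mb = SEMVER_RE.exec(b);
  if (!ma || !mb) throw new TypeError("not a semver string");
  for (let i = 1; i <= 3; i++) {
    const d = Number(ma[i]) - Number(mb[i]);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  const pa: string | undefined = ma[4], pb: string | undefined = mb[4];
  if (pa === undefined || pb === undefined) {
    return pa === pb ? 0 : pa === undefined ? 1 : -1; // a release outranks its pre-releases
  }
  const xa = pa.split("."), xb = pb.split(".");
  for (let i = 0; i < Math.max(xa.length, xb.length); i++) {
    if (i >= xa.length) return -1; // fewer identifiers sorts lower
    if (i >= xb.length) return 1;
    const na = /^\d+$/.test(xa[i]), nb = /^\d+$/.test(xb[i]);
    if (na !== nb) return na ? -1 : 1; // numeric identifiers sort below alphanumeric
    if (na) { const d = Number(xa[i]) - Number(xb[i]); if (d !== 0) return d < 0 ? -1 : 1; }
    else if (xa[i] !== xb[i]) return xa[i] < xb[i] ? -1 : 1;
  }
  return 0;
}
```
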
…165)
Implements ADR 0080 Phases 2 and 4: the CLI learns the latest published
version from the Agent Paste API and nags per channel when stale, and a
release-published workflow publishes to npm and advertises the version in KV.
- api: GET /v1/public/cli-version (unauthenticated) serves {latest,
min_supported} from a new CLI_RELEASE KV namespace, with a 60s module
memo and Cache-Control: public, max-age=300. Total handler: serves a
0.0.0 safe default on absent/malformed/erroring KV, never 500s.
- contracts: cli.version route + CliVersionResponse schema + OpenAPI;
extract applyWebCursorParameterBounds to keep api.ts under the line cap.
- cli: update-check.ts detects channel (npx/npm-global/binary), throttles
24h, suppresses on CI/non-TTY/--json/--quiet/AGENT_PASTE_NO_UPDATE_CHECK,
fetches fail-open, and prints one channel-tailored stderr hint. Wired
after dispatch so it never affects exit code.
- ci: cli-advertise.yml on release:published publishes @zaks-io/agent-paste
to npm via OIDC trusted publishing (no stored token) and writes the
CLI_RELEASE value per env; cli-release.yml asserts the tag matches
package.json. package.json is the single version source.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
9885616 to a118145
Pushed fixes for CodeRabbit review + a rebase-revert correction
Material fix (beyond CodeRabbit's findings): the previous push contained accidental reverts of 11 files unrelated to this feature — a corrupted rebase had re-applied stale copies of
Code findings addressed:
Nits resolved with reasons (skipped): job-level
Verified:
@coderabbitai review
✅ Action performed
Review finished.
agent-paste PR preview is ready. API: https://agent-paste-api-pr-244.isaac-a46.workers.dev |
|
agent-paste PR preview resources were cleaned up. The shared Preview GitHub Environment is retained for future preview deploys. |
Summary
Implements ADR 0080 Phases 2 and 4. The CLI now learns the latest published version from the Agent Paste API and prints one channel-tailored upgrade hint when stale; a `release: published` workflow publishes the package to npm and advertises the new version in KV with no `api` redeploy. Builds on Phase 1 (version baking, #232).
Changes
- `GET /v1/public/cli-version` (unauthenticated) serves `{latest, min_supported}` from a new `CLI_RELEASE` KV namespace, with a 60s module memo and `Cache-Control: public, max-age=300`. The handler is total: serves a `0.0.0` safe default on absent/malformed/erroring KV, never 500s. Mounted via a new no-db registrar (pure KV read).
- `cli.version` route + `CliVersionResponse` schema + OpenAPI (200-only, matching the total handler). Extracted `applyWebCursorParameterBounds` into its own file to keep `api.ts` under the line cap.
- `update-check.ts` detects channel (npx / npm-global / binary), throttles 24h (stamps the cache before the fetch so offline users aren't re-checked), suppresses on `CI` / non-TTY / `--json` / `--quiet` / `AGENT_PASTE_NO_UPDATE_CHECK`, fetches fail-open, and prints one stderr hint (npx: none; npm-global: `npm i -g …@latest`; binary: `agent-paste upgrade`; below `min_supported`: louder warning). Wired after `dispatch()` so it never affects exit code.
- `cli-advertise.yml` on `release: published` (gated on `cli-v*`) publishes `@zaks-io/agent-paste` to npm via OIDC trusted publishing (no stored token) then writes `CLI_RELEASE` per env via `wrangler kv key put --binding CLI_RELEASE --env <env>`. `cli-release.yml` asserts the dispatch tag equals `cli-v<package.json version>`. `package.json` is the single version source.
- `biome.json` excludes `**/coverage` (generated artifact was being linted).
Risk: MEDIUM
`tag_name` is maintainer-controlled and never reaches a shell unquoted.
Test plan
- `pnpm verify` (88/88) and `pnpm test:coverage` (branches 80.34%) green
- `--json` stdout untouched
- `actionlint` clean on both workflows; injection audit (no untrusted input in `run:` blocks)
Out of scope: Phase 3 (`agent-paste upgrade`) and the README docs.
Manual prerequisite before the first automated release: configure the npm trusted publisher on npmjs.com (org `zaks-io`, repo `agent-paste`, workflow `cli-advertise.yml`). A `0.0.0` placeholder is already published, so the precondition is met. (Done.)
AP-165
🤖 Generated with Claude Code
Summary by CodeRabbit
Release Notes
New Features
GET /v1/public/cli-version) to retrieve current and minimum supported CLI versions.
Chores
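
Added example, not code from this PR: a sketch of the update-check gating the description lays out, showing the suppression conditions, the 24h throttle, and why stamping before the fetch plus a catch-all keeps the check fail-open. `UpdateCheckInput`, `updateCheckAllowed`, `runUpdateCheck`, `writeStamp` and `fetchLatest` are hypothetical names, and treating any non-empty `CI` or `AGENT_PASTE_NO_UPDATE_CHECK` value as "set" is an assumption.

```typescript
// Added example; names are hypothetical and this is not the project's update-check.ts.
interface UpdateCheckInput {
  env: Record<string, string | undefined>;
  argv: string[];
  stderrIsTTY: boolean;
  nowMs: number;
  lastCheckMs: number | null; // stamp read from the throttle cache, null when absent
}
const THROTTLE_MS = 24 * 60 * 60 * 1000;

// Every suppression condition from the description, then the 24h throttle.
// Assumption: any non-empty value of CI / AGENT_PASTE_NO_UPDATE_CHECK suppresses.
function updateCheckAllowed(i: UpdateCheckInput): boolean {
  if (i.env.CI || i.env.AGENT_PASTE_NO_UPDATE_CHECK) return false;
  if (!i.stderrIsTTY) return false;
  if (i.argv.some((a) => a === "--json" || a === "--quiet")) return false;
  return i.lastCheckMs === null || i.nowMs - i.lastCheckMs >= THROTTLE_MS;
}

// Stamp before fetching so a failed or offline fetch still consumes the 24h
// window, and swallow every error so the CLI's exit code is never affected.
async function runUpdateCheck(
  i: UpdateCheckInput,
  writeStamp: (ms: number) => void,
  fetchLatest: () => Promise<string>,
): Promise<string | null> {
  if (!updateCheckAllowed(i)) return null;
  try {
    writeStamp(i.nowMs);
    return await fetchLatest();
  } catch {
    return null; // fail-open: no hint, no error
  }
}
```
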