Finish deployment-tag policy review fixes#291
Conversation
|
Warning Review limit reachedYou’ve reached a temporary PR review limit under our Fair Usage Limits Policy. Next review available in: 10 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (6)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
@codex review @cursor review @coderabbitai review |
|
✅ Action performedReview finished.
|
There was a problem hiding this comment.
Pull request overview
Updates the DAR deployment-tag policy and associated CI/release gates to use a narrowed OCP-only deployment state model that reads only the latest DevNet tag plus exact current-version DevNet/Mainnet tags, while strengthening backup integrity validation (hash + size) and making backup restoration atomic.
Changes:
- Refactors
dar-version-policyto derive the candidate strictly from the latest DevNet deployment tag (or0.0.1if none) and to read only the minimal tag set needed for the current package version. - Adds atomic restore/verification for DAR backups and tightens integrity checks to include both SHA-256 and file size.
- Adjusts CI/release workflows to use the updated policy interfaces, add post-policy DAR backup verification, and configure Git identity prior to creating annotated deployment tags.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| scripts/dar-version-policy.ts | Reworks deployment state reading/candidate resolution to OCP-only and minimal tag reads; strengthens immutability enforcement and size checks. |
| scripts/dar-version-policy.test.ts | Updates tests to the new state model, adds coverage for atomic backup restoration and new candidate logic. |
| scripts/check-dar-version-policy.ts | Simplifies to optional --base, scopes to OCP inputs, and strengthens backup validation (size + hash). |
| scripts/backup-dar.ts | Adds ensureBackupFile for atomic restore/verification and uses the new deployment state API. |
| .github/workflows/release.yml | Configures Git identity before tagging; updates policy/deployment gate invocations; reads dars.lock via fs.readFileSync. |
| .github/workflows/ci.yml | Uses previous-main SHA on main pushes for --base, and adds a verify-dars gate after the policy check. |
|
Codex Review: Didn't find any major issues. Keep them coming! Reviewed commit: ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
Summary
dars.lockcorrectly and configure Git identity before either deployment tag is created0.0.1Deployment state
The annotated baseline
dar-deploy/devnet/OpenCapTable-v34/v0.0.1is live and points to the exact committed DevNet DAR. Repository rulesetImmutable DAR deployment tagspermits new deployment-tag creation and blocks updates or deletion.Validation
0.0.3and requires candidate0.0.2git diff --checkLocal DAML tests and upgrade-check require Java, which is unavailable in this shell; the new GitHub Actions run supplies Temurin and is the final gate.
Note
Medium Risk
Changes release deployment gates and immutable DAR versioning rules; mistakes could block releases or allow wrong candidate versions, though behavior is covered by policy tests and added backup verification.
Overview
This PR tightens DAR deployment-tag policy and CI/release gates after review follow-ups.
Policy model is narrowed to the OCP package (
requirePackageConfig('ocp')) andreadDeploymentState, which loads only the latest DevNet tag plus exact current DevNet/Mainnet tags fordaml.yamlversion—replacing full tag scans and legacy locknetworksmarkers as the version anchor. The next candidate isnextPatch(latest DevNet)or0.0.1if none exist.backup-daraddsensureBackupFileto atomically restore missing/corrupt backups (hash + size) before lock updates;planCandidateBackup/ deployment gates use the new state API.check-dar-version-policydrops--alland multi-package loops; optional--basecompares via merge-base, skips when OCP inputs unchanged, and on main CI usesgithub.event.beforeinstead of alwaysorigin/main. Backup checks now include size; release runs policy without--base.Workflows: CI adds
verify-darsafter policy check; release configures Git identity before tagging, readsdars.lockviafs.readFileSync, andcheck:dar-deploymentis--networkonly (no--package).Tests are refocused on DevNet-anchored candidates, history retention, backup restoration, and Mainnet/DevNet hash alignment.
Reviewed by Cursor Bugbot for commit 060e933. Bugbot is set up for automated code reviews on this repo. Configure here.