Skip to content

Finish deployment-tag policy review fixes#291

Merged
HardlyDifficult merged 1 commit into
mainfrom
codex/tag-policy-review-fixes
Jul 13, 2026
Merged

Finish deployment-tag policy review fixes#291
HardlyDifficult merged 1 commit into
mainfrom
codex/tag-policy-review-fixes

Conversation

@HardlyDifficult

@HardlyDifficult HardlyDifficult commented Jul 13, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • apply the review fixes that missed the Use successful deployment tags for DAR versions #290 merge because its branch was deleted while the follow-up push was in flight
  • restore and verify missing or corrupt candidate backups atomically
  • parse dars.lock correctly and configure Git identity before either deployment tag is created
  • simplify candidate selection to the latest DevNet deployment tag only; no tag means 0.0.1
  • read only the latest DevNet and exact current deployment tags instead of scanning all history
  • validate main pushes from the previous main SHA, stale branches from their merge base, and every retained DAR file

Deployment state

The annotated baseline dar-deploy/devnet/OpenCapTable-v34/v0.0.1 is live and points to the exact committed DevNet DAR. Repository ruleset Immutable DAR deployment tags permits new deployment-tag creation and blocks updates or deletion.

Validation

  • 6/6 deployment-policy tests
  • TypeScript build
  • focused ESLint and Prettier
  • workflow YAML parsing
  • full DAML build
  • DAML lint
  • 3/3 DAR integrity verification
  • base-relative policy check
  • real tag-only release check correctly rejects stale 0.0.3 and requires candidate 0.0.2
  • git diff --check

Local DAML tests and upgrade-check require Java, which is unavailable in this shell; the new GitHub Actions run supplies Temurin and is the final gate.


Note

Medium Risk
Changes release deployment gates and immutable DAR versioning rules; mistakes could block releases or allow wrong candidate versions, though behavior is covered by policy tests and added backup verification.

Overview
This PR tightens DAR deployment-tag policy and CI/release gates after review follow-ups.

Policy model is narrowed to the OCP package (requirePackageConfig('ocp')) and readDeploymentState, which loads only the latest DevNet tag plus exact current DevNet/Mainnet tags for daml.yaml version—replacing full tag scans and legacy lock networks markers as the version anchor. The next candidate is nextPatch(latest DevNet) or 0.0.1 if none exist.

backup-dar adds ensureBackupFile to atomically restore missing/corrupt backups (hash + size) before lock updates; planCandidateBackup / deployment gates use the new state API.

check-dar-version-policy drops --all and multi-package loops; optional --base compares via merge-base, skips when OCP inputs unchanged, and on main CI uses github.event.before instead of always origin/main. Backup checks now include size; release runs policy without --base.

Workflows: CI adds verify-dars after policy check; release configures Git identity before tagging, reads dars.lock via fs.readFileSync, and check:dar-deployment is --network only (no --package).

Tests are refocused on DevNet-anchored candidates, history retention, backup restoration, and Mainnet/DevNet hash alignment.

Reviewed by Cursor Bugbot for commit 060e933. Bugbot is set up for automated code reviews on this repo. Configure here.

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown

Warning

Review limit reached

You’ve reached a temporary PR review limit under our Fair Usage Limits Policy.

Your recent review volume is higher than typical usage, so adaptive limits are currently applied.

Next review available in: 10 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 639b38b6-af3d-4835-818c-8f5ed5cb52ce

📥 Commits

Reviewing files that changed from the base of the PR and between 2076b55 and 060e933.

📒 Files selected for processing (6)
  • .github/workflows/ci.yml
  • .github/workflows/release.yml
  • scripts/backup-dar.ts
  • scripts/check-dar-version-policy.ts
  • scripts/dar-version-policy.test.ts
  • scripts/dar-version-policy.ts
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch codex/tag-policy-review-fixes

Comment @coderabbitai help to get the list of available commands.

@HardlyDifficult HardlyDifficult marked this pull request as ready for review July 13, 2026 22:35
@HardlyDifficult HardlyDifficult requested a review from Copilot July 13, 2026 22:35

Copy link
Copy Markdown
Collaborator Author

@codex review

@cursor review

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown

@HardlyDifficult I'll review the PR now.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the DAR deployment-tag policy and associated CI/release gates to use a narrowed OCP-only deployment state model that reads only the latest DevNet tag plus exact current-version DevNet/Mainnet tags, while strengthening backup integrity validation (hash + size) and making backup restoration atomic.

Changes:

  • Refactors dar-version-policy to derive the candidate strictly from the latest DevNet deployment tag (or 0.0.1 if none) and to read only the minimal tag set needed for the current package version.
  • Adds atomic restore/verification for DAR backups and tightens integrity checks to include both SHA-256 and file size.
  • Adjusts CI/release workflows to use the updated policy interfaces, add post-policy DAR backup verification, and configure Git identity prior to creating annotated deployment tags.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.

Show a summary per file
File Description
scripts/dar-version-policy.ts Reworks deployment state reading/candidate resolution to OCP-only and minimal tag reads; strengthens immutability enforcement and size checks.
scripts/dar-version-policy.test.ts Updates tests to the new state model, adds coverage for atomic backup restoration and new candidate logic.
scripts/check-dar-version-policy.ts Simplifies to optional --base, scopes to OCP inputs, and strengthens backup validation (size + hash).
scripts/backup-dar.ts Adds ensureBackupFile for atomic restore/verification and uses the new deployment state API.
.github/workflows/release.yml Configures Git identity before tagging; updates policy/deployment gate invocations; reads dars.lock via fs.readFileSync.
.github/workflows/ci.yml Uses previous-main SHA on main pushes for --base, and adds a verify-dars gate after the policy check.

@chatgpt-codex-connector

Copy link
Copy Markdown

Codex Review: Didn't find any major issues. Keep them coming!

Reviewed commit: 060e933adf

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@HardlyDifficult HardlyDifficult merged commit 35da83f into main Jul 13, 2026
6 checks passed
@HardlyDifficult HardlyDifficult deleted the codex/tag-policy-review-fixes branch July 13, 2026 22:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants