Skip to content

ci(release): pin source versions + fix demo image tag & installer JANS_APP_VERSION#2897

Merged
moabu merged 2 commits into
mainfrom
ci/release-source-version-pinning
Jun 24, 2026
Merged

ci(release): pin source versions + fix demo image tag & installer JANS_APP_VERSION#2897
moabu merged 2 commits into
mainfrom
ci/release-source-version-pinning

Conversation

@mo-auto

@mo-auto mo-auto commented Jun 24, 2026

Copy link
Copy Markdown
Member

Summary

Follow-up to #2892 (merged) — fixes found while testing the release cycle.

1. Source-version pinning (version_bump.py + release-trigger.yml). The bump now also pins, in release mode:

  • FLEX_SOURCE_VERSION → the released flex commit (--flex-source-sha, the source-ref HEAD before the bump commit), like jans pins its own source.
  • JANS_SOURCE_VERSION → the commit the mapped jans release pins (fetched from jans/v<major-4>.Y.Z/docker-jans-all-in-one/Dockerfile), so flex images build the exact same jans source the jans release did.

2. Demo image tag (version_bump.py). start_flex_aio_demo.sh's GLUU_VERSION is the flex-all-in-one image tag, so it now takes the suffixed tag (e.g. 6.2.0-1) instead of the bare version.

3. Installer JANS version (version_bump.py). flex_setup.py's app_versions now sets JANS_APP_VERSION → the mapped jans version and empties JANS_BUILD, so the installer pulls the jans release (e.g. 2.2.0) instead of 0.0.0-nightly. --verify guards both.

Validated: py_compile, YAML parse, and a real 6.2.0 bump confirming GLUU_VERSION=6.2.0-1, JANS_APP_VERSION=2.2.0/JANS_BUILD="", and the source pins (the jans value fetched live from v2.2.0).

Summary by CodeRabbit

  • Bug Fixes

    • Improved release version updating so more version placeholders are automatically replaced during release preparation, reducing the chance of shipping stale demo or setup values.
    • Added stronger validation to catch incomplete release version updates earlier.
  • Chores

    • Streamlined the release workflow’s handling of version inputs for more reliable automation.

…S_APP_VERSION (test feedback)

- Pin FLEX_SOURCE_VERSION to the released flex commit (--flex-source-sha, passed by release-trigger
  as the source-ref HEAD) and JANS_SOURCE_VERSION to the commit the mapped jans release pins (fetched
  from the jans vX.Y.Z docker-jans-all-in-one Dockerfile), so images build the exact released sources.
- start_flex_aio_demo.sh GLUU_VERSION is the flex-all-in-one image tag, so it now takes the suffixed
  tag (e.g. 6.2.0-1) instead of the bare version.
- flex_setup.py app_versions: JANS_APP_VERSION -> the mapped jans version and JANS_BUILD emptied, so the
  installer pulls the jans release (not 0.0.0-nightly). verify() now guards both.

Signed-off-by: moauto <54212639+mo-auto@users.noreply.github.com>
@mo-auto mo-auto requested review from iromli and moabu as code owners June 24, 2026 15:28
@coderabbitai

coderabbitai Bot commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Warning

Review limit reached

@mo-auto, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 28 minutes and 15 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 44177f98-7b2c-4d2c-9170-dc195714f468

📥 Commits

Reviewing files that changed from the base of the PR and between c8def2b and af3457b.

📒 Files selected for processing (1)
  • automation/release/version_bump.py
📝 Walkthrough

Walkthrough

The PR extends automation/release/version_bump.py with two new helper functions that pin FLEX_SOURCE_VERSION and JANS_SOURCE_VERSION commit SHAs during release, rewrites the GLUU_VERSION demo sentinel in bump(), adds dev-sentinel checks to verify(), wires a new --flex-source-sha CLI flag into main(), and refactors the CI workflow to pass version inputs via environment variables.

Changes

Release Version Bump Enhancements

Layer / File(s) Summary
Source SHA pinning helpers and GLUU_VERSION sentinel rewrite
automation/release/version_bump.py
bump() gains a GLUU_VERSION (0.0.0-nightly) sentinel rewrite. fetch_jans_source_version() downloads the jans all-in-one Dockerfile from GitHub and extracts JANS_SOURCE_VERSION. pin_source_versions() validates the flex SHA, fetches the jans SHA, and rewrites FLEX_SOURCE_VERSION= and JANS_SOURCE_VERSION= sentinel patterns across the working tree, raising SystemExit on any failure.
CLI --flex-source-sha wiring and verify() dev sentinel checks
automation/release/version_bump.py
main() adds the --flex-source-sha SHA optional argument and conditionally calls pin_source_versions() to extend the changed list. verify() is extended to report failures when flex-linux-setup/flex_linux_setup/flex_setup.py still contains JANS_APP_VERSION=0.0.0 or JANS_BUILD=-nightly.
CI workflow env-var refactor
.github/workflows/release-trigger.yml
The "Bump every owned version" step now exposes VERSION and DOCKER_SUFFIX as step environment variables from github.event.inputs.* and uses them as shell variables in the python3 automation/release/version_bump.py invocation.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • GluuFederation/flex#2892: Modifies the same automation/release/version_bump.py file, adjusting Flex→Jans version/sentinel handling and extending bump()/verify() behavior.

Suggested labels

area-CI

Suggested reviewers

  • iromli
  • moabu

Poem

🐇 Hoppity-hop through the release lane,
SHA sentinels pinned so nothing's vain,
GLUU_VERSION swapped, no nightly to see,
Env vars passed cleanly, as tidy as can be,
The bunny approves — this release runs free! 🎉

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 40.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main release workflow and version pinning changes, including the demo image tag and installer version fix.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch ci/release-source-version-pinning

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@mo-auto mo-auto added the area-CI Indicates work required in automatic builds or CI infrastructure label Jun 24, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@automation/release/version_bump.py`:
- Around line 385-390: The pin_source_versions() logic updates
FLEX_SOURCE_VERSION and JANS_SOURCE_VERSION assignments but does not verify that
every owned file was actually brought to the requested SHA. After the existing
grep_files/sub loops, add a postcondition check in pin_source_versions() that
scans for any remaining stale FLEX_SOURCE_VERSION or JANS_SOURCE_VERSION values
and fails closed (raise/abort the release) if any owned Dockerfile still differs
from flex_sha or jans_sha. Use the existing pin_source_versions(), grep_files(),
and changed tracking to locate and validate the rewrite result.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 996534ae-fd60-4b75-affd-9286330d6d99

📥 Commits

Reviewing files that changed from the base of the PR and between fe348f1 and c8def2b.

📒 Files selected for processing (2)
  • .github/workflows/release-trigger.yml
  • automation/release/version_bump.py

Comment thread automation/release/version_bump.py
…w follow-up)

pin_source_versions() rewrote only [0-9a-f]{40} values, so a FLEX_SOURCE_VERSION/JANS_SOURCE_VERSION
that wasn't 40-hex (a branch name, an already-different sha) was silently skipped and the image would
build from stale source. Add a postcondition that re-scans every owned assignment and aborts the
release if any literal value still differs from the requested sha (${VAR} indirections are ignored;
skipped under --dry-run).

Signed-off-by: moauto <54212639+mo-auto@users.noreply.github.com>
@moabu moabu merged commit 34040ea into main Jun 24, 2026
6 checks passed
@moabu moabu deleted the ci/release-source-version-pinning branch June 24, 2026 16:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area-CI Indicates work required in automatic builds or CI infrastructure

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants