ci(release): pin source versions + fix demo image tag & installer JANS_APP_VERSION#2897
Conversation
…S_APP_VERSION (test feedback) - Pin FLEX_SOURCE_VERSION to the released flex commit (--flex-source-sha, passed by release-trigger as the source-ref HEAD) and JANS_SOURCE_VERSION to the commit the mapped jans release pins (fetched from the jans vX.Y.Z docker-jans-all-in-one Dockerfile), so images build the exact released sources. - start_flex_aio_demo.sh GLUU_VERSION is the flex-all-in-one image tag, so it now takes the suffixed tag (e.g. 6.2.0-1) instead of the bare version. - flex_setup.py app_versions: JANS_APP_VERSION -> the mapped jans version and JANS_BUILD emptied, so the installer pulls the jans release (not 0.0.0-nightly). verify() now guards both. Signed-off-by: moauto <54212639+mo-auto@users.noreply.github.com>
|
Warning Review limit reached
More reviews will be available in 28 minutes and 15 seconds. Learn how PR review limits work. Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file). ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits. 🚦 How do rate limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (1)
📝 WalkthroughWalkthroughThe PR extends ChangesRelease Version Bump Enhancements
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Possibly related PRs
Suggested labels
Suggested reviewers
Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@automation/release/version_bump.py`:
- Around line 385-390: The pin_source_versions() logic updates
FLEX_SOURCE_VERSION and JANS_SOURCE_VERSION assignments but does not verify that
every owned file was actually brought to the requested SHA. After the existing
grep_files/sub loops, add a postcondition check in pin_source_versions() that
scans for any remaining stale FLEX_SOURCE_VERSION or JANS_SOURCE_VERSION values
and fails closed (raise/abort the release) if any owned Dockerfile still differs
from flex_sha or jans_sha. Use the existing pin_source_versions(), grep_files(),
and changed tracking to locate and validate the rewrite result.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 996534ae-fd60-4b75-affd-9286330d6d99
📒 Files selected for processing (2)
.github/workflows/release-trigger.ymlautomation/release/version_bump.py
…w follow-up)
pin_source_versions() rewrote only [0-9a-f]{40} values, so a FLEX_SOURCE_VERSION/JANS_SOURCE_VERSION
that wasn't 40-hex (a branch name, an already-different sha) was silently skipped and the image would
build from stale source. Add a postcondition that re-scans every owned assignment and aborts the
release if any literal value still differs from the requested sha (${VAR} indirections are ignored;
skipped under --dry-run).
Signed-off-by: moauto <54212639+mo-auto@users.noreply.github.com>
Summary
Follow-up to #2892 (merged) — fixes found while testing the release cycle.
1. Source-version pinning (
version_bump.py+release-trigger.yml). The bump now also pins, in release mode:FLEX_SOURCE_VERSION→ the released flex commit (--flex-source-sha, the source-ref HEAD before the bump commit), like jans pins its own source.JANS_SOURCE_VERSION→ the commit the mapped jans release pins (fetched fromjans/v<major-4>.Y.Z/docker-jans-all-in-one/Dockerfile), so flex images build the exact same jans source the jans release did.2. Demo image tag (
version_bump.py).start_flex_aio_demo.sh'sGLUU_VERSIONis theflex-all-in-oneimage tag, so it now takes the suffixed tag (e.g.6.2.0-1) instead of the bare version.3. Installer JANS version (
version_bump.py).flex_setup.py'sapp_versionsnow setsJANS_APP_VERSION→ the mapped jans version and emptiesJANS_BUILD, so the installer pulls the jans release (e.g.2.2.0) instead of0.0.0-nightly.--verifyguards both.Validated:
py_compile, YAML parse, and a real6.2.0bump confirmingGLUU_VERSION=6.2.0-1,JANS_APP_VERSION=2.2.0/JANS_BUILD="", and the source pins (the jans value fetched live fromv2.2.0).Summary by CodeRabbit
Bug Fixes
Chores