[PR #1418] [MERGED] fix(publish): block silent version downgrades in tinytorch + book publish-live #6537

Closed
opened 2026-04-21 22:24:06 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/harvard-edge/cs249r_book/pull/1418
Author: @profvjreddi
Created: 4/20/2026
Status: Merged
Merged: 4/20/2026
Merged by: @profvjreddi

Base: dev ← Head: fix/publish-no-downgrade


📝 Commits (1)

  • 38f29da fix(publish): block silent version downgrades in tinytorch + book publish-live

📊 Changes

2 files changed (+180 additions, -0 deletions)

View changed files

📝 .github/workflows/book-publish-live.yml (+109 -0)
📝 .github/workflows/tinytorch-publish-live.yml (+71 -0)

📄 Description

Summary

Adds a no-downgrade guard to both `tinytorch-publish-live.yml` and `book-publish-live.yml`.
Catches a real footgun in the next release: triggering with the default `release_type=patch`
silently regresses TinyTorch from `0.10.0` → `0.1.10` and Vol II from `v0.5.1` → `v0.0.1`.

The footgun in concrete terms

| Workflow | Source-of-truth | Current value | Latest tag | Default `patch` would write | Result |
|---|---|---|---|---|---|
| `tinytorch-publish-live` | `pyproject.toml` | `0.10.0` | `tinytorch-v0.1.9` | `0.1.10` | DOWNGRADE |
| `book-publish-live` (vol2) | `index-vol2.qmd` doi | `v0.5.1` (legacy inheritance) | none → seeds `v0.0.0` | `v0.0.1` | DOWNGRADE |
| `book-publish-live` (vol1) | `index-vol1.qmd` doi | `v0.5.1` | seeds from `book-v0.5.1` | `v0.5.2` | OK (forward) |

Both downgrades complete with no error and silently overwrite the source.

How the guard works

After version computation, before any `sed` write:

  1. Read the bare version from the source-of-truth file.
  2. Use `sort -V` to compare against the planned new version.
  3. If planned < source (strict), fail with a remediation message that names the exact dispatch
    input to use (`explicit_version=X.Y.Z` for tinytorch, `previous_version=vol{N}-vX.Y.Z`
    for the book).
  4. Equality (no-op write) is allowed — needed for the v0.10.0 release where `pyproject.toml`
    is already at the target.
  5. Site-only mode skips the guard (no version write happens at all).
  6. Missing `index-vol{N}.qmd` warns rather than fails (defensive against future routing changes).

Verification

Tested `semver_lt` locally against 9 cases:

```
PASS 0.1.10 vs 0.10.0 → LT ← the TinyTorch footgun
PASS 0.10.0 vs 0.1.10 → GE
PASS 0.10.0 vs 0.10.0 → GE ← equality allowed
PASS 0.0.1 vs 0.5.1 → LT ← vol2 patch regression
PASS 0.1.0 vs 0.5.1 → LT ← vol2 minor still regresses
PASS 0.6.0 vs 0.5.1 → GE ← vol1 normal forward bump
PASS 0.5.2 vs 0.5.1 → GE
PASS 1.0.0 vs 0.99.99 → GE
PASS 0.5.1 vs 0.5.10 → LT ← naive lex sort would get this wrong
```

YAML parses cleanly for both workflows. `CI: Check workflows are safe for fork PRs` hook passes.

What this unblocks

The actual staged rollout (TinyTorch v0.10.0, Book vol1 v0.6.0, Book vol2 v0.1.0) can now be
triggered without worrying about the default-button creating a silent regression. Each volume's
first release just needs the right `previous_version` / `explicit_version` override, and the
guard tells you exactly which one to set if you forget.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
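
The comparison described under "How the guard works", as an added example that is not the workflows' own code: a strict less-than built on `sort -V`, wrapped in a guard that also fails closed when either version cannot be parsed. The function names, exit codes, messages and the sample `pyproject.toml` content are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not taken from the workflows.

# is_xyz V: succeed only for a bare X.Y.Z or vX.Y.Z string.
is_xyz() {
  printf '%s\n' "$1" | grep -Eq '^v?[0-9]+\.[0-9]+\.[0-9]+$'
}

# version_lt A B: succeed only when A is strictly lower than B.
version_lt() {
  a=${1#v}; b=${2#v}                    # compare bare versions
  [ "$a" != "$b" ] || return 1          # equality is not a downgrade
  lowest=$(printf '%s\n%s\n' "$a" "$b" | sort -V | head -n 1)
  [ "$lowest" = "$a" ]
}

# read_pyproject_version FILE: print the first version = "..." value.
read_pyproject_version() {
  sed -n 's/^version *= *"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# guard_no_downgrade PLANNED CURRENT
# returns 0 = safe to write, 1 = downgrade blocked, 2 = unparseable input
guard_no_downgrade() {
  if ! is_xyz "$1" || ! is_xyz "$2"; then
    echo "guard: cannot parse '$1' or '$2'; refusing to write" >&2
    return 2
  fi
  if version_lt "$1" "$2"; then
    echo "guard: planned $1 is lower than current $2; refusing to write" >&2
    return 1
  fi
  return 0
}

# Constructed sample file standing in for the source of truth.
demo() {
  tmp=$(mktemp)
  printf '[project]\nname = "demo"\nversion = "0.10.0"\n' > "$tmp"
  current=$(read_pyproject_version "$tmp")
  rm -f "$tmp"
  guard_no_downgrade "0.1.10" "$current"   # the patch bump from tag 0.1.9
}

demo || echo "write blocked (exit $?)"
```

Without the parse check, an empty current version would sort below every planned version and the guard would pass; rejecting unparseable input keeps the check from silently approving a write it could not evaluate.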

GiteaMirror added the pull-request label 2026-04-21 22:24:06 -05:00

Reference: github-starred/cs249r_book#6537