fix(ci): prevent prerelease builds from clobbering stable release assets #8823

Open
markijbema wants to merge 8 commits into main from mark/fix-brew-prerelease-clobber

@markijbema
Contributor

Summary

Fixes #8796: `brew install Kilo-Org/tap/kilo` was failing with a checksum mismatch because a prerelease publish run overwrote the v7.2.1 stable release binaries with `--clobber`.

Root cause: When the prerelease workflow computed a version that collided with an existing stable release (due to npm registry lag in fetchHighest()), gh release upload --clobber silently replaced the stable assets. The homebrew formula still had the original checksums.

Fixes:

  1. build.ts: Only use --clobber for prerelease uploads. Stable releases will now fail-fast if assets already exist rather than silently overwriting them.
  2. version.ts: Add a safety check that aborts the workflow if a stable (non-prerelease) GitHub release already exists for the computed version.

Additionally: The homebrew-tap formula has been updated directly to fix the immediate user-facing issue (commit pushed to Kilo-Org/homebrew-tap).

The prerelease publish workflow was able to overwrite binaries on existing
stable releases due to --clobber being used unconditionally on gh release
upload. This caused the homebrew formula checksums to become stale,
breaking brew install.

Two fixes:
1. Only use --clobber for prerelease uploads (stable releases should
   fail-fast if assets already exist)
2. Add a safety check in version.ts that aborts if a stable release
   already exists for the computed version
…obber

- version.ts: Only treat 'release not found' as safe to proceed.
  Any other gh error (auth, network, etc.) now aborts the build
  instead of silently continuing.
- build.ts: Query the actual release metadata before deciding on
  --clobber. Only drafts and prereleases allow overwriting assets,
  making the upload step itself the last line of defense.
@markijbema markijbema marked this pull request as ready for review April 13, 2026 08:15
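
The two guards described in the commits above, written out as an added example (this is not the PR's code). The `GhResult` shape, the function names and the sample outputs are assumptions made here; the logic assumes the caller has captured the result of `gh release view <tag> --json isDraft,isPrerelease`.

```typescript
// Added example, not the PR's code. GhResult is a hypothetical shape for the captured
// outcome of: gh release view <tag> --json isDraft,isPrerelease
interface GhResult { code: number; stdout: string; stderr: string }

type ReleaseState =
  | { kind: "missing" }
  | { kind: "exists"; isDraft: boolean; isPrerelease: boolean }

// Only a "release not found" error counts as "no release". Auth, network or
// malformed output throws, so the workflow aborts instead of silently continuing.
function parseReleaseState(res: GhResult): ReleaseState {
  if (res.code !== 0) {
    if (/release not found/i.test(res.stderr)) return { kind: "missing" }
    throw new Error(`gh release view failed: ${res.stderr.trim()}`)
  }
  const meta = JSON.parse(res.stdout)
  if (typeof meta.isDraft !== "boolean" || typeof meta.isPrerelease !== "boolean") {
    throw new Error("unexpected release metadata")
  }
  return { kind: "exists", isDraft: meta.isDraft, isPrerelease: meta.isPrerelease }
}

// version.ts-style guard: refuse a computed version that already exists as a
// stable (non-prerelease) release.
function assertVersionFree(tag: string, state: ReleaseState): void {
  if (state.kind === "exists" && !state.isPrerelease) {
    throw new Error(`stable release ${tag} already exists`)
  }
}

// build.ts-style guard: --clobber only when the target release is a draft or a
// prerelease, so the upload itself fails rather than overwriting stable assets.
function uploadArgs(tag: string, files: string[], state: ReleaseState): string[] {
  const mutable = state.kind === "exists" && (state.isDraft || state.isPrerelease)
  return ["release", "upload", tag, ...files, ...(mutable ? ["--clobber"] : [])]
}

// Constructed samples (not output captured from the project).
const STABLE: GhResult = { code: 0, stdout: '{"isDraft":false,"isPrerelease":false}', stderr: "" }
const PRERELEASE: GhResult = { code: 0, stdout: '{"isDraft":false,"isPrerelease":true}', stderr: "" }
const NOT_FOUND: GhResult = { code: 1, stdout: "", stderr: "release not found\n" }
const AUTH_ERROR: GhResult = { code: 1, stdout: "", stderr: "HTTP 401: Bad credentials\n" }
```
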
@kilo-code-bot
Contributor

kilo-code-bot bot commented Apr 13, 2026

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Files Reviewed (2 files)
  • packages/opencode/script/build.ts
  • script/version.ts

Reviewed by gpt-5.4-20260305 · 353,306 tokens

Development

Successfully merging this pull request may close these issues.

brew install broken for kilo cli