parity-lib/CHANGELOG.md
Oleks af64a8ea4c feat(npm): mkS390xNpmPublishMulti — multi-version npm publish per tag (#192)
Mirrors mkPyPiWheelPublishMulti for npm: publishes a fixed {version,file,
distTag?} list, each staged into its own dir and npm-published with its
dist-tag (idempotent). file may be a .node or a plain binary; packageJson
declares main-vs-bin. Unblocks nextjs-swc (next15 dist-tag) + sentry-cli.
Shared parity_npm_publish_dir helper added.
2026-06-02 08:56:38 +03:00

Changelog

All notable changes to parity-lib are documented here. This project follows semantic versioning; the version is a conceptual tag (no git tag is created).

Unreleased

  • Feature: mkS390xNpmPublishMulti (cluster #192). A multi-version npm builder mirroring mkPyPiWheelPublishMulti: it publishes a fixed list of { version; file; distTag? } per tag, each staged into its own dir and published with npm publish under its dist-tag (idempotent: "already exists" == success). file may be a .node addon OR a plain binary, and packageJson (with a $VERSION that the stage heredoc expands) declares the shape (main vs bin), so it covers both nextjs-swc (16.1.6 @latest + 15.2.0 @next15) and sentry-cli (a binary published as an npm package at two versions). Shared parity_npm_publish_dir helper added to ci/parity-lib.sh.
  • Feature: mkPyPiWheelPublishMulti (cluster #197). A multi-version PyPI builder that publishes a fixed list of { version; wheel; } per tag instead of just the default — the pre-parity behaviour several *-s390x repos rely on. Each wheel's real version is read from its filename (PEP 427), so stage/publish/push-staged need no side-channel map and a re-run is idempotent (409-skip per version). Shared parity_pypi_post / parity_wheel_version helpers added to ci/parity-lib.sh. First consumer: numpy-s390x (5 versions).
  • Fix (safety): dev-tag guard was ineffective. Every publish app body runs VERSION="$(parity_derive_version <default>)" before parity_devtag_guard, so by the time the guard checked $VERSION it was always non-empty (the derived default) and an accidental local --publish with no explicit version and no v* tag still pushed (cluster #194 finding). The guard now reads a source-time snapshot PARITY_VERSION_EXPLICIT captured before any clobber, so it correctly blocks unless the caller set $VERSION or $CI_COMMIT_TAG matches ^v[0-9].
  • pipeline-doctor (cluster #191 security sweep): added a scoped per-file check asserting no set -x in token-bearing ci/*.sh scripts going forward — a script that references a registry token (REGISTRY_TOKEN / CI_REGISTRY_TOKEN / an Authorization: token header) must not enable xtrace, which would echo the token to the build log. Token-free helpers (e.g. version parsers) are not flagged.
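
The ordering bug behind the dev-tag guard fix above, as an added example that is not parity-lib's own code. The function bodies, the shortened function names and the default version 1.2.3 are assumptions made for illustration; only $VERSION, $CI_COMMIT_TAG, PARITY_VERSION_EXPLICIT and the ^v[0-9] pattern come from the changelog entry.

```bash
# Hypothetical reconstruction of the guard ordering bug; not project code.

# Source-time snapshot: remember whether the caller set $VERSION before any
# app body overwrites it with a derived default.
snapshot_explicit() { PARITY_VERSION_EXPLICIT="${VERSION:-}"; }

# Assumed derivation: explicit $VERSION, else a v* tag, else the default ($1).
derive_version() {
  if [ -n "${VERSION:-}" ]; then
    printf '%s\n' "$VERSION"
  else
    case "${CI_COMMIT_TAG:-}" in
      v[0-9]*) printf '%s\n' "${CI_COMMIT_TAG#v}" ;;
      *)       printf '%s\n' "$1" ;;
    esac
  fi
}

# Pre-fix guard: checks $VERSION, which by now always holds a derived value.
guard_before() {
  [ -n "${VERSION:-}" ] && return 0
  printf '%s\n' "${CI_COMMIT_TAG:-}" | grep -Eq '^v[0-9]'
}

# Fixed guard: checks the snapshot taken before the clobber.
guard_after() {
  [ -n "${PARITY_VERSION_EXPLICIT:-}" ] && return 0
  printf '%s\n' "${CI_COMMIT_TAG:-}" | grep -Eq '^v[0-9]'
}

# Simulate one publish app body in a subshell with constructed inputs.
# $1 = guard function, $2 = caller-supplied VERSION, $3 = CI_COMMIT_TAG
simulate_publish() {
  (
    VERSION="$2"; CI_COMMIT_TAG="$3"
    snapshot_explicit
    VERSION="$(derive_version 1.2.3)"   # derive runs before the guard
    if "$1"; then echo "pushed $VERSION"; else echo "blocked"; fi
  )
}

echo "pre-fix, no version, no tag: $(simulate_publish guard_before '' '')"
echo "fixed,   no version, no tag: $(simulate_publish guard_after '' '')"
```
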

v0.1.0

Initial release (cluster #192/#193/#194, emmett#44).

  • lib.mkParityBuilders pkgs plus per-builder wrappers exposing the six archetype publish-app builders:
    • mkPyPiWheelPublish — single-arch Gitea PyPI wheel.
    • mkS390xNpmPublish — single-arch Gitea npm native addon.
    • mkGenericBinaryPublish — single-arch Gitea generic-registry binary.
    • mkGoBinaryPublish — alias of mkGenericBinaryPublish (explicit archetype).
    • mkNix2ContainerPublish — multi-arch OCI image with publish-index and :latest digest copy.
    • mkHelmPublish — Helm chart to an OCI registry.
  • Each builder returns flake apps following the corrected parity standard: stage-<arch> (build-parity, no registry), publish-<arch> (dry-run by default), publish-index (build-free, fail-closed multi-arch assembly via regctl), publish (all local arches + index + :latest last), and push-staged (replay ./.parity-stage).
  • Shared shell library ci/parity-lib.sh (token resolution from $REGISTRY_TOKEN with a pass fallback, the token never being printed; dev-tag guard; version derivation; the dry-run gate; registry preflight; stage-dir helpers).
  • packages.pipeline-doctor / apps.pipeline-doctor (cluster #193): static parity-contract checker that prints local-equivalent commands.
  • flake.lock fully pinned; nixpkgs follows the shared fleet-pins nixpkgs-ci.