repopilot 0.11.0

Local-first CLI for repository audit, architecture risk detection, baseline tracking, and CI-friendly code review.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176

# Release process

RepoPilot releases are prepared in the repository, verified locally and in CI, tagged from `main`, and published by the release workflow when the required secrets are configured.

## 1. Prepare the release

Update:

- `Cargo.toml` version
- `Cargo.lock` package version, if needed
- `package.json` version
- `CHANGELOG.md`
- `README.md` if user-facing behavior changed
- release checklist for the target version, for example `docs/release-checklist-0.10.md`

Use the current date for the release entry in `CHANGELOG.md`.

## 2. Verify locally

```bash
cargo fmt --check
cargo clippy --all-targets --all-features -- -D warnings
cargo test --all
cargo audit
cargo deny check advisories licenses
cargo package --list
cargo publish --dry-run
./scripts/smoke-product.sh --binary ./target/release/repopilot --repo . --tmp-dir /tmp/repopilot-release-smoke
mapfile -d '' shell_scripts < <({ [[ -f install.sh ]] && printf '%s\0' install.sh; [[ -d scripts ]] && find scripts -maxdepth 1 -type f -name '*.sh' -print0; })
((${#shell_scripts[@]} == 0)) || bash -n "${shell_scripts[@]}"
((${#shell_scripts[@]} == 0)) || shellcheck "${shell_scripts[@]}"
mapfile -d '' workflows < <(find .github/workflows -maxdepth 1 -type f \( -name '*.yml' -o -name '*.yaml' \) -print0)
((${#workflows[@]} == 0)) || actionlint "${workflows[@]}"
npm test
npm pack --dry-run
```

Review the package contents from `cargo package --list` before publishing.
When release archives already exist in `dist/`, verify npm platform package
generation with:

```bash
node scripts/build-npm-platform-packages.js --dist dist --out /tmp/repopilot-npm-platform-packages
```

Install `cargo-audit`, `cargo-deny`, `shellcheck`, and `actionlint` before running the local release checks.
For a version-specific gate list, use the current release checklist in `docs/release-checklist-*.md`.
The product smoke suite validates the adoption flow, including receipt generation.

## npm Trusted Publishing setup

Before the first npm publish, configure npm Publishing Access for `repopilot` and
each `@repopilot/*` platform package:

```text
Publisher: GitHub Actions
Repository owner: MykytaStel
Repository name: repopilot
Workflow filename: publish-npm.yml
Environment name: npm
```

Keep package publishing access set to "Require two-factor authentication and
disallow tokens". The `publish-npm.yml` job uses the `npm` GitHub Environment and
OIDC, so no `NPM_TOKEN` secret is required.

## 3. Create release branch

```bash
git checkout -b release/vX.Y.Z
```

## 4. Commit

```bash
git add .
git commit -m "chore: prepare vX.Y.Z release"
```

## 5. Merge after CI passes

Open a pull request, wait for CI, review the package metadata and docs, then merge into `main`.

## 6. Tag

```bash
git checkout main
git pull
git tag vX.Y.Z
git push origin vX.Y.Z
```

The tag workflow builds GitHub Release artifacts, creates or updates the GitHub Release once, runs `cargo publish --dry-run`, publishes crates.io with `CRATES_IO_TOKEN`, and updates the Homebrew tap with `HOMEBREW_TAP_TOKEN`. The separate `publish-npm.yml` workflow downloads the GitHub Release artifacts, generates checksum-verified `@repopilot/*` platform packages, publishes those packages first, then publishes the root `repopilot` package through npm Trusted Publishing / GitHub OIDC. Optional secret-backed channels are skipped when their secret is absent.

## 7. Verify publishing

After the tag workflow passes, verify all configured distribution channels:

```bash
cargo install repopilot --force
npm install -g repopilot@X.Y.Z
brew tap mykytastel/repopilot
brew install repopilot
repopilot --version
brew test repopilot
```

For the 0.11.0 release, also verify that the public package and tag state moved
to 0.11.0:

```bash
git ls-remote --tags origin v0.11.0
npm view repopilot version
for pkg in \
  @repopilot/darwin-arm64 \
  @repopilot/darwin-x64 \
  @repopilot/linux-arm64-gnu \
  @repopilot/linux-x64-gnu \
  @repopilot/win32-x64-msvc; do
  npm view "$pkg" version
done
npm install -g repopilot@0.11.0
repopilot --version
repopilot scan . --format json --output /tmp/repopilot-0.11-smoke.json
```

If a publishing secret is intentionally absent, publish that channel manually from the exact tagged commit and a clean worktree.

For Homebrew failures, check the custom tap first: `MykytaStel/homebrew-repopilot` must exist, contain a `Formula/` directory, and be writable by `HOMEBREW_TAP_TOKEN`.

## 8. Review GitHub Release

Title:

```text
RepoPilot vX.Y.Z — short release name
```

Include:

- highlights;
- install commands for npm, cargo, and quick install;
- upgrade command;
- example usage;
- React Native example when relevant;
- link to [CHANGELOG.md](../CHANGELOG.md).

Example release body:

````md
## Highlights

- ...

## Install

```bash
npm install -g repopilot
cargo install repopilot
```

## Upgrade

```bash
npm update -g repopilot
cargo install repopilot --force
```

## Example

```bash
repopilot review . --base origin/main
```

See [CHANGELOG.md](https://github.com/MykytaStel/repopilot/blob/main/CHANGELOG.md) for details.
````