Skip to content

chore: release v5.2.0#82

Closed
finalerock44 wants to merge 40 commits into
productionfrom
dev
Closed

chore: release v5.2.0#82
finalerock44 wants to merge 40 commits into
productionfrom
dev

Conversation

@finalerock44

@finalerock44 finalerock44 commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

What & why

Type of change

  • fix — bug fix
  • feat — new feature
  • perf — performance improvement
  • refactor — code change that's neither a fix nor a feature
  • docs — documentation only
  • chore / ci / build / test — tooling, no user-facing change
  • Breaking change (title has ! or PR notes a BREAKING CHANGE:)

Checklist

  • PR title follows the Conventional Commits format (see comment above)
  • pnpm lint passes
  • pnpm typecheck passes
  • pnpm build passes
  • I have not bumped the version or edited CHANGELOG.md (release-please handles this)
  • I have signed the CLA (the bot will prompt on first contribution)
  • Docs / README.md / STYLE_GUIDE.md updated if behaviour or output changed

How to test


View with Codesmith Autofix with Codesmith
Need help on this PR? Tag /codesmith with what you need. Autofix is disabled.

riglar and others added 30 commits June 24, 2026 09:04
`isOutdated` stripped the prerelease suffix before comparing, so
beta-to-beta bumps like 5.0.0-beta.0 -> 5.0.0-beta.1 both collapsed to
[5,0,0], compared equal, and `dcd upgrade` reported "Already on the
latest version". Same nudge in cloud.ts was affected.

Replace the naive major.minor.patch compare with a SemVer 2.0.0
`compareSemver` helper that handles prerelease precedence (a prerelease
ranks below its final release; identifiers compare dot-by-dot, numeric
numerically and below alphanumeric). Add unit coverage for the
regression and related cases.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
When --quiet is passed (geared at CI), the live results footer no longer
renders the "next refresh in Ns" / "refreshing…" countdown. The realtime
connection indicator is still shown.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…mparison

fix(upgrade): compare prerelease versions per SemVer
…h-countdown

fix: suppress refresh countdown in quiet mode
feat(cloud): warn on deprecated iOS 16 (removal 2026-08-23)
feat(cloud): Maestro deprecation — drop legacy hard-block, soft-warn 1.39.5/1.41.0
The install scripts resolved the version from /latest.json, which (until a
stable release exists) synthesized the newest prerelease — so the default
`curl … | sh` was silently installing betas.

Pair the proxy's new channel support (get.devicecloud.dev now serves stable
on /latest.json and prereleases on ?channel=beta) with explicit opt-ins:

- DCD_BETA — request the beta channel (latest prerelease).
- DCD_VERSION — already pins an exact version; documented for rollback.
- Default (no opt-in) installs the latest *stable* only. When no stable
  release exists yet, the installer errors with guidance pointing at
  DCD_BETA / DCD_VERSION instead of falling back to a beta.

The manifest fetch is separated from parsing so a transient network/proxy
failure (curl -f non-zero) is reported differently from a channel that has
no release yet (HTTP 200 with "version": null).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Scaffolding to open dcd-cli to external contributors:

- LICENSE (MIT), CONTRIBUTING, CODE_OF_CONDUCT, SECURITY, CLA templates
- CODEOWNERS, PR template, issue forms + config, dependabot, .editorconfig
- pr-title-lint workflow: Conventional Commits on PR title (squash-merge model,
  types kept in sync with release-please changelog-sections)
- cla workflow: CLA Assistant Lite
- release-please: use a GitHub App token (falls back to GITHUB_TOKEN until the
  App secrets exist) so Release PRs trigger required checks under branch protection
- cli-ci: also run on production so the dev->production promotion PR is gated
fix(installer): make beta opt-in, default to stable channel
Low value for a small maintainer team where anyone can review anything; the
branch ruleset's approval requirement covers review without it.
chore: add open-source contribution governance
* fix(ci): keep dependabot and fork PRs green

Dependabot/fork PRs run without repo secrets, so three jobs failed on them:

- lint-and-test: HAS_PRIVATE_ACCESS was true for dependabot (same-repo head),
  so it tried to clone the private mock-api with an empty DCD_SSH_DEPLOY_KEY.
  Now excludes dependabot[bot], same as forks (skips mock-api + integration).
- claude-code-review: skips dependabot/fork PRs (no CLAUDE_CODE_OAUTH_TOKEN).
- cla: skips its action step until PERSONAL_ACCESS_TOKEN is configured so the
  check is green instead of 'Branch cla-signatures not found'; also fixes two
  invalid input names (custom-*-prompt -> custom-*-prcomment).

* ci: group all github-actions bumps into one weekly PR

Wildcard pattern so major action bumps join the group too, instead of one
PR per action.
* ci: power CLA via the shared automation GitHub App

Mint the CLA token from the same GitHub App release-please uses, instead of a
personal PAT (no expiry, signature commits show as the bot). Rename the App
secrets RELEASE_PLEASE_APP_* -> BOT_APP_* since one App now serves both
workflows. CLA self-skips until BOT_APP_ID is set.

Carries only the app-token delta — the dependabot/fork CI fixes and actions
grouping already landed on dev via #46.

* ci: allowlist internal maintainers (riglar, finalerock44) in CLA
Fill the CLA party placeholder and the LICENSE/README copyright holder with the
registered entity. CLA still pending legal review.
Bumps the actions group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [actions/create-github-app-token](https://github.com/actions/create-github-app-token) | `2` | `3` |
| [actions/checkout](https://github.com/actions/checkout) | `4` | `7` |
| [pnpm/action-setup](https://github.com/pnpm/action-setup) | `4` | `6` |
| [actions/setup-node](https://github.com/actions/setup-node) | `5` | `6` |
| [amannn/action-semantic-pull-request](https://github.com/amannn/action-semantic-pull-request) | `5` | `6` |
| [googleapis/release-please-action](https://github.com/googleapis/release-please-action) | `4` | `5` |



Updates `actions/create-github-app-token` from 2 to 3
- [Release notes](https://github.com/actions/create-github-app-token/releases)
- [Changelog](https://github.com/actions/create-github-app-token/blob/main/CHANGELOG.md)
- [Commits](actions/create-github-app-token@v2...v3)

Updates `actions/checkout` from 4 to 7
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v4...v7)

Updates `pnpm/action-setup` from 4 to 6
- [Release notes](https://github.com/pnpm/action-setup/releases)
- [Commits](pnpm/action-setup@v4...v6)

Updates `actions/setup-node` from 5 to 6
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](actions/setup-node@v5...v6)

Updates `amannn/action-semantic-pull-request` from 5 to 6
- [Release notes](https://github.com/amannn/action-semantic-pull-request/releases)
- [Changelog](https://github.com/amannn/action-semantic-pull-request/blob/main/CHANGELOG.md)
- [Commits](amannn/action-semantic-pull-request@v5...v6)

Updates `googleapis/release-please-action` from 4 to 5
- [Release notes](https://github.com/googleapis/release-please-action/releases)
- [Changelog](https://github.com/googleapis/release-please-action/blob/main/CHANGELOG.md)
- [Commits](googleapis/release-please-action@v4...v5)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: actions/create-github-app-token
  dependency-version: '3'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: actions/setup-node
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: amannn/action-semantic-pull-request
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: googleapis/release-please-action
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: pnpm/action-setup
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: finalerock44 <77282157+finalerock44@users.noreply.github.com>
#51)

fix: v5 release blockers — installer, binary version, repeated flags, upgrade, CI output

- install.ps1: fix PS 5.1 parse error (`$asset:` -> `${asset}`) that made
  `irm | iex` a no-op on stock Windows; decode the octet-stream SHA256SUMS
  (Byte[] under -UseBasicParsing) to text before splitting.
- build/version: stamp the version into the bun-compiled binary via
  `bun --define __DCD_CLI_VERSION__` (the compiled binary can't read
  package.json), so `dcd --version` no longer reports 0.0.0. npm/tsx path
  still falls back to reading package.json. Adds src/global.d.ts.
- cloud: collect repeated `-e/--env`, `-m/--metadata`, `--include-tags`,
  `--exclude-tags`, `--exclude-flows` from rawArgs (citty/parseArgs kept only
  the last occurrence, silently dropping earlier values); echo the collected
  values too.
- upgrade: query the beta channel for prerelease installs and distinguish
  "no newer release on this channel" from a real network failure, replacing
  the misleading "Could not reach the update manifest" error during the beta.
- progress/polling: make the realtime status indicator TTY-aware — in
  non-interactive/CI output, print one line per state change instead of
  flooding logs with a per-frame spinner (not suppressed by --quiet/--json-file).
- methods: downgrade primary-Backblaze-upload failure warnings to debug-only;
  the Supabase fallback recovers and validateUploadResults raises the only
  user-facing error (when every strategy fails).
- list/status: build console links from the env the CLI targets
  (resolveFrontendUrl) instead of the API's hardcoded-prod consoleUrl.
- cloud: validate a local --app-file exists during --dry-run.
Co-authored-by: dcd-cli-release-please[bot] <296541543+dcd-cli-release-please[bot]@users.noreply.github.com>
The CLA Assistant action defaults lock-pullrequest-aftermerge=true, so merging
a release-please PR locked it; release-please then failed trying to comment on
the locked PR, killing the Release job before npm publish + binary upload ran
(seen on v5.0.0-beta.2). Set lock-pullrequest-aftermerge=false.

Also skip release-please PRs in claude-code-review (version bumps — nothing to
review, and it must never block a release).
Prints a beta notice (billed at $0.03/min, contact support to enroll) before
starting a session. The API's new enrollment gate returns a 403 whose
"contact support" message the CLI already surfaces verbatim on a non-enrolled
org.
Co-authored-by: dcd-cli-release-please[bot] <296541543+dcd-cli-release-please[bot]@users.noreply.github.com>
Both versions are gone from the API gate, so resolveMaestroVersion rejects them
before the soft-warn block runs; drop the now-unreachable notice and bump the
integration test to a supported version. Also refresh CLAUDE.md.
* feat: render DB-driven notices and forward CLI/CI identity

The CLI now renders deprecation/warn/info/marketing notices the API returns with
the compatibility data, honouring --json. Removes the hardcoded iOS-16 warning
(now a seeded notice gated on the selected iOS version).

- notices.service: Notice type, match-DSL evaluator, level-aware renderer
- ci.ts: detectCiContext() resolves provider + wrapper version (DCD_CI_*)
- compatibility.ts: carries notices; forwards x-dcd-cli-version + x-dcd-ci-* headers
- version.service: export compareSemver for reuse

* test(upload): expect success when --ignore-sha-check bypasses dedup

The dcd swagger fix (getBinaryUploadUrl now returns a valid uploads/ staging
path) makes the TUS fallback upload succeed against dev storage, so this test no
longer fails — invert it to assert the command succeeds and returns a binary id.
Co-authored-by: dcd-cli-release-please[bot] <296541543+dcd-cli-release-please[bot]@users.noreply.github.com>
* fix(notices): single ⚠ symbol and distinct deprecation styling

Notice rendering routed warn/deprecation through warnOut (logger.warn), which
prepends its own ⚠ on top of the one ui.warn adds — producing a doubled ⚠ ⚠ and
a stray ⚠ on each branch row. Render through the gated out channel instead and
add the level symbol explicitly, so it shows a single symbol. Deprecation now
uses a red ⚠ to read as more serious than a yellow warn (they were identical).

* ci: point mock-api checkout at devicecloud-dev/dcd; docs: update CLAUDE.md

Update the cli-ci mock-api checkout from moropo-com/dcd to devicecloud-dev/dcd
(org rename) so it no longer relies on the redirect, and refresh CLAUDE.md.
Release-As: 5.0.1-beta.1
Co-authored-by: dcd-cli-release-please[bot] <296541543+dcd-cli-release-please[bot]@users.noreply.github.com>
Notice warn/deprecation rendering hand-concatenated symbols/colors in the service
layer, violating the STYLE_GUIDE rule that all human-facing output goes through
ui.ts. Add a ui.deprecation() helper (red warning glyph) and a matching
symbols.deprecation, and route warn through ui.warn. Output is unchanged.
Bumps [eslint-plugin-unicorn](https://github.com/sindresorhus/eslint-plugin-unicorn) from 68.0.0 to 69.0.0.
- [Release notes](https://github.com/sindresorhus/eslint-plugin-unicorn/releases)
- [Commits](sindresorhus/eslint-plugin-unicorn@v68.0.0...v69.0.0)

---
updated-dependencies:
- dependency-name: eslint-plugin-unicorn
  dependency-version: 69.0.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
dependabot Bot and others added 10 commits July 10, 2026 14:08
#71)

---
updated-dependencies:
- dependency-name: "@clack/prompts"
  dependency-version: 1.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@supabase/supabase-js"
  dependency-version: 2.110.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@types/node"
  dependency-version: 26.1.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: eslint
  dependency-version: 10.6.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: js-yaml
  dependency-version: 5.2.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: prettier
  dependency-version: 3.9.4
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: tar
  dependency-version: 7.5.19
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: tsx
  dependency-version: 4.23.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: typescript-eslint
  dependency-version: 8.62.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Companion to devicecloud-dev/dcd#1084 (which fixes the root cause of
"Invalid Refresh Token: Already Used" by minting the CLI its own session
at login). This fixes the recovery path for sessions that are already
broken:

- CliAuthGateway.refresh now throws a typed SessionRefreshError whose
  `definitive` flag distinguishes a GoTrue 4xx token rejection from
  transient failures (network, 5xx).
- On a definitive rejection, resolveAuth drops the dead session from the
  config (keeping env/api_url/org), so subsequent commands report a clean
  "Not authenticated" instead of failing the same refresh every time.
- `dcd login` no longer dead-ends users whose session has expired: the
  "Already logged in… Sign out and log in again?" confirm is skipped for
  expired sessions (it proceeds straight to sign-in), and defaults to Yes
  for live ones — running `dcd login` deliberately almost always means
  "log me in".

Also updates the login-flow comments and CLAUDE.md for the new handoff
contract (access token as identity proof; api mints a dedicated session).

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
#75)

* feat(cloud): device matrix via repeated --ios-config/--android-config (#1105)

One upload targets N device configs. Each --ios-config <device>:<version> /
--android-config <device>:<apiLevel>[:play] names exactly one validated cell —
no cross-product. A device matrix is single-platform; mixing platforms is
rejected before any upload.

- parseDeviceMatrix() (unit-tested): parsing, :play Google Play cell, mixed-
  platform + malformed rejection.
- Each cell validated against the compatibility matrix up front; fails fast
  naming the bad cell before the flow zip is uploaded.
- Serialized as the deviceMatrix field; single-device submissions stay byte-
  identical. targetPlatform now derives from the matrix too.
- Pre-submit cost preview via POST /uploads/estimateMatrix (cells + est. cost +
  per-column breakdown); tolerant of older APIs that lack the endpoint (404).
- --json tests[].device (structured {name, osVersion, googlePlay}) on both the
  sync and async paths, so a flow run on two devices is disambiguated.

Note: generated schema.types.ts is intentionally not regenerated here (it lags
dev's swagger); regenerate from dev after the API lands. Runtime reads
config/simulator_name structurally.

* fix(cloud): tolerate 405 from estimateMatrix preview (#1105)

The cost preview is best-effort, but the gateway only treated 404 as
'endpoint absent' and threw on 405. An API that predates the endpoint (incl.
the CI Prism mock running against dev's swagger before this lands) 405s with
NO_METHOD_MATCHED, which blocked the submit. Treat 404 and 405 alike — return
null and proceed without a preview. A 400 (invalid config) still surfaces.

* test: run integration CLI via execFile argv, not a shell (#1105)

CodeQL flags every `exec(\)` in the integration suite as
js/shell-command-injection-from-environment — the built CLI's absolute path
(path.resolve) flows through a template string into a shell. There is no real
injection (test harness, local fixture paths), but the whole class is avoidable.

Route the shared exec helper through execFile(process.execPath, argv) — no
shell — by tokenising the `${CLI} <args>` command. This is CodeQL's
recommended remediation (argument list, not a shell string) and clears the
entire class across all five integration files at once, with no call-site
changes (signature-compatible; runExpectingFailure still reads stdout/stderr
from the rejection). Verified the CLI runs and non-zero exits still surface
stderr.
Beta of the upload-level device matrix (#75). It is a `feat`, so minor.

The beta manifest had drifted behind stable (5.0.1-beta.1 while latest is
5.1.0), so release-please computed 5.1.0-beta.1 — semver BELOW the published
5.1.0, which would have pointed the `beta` dist-tag at something older than
`latest`. 5.2.0 sits above stable 5.1.0 and clears the pending 5.1.1 (#74),
so `beta` stays ahead of `latest` either way.

Release-As: 5.2.0-beta.1
Co-authored-by: dcd-cli-release-please[bot] <296541543+dcd-cli-release-please[bot]@users.noreply.github.com>
…-matrix/--android-device-matrix (#77)

Renames the device-matrix flags to match the API's `deviceMatrix` field and to
say what they actually are (#1105).

Clean break — no alias, no migration guard. The old names only ever existed in
5.2.0-beta.1, an unconsumed beta, so there is nobody to migrate.

Deliberately NOT marked breaking. A `!` bumps the MAJOR on this 5.x repo
(`bump-minor-pre-major` only applies below 1.0.0), which would ship a bogus
6.0.0 for renaming flags that nobody uses.
…#79)

The table claimed `feat` and a breaking `!` both bump the minor 'pre-1.0'.
That is wrong for this repo: `bump-minor-pre-major` only applies below 1.0.0,
and we are on 5.x, so a `!` bumps the MAJOR. Acting on the old wording is
exactly how a `refactor(cloud)!:` PR title produced a 6.0.0-beta.1 release PR
for a flag rename in an unconsumed beta.

No Release-As footer: with the `!` removed from dev, release-please already
computes 5.2.0-beta.2 on its own. Forcing it here would only risk that footer
leaking into the production promotion.
Co-authored-by: dcd-cli-release-please[bot] <296541543+dcd-cli-release-please[bot]@users.noreply.github.com>
An API predating #1105 does not merely lack the feature — it accepts the
submission and SILENTLY STRIPS the unknown deviceMatrix field, because the API's
global ValidationPipe runs whitelist:true / forbidNonWhitelisted:false. Every
flow then runs on a single default device and the run exits 0. The user asked
for N devices, tested one, and is told nothing: the exact silent under-testing
the device matrix exists to prevent, and the worst outcome the feature can
produce.

The estimate endpoint is only called when a matrix was requested, so a null
estimate (gateway maps 404/405 -> null) is a definitive 'API too old' signal.
Fail loudly there instead of proceeding.

This also removes the ordering footgun for the prod rollout structurally rather
than by remembering it: if the CLI ever reaches an API without the matrix
(stale deploy, rollback, lagging self-host), it now refuses instead of quietly
under-testing.

Verified against a local Prism mock served from PRODUCTION's swagger (no
estimateMatrix): matrix run refuses with exit 1; a legacy single-device run on
the same API still succeeds with exit 0.
Co-authored-by: dcd-cli-release-please[bot] <296541543+dcd-cli-release-please[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants