Skip to content

Proposed rollback to 3e90b26: no working NuGet publish destination, #181 regression, dependabot churn #193

Description

@peters

Context

A pending (currently uncommitted) change rolls the tracked tree back to 3e90b26 — a byte-exact revert of everything in 3e90b26..dc47ff5 (v1.0.0-beta.49): the artifact-cache prune fix ef6c572 (the fix for #181), the NuGet publishing changes (1d3e68b, 4678f2e, dc47ff5), and the merged dependabot bumps #177/#178/#179.

A max-effort review of that diff surfaced the findings below. Filing them so each regression is a deliberate decision rather than a side effect of the rollback.

Base is stale: the rollback was computed from beta.49, but main is now 6 commits ahead (dabf4b4), including d3e2ee9 (tagged v1.0.0-beta.50) and PRs #187#191. Landing it as-is would require a force-push (dropping a released commit from main) or an unreviewed merge.

Findings

1. Releases would have no working NuGet destination (critical)

  • The rollback restores dotnet nuget push --source nuget.org --api-key ${{ secrets.PETERSUNDE_NUGET_ORG_API_KEY }} — the exact configuration that failed the v1.0.0-beta.48 release with 403 (The specified API key is invalid, has expired, or does not have permission) (run 28244679072). The secret has not been rotated since that failure.
  • It simultaneously removes the GitHub Packages push added by dc47ff5 — the only destination that actually worked (beta.49/beta.50 exist only there; nuget.org stops at beta.46).
  • publish-nuget has no token-presence/validation guard (unlike publish-cargo-crates-io), so any credential problem only surfaces at release time.

Decision needed: intended destination(s) for Surge.NET (rotate the nuget.org key? keep GitHub Packages alongside?), plus a token guard in the job.

2. Reverts the #181 fix: silent prune failures + deleted regression coverage

  • surge-installer-ui prune_artifact_cache_for_package discards the prune Result (let _ =), so GUI and headless installs report neither prune failures nor counts; setup.rs and finalize.rs still log. This reintroduces the silent stale-cache accumulation Prune stale local artifact cache after successful installs and updates #181 was filed about.
  • Deletes test_download_and_apply_latest_full_artifact_retention_prunes_old_fulls_and_deltas — the only end-to-end coverage that latest_full retention prunes old fulls and deltas. AGENTS.md requires: "For update/diff changes, include regression coverage for full + delta flows." The behavior it guards still exists in finalize.rs.
  • Re-duplicates the retained-artifacts derivation verbatim across surge-cli and surge-installer-ui (the deleted shared helper retained_artifacts_for_resolved_install_cache made both call sites one-liners); the two copies already differ in error handling.
  • The surge setup prune log line drops the "retained policy key count" field (the update path in finalize.rs kept it).

Decision needed: if reverting ef6c572 is intentional, reopen #181 with the rationale; otherwise keep the fix (or re-land the revert without these four regressions).

3. Dependency/action downgrades guarantee weekly dependabot churn

Decision needed: if v6 / the older crates are genuinely required, add dependabot ignore entries and a comment saying why; otherwise drop these downgrades from the rollback.

Verified non-issues

  • cargo check --workspace --all-targets passes on the rolled-back tree.
  • The removed surge-core pub APIs (*_with_stats, InstallArtifactCachePruneResult, retained_artifacts_for_resolved_install_cache) shipped only in -beta prereleases — acceptable churn.
  • --source nuget.org resolves via dotnet/nuget.config; the packages: write permission removal has no other consumer; the checkout pins are at least internally consistent at v6.

Suggested path


Found by max-effort multi-agent code review (10 finder angles, per-finding adversarial verification, gap sweep); evidence includes release run logs and commit archaeology.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions