2026-05-22 โ Wrong major-version bump proposed on main due to manual edits
to release-please's governed files inside a squashed PR. Resolved + 3-layer prevention shipped.
feat!: hard-delete monitors.json. The ! queues a future MAJOR bump.
v8.0.0 tagged + released cleanly.
chore: bump to v8.1.0 that hand-edits 9 governed files. release-please's state machine desyncs.
9.0.0. Compare URL says compare/v8.1.0...v9.0.0 โ but neither tag exists.
chore(main): release 8.1.0.
v8.1.0 released correctly.
version-check.yml + pre-push hook).
release-please needs to find a git tag matching the version in .release-please-manifest.json
to know where to start scanning commits. When the manifest says 8.1.0 but no v8.1.0
tag exists, it falls back to the bootstrap-sha baseline and re-scans the full history โ
re-applying every feat!: and BREAKING CHANGE: it finds, even ones already
shipped. Result: wildly wrong major bumps.
| Layer | File | How it protects |
|---|---|---|
| 1 | .github/workflows/release-please-guard.yml |
Reads governed file list from .release-please-config.json at runtime, fails any non-bot PR touching them. Bots + release-please-override label bypass. |
| 2 | CONTRIBUTING.md |
"Do not hand-edit release-please's governed files" subsection under Versioning, references this incident. |
| 3 | docs/fix--release-please-version-drift/release-please-drift.html |
Diagnosis playground with before/after table + step-by-step root-cause walkthrough. |
| Lesson | Action |
|---|---|
Squashed PR bodies hide intent โ an inner chore: bump to vX.Y.Z commit can land without standalone review. |
Guard blocks based on file diffs, not commit messages. |
.release-please-config.json extra-files is the SOURCE for "what release-please owns." |
Guard reads this file at runtime so the list stays in sync automatically. |
| release-please's failure mode is silent โ wrong version, no error. | Treat any major-bump draft on a non-breaking commit cluster as a red flag. |
| The override label exists for emergencies only โ drift fixes, schema changes. | Use sparingly; document the reason in PR body. |