Update version_branch.yml

.github/workflows/version_branch.yml

@@ -132,51 +132,131 @@ jobs:
 
           chmod 0755 "$CI_HELPERS"
 
-      - name: Validate inputs and policy locks
+      $1
+
+      - name: Sanity check workflow and control characters
         run: |
           source "$CI_HELPERS"
-          moko_init "Validate inputs and policy locks"
+          moko_init "Sanity check"
+          python3 - <<'PY'
+import json
+import os
+import re
+from pathlib import Path
+from collections import defaultdict
+from datetime import datetime, timezone
 
-          VERSION_TEXT="$(moko_trim "${VERSION_TEXT}")"
+new_version = (os.environ.get("NEW_VERSION") or "").strip()
+version_text = (os.environ.get("VERSION_TEXT") or "").strip()
+report_only = (os.environ.get("REPORT_ONLY") or "").strip().lower() == "true"
+report_path = (os.environ.get("REPORT_PATH") or "").strip() or None
 
-          echo "[INFO] Inputs received:"
+stamp = datetime.now(timezone.utc).strftime("%Y-%m-%d")
-          echo "  NEW_VERSION=${NEW_VERSION}"
+root = Path(".").resolve()
-          echo "  VERSION_TEXT=${VERSION_TEXT}"
-          echo "  REPORT_ONLY=${REPORT_ONLY}"
-          echo "  COMMIT_CHANGES=${COMMIT_CHANGES}"
-          echo "  BASE_BRANCH=${BASE_BRANCH}"
-          echo "  BRANCH_PREFIX=${BRANCH_PREFIX}"
 
-          [[ -n "${NEW_VERSION}" ]] || { echo "[ERROR] new_version missing" >&2; exit 2; }
+# No literal tab characters. Use explicit escape sequences.
-          [[ "${NEW_VERSION}" =~ ^[0-9]{2}[.][0-9]{2}[.][0-9]{2}$ ]] || { echo "[ERROR] Invalid version format: ${NEW_VERSION}" >&2; exit 2; }
+header_re = re.compile(r"(?im)(VERSION[ \t]*:[ \t]*)([0-9]{2}[.][0-9]{2}[.][0-9]{2})")
+manifest_marker_re = re.compile(r"(?is)<extension\b")
+xml_version_re = re.compile(r"(?is)(<version[ \t]*>)([^<]*?)(</version[ \t]*>)")
+xml_date_res = [
+  re.compile(r"(?is)(<creationDate[ \t]*>)([^<]*?)(</creationDate[ \t]*>)"),
+  re.compile(r"(?is)(<date[ \t]*>)([^<]*?)(</date[ \t]*>)"),
+  re.compile(r"(?is)(<releaseDate[ \t]*>)([^<]*?)(</releaseDate[ \t]*>)"),
+]
 
-          if [[ "${BRANCH_PREFIX}" != "dev/" ]]; then
+skip_ext = {
-            echo "[FATAL] BRANCH_PREFIX is locked by policy. Expected 'dev/' but got '${BRANCH_PREFIX}'." >&2
+  ".json", ".png", ".jpg", ".jpeg", ".gif", ".svg", ".ico", ".pdf",
-            exit 2
+  ".zip", ".7z", ".tar", ".gz", ".woff", ".woff2", ".ttf", ".otf",
-          fi
+  ".mp3", ".mp4",
+}
+skip_dirs = {".git", ".github", "node_modules", "vendor", ".venv", "dist", "build"}
 
-          if ! moko_bool "${REPORT_ONLY}" && [[ "${COMMIT_CHANGES}" != "true" ]]; then
+counters = defaultdict(int)
-            echo "[FATAL] commit_changes must be 'true' when report_only is 'false' to ensure the branch is auditable." >&2
+updated_files = []
-            exit 2
+updated_manifests = []
-          fi
+would_update_files = []
+would_update_manifests = []
 
-          if [[ -n "${VERSION_TEXT}" ]]; then
+def should_skip(p: Path) -> bool:
-            if [[ ! "${VERSION_TEXT}" =~ ^[A-Za-z0-9._-]{1,32}$ ]]; then
+  if p.suffix.lower() in skip_ext:
-              echo "[FATAL] version_text must match ^[A-Za-z0-9._-]{1,32}$ when set." >&2
+    counters["skipped_by_ext"] += 1
-              exit 2
+    return True
-            fi
+  parts = {x.lower() for x in p.parts}
-          fi
+  if any(d in parts for d in skip_dirs):
+    counters["skipped_by_dir"] += 1
+    return True
+  return False
 
-          git ls-remote --exit-code --heads origin "${BASE_BRANCH}" >/dev/null 2>&1 || {
+for p in root.rglob("*"):
-            echo "[ERROR] Base branch does not exist on origin: ${BASE_BRANCH}" >&2
+  if not p.is_file():
-            echo "[INFO] Remote branches:" >&2
+    continue
-            git ls-remote --heads origin | awk '{sub("refs/heads/","",$2); print $2}' >&2
+  if should_skip(p):
-            exit 2
+    continue
+
+  if p.parent == root and p.name.lower() in {"update.xml", "updates.xml"}:
+    counters["skipped_release_artifacts"] += 1
+    continue
+
+  try:
+    original = p.read_text(encoding="utf-8", errors="replace")
+  except Exception:
+    counters["skipped_read_error"] += 1
+    continue
+
+  text = original
+
+  text, n1 = header_re.subn(lambda m: m.group(1) + new_version, text)
+  if n1:
+    counters["header_replacements"] += n1
+
+  is_manifest = (p.suffix.lower() == ".xml" and manifest_marker_re.search(original) is not None)
+  if is_manifest:
+    text, n2 = xml_version_re.subn(lambda m: m.group(1) + new_version + m.group(3), text)
+    if n2:
+      counters["xml_version_replacements"] += n2
+
+    for rx in xml_date_res:
+      text, n3 = rx.subn(lambda m: m.group(1) + stamp + m.group(3), text)
+      if n3:
+        counters["xml_date_replacements"] += n3
+
+  if text != original:
+    would_update_files.append(str(p))
+    if is_manifest:
+      would_update_manifests.append(str(p))
+
+    if not report_only:
+      p.write_text(text, encoding="utf-8")
+      updated_files.append(str(p))
+      if is_manifest:
+        updated_manifests.append(str(p))
+
+report = {
+  "mode": "report_only" if report_only else "apply",
+  "new_version": new_version,
+  "version_text": version_text,
+  "stamp_utc": stamp,
+  "counters": dict(counters),
+  "updated_files": updated_files,
+  "updated_manifests": updated_manifests,
+  "would_update_files": would_update_files,
+  "would_update_manifests": would_update_manifests,
 }
 
-          echo "VERSION_TEXT=${VERSION_TEXT}" >> "$GITHUB_ENV"
+payload = json.dumps(report, indent=2)
 
-      - name: Enterprise policy gate
+if report_path:
+  Path(report_path).write_text(payload, encoding="utf-8")
+else:
+  print(payload)
+
+print("[INFO] Mode:", report["mode"])
+print("[INFO] Would update files:", len(would_update_files))
+print("[INFO] Would update manifests:", len(would_update_manifests))
+print("[INFO] Updated files:", len(updated_files))
+print("[INFO] Updated manifests:", len(updated_manifests))
+PY
+$2
         run: |
           source "$CI_HELPERS"
           moko_init "Enterprise policy gate"
@@ -302,14 +382,14 @@ report_path = (os.environ.get("REPORT_PATH") or "").strip() or None
           stamp = datetime.now(timezone.utc).strftime("%Y-%m-%d")
           root = Path(".").resolve()
 
-# No literal tab characters. Use explicit escape sequences.
+          # No literal tab characters. Use 	 escape sequences.
-header_re = re.compile(r"(?im)(VERSION[ \t]*:[ \t]*)([0-9]{2}[.][0-9]{2}[.][0-9]{2})")
+          header_re = re.compile(r"(?im)(VERSION[ 	]*:[ 	]*)([0-9]{2}[.][0-9]{2}[.][0-9]{2})")
-manifest_marker_re = re.compile(r"(?is)<extension\b")
+          manifest_marker_re = re.compile(r"(?is)<extension")
-xml_version_re = re.compile(r"(?is)(<version[ \t]*>)([^<]*?)(</version[ \t]*>)")
+          xml_version_re = re.compile(r"(?is)(<version[ 	]*>)([^<]*?)(</version[ 	]*>)")
           xml_date_res = [
-  re.compile(r"(?is)(<creationDate[ \t]*>)([^<]*?)(</creationDate[ \t]*>)"),
+            re.compile(r"(?is)(<creationDate[ 	]*>)([^<]*?)(</creationDate[ 	]*>)"),
-  re.compile(r"(?is)(<date[ \t]*>)([^<]*?)(</date[ \t]*>)"),
+            re.compile(r"(?is)(<date[ 	]*>)([^<]*?)(</date[ 	]*>)"),
-  re.compile(r"(?is)(<releaseDate[ \t]*>)([^<]*?)(</releaseDate[ \t]*>)"),
+            re.compile(r"(?is)(<releaseDate[ 	]*>)([^<]*?)(</releaseDate[ 	]*>)"),
           ]
 
           skip_ext = {