What happened
v0.7.0 tag was pushed against commit `8d4d141` (workspace.package.version = 0.7.0) while every `crates/*/Cargo.toml` still had `{ path = "../X", version = "0.6.0" }` on its internal path deps. cargo refused to resolve, breaking both release.yml and publish-to-crates-io.yml on the v0.7.0 tag (no GitHub Release was produced; the tag was deleted and re-tagged after fixing).
Recovery: PR #143 swept 23 pins across 8 manifests + MODULE.bazel.
Why it happened
The pins were added in #136 to give `cargo publish` real crates.io coordinates for path deps. The release-execution skill / docs/release-process.md does not currently call out that bumping `[workspace.package].version` must also sweep every `version = "X.Y.Z"` in path-dep declarations. The PR description for #136 said "Bumping the workspace version requires" and then was truncated — the original author noted the trap but the doc never got written.
Proposed fix (pick one)
Option A — manual step in the release ritual. Add to `docs/release-process.md` a numbered step: "Sweep intra-workspace pins" with a one-liner sed. Cheap, easy to forget.
Option B — script the sweep. Add `scripts/bump_workspace_version.rs` that takes a new version, edits `[workspace.package].version`, `module(version = ...)` in MODULE.bazel, and every `{ path, version }` pin in one pass. Call it from the release-execution flow.
Option C — CI gate. Add a CI check that reads `[workspace.package].version` and compares it to every `version =` value in every workspace member's `Cargo.toml` (for path deps to other workspace members). Fail with a clear error message if they diverge. Makes the bug uncatchable at PR-merge time rather than tag-push time.
Recommend C as primary (catches it immediately on the changelog PR) plus B as the ergonomic helper. A alone is what we have today and it didn't work.
Falsification
This issue would be closed wrong if the same divergence happens again on the v0.8.0 → v0.9.0 cut. The fix should make that structurally impossible (gate) or trivially avoidable (single script).
What happened
v0.7.0 tag was pushed against commit `8d4d141` (workspace.package.version = 0.7.0) while every `crates/*/Cargo.toml` still had `{ path = "../X", version = "0.6.0" }` on its internal path deps. cargo refused to resolve, breaking both release.yml and publish-to-crates-io.yml on the v0.7.0 tag (no GitHub Release was produced; the tag was deleted and re-tagged after fixing).
Recovery: PR #143 swept 23 pins across 8 manifests + MODULE.bazel.
Why it happened
The pins were added in #136 to give `cargo publish` real crates.io coordinates for path deps. The release-execution skill / docs/release-process.md does not currently call out that bumping `[workspace.package].version` must also sweep every `version = "X.Y.Z"` in path-dep declarations. The PR description for #136 said "Bumping the workspace version requires" and then was truncated — the original author noted the trap but the doc never got written.
Proposed fix (pick one)
Option A — manual step in the release ritual. Add to `docs/release-process.md` a numbered step: "Sweep intra-workspace pins" with a one-liner sed. Cheap, easy to forget.
Option B — script the sweep. Add `scripts/bump_workspace_version.rs` that takes a new version, edits `[workspace.package].version`, `module(version = ...)` in MODULE.bazel, and every `{ path, version }` pin in one pass. Call it from the release-execution flow.
Option C — CI gate. Add a CI check that reads `[workspace.package].version` and compares it to every `version =` value in every workspace member's `Cargo.toml` (for path deps to other workspace members). Fail with a clear error message if they diverge. Makes the bug uncatchable at PR-merge time rather than tag-push time.
Recommend C as primary (catches it immediately on the changelog PR) plus B as the ergonomic helper. A alone is what we have today and it didn't work.
Falsification
This issue would be closed wrong if the same divergence happens again on the v0.8.0 → v0.9.0 cut. The fix should make that structurally impossible (gate) or trivially avoidable (single script).