chore: standardize ruby release flow with back-merge and strict version checks

Author: cs-raj

.github/workflows/back-merge-pr.yml

@@ -0,0 +1,59 @@
+# Opens a PR from master → development after changes land on master (back-merge).
+#
+# Org/repo Settings → Actions → General → Workflow permissions: read and write
+# (so GITHUB_TOKEN can create pull requests). Or use a PAT in secret GH_TOKEN.
+
+name: Back-merge master to development
+
+on:
+  push:
+    branches: [master]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  open-back-merge-pr:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Open back-merge PR if needed
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -euo pipefail
+          git fetch origin development master
+
+          MASTER_SHA=$(git rev-parse origin/master)
+          DEV_SHA=$(git rev-parse origin/development)
+
+          if [ "$MASTER_SHA" = "$DEV_SHA" ]; then
+            echo "master and development are at the same commit; nothing to back-merge."
+            exit 0
+          fi
+
+          EXISTING=$(gh pr list --repo "${{ github.repository }}" \
+            --base development \
+            --head master \
+            --state open \
+            --json number \
+            --jq 'length')
+
+          if [ "$EXISTING" -gt 0 ]; then
+            echo "An open PR from master to development already exists; skipping."
+            exit 0
+          fi
+
+          gh pr create --repo "${{ github.repository }}" \
+            --base development \
+            --head master \
+            --title "chore: back-merge master into development" \
+            --body "Automated back-merge after changes landed on \`master\`. Review and merge to keep \`development\` in sync."
+
+          echo "Created back-merge PR master → development."

.github/workflows/check-branch.yml

@@ -0,0 +1,82 @@
+name: Check Version Bump
+
+on:
+  pull_request:
+    branches: [main, master]
+
+jobs:
+  check-version-bump:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Validate version and changelog updates
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          VERSION_FILE="lib/contentstack_utils/version.rb"
+          CHANGELOG_FILE="CHANGELOG.md"
+          BASE_SHA="${{ github.event.pull_request.base.sha }}"
+          HEAD_SHA="${{ github.event.pull_request.head.sha }}"
+
+          mapfile -t CHANGED_FILES < <(git diff --name-only "$BASE_SHA" "$HEAD_SHA")
+          if [ "${#CHANGED_FILES[@]}" -eq 0 ]; then
+            echo "No changed files detected."
+            exit 0
+          fi
+
+          is_ignored_change() {
+            local f="$1"
+            [[ "$f" =~ ^docs/ ]] && return 0
+            [[ "$f" =~ ^\.github/ ]] && return 0
+            [[ "$f" =~ (^|/)tests?/ ]] && return 0
+            [[ "$f" =~ (^|/)spec/ ]] && return 0
+            [[ "$f" =~ \.md$ ]] && [[ ! "$f" =~ (^|/)CHANGELOG\.md$ ]] && return 0
+            return 1
+          }
+
+          has_release_impact=false
+          for file in "${CHANGED_FILES[@]}"; do
+            if ! is_ignored_change "$file"; then
+              has_release_impact=true
+              break
+            fi
+          done
+
+          if [ "$has_release_impact" = false ]; then
+            echo "Skipping docs/test-only PR."
+            exit 0
+          fi
+
+          changed_file() {
+            local target="$1"
+            for file in "${CHANGED_FILES[@]}"; do
+              if [ "$file" = "$target" ]; then
+                return 0
+              fi
+            done
+            return 1
+          }
+
+          changed_file "$VERSION_FILE" || { echo "Version bump required in $VERSION_FILE."; exit 1; }
+          changed_file "$CHANGELOG_FILE" || { echo "Matching changelog update required in $CHANGELOG_FILE."; exit 1; }
+
+          head_version=$(sed -nE 's/.*VERSION\s*=\s*["'"'"']([^"'"'"']+)["'"'"'].*/\1/p' "$VERSION_FILE" | sed -n '1p')
+          CHANGELOG_HEAD=$(sed -nE 's/^## v?([^[:space:]]+).*/\1/p' "$CHANGELOG_FILE" | head -1)
+
+          [ -n "$CHANGELOG_HEAD" ] || { echo "::error::Could not find a top changelog heading like '## vX.Y.Z' in $CHANGELOG_FILE."; exit 1; }
+          [ "$CHANGELOG_HEAD" = "$head_version" ] || { echo "::error::$CHANGELOG_FILE top version ($CHANGELOG_HEAD) does not match project version ($head_version)."; exit 1; }
+
+          base_version=$(git show "$BASE_SHA:$VERSION_FILE" | sed -nE 's/.*VERSION\s*=\s*["'"'"']([^"'"'"']+)["'"'"'].*/\1/p' | sed -n '1p')
+          latest_tag=$(git tag --list 'v*' --sort=-version:refname | sed -n '1p')
+          latest_version="${latest_tag#v}"
+          [ -n "$latest_version" ] || latest_version="0.0.0"
+
+          version_gt() {
+            python3 -c 'import sys;v=lambda s:[int(x) if x.isdigit() else 0 for x in (s.strip().lstrip("v").split("-",1)[0].split("+",1)[0].split(".")+["0","0","0"])[:3]];print("true" if v(sys.argv[1])>v(sys.argv[2]) else "false")' "$1" "$2"
+          }
+
+          [ "$(version_gt "$head_version" "$base_version")" = "true" ] || { echo "Version must be greater than base version ($base_version). Found $head_version."; exit 1; }
+          [ "$(version_gt "$head_version" "$latest_version")" = "true" ] || { echo "Version must be greater than latest tag version ($latest_version). Found $head_version."; exit 1; }

.github/workflows/check-version-bump.yml

@@ -6,6 +6,7 @@ on:
 
 jobs:
   build:
+    if: ${{ startsWith(github.event.release.tag_name, 'v') && !github.event.release.draft }}
     name: Build + Publish
     runs-on: ubuntu-latest
     permissions:
@@ -14,6 +15,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v3
+      with:
+        ref: ${{ github.event.release.tag_name }}
     - name: Set up Ruby 2.7
       uses: ruby/setup-ruby@v1
       with:

.github/workflows/release-gem.yml

@@ -33,7 +33,7 @@ description: Use when reviewing or preparing a PR for this gem—behavior, tests
 
 ### Process
 
-- Respect **CODEOWNERS** and branch policy (**`master`** vs **`staging`**) described in [dev-workflow](../dev-workflow/SKILL.md)
+- Respect **CODEOWNERS** and branch policy (**feature/fix -> `development`**, release PRs **`development` -> `master`**) described in [dev-workflow](../dev-workflow/SKILL.md)
 
 ## References
 

skills/code-review/SKILL.md

@@ -32,12 +32,12 @@ description: Use when setting up the dev environment, running build/test/docs, o
 
 ### Branches and PRs
 
-- `.github/workflows/check-branch.yml` blocks merging into **`master`** unless the head branch is **`staging`** (organizational policy). Prefer PRs that follow team conventions for `master` / `staging`.
+- Feature/fix PRs should target **`development`**. Release PRs are raised directly from **`development`** to **`master`**.
 - Use `CODEOWNERS` for required reviewers when applicable
 
 ### CI and automation (no RSpec workflow today)
 
-- **Release:** `.github/workflows/release-gem.yml` — on GitHub **release created**, builds and pushes to RubyGems (note: workflow pins Ruby 2.7 for publish; align with gemspec minimum when changing)
+- **Release:** `.github/workflows/release-gem.yml` — on GitHub **Release** created (`release: types: [created]`) for tag **`v*`** (draft releases skipped), checks out the tag, then builds and pushes to RubyGems (note: workflow pins Ruby 2.7 for publish; align with gemspec minimum when changing)
 - **Security / compliance:** CodeQL, policy scan, SCA scan — see `.github/workflows/`
 - **Issues:** Jira integration workflow in `.github/workflows/issues-jira.yml`
 

skills/dev-workflow/SKILL.md

@@ -35,7 +35,7 @@ description: Use when changing the gemspec, Bundler setup, Ruby/runtime constrai
 ### Build and publish
 
 - Local artifact: `gem build contentstack_utils.gemspec`
-- Publishing is triggered by GitHub **release** per `release-gem.yml`
+- Publishing runs when a GitHub **Release** is created (`release: types: [created]`) for tag **`v*`** (draft releases skipped); see `release-gem.yml`.
 
 ## References