fix: root-cause + cleanup for merge-beta/fix-beta sed-scope bug #169

Merged: PaulNewling merged 2 commits into v4-beta from fix/sed-scope-third-party-refs, May 28, 2026

@PaulNewling PaulNewling commented May 28, 2026

Why

merge-beta.sh and fix-beta.sh blanket-sed @v4 ↔ @v4-beta across all workflow / action files to keep self-refs aligned with the branch. The pattern is too broad and also rewrites third-party action refs that happen to be pinned at @v4 (e.g. actions/checkout@v4 → actions/checkout@v4-beta, a tag that doesn't exist upstream).

Symptom on v4-beta runs:

Unable to resolve action `actions/checkout@v4-beta`, unable to find version `v4-beta`

This blocks get run metadata and preflight (require-latest) in node-simple-pnpm.yaml and similar workflows, cascading skips into check for changesets, pre-build, etc. — meaning no v4-beta canary can fully exercise downstream jobs today.

Caught while canary-testing #168 (the changeset coverage check) against platforma-open/antibody-sequence-liabilities#63.

What this PR does

Commit 1 — restore third-party action refs on v4-beta

Flips back, on v4-beta only, the 107 third-party refs across 36 files that were incorrectly rewritten. Affected action repos:

| Action | Lines |
| --- | --- |
| actions/checkout | 41 |
| aws-actions/configure-aws-credentials | 24 |
| actions/cache | 13 |
| actions/download-artifact | 12 |
| actions/upload-artifact (incl. /merge) | 8 |
| actions/setup-java | 3 |
| actions/setup-node | 2 |
| pnpm/action-setup | 1 |
| azure/setup-kubectl | 1 |
| azure/setup-helm | 1 |

Verified by diffing each flipped line against the same line on v4 — every changed line was @v4 on the stable branch.

milaboratory/github-ci/...@v4-beta self-refs are untouched.

Commit 2 — anchor the sed in both scripts so this can't recur

Replaces the bare @v4 / @v4-beta substitution patterns with a path-anchored form:

\(milaboratory/github-ci[^[:space:]@]*\)@v4...

The character class excludes @ so the greedy * stops at the @ sign. fix-beta.sh keeps its two-pattern form (end-of-line and whitespace boundary) — necessary to avoid the original @v4 / @v4-beta prefix collision — and just adds the path anchor inside each pattern.

Also flips six lingering milaboratory/github-ci/.../@v4 self-refs in node-simple-pnpm.yaml back to @v4-beta. These were left behind by a previous manual fixup attempt (the 5baba62 revert) and are exactly what the new fix-beta.sh sed produces when run against the current tree.

Verification

Two definitive tests apply the new sed expressions (extracted verbatim from the scripts) to the actual v4 and v4-beta trees, then diff before/after:

| Test | Source ref | Lines changed | Self-ref | Third-party | @v4-beta-beta artefacts | Result |
| --- | --- | --- | --- | --- | --- | --- |
| fix-beta.sh (@v4 → @v4-beta) | origin/v4 | 563 | 563 | 0 | 0 | ✓ PASS |
| merge-beta.sh (@v4-beta → @v4) | this PR's HEAD (post-fix v4-beta) | 564 | 564 | 0 | 0 | ✓ PASS |

Every changed line is a milaboratory/github-ci/... self-ref. Zero third-party refs are touched and no prefix-collision artefacts (@v4-beta-beta) are produced. Idempotency verified by re-running each sed on its own output.

For comparison, applying the old sed expressions to the same trees corrupts third-party refs exactly as observed in production (actions/checkout@v4 → actions/checkout@v4-beta, etc.).

Adversarial fixture — known theoretical edge cases

A fixture covering quoted refs, prefix-collision paths (not-milaboratory/github-ci/...), SHA-pinned refs, and non-@v4 versions confirms:

  • ✓ Third-party refs at @v4 (e.g. actions/checkout@v4) — not touched
  • ✓ Third-party refs at other versions (@v5, @v6, full SHA) — not touched
  • ✓ Self-refs with sub-paths (milaboratory/github-ci/blocks/notify/...@v4) — flipped correctly
  • ✓ Tokens containing @v4 that aren't refs (e.g. channel: x@v4) — not touched

Two theoretical edge cases remain, neither exercised in the actual codebase (verified by grep over all tracked .yaml / action.yaml):

  1. Pseudo-self-refs. The sed has no word-boundary anchor before milaboratory/github-ci, so a token like not-milaboratory/github-ci/foo@v4 would also flip. Zero occurrences of any character preceding milaboratory/github-ci exist in the repo today.
  2. Quoted refs. fix-beta.sh's EOL/whitespace boundary doesn't cover " or ', so a literal \"milaboratory/github-ci/foo@v4\" would not flip. Zero quoted action refs exist in the repo today. This limitation exists in the old scripts as well — not a regression.

Both edge cases can be tightened later if a use-case appears (anchor at start-of-line / non-identifier char; broaden the boundary to non-ref characters). Not blocking.

Out of scope

  • actions/*/test-*.yaml (act-based unit-test fixtures) deliberately pin @v4 and are outside the find globs in both scripts. Left as-is.

Re-trigger pending canary

Once this PR merges into v4-beta, push an empty commit on platforma-open/antibody-sequence-liabilities#63 so its workflow re-resolves @v4-beta against the fixed tree.

Greptile Summary

This PR fixes a sed-scope bug in fix-beta.sh and merge-beta.sh where a too-broad substitution pattern rewrote third-party action refs (e.g. actions/checkout@v4 → actions/checkout@v4-beta) in addition to the intended milaboratory/github-ci self-refs, causing workflow failures on v4-beta. The fix adds a path anchor \(milaboratory/github-ci[^[:space:]@]*\) so only self-refs are rewritten, and bulk-corrects the 36 files previously corrupted on this branch.

  • fix-beta.sh / merge-beta.sh: Both substitution patterns now require the matched token to begin with milaboratory/github-ci, preserving third-party action pins at their upstream tags.
  • 36 workflow/action files: Third-party refs reverted from @v4-beta → @v4; six lingering milaboratory self-refs in node-simple-pnpm.yaml corrected from @v4 → @v4-beta.

Confidence Score: 5/5

Safe to merge — the sed anchoring fix is correct, all 36 corrected files follow the expected pattern, and the PR includes thorough before/after verification.

The root-cause fix is well-scoped: the new milaboratory/github-ci[^[:space:]@]* anchor precisely targets self-refs without touching third-party pins, and the dual-pattern approach in fix-beta.sh correctly handles the @v4/@v4-beta prefix collision. The bulk file corrections are mechanically consistent with the fix. Known edge cases are documented and verified to have zero occurrences in the repo.

No files require special attention. fix-beta.sh and merge-beta.sh carry the logic change; all other files are straightforward bulk corrections.

Important Files Changed

| Filename | Overview |
| --- | --- |
| fix-beta.sh | Path-anchors the sed patterns to milaboratory/github-ci self-refs; correctly handles the @v4/@v4-beta prefix collision with EOL and whitespace boundary patterns. |
| merge-beta.sh | Single-pattern sed anchored to milaboratory/github-ci path; no prefix-collision risk for the @v4-beta to @v4 direction, so one pattern suffices. |
| .github/workflows/node-simple-pnpm.yaml | Third-party refs reverted from @v4-beta to @v4; six lingering milaboratory self-refs corrected to @v4-beta. |
| .github/workflows/java-gradle.yaml | Most changed workflow file (46 lines); all changes are third-party ref corrections @v4-beta to @v4. |

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["fix-beta.sh runs"] --> B["find action.yaml + .github/workflows/*.yaml"]
    B --> C["sed with path-anchored pattern"]
    C --> D{"milaboratory/github-ci...@v4?"}
    D -- Yes --> E["Rewrite to @v4-beta"]
    D -- No --> F["Leave unchanged"]
    H["merge-beta.sh runs"] --> I["find action.yaml + .github/workflows/*.yaml"]
    I --> J["sed with path-anchored pattern"]
    J --> K{"milaboratory/github-ci...@v4-beta?"}
    K -- Yes --> L["Rewrite to @v4"]
    K -- No --> M["Leave unchanged"]

Reviews (1): Last reviewed commit: "fix: anchor merge-beta.sh / fix-beta.sh ..."

merge-beta.sh and fix-beta.sh perform a blanket sed flip of @v4 ↔
@v4-beta across action.yaml and .github/workflows/*.yaml. The intent
is to keep self-references (milaboratory/github-ci/...) on the right
ref for each branch. The sed pattern is too greedy: it also rewrites
third-party action refs that happen to be pinned to @v4 — for example
actions/checkout@v4 becomes actions/checkout@v4-beta, a tag that
doesn't exist in the upstream repo.

Symptom on v4-beta runs:

  Unable to resolve action `actions/checkout@v4-beta`,
  unable to find version `v4-beta`

This blocks the `get run metadata` and `preflight (require-latest)`
jobs in node-simple-pnpm.yaml and similar workflows, cascading skips
into downstream jobs (`check for changesets`, `pre-build`, etc.).
Caught while canary-testing PR #168 (changeset coverage check).

This commit flips back, on v4-beta only, the 107 third-party refs that
were incorrectly rewritten across 36 files. Affected action repos:

  actions/checkout              (41 lines)
  aws-actions/configure-aws-credentials (24)
  actions/cache                 (13)
  actions/download-artifact     (12)
  actions/upload-artifact       (8, incl. one /merge subpath)
  actions/setup-java            (3)
  actions/setup-node            (2)
  pnpm/action-setup             (1)
  azure/setup-kubectl           (1)
  azure/setup-helm              (1)

milaboratory/github-ci/...@v4-beta self-refs are unchanged.

Follow-up: the underlying sed scope in merge-beta.sh / fix-beta.sh
should be tightened so this doesn't recur on the next promotion.
Tracked separately.

The previous sed in merge-beta.sh and fix-beta.sh treated @v4 / @v4-beta
as bare version tags. In practice they are git refs on a specific repo
(milaboratory/github-ci), so the substitution must only fire when the
preceding path is `milaboratory/github-ci/...`. Without that anchor the
sed rewrites third-party action pins too (actions/checkout@v4,
aws-actions/configure-aws-credentials@v4, pnpm/action-setup@v4, etc.),
producing references like actions/checkout@v4-beta that do not exist
upstream. The previous commit cleaned up the resulting corruption on
v4-beta; this commit prevents recurrence.

Both scripts now wrap the version pattern with a captured prefix:

    \(milaboratory/github-ci[^[:space:]@]*\)@v4...

The character class excludes @ so the greedy match stops at the @
sign, leaving the version token to be matched and replaced.
fix-beta.sh keeps its two-pattern form (end-of-line + whitespace
boundary) to avoid the @v4 → @v4-beta-beta prefix collision; that
guarantee is preserved.

Verified with a fixture covering self-refs, third-party refs, mixed
content, and the prefix-collision case. Both directions are idempotent.

Also flips six lingering milaboratory/github-ci/.../@v4 self-refs in
.github/workflows/node-simple-pnpm.yaml back to @v4-beta. These were
left behind by a previous manual fixup attempt (5baba62 revert) and
are exactly what the new fix-beta.sh sed produces when run against
the current tree.

Out of scope: actions/*/test-*.yaml files referenced by `act`-based
unit tests. Those deliberately pin @v4 and are outside the find
globs in both scripts.
@PaulNewling PaulNewling changed the title "fix: restore third-party action refs mangled by sed-scope bug" to "fix: root-cause + cleanup for merge-beta/fix-beta sed-scope bug" May 28, 2026
@PaulNewling PaulNewling marked this pull request as ready for review May 28, 2026 16:18
@PaulNewling PaulNewling merged commit d7e256c into v4-beta May 28, 2026
1 check passed
@PaulNewling PaulNewling deleted the fix/sed-scope-third-party-refs branch May 28, 2026 18:11
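
The scoping difference this PR describes, as an added example that is not the project's code: a constructed fixture is run through a blanket substitution and a path-anchored one, and third-party refs left at the non-existent @v4-beta tag are counted. The exact expressions in merge-beta.sh / fix-beta.sh are elided on the page, so the boundary handling, the function names and the fixture paths (such as `actions/context`) are assumptions.

```shell
#!/bin/sh
# Constructed fixture: self-refs, third-party pins, a SHA pin, a non-ref token.
fixture() {
cat <<'EOF'
      - uses: actions/checkout@v4
      - uses: milaboratory/github-ci/actions/context@v4
      - uses: milaboratory/github-ci/blocks/notify@v4 # trailing comment
      - uses: milaboratory/github-ci/actions/context@v4-beta
      - uses: pnpm/action-setup@v5
      - uses: aws-actions/configure-aws-credentials@0123456789abcdef0123456789abcdef01234567
        channel: x@v4
EOF
}

# Assumed shape of the old substitution: bare @v4 with EOL / whitespace boundary.
old_to_beta() {
  sed -e 's/@v4$/@v4-beta/' -e 's/@v4\([[:space:]]\)/@v4-beta\1/g'
}

# Path-anchored form: the captured prefix must start with milaboratory/github-ci
# and cannot cross an @, so only self-refs reach the version token.
PFX='\(milaboratory/github-ci[^[:space:]@]*\)'
new_to_beta() {
  sed -e "s#${PFX}@v4\$#\1@v4-beta#" \
      -e "s#${PFX}@v4\([[:space:]]\)#\1@v4-beta\2#g"
}
new_to_stable() { sed -e "s#${PFX}@v4-beta#\1@v4#g"; }

# Count `uses:` lines outside milaboratory/github-ci that point at @v4-beta,
# i.e. refs that cannot resolve upstream.
third_party_beta() {
  awk '/uses:/ && !/milaboratory\/github-ci/ && /@v4-beta/ {n++} END {print n+0}'
}

echo "blanket sed, unresolvable third-party refs:  $(fixture | old_to_beta | third_party_beta)"
echo "anchored sed, unresolvable third-party refs: $(fixture | new_to_beta | third_party_beta)"
```

The `third_party_beta` count can serve as a pre-merge check on the real tree: any non-zero result means a promotion script touched a ref it does not own.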