self.version in metapackages considered harmful

Here's a patch.

No, really, here's a patch.

Update the test to match the patch.

I have fixed it.

The means that the meta packages will change when we tag a Drupal release. I think we need to update https://www.drupal.org/core/maintainers/create-core-release and https://github.com/xjm/drupal_core_release/pull/8 has landed.

However the requirement to do this exists already so I think we can proceed here.

This should be mentioned in the beta1 release notes (and needs a release note).

(Also I can't decide if it needs a CR? Maybe?)

Fixed minor typo in Issue Summary.

Here's the patches for all the supported versions. I'm not sure what the purpose of a CR or a release note would be here. We're changing the meta-packages and as such I don't think there is anything for a user to do. @Mixologic am I correct that a user will not need to make any changes as a result of this? I think the only people this affects is Drupal core release managers.

The 8.9.x patch is exactly the same as #9 but included here for completeness and simplicity.

Cleaning up tags. (Did someone lowercase a bunch of issue tags recently? Violates our text standards and is disruptive... off-topic.) The release note needs to explain the disruption, and the CR at least needs to describe the change required for core development process: new command to run every time a release is created or a module is added, and the new files it will change. It might make sense to append this to the other CR from the previous issue.

I've lost track of which issue it is that adds the test files that also get automatically updated; can we reference it here?

I feel like I should resurrect the happy chx tag...

I just combined this patch with #3086644-55: LegacyProject composer templates wrongly reference 8.x + fix test coverage which will probably be the eventual test for all this.

Running COMPOSER_ROOT_VERSION=8.9.x-dev composer update --lock yielded changes like this:

diff --git a/composer/Metapackage/CoreRecommended/composer.json b/composer/Metapackage/CoreRecommended/composer.json
index aef8a4008f..3e6d102798 100644
--- a/composer/Metapackage/CoreRecommended/composer.json
+++ b/composer/Metapackage/CoreRecommended/composer.json
@@ -7,7 +7,7 @@
         "webflo/drupal-core-strict": "*"
     },
     "require": {
-        "drupal/core": "self.version",
+        "drupal/core": "8.9.x-dev",

After that, the tests still pass, so +1 RTBC.

Still testing to ensure this will work with release scripts, so this is blocked until that's resolved.

So I applied this locally and tested it with the changes to the tagging script that @Mixologic submitted a PR for. I got this diff if I tagged it as 8.8.0:

[ibnsina:drupal | Fri 15:35:39] $ git show
commit f3a4251ffa0fe82c02d23cacdd180c10bcd72b35 (HEAD -> 8.8.x)
Author: xjm <xjm@65776.no-reply.drupal.org>
Date:   Fri Nov 15 15:34:27 2019 -0600

    Back to dev.

diff --git a/composer/Metapackage/CoreRecommended/composer.json b/composer/Metapackage/CoreRecommended/composer.json
index 55ca7579cb..755b7fe691 100644
--- a/composer/Metapackage/CoreRecommended/composer.json
+++ b/composer/Metapackage/CoreRecommended/composer.json
@@ -7,7 +7,7 @@
         "webflo/drupal-core-strict": "*"
     },
     "require": {
-        "drupal/core": "8.8.0",
+        "drupal/core": "8.8.x-dev",
         "asm89/stack-cors": "1.2.0",
         "composer/installers": "v1.7.0",
         "composer/semver": "1.5.0",
diff --git a/composer/Metapackage/PinnedDevDependencies/composer.json b/composer/Metapackage/PinnedDevDependencies/composer.json
index 4d74ebf6ba..959b64d6db 100644
--- a/composer/Metapackage/PinnedDevDependencies/composer.json
+++ b/composer/Metapackage/PinnedDevDependencies/composer.json
@@ -7,7 +7,7 @@
         "webflo/drupal-core-require-dev": "*"
     },
     "require": {
-        "drupal/core": "8.8.0",
+        "drupal/core": "8.8.x-dev",
         "behat/mink": "1.8.0 | 1.7.1.1 | 1.7.x-dev",
         "behat/mink-browserkit-driver": "1.3.3",
         "behat/mink-goutte-driver": "v1.2.1",
diff --git a/core/lib/Drupal.php b/core/lib/Drupal.php
index 780ff3060e..ca0f8c3e29 100644
--- a/core/lib/Drupal.php
+++ b/core/lib/Drupal.php
@@ -82,7 +82,7 @@ class Drupal {
   /**
    * The current system version.
    */
-  const VERSION = '8.8.0';
+  const VERSION = '8.8.1-dev';
 

So on the one hand... yay, something worked. On the other, though, the values in the metapackages themselves look wrong. They don't match the core version constant. Is that intentional or is it just a bug in the script? The correct version constant for 8.8 at present is 8.8.0-dev, not 8.8.x-dev. After 8.8.1 it's 8.8.1-dev, etc.

There were also no changes to core's own composer.json or composer.lock, and I was expecting there to be.

It's because there is no 8.8.1 dev branch. We only have the 8.8.x branch. If this was 8.8.1-dev composer wouldn't be able to work out that this means get the 8.8.x branch.

So it looks like it worked for the tag: when VERSION was 8.8.0, then drupal/core was also required as 8.8.0.

As far as VERSION = 8.8.1-dev, I think that 8.8.x-dev is the correct version constraint for the drupal/core package, as @alexpott explained in #29.

+1 on #29 with the disclaimer that I don't know enough about the release script to really know all the implications.

Here's what \Drupal\Composer\Composer::drupalVersionBranch() does with \Drupal::VERSION:

    return preg_replace('#\.[0-9]+-dev#', '.x-dev', \Drupal::VERSION);

So if you set \Drupal::VERSION to 8.8.1-alpha1, then that will make it through to the metapackages because it's expected to be a tagged release, and Composer can figure out a tagged release. Otherwise dev is major.minor.x-dev, and then Composer knows to just get that branch.

Alright, so according to #30, #27 is WAD. But what #28, about all the self.version in composer.lock and core/composer.json?

self.version is not harmful in "replace", so core's composer.json does not have to change. Core does not have its own composer.lock; the project-level composer.lock serves this purpose for the entire project, including core.

So we do or do not expect composer.lock to change each time core issues a new release?

If I am not mistaken, issuing a release will modify core/lib/Drupal.php, but not composer.json or core/composer.json, so the metapackages will change, but composer.lock will not.

I did not test to verify tho.

It's possible that we won't see a change to composer.lock, because maybe no dependencies were changed since the last tagged release. But even if there's no change, we should see a change to the metapackages to reflect the tagged release.

So, for instance, after applying the patch in #18, and then changing \Drupal::VERSION to 8.8.1-alpha1, I do composer update -lock. There's no change to composer.lock, but I do see this change, and it's the right one:

diff --git a/composer/Metapackage/CoreRecommended/composer.json b/composer/Metapackage/CoreRecommended/composer.json
index 8ff7b01629..c00b5f36c5 100644
--- a/composer/Metapackage/CoreRecommended/composer.json
+++ b/composer/Metapackage/CoreRecommended/composer.json
@@ -7,7 +7,7 @@
         "webflo/drupal-core-strict": "*"
     },
     "require": {
-        "drupal/core": "self.version",
+        "drupal/core": "8.8.1-alpha1",
         "asm89/stack-cors": "1.2.0",
         "composer/installers": "v1.7.0",
         "composer/semver": "1.5.0",
diff --git a/composer/Metapackage/PinnedDevDependencies/composer.json b/composer/Metapackage/PinnedDevDependencies/composer.json
index 06e6cf8640..0c44f64086 100644
--- a/composer/Metapackage/PinnedDevDependencies/composer.json
+++ b/composer/Metapackage/PinnedDevDependencies/composer.json
@@ -7,7 +7,7 @@
         "webflo/drupal-core-require-dev": "*"
     },
     "require": {
-        "drupal/core": "self.version",
+        "drupal/core": "8.8.1-alpha1",
         "behat/mink": "1.8.0 | 1.7.1.1 | 1.7.x-dev",
         "behat/mink-browserkit-driver": "1.3.3",
         "behat/mink-goutte-driver": "v1.2.1",
diff --git a/core/lib/Drupal.php b/core/lib/Drupal.php
index 4de3044b23..5b6b49aabc 100644
--- a/core/lib/Drupal.php
+++ b/core/lib/Drupal.php
@@ -82,7 +82,7 @@ class Drupal {
   /**
    * The current system version.
    */
-  const VERSION = '8.8.0-dev';
+  const VERSION = '8.8.1-alpha1';
 
   /**
    * Core API compatibility.

So then let's change \Drupal::VERSION to 8.8.2-dev, and after composer update -lock we see this, because 8.8.2 dev work will be commits after the last tagged release on the 8.8.x branch:

diff --git a/composer/Metapackage/CoreRecommended/composer.json b/composer/Metapackage/CoreRecommended/composer.json
index 8ff7b01629..755b7fe691 100644
--- a/composer/Metapackage/CoreRecommended/composer.json
+++ b/composer/Metapackage/CoreRecommended/composer.json
@@ -7,7 +7,7 @@
         "webflo/drupal-core-strict": "*"
     },
     "require": {
-        "drupal/core": "self.version",
+        "drupal/core": "8.8.x-dev",
         "asm89/stack-cors": "1.2.0",
         "composer/installers": "v1.7.0",
         "composer/semver": "1.5.0",
diff --git a/composer/Metapackage/PinnedDevDependencies/composer.json b/composer/Metapackage/PinnedDevDependencies/composer.json
index 06e6cf8640..959b64d6db 100644
--- a/composer/Metapackage/PinnedDevDependencies/composer.json
+++ b/composer/Metapackage/PinnedDevDependencies/composer.json
@@ -7,7 +7,7 @@
         "webflo/drupal-core-require-dev": "*"
     },
     "require": {
-        "drupal/core": "self.version",
+        "drupal/core": "8.8.x-dev",
         "behat/mink": "1.8.0 | 1.7.1.1 | 1.7.x-dev",
         "behat/mink-browserkit-driver": "1.3.3",
         "behat/mink-goutte-driver": "v1.2.1",
diff --git a/core/lib/Drupal.php b/core/lib/Drupal.php
index 4de3044b23..7ad133815e 100644
--- a/core/lib/Drupal.php
+++ b/core/lib/Drupal.php
@@ -82,7 +82,7 @@ class Drupal {
   /**
    * The current system version.
    */
-  const VERSION = '8.8.0-dev';
+  const VERSION = '8.8.2-dev';
 
   /**
    * Core API compatibility.

This is all without changing the lock file, but still reflecting the release (or non-release) version of core in the metapackages.

The product (drupal/legacy-project or drupal/recommended-project) won't have a lock file. Only the dev version (drupal/drupal) will.

Thanks for running the update, @mile23. #36 LGTM.

Alright, I've tested the updates I made to the script with a normal security release, and confirmed that the necessary merges are handled correctly. Thanks for your patience on this issue.

Updating issue credit for everyone who helped with testing, docs updates, etc.

Committed to 9.0.x, 8.9.x, and 8.8.x. Thanks!

I'm leaving the DrupalSouth tag on even though the event hasn't started yet because I'm on a plane flying there... that counts, right?

Published the CR.