feat: support release lookup #18450

Merged
Kangyan-Zhou merged 6 commits into sgl-project:main from alphabetc1:feat/tag_lookup
Feb 13, 2026

@alphabetc1 alphabetc1 commented Feb 8, 2026

Motivation

Tired of digging through release notes to figure out which release contains a specific PR or commit... so I built a release lookup tool.
Ideally, every release triggers a workflow that rebuilds the index and deploys the tool to https://docs.sglang.io/.

It also supports building the index locally and serving it via a local HTTP server.

cd docs/release_lookup

# 1. Start a local server
python3 -m http.server 8000

# 2. Open in browser
# http://localhost:8000/index.html

Modifications

Architecture: Purely Static Solution (No Backend Service Required)

generate_index.py (Python) -> release_index.json (static index file) -> index.html (website search)

Index Generation (generate_index.py)

  • Iterates over all tags matching v* and gateway-v* patterns
  • Handles two independent release lines: main and gateway (using separate seen_commits sets)
  • Extracts PR numbers from commit messages
  • Outputs a compact JSON format (tags are represented by numeric indices; commits use 8-character short hashes)

Frontend Query (index.html)

  • Runs entirely in the browser, loading the static JSON file
  • Supports input in the following forms:
    • PR number
    • PR URL
    • Commit hash
  • Displays results for both main and gateway release lines

Accuracy Tests

Benchmarking and Profiling

Local Testing

cd docs/release_lookup

# 1. Generate the index (Optional)
python3 generate_index.py --output release_index.json

# 2. Start a local server
python3 -m http.server 8000

# 3. Open in browser
# http://localhost:8000/index.html

CI Testing

Workflows collaborate:

  • release-docs.yml: Triggered when files in the docs/ directory change
    • Builds the release index
    • Copies the release_lookup/ directory to the output folder
    • Deploys to sgl-project.github.io

Live URL (after release): https://sgl-project.github.io/release_lookup/

Checklist

Review Process

  1. Ping Merge Oncalls to start the PR flow. See the PR Merge Process.
  2. Get approvals from CODEOWNERS and other reviewers.
  3. Trigger CI tests with comments or contact authorized users to do so.
    • /tag-run-ci-label, /rerun-failed-ci, /tag-and-rerun-ci
  4. After green CI and required approvals, ask Merge Oncalls to merge.

@github-actions github-actions Bot added the documentation (Improvements or additions to documentation) label Feb 8, 2026
@gemini-code-assist

Summary of Changes

Hello @alphabetc1, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a new, entirely static Git tag lookup utility designed to enhance user experience by providing a straightforward way to identify the release version associated with any given pull request or commit. This capability empowers users to quickly ascertain if a bug fix has been deployed, evaluate the necessity of version upgrades, and effectively trace the release lifecycle of specific changes within the project. The tool operates client-side, leveraging a pre-generated index, ensuring efficiency and ease of deployment.

Highlights

  • New Git Tag Lookup Tool: Introduces a new static tool to determine the earliest release tag for a given PR or commit, addressing user needs for release tracking and bug fix verification.
  • Static Architecture: The solution is entirely static, comprising a Python script (generate_index.py) that builds a tag_index.json file, and an index.html frontend that queries this file directly in the browser, eliminating the need for a backend service.
  • Comprehensive Index Generation: The generate_index.py script now iterates over v* and gateway-v* tags, independently processing main and gateway release lines, extracting PR numbers from commit messages, and outputting a compact JSON format.
  • User-Friendly Frontend: The index.html provides a browser-based interface supporting various input formats (PR number, PR URL, commit hash) and displays results for both main and gateway release lines.
  • CI/CD Integration: Automated workflows (update-tag-index.yml and release-docs.yml) are set up to generate and commit the latest tag_index.json on new releases and deploy the lookup tool to GitHub Pages.

Changelog
  • docs/tag_lookup/README.md
    • Added a new README file detailing the purpose, usage, and underlying logic of the SGLang Tag Lookup Tool.
  • docs/tag_lookup/example_index.json
    • Introduced an example JSON index file to demonstrate the structure and content of the generated tag index.
  • docs/tag_lookup/generate_index.py
    • Implemented a Python script to parse Git history, identify release tags (v* and gateway-v*), extract associated commits and PR numbers, and generate a compact JSON index.
    • Designed to handle independent 'main' and 'gateway' release lines.
    • Includes logic for compacting the output JSON for efficiency.
  • docs/tag_lookup/index.html
    • Created the frontend HTML page for the tag lookup tool, featuring a user interface to input PR numbers, URLs, or commit hashes.
    • Includes JavaScript logic to load the static JSON index and display relevant release tag information.
Ignored Files
  • Ignored by pattern: .github/workflows/** (2)
    • .github/workflows/release-docs.yml
    • .github/workflows/update-tag-index.yml
Activity
  • No specific review comments or activity have been recorded for this pull request yet.

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request introduces a git tag lookup tool, which is a great feature for developers. The implementation includes a Python script to generate a static index from git history and an HTML page to provide a search interface. The overall approach is solid.

My review has identified a few issues:

  • A critical Cross-Site Scripting (XSS) vulnerability in index.html that needs to be addressed.
  • A high-severity security risk in generate_index.py due to the use of shell=True with subprocess.
  • Some medium-severity suggestions for improving code quality and performance in both the Python script and the HTML file.

Please review the comments for details and suggested fixes.

Comment thread docs/tag_lookup/index.html Outdated
Comment on lines +427 to +437
resultDiv.innerHTML = `
<div class="result-content result-error">
<div class="result-row">
<span class="result-label">Status</span>
<span>Not Found</span>
</div>
<div style="margin-top: 8px;">
The ${queryType} <strong>${label}</strong> has not been included in any release tag yet, or is not in the index.
</div>
</div>
`;

critical

There is a Cross-Site Scripting (XSS) vulnerability here. The key variable, which comes directly from user input, is used to construct the label which is then inserted into the DOM using innerHTML. A malicious user could provide input like <img src=x onerror=alert(1)> to execute arbitrary JavaScript. You should escape the user-provided content before rendering it as HTML. A safe way is to build the DOM nodes and set their textContent instead of using innerHTML with template strings containing user data.

Suggested change
resultDiv.innerHTML = `
<div class="result-content result-error">
<div class="result-row">
<span class="result-label">Status</span>
<span>Not Found</span>
</div>
<div style="margin-top: 8px;">
The ${queryType} <strong>${label}</strong> has not been included in any release tag yet, or is not in the index.
</div>
</div>
`;
resultDiv.innerHTML = `
<div class="result-content result-error">
<div class="result-row">
<span class="result-label">Status</span>
<span>Not Found</span>
</div>
<div style="margin-top: 8px;" id="not-found-message">
</div>
</div>
`;
const messageEl = document.getElementById('not-found-message');
const strongEl = document.createElement('strong');
strongEl.textContent = label;
messageEl.append(`The ${queryType} `, strongEl, ' has not been included in any release tag yet, or is not in the index.');

Comment thread docs/tag_lookup/generate_index.py Outdated
for i in range(0, len(new_commits), chunk_size):
chunk = new_commits[i : i + chunk_size]

cmd = f"git show -s --format='%H|%B%n--END-COMMIT--' {' '.join(chunk)}"
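
Review bot: the `--format='%H|%B%n--END-COMMIT--'` string on the `cmd = f"git show ..."` line uses a plain-text record terminator, while `%B` is the raw commit body, so a commit message that itself contains `--END-COMMIT--` would end its record early if the output is split on that marker. Consider a NUL terminator (`%x00` in the format string), which git does not allow inside a commit message, and split on that instead.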

high

Constructing shell commands with f-strings can be risky if any variable comes from an untrusted source, which can lead to shell injection vulnerabilities. While chunk seems to contain safe data (commit hashes) in this context, it is a best practice to avoid shell=True and pass arguments as a list to subprocess functions.

This would require modifying run_git to accept a list of arguments instead of a string. For example:

# in run_git
def run_git(cmd_list):
    # shell=False is the default
    output = subprocess.check_output(cmd_list, ...)

# here
cmd_list = ["git", "show", "-s", "--format=%H|%B%n--END-COMMIT--"] + chunk
raw_logs = run_git(cmd_list)

Comment thread docs/tag_lookup/generate_index.py Outdated
Comment on lines +55 to +62
def process_tag_line(tags, tag_info, commit_map, pr_map, tag_type, tag_to_idx):
"""Process a single release line (main or gateway) independently."""
seen_commits = set()

for tag in tags:
tag_name = tag["name"]
print(f"Processing {tag_name}...")
tag_info[tag_name] = {"date": tag["date"], "type": tag["type"]}

medium

The tag_info parameter is populated here but its value is never used anywhere in the script. It can be removed from the function signature and this assignment. You should also remove the variable initialization and its use in the calls to this function within main().

Suggested change
def process_tag_line(tags, tag_info, commit_map, pr_map, tag_type, tag_to_idx):
"""Process a single release line (main or gateway) independently."""
seen_commits = set()
for tag in tags:
tag_name = tag["name"]
print(f"Processing {tag_name}...")
tag_info[tag_name] = {"date": tag["date"], "type": tag["type"]}
def process_tag_line(tags, commit_map, pr_map, tag_type, tag_to_idx):
"""Process a single release line (main or gateway) independently."""
seen_commits = set()
for tag in tags:
tag_name = tag["name"]
print(f"Processing {tag_name}...")

Comment thread docs/tag_lookup/generate_index.py Outdated
if not new_commits:
continue

chunk_size = 1000

medium

The chunk_size is a magic number. It would be better to define it as a constant at the top of the file (e.g., COMMIT_CHUNK_SIZE = 1000) for clarity and easier modification.

Comment thread docs/tag_lookup/index.html Outdated

// If not found with short hash, try prefix match
if (!tagData) {
const matchKey = Object.keys(tagIndex.commits).find(h => h.startsWith(shortKey) || shortKey.startsWith(h));
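
Review bot: the fallback `find(h => h.startsWith(shortKey) || shortKey.startsWith(h))` returns the first key that matches, so when a short prefix matches more than one indexed commit the page silently reports whichever comes first in key order. Collect every match and show an "ambiguous, enter more characters" result when there is more than one.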

medium

This line performs a linear search over all commit hashes in the index by creating an array of keys first. If the number of commits is large, this could be slow and cause a noticeable delay in the UI. While this is a good fallback for partial hashes, consider if there's a more performant way to handle prefix searches, for example by pre-processing the commit hashes into a more search-friendly data structure like a Trie. However, for the expected scale, this might be an acceptable trade-off.
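
One way to replace the linear `find` with a sorted-key search that also reports ambiguous prefixes, as an added example that is not code from this PR. It assumes `commits` maps 8-character lowercase hex keys to values; `KEY_LEN`, the 4-character minimum and the function names are hypothetical.

```javascript
// Added example: prefix lookup over the index's 8-character commit keys.
const KEY_LEN = 8; // short-hash length stated in the PR description

// Sort the keys once after loading the index; each lookup is then O(log n).
function buildCommitLookup(commits) {
  return { keys: Object.keys(commits).sort(), commits };
}

// First position whose key is >= target (lower bound).
function lowerBound(keys, target) {
  let lo = 0;
  let hi = keys.length;
  while (lo < hi) {
    const mid = (lo + hi) >>> 1;
    if (keys[mid] < target) lo = mid + 1;
    else hi = mid;
  }
  return lo;
}

// Accepts a partial, short or full hash and returns a tagged result.
function lookupCommit(lookup, input) {
  const q = String(input).trim().toLowerCase();
  // Reject anything that is not hex before it reaches the index or the page.
  if (!/^[0-9a-f]{4,40}$/.test(q)) return { status: 'invalid' };

  // Longer inputs are cut to the key length; shorter ones stay a prefix.
  const prefix = q.slice(0, KEY_LEN);

  // In a sorted array, all keys sharing a prefix are contiguous.
  const matches = [];
  for (let i = lowerBound(lookup.keys, prefix);
       i < lookup.keys.length && lookup.keys[i].startsWith(prefix);
       i++) {
    matches.push(lookup.keys[i]);
    if (matches.length > 5) break; // enough to report ambiguity
  }

  if (matches.length === 0) return { status: 'not_found' };
  if (matches.length > 1) return { status: 'ambiguous', candidates: matches };
  return { status: 'found', key: matches[0], value: lookup.commits[matches[0]] };
}

// Constructed sample index, not data from the real release_index.json.
const sampleLookup = buildCommitLookup({
  a1b2c3d4: { m: 0 },
  a1b2c3ff: { m: 1 },
  '0f9e8d7c': { g: 2 },
});
```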

@alphabetc1

/tag-and-rerun-ci

@github-actions github-actions Bot added the run-ci label Feb 9, 2026
@alphabetc1

/gemini review


@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request introduces a very useful git tag lookup tool, which will undoubtedly help users track which releases contain their changes. The implementation is clean, with a Python script for index generation and a static HTML/JS frontend for searching. The separation of concerns is well-executed.

I've identified two significant issues that need to be addressed:

  1. A potential for data corruption in generate_index.py due to short SHA collisions.
  2. A critical Cross-Site Scripting (XSS) vulnerability in index.html.

My review includes detailed comments and code suggestions to resolve these issues. Once they are addressed, this will be an excellent addition to the project.

Comment thread docs/tag_lookup/index.html Outdated
Comment on lines +480 to +506
let html = '';

for (const tagRef of tagRefs) {
const tagInfo = getTagInfo(tagRef);
const dateStr = formatDate(tagInfo.date);
const tagUrl = `${repoUrl}/releases/tag/${tagInfo.name}`;
const badgeClass = tagInfo.type === 'gateway' ? 'badge-gateway' : 'badge-main';

html += `
<div class="result-content result-success" style="margin-bottom: 0.75rem;">
<div class="result-row">
<span class="result-label">Release</span>
<a href="${tagUrl}" target="_blank" class="tag-link">${tagInfo.name}</a>
</div>
<div class="result-row">
<span class="result-label">Date</span>
<span>${dateStr}</span>
</div>
<div class="result-row">
<span class="result-label">Module</span>
<span class="badge ${badgeClass}">${tagInfo.type}</span>
</div>
</div>
`;
}

resultDiv.innerHTML = html;

critical

Using innerHTML with unescaped data from git tags creates a Cross-Site Scripting (XSS) vulnerability. A malicious tag name (e.g., <script>alert(1)</script>) could execute arbitrary code in the user's browser. To fix this, you should construct the DOM elements programmatically using document.createElement and set their content with .textContent, which automatically escapes any HTML.

        resultDiv.innerHTML = ''; // Clear previous results

        for (const tagRef of tagRefs) {
            const tagInfo = getTagInfo(tagRef);
            const dateStr = formatDate(tagInfo.date);
            const tagUrl = `${repoUrl}/releases/tag/${tagInfo.name}`;
            const badgeClass = tagInfo.type === 'gateway' ? 'badge-gateway' : 'badge-main';

            const resultCard = document.createElement('div');
            resultCard.className = 'result-content result-success';
            resultCard.style.marginBottom = '0.75rem';

            // Release row
            const releaseRow = document.createElement('div');
            releaseRow.className = 'result-row';
            const releaseLabel = document.createElement('span');
            releaseLabel.className = 'result-label';
            releaseLabel.textContent = 'Release';
            const releaseLink = document.createElement('a');
            releaseLink.href = tagUrl;
            releaseLink.target = '_blank';
            releaseLink.className = 'tag-link';
            releaseLink.textContent = tagInfo.name; // Safely sets text
            releaseRow.append(releaseLabel, releaseLink);

            // Date row
            const dateRow = document.createElement('div');
            dateRow.className = 'result-row';
            const dateLabel = document.createElement('span');
            dateLabel.className = 'result-label';
            dateLabel.textContent = 'Date';
            const dateValue = document.createElement('span');
            dateValue.textContent = dateStr;
            dateRow.append(dateLabel, dateValue);

            // Module row
            const moduleRow = document.createElement('div');
            moduleRow.className = 'result-row';
            const moduleLabel = document.createElement('span');
            moduleLabel.className = 'result-label';
            moduleLabel.textContent = 'Module';
            const moduleBadge = document.createElement('span');
            moduleBadge.className = `badge ${badgeClass}`;
            moduleBadge.textContent = tagInfo.type;
            moduleRow.append(moduleLabel, moduleBadge);

            resultCard.append(releaseRow, dateRow, moduleRow);
            resultDiv.appendChild(resultCard);
        }

Comment thread docs/tag_lookup/generate_index.py Outdated
Comment on lines +104 to +110
short_sha = sha[:SHORT_HASH_LEN]
tag_idx = tag_to_idx[tag_name]

# Store tag index for this release line
if short_sha not in commit_map:
commit_map[short_sha] = {}
commit_map[short_sha][tag_type] = tag_idx

high

Using short SHAs as keys here can lead to collisions if two different commits share the same prefix. This would cause data for one of them to be lost. To fix this, let's use the full SHA as the key within this function. The conversion to short SHAs and collision checking will be handled later in main.

Suggested change
short_sha = sha[:SHORT_HASH_LEN]
tag_idx = tag_to_idx[tag_name]
# Store tag index for this release line
if short_sha not in commit_map:
commit_map[short_sha] = {}
commit_map[short_sha][tag_type] = tag_idx
tag_idx = tag_to_idx[tag_name]
# Use full SHA as key during processing to prevent collisions
if sha not in commit_map:
commit_map[sha] = {}
commit_map[sha][tag_type] = tag_idx

Comment thread docs/tag_lookup/generate_index.py Outdated
Comment on lines +148 to +152
pr_map = {}
commit_map = {}

process_tag_line(main_tags, commit_map, pr_map, "m", tag_to_idx)
process_tag_line(gateway_tags, commit_map, pr_map, "g", tag_to_idx)

high

To complete the fix for potential SHA collisions, we need to adjust the main function. First, we'll rename commit_map to commit_map_full to reflect that it uses full SHAs. Then, after processing, we'll create the final commit_map with short SHAs, performing a collision check at that time.

After applying the suggestion below, insert this block of code right after (after line 152):

    # Convert full SHAs to short SHAs, checking for collisions
    commit_map = {}
    short_to_full_map = {}
    for full_sha, data in commit_map_full.items():
        short_sha = full_sha[:SHORT_HASH_LEN]
        if short_sha in short_to_full_map and short_to_full_map[short_sha] != full_sha:
            print(
                f"CRITICAL: Short SHA collision detected for '{short_sha}'\n"
                f"  Commit 1: {short_to_full_map[short_sha]}\n"
                f"  Commit 2: {full_sha}\n"
                "Please increase SHORT_HASH_LEN and re-run.",
                file=sys.stderr,
            )
            sys.exit(1)
        commit_map[short_sha] = data
        short_to_full_map[short_sha] = full_sha

The rest of the function can then use commit_map as before.

Suggested change
pr_map = {}
commit_map = {}
process_tag_line(main_tags, commit_map, pr_map, "m", tag_to_idx)
process_tag_line(gateway_tags, commit_map, pr_map, "g", tag_to_idx)
pr_map = {}
commit_map_full = {}
process_tag_line(main_tags, commit_map_full, pr_map, "m", tag_to_idx)
process_tag_line(gateway_tags, commit_map_full, pr_map, "g", tag_to_idx)

@alphabetc1

/gemini review


@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request introduces a very useful git tag lookup tool. The implementation is well-done, with a Python script for generating a compact and efficient index, and a client-side search page. The Python script is robust, handling different release lines and potential short SHA collisions. The frontend is fast, using a binary search for commit lookups. I found one high-severity security vulnerability in the frontend code that should be addressed. Overall, great work on this feature.

Comment thread docs/tag_lookup/index.html Outdated
Comment on lines +480 to +506
let html = '';

for (const tagRef of tagRefs) {
const tagInfo = getTagInfo(tagRef);
const dateStr = formatDate(tagInfo.date);
const tagUrl = `${repoUrl}/releases/tag/${tagInfo.name}`;
const badgeClass = tagInfo.type === 'gateway' ? 'badge-gateway' : 'badge-main';

html += `
<div class="result-content result-success" style="margin-bottom: 0.75rem;">
<div class="result-row">
<span class="result-label">Release</span>
<a href="${tagUrl}" target="_blank" class="tag-link">${tagInfo.name}</a>
</div>
<div class="result-row">
<span class="result-label">Date</span>
<span>${dateStr}</span>
</div>
<div class="result-row">
<span class="result-label">Module</span>
<span class="badge ${badgeClass}">${tagInfo.type}</span>
</div>
</div>
`;
}

resultDiv.innerHTML = html;

security-high high

The current implementation has a Cross-Site Scripting (XSS) vulnerability. The renderResult function constructs HTML using string concatenation and sets it with innerHTML. The tagInfo.name is taken directly from a git tag name and included in the HTML. Since git tag names can contain arbitrary characters, including < and >, a malicious tag name like v1.0<script>alert(1)</script> could lead to arbitrary JavaScript execution on this page.

To fix this, you should avoid building HTML with strings. Instead, use DOM manipulation APIs like document.createElement and set dynamic content using textContent, which automatically escapes any special HTML characters. A good approach is to use a hybrid method: use innerHTML for the static template, then populate the dynamic, untrusted parts using textContent.

        resultDiv.innerHTML = ''; // Clear previous results

        for (const tagRef of tagRefs) {
            const tagInfo = getTagInfo(tagRef);
            const dateStr = formatDate(tagInfo.date);
            const tagUrl = `${repoUrl}/releases/tag/${tagInfo.name}`;
            const badgeClass = tagInfo.type === 'gateway' ? 'badge-gateway' : 'badge-main';

            const container = document.createElement('div');
            container.className = 'result-content result-success';
            container.style.marginBottom = '0.75rem';

            // Static template only: no index-derived value is interpolated into the markup
            container.innerHTML = `
                <div class="result-row">
                    <span class="result-label">Release</span>
                    <a target="_blank" class="tag-link"></a>
                </div>
                <div class="result-row">
                    <span class="result-label">Date</span>
                    <span class="date-value"></span>
                </div>
                <div class="result-row">
                    <span class="result-label">Module</span>
                    <span class="badge"></span>
                </div>
            `;
            const link = container.querySelector('.tag-link');
            link.href = tagUrl; // Set as a property so the tag name never passes through the HTML parser
            link.textContent = tagInfo.name; // Set name safely
            container.querySelector('.date-value').textContent = dateStr;
            const badge = container.querySelector('.badge');
            badge.classList.add(badgeClass);
            badge.textContent = tagInfo.type;
            resultDiv.appendChild(container);
        }
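
The two `innerHTML` sinks flagged in these reviews, rewritten with output encoding instead of DOM construction, as an added example that is not code from this PR. It runs without a DOM, so the renderers can be unit-tested against the inputs quoted in the review comments. `REPO_URL`, the function names and the `{name, date, type}` shape of `tagInfo` are assumptions.

```javascript
// Added example: context-aware encoding for the "not found" message and the result card.
const REPO_URL = 'https://github.com/OWNER/REPO'; // placeholder, not the project's constant

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for HTML text and for double-quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Not found" message: label echoes what the user typed into the search box.
function renderNotFound(queryType, label) {
  return '<div class="result-content result-error">' +
    '<div class="result-row"><span class="result-label">Status</span><span>Not Found</span></div>' +
    `<div style="margin-top: 8px;">The ${escapeHtml(queryType)} <strong>${escapeHtml(label)}</strong> ` +
    'has not been included in any release tag yet, or is not in the index.</div></div>';
}

// Result card: the tag name lands in two contexts, so it is encoded twice:
// as a URL path segment (then as an attribute value) and as element text.
function renderCard(tagInfo) {
  const badgeClass = tagInfo.type === 'gateway' ? 'badge-gateway' : 'badge-main';
  const href = `${REPO_URL}/releases/tag/${encodeURIComponent(tagInfo.name)}`;
  return '<div class="result-content result-success">' +
    '<div class="result-row"><span class="result-label">Release</span>' +
    `<a href="${escapeHtml(href)}" target="_blank" rel="noopener" class="tag-link">` +
    `${escapeHtml(tagInfo.name)}</a></div>` +
    '<div class="result-row"><span class="result-label">Date</span>' +
    `<span>${escapeHtml(tagInfo.date)}</span></div>` +
    '<div class="result-row"><span class="result-label">Module</span>' +
    `<span class="badge ${badgeClass}">${escapeHtml(tagInfo.type)}</span></div></div>`;
}
```

The class name is chosen from two fixed strings rather than taken from the index, which is why it needs no encoding.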

Comment thread .github/workflows/update-release-index.yml Outdated
Comment thread docs/release_lookup/release_index.json
@alphabetc1 alphabetc1 changed the title from "feat: git tag lookup" to "feat: support release lookup" Feb 12, 2026
@Kangyan-Zhou Kangyan-Zhou merged commit bc2405e into sgl-project:main Feb 13, 2026
46 checks passed
@alphabetc1 alphabetc1 deleted the feat/tag_lookup branch February 13, 2026 02:51
Johnsonms pushed a commit to Johnsonms/sglang that referenced this pull request Feb 14, 2026
magicYang1573 pushed a commit to magicYang1573/sglang that referenced this pull request Mar 9, 2026
Wangzheee pushed a commit to Wangzheee/sglang that referenced this pull request Mar 21, 2026