From b6dee92e196e1724eaf4eb771a7beb8891152387 Mon Sep 17 00:00:00 2001
From: Baodi Shi <baodi@apache.org>
Date: Tue, 31 Mar 2026 16:47:08 +0800
Subject: [PATCH 1/2] Release v1.17.0

---
 package-lock.json | 4 ++--
 package.json      | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index f7a3588..e86536c 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "pulsar-client",
-  "version": "1.17.0-rc.0",
+  "version": "1.17.0",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "pulsar-client",
-      "version": "1.17.0-rc.0",
+      "version": "1.17.0",
       "hasInstallScript": true,
       "license": "Apache-2.0",
       "dependencies": {
diff --git a/package.json b/package.json
index d94e34b..5182dcf 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "pulsar-client",
-  "version": "1.17.0-rc.0",
+  "version": "1.17.0",
   "description": "Pulsar Node.js client",
   "main": "index.js",
   "types": "index.d.ts",

From b052ba74de92f9911a91ba3743d3c50272c04b19 Mon Sep 17 00:00:00 2001
From: Baodi Shi <baodi@apache.org>
Date: Tue, 31 Mar 2026 17:28:09 +0800
Subject: [PATCH 2/2] [fix][release] Skip docker build record artifacts when
 staging release

Recent release workflow runs include auxiliary *.dockerbuild artifacts uploaded by docker/build-push-action. Our staging script downloaded every artifact from the workflow run and tried to unzip them as release packages, which caused stage-release.sh to fail with BadZipFile before the actual napi tarballs were processed.\n\nSkip *.dockerbuild artifacts in download-release-artifacts.py and keep the error message explicit for unexpected non-zip artifacts so release managers can stage 1.17.x and master builds again.
---
 build-support/download-release-artifacts.py | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/build-support/download-release-artifacts.py b/build-support/download-release-artifacts.py
index 0fcbcbb..b3f62a5 100755
--- a/build-support/download-release-artifacts.py
+++ b/build-support/download-release-artifacts.py
@@ -53,6 +53,13 @@
     name = artifact['name']
     url = artifact['archive_download_url']
 
+    # docker/build-push-action uploads build records as auxiliary artifacts.
+    # They are not release packages and break the staging flow if we try to
+    # unpack them alongside the platform tarballs.
+    if name.endswith('.dockerbuild'):
+        print(f'Skipping auxiliary artifact {name}')
+        continue
+
     print(f'Downloading {name} from {url}')
     artifact_response = requests.get(url, headers=headers, stream=True)
     artifact_response.raise_for_status()
@@ -65,8 +72,15 @@
     try:
         dest_dir = os.path.join(dest_path, name)
         Path(dest_dir).mkdir(parents=True, exist_ok=True)
-        with zipfile.ZipFile(tmp_zip_path, 'r') as z:
-            z.extractall(dest_dir)
+        try:
+            with zipfile.ZipFile(tmp_zip_path, 'r') as z:
+                z.extractall(dest_dir)
+        except zipfile.BadZipFile as exc:
+            raise RuntimeError(
+                f'Artifact {name} is not a ZIP archive. '
+                'This usually means the workflow uploaded a non-release '
+                'auxiliary artifact that should be filtered out.'
+            ) from exc
     finally:
         os.unlink(tmp_zip_path)
 
@@ -74,4 +88,4 @@
     for name in files:
         shutil.move(os.path.join(root, name), dest_path)
     if not os.listdir(root):
-        os.rmdir(root)
\ No newline at end of file
+        os.rmdir(root)