Skip to content

ci: extract prepare-release workflow to release-tools#2498

Merged
ctron merged 1 commit into
guacsec:release/0.5.zfrom
ctron:ci/extract_prepare_release_05z_1
Jul 14, 2026
Merged

ci: extract prepare-release workflow to release-tools#2498
ctron merged 1 commit into
guacsec:release/0.5.zfrom
ctron:ci/extract_prepare_release_05z_1

Conversation

@ctron

@ctron ctron commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Replaces the inline prepare-release workflow with a thin caller to the reusable workflow in guacsec/trustify-release-tools
  • Follows the same pattern as the backport workflow

Depends on: guacsec/trustify-release-tools#57 being merged first.

Test plan

  • Merge release-tools PR first
  • Verify workflow is triggerable in the Actions tab on release/0.5.z

🤖 Generated with Claude Code

Summary by Sourcery

Extract prepare-release CI workflow into shared reusable workflow from trustify-release-tools and wire local workflow to call it

CI:

  • Replace inline prepare-release workflow steps with a reusable workflow invocation in guacsec/trustify-release-tools
  • Configure workflow inputs and secrets passthrough for the new reusable prepare-release workflow

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Assisted-by: Claude Code
@sourcery-ai

sourcery-ai Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor
Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Replace the inline prepare-release GitHub Actions workflow with a thin caller that delegates to the reusable workflow in guacsec/trustify-release-tools, passing through bump and version-override inputs and inheriting secrets.

File-Level Changes

Change Details Files
Replace bespoke prepare-release job implementation with a reusable workflow invocation from trustify-release-tools.
  • Removed all inline steps for permission checks, version bumping, schema/OpenAPI regeneration, branch creation, and PR creation from the prepare job.
  • Dropped explicit job-level conditions, runner configuration, and environment variables in favor of those defined in the shared workflow.
  • Configured the prepare job to inherit repository secrets and to call guacsec/trustify-release-tools/.github/workflows/prepare-release.yaml@main.
  • Wired existing workflow inputs bump and version-override through to the reusable workflow via with parameters.
.github/workflows/prepare-release.yaml

Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've found 1 issue, and left some high level feedback:

  • The previous if: github.repository_owner == 'guacsec' guard on the prepare job is removed; if this restriction is still desired it should be enforced inside the reusable workflow.
  • The local workflow no longer sets env: CARGO_TERM_COLOR: always; if colored cargo output is still useful in CI logs, consider preserving this configuration either here or in the shared workflow.
  • The reusable workflow is referenced via @main; consider pinning to a specific tag or commit to avoid unexpected behavior changes when the shared workflow’s main branch is updated.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- The previous `if: github.repository_owner == 'guacsec'` guard on the `prepare` job is removed; if this restriction is still desired it should be enforced inside the reusable workflow.
- The local workflow no longer sets `env: CARGO_TERM_COLOR: always`; if colored cargo output is still useful in CI logs, consider preserving this configuration either here or in the shared workflow.
- The reusable workflow is referenced via `@main`; consider pinning to a specific tag or commit to avoid unexpected behavior changes when the shared workflow’s main branch is updated.

## Individual Comments

### Comment 1
<location path=".github/workflows/prepare-release.yaml" line_range="27-32" />
<code_context>
   prepare:
</code_context>
<issue_to_address>
**question (bug_risk):** Consider whether the repository-owner guard is still needed when delegating to the reusable workflow.

Previously this job was guarded with `if: github.repository_owner == 'guacsec'`, preventing it from running on forks or external repos. That condition is now gone. Unless the reusable workflow enforces the same restriction, release preparation may run in unintended contexts. Please either restore the `if:` here or ensure the called workflow provides equivalent protection.
</issue_to_address>

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

Comment on lines 27 to +32
prepare:
if: github.repository_owner == 'guacsec'
runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write

steps:
- uses: actions/checkout@v5

- name: Check permissions
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
PERMISSION=$(gh api "repos/${{ github.repository }}/collaborators/${{ github.actor }}/permission" --jq '.permission')
if [[ "$PERMISSION" != "admin" && "$PERMISSION" != "maintain" ]]; then
echo "::error::Only maintainers can trigger this workflow. Your permission level: $PERMISSION"
exit 1
fi

- name: Validate bump type for release branches
run: |
REF="${{ github.ref_name }}"
BUMP="${{ inputs.bump }}"
OVERRIDE="${{ inputs.version-override }}"

if [[ "$REF" != release/* ]]; then
exit 0
fi

if [[ -z "$OVERRIDE" && "$BUMP" == "minor" ]]; then
echo "::error::Cannot use 'minor' bump on a release branch. Only alpha, beta, rc, and patch are allowed."
exit 1
fi

if [[ -n "$OVERRIDE" ]]; then
CURRENT_VERSION=$(grep -m1 '^version = ' Cargo.toml | sed 's/version = "\(.*\)"/\1/')
CURRENT_MINOR=$(echo "$CURRENT_VERSION" | cut -d. -f2)
OVERRIDE_MINOR=$(echo "$OVERRIDE" | cut -d. -f2)
if [[ "$CURRENT_MINOR" != "$OVERRIDE_MINOR" ]]; then
echo "::error::Version override changes minor version ($CURRENT_MINOR -> $OVERRIDE_MINOR), which is not allowed on release branches."
exit 1
fi
fi

- name: Generate GitHub App token
id: app-token
uses: actions/create-github-app-token@v2
with:
app-id: ${{ vars.TRUSTIFICATION_BOT_ID }}
private-key: ${{ secrets.TRUSTIFICATION_BOT_KEY }}

- uses: Swatinem/rust-cache@v2

- name: Install cargo-binstall
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
uses: taiki-e/install-action@v2
with:
tool: cargo-binstall

- name: Install cargo-release
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: cargo binstall -y cargo-release

- name: Bump version
run: |
VERSION_ARG="${{ inputs.version-override || inputs.bump }}"
echo "Bumping version with: $VERSION_ARG"
cargo release version "${VERSION_ARG}" -x

- name: Determine new version
id: version
run: |
VERSION=$(grep -m1 '^version = ' Cargo.toml | sed 's/version = "\(.*\)"/\1/')
echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
echo "New version: ${VERSION}"

- name: Update dependencies
run: cargo update

- name: Regenerate schemas
run: cargo xtask generate-schemas

- name: Regenerate OpenAPI spec
run: cargo xtask openapi

- name: Create branch, commit, and push
env:
GH_TOKEN: ${{ steps.app-token.outputs.token }}
run: |
VERSION="${{ steps.version.outputs.version }}"

git config user.name "trustification-ci-bot[bot]"
git config user.email "199085543+trustification-ci-bot[bot]@users.noreply.github.com"
git checkout -b "prepare/${VERSION}"
git add -A
git commit -m "chore: prepare release ${VERSION}"
git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${{ github.repository }}.git"
git push origin "prepare/${VERSION}"

- name: Create pull request
env:
GH_TOKEN: ${{ steps.app-token.outputs.token }}
run: |
VERSION="${{ steps.version.outputs.version }}"
BASE="${{ github.ref_name }}"

gh pr create \
--title "chore: prepare release ${VERSION}" \
--body "Automated release preparation:

- Bumped workspace version to \`${VERSION}\`
- Updated dependencies (\`cargo update\`)
- Regenerated schemas and OpenAPI spec

After merging, follow [RELEASE.md](https://github.com/guacsec/trustify/blob/main/RELEASE.md) for tagging." \
--base "${BASE}"
secrets: inherit
uses: guacsec/trustify-release-tools/.github/workflows/prepare-release.yaml@main

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

question (bug_risk): Consider whether the repository-owner guard is still needed when delegating to the reusable workflow.

Previously this job was guarded with if: github.repository_owner == 'guacsec', preventing it from running on forks or external repos. That condition is now gone. Unless the reusable workflow enforces the same restriction, release preparation may run in unintended contexts. Please either restore the if: here or ensure the called workflow provides equivalent protection.

@ctron
ctron merged commit 3bc1304 into guacsec:release/0.5.z Jul 14, 2026
5 checks passed
@github-project-automation github-project-automation Bot moved this to Done in Trustify Jul 14, 2026
@ctron
ctron deleted the ci/extract_prepare_release_05z_1 branch July 14, 2026 09:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: Done

Development

Successfully merging this pull request may close these issues.

1 participant