ci: extract prepare-release workflow to release-tools#2498
Conversation
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Assisted-by: Claude Code
Reviewer's guide (collapsed on small PRs)Reviewer's GuideReplace the inline prepare-release GitHub Actions workflow with a thin caller that delegates to the reusable workflow in guacsec/trustify-release-tools, passing through bump and version-override inputs and inheriting secrets. File-Level Changes
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
There was a problem hiding this comment.
Hey - I've found 1 issue, and left some high level feedback:
- The previous
if: github.repository_owner == 'guacsec'guard on thepreparejob is removed; if this restriction is still desired it should be enforced inside the reusable workflow. - The local workflow no longer sets
env: CARGO_TERM_COLOR: always; if colored cargo output is still useful in CI logs, consider preserving this configuration either here or in the shared workflow. - The reusable workflow is referenced via
@main; consider pinning to a specific tag or commit to avoid unexpected behavior changes when the shared workflow’s main branch is updated.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- The previous `if: github.repository_owner == 'guacsec'` guard on the `prepare` job is removed; if this restriction is still desired it should be enforced inside the reusable workflow.
- The local workflow no longer sets `env: CARGO_TERM_COLOR: always`; if colored cargo output is still useful in CI logs, consider preserving this configuration either here or in the shared workflow.
- The reusable workflow is referenced via `@main`; consider pinning to a specific tag or commit to avoid unexpected behavior changes when the shared workflow’s main branch is updated.
## Individual Comments
### Comment 1
<location path=".github/workflows/prepare-release.yaml" line_range="27-32" />
<code_context>
prepare:
</code_context>
<issue_to_address>
**question (bug_risk):** Consider whether the repository-owner guard is still needed when delegating to the reusable workflow.
Previously this job was guarded with `if: github.repository_owner == 'guacsec'`, preventing it from running on forks or external repos. That condition is now gone. Unless the reusable workflow enforces the same restriction, release preparation may run in unintended contexts. Please either restore the `if:` here or ensure the called workflow provides equivalent protection.
</issue_to_address>Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
| prepare: | ||
| if: github.repository_owner == 'guacsec' | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: write | ||
| pull-requests: write | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@v5 | ||
|
|
||
| - name: Check permissions | ||
| env: | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: | | ||
| PERMISSION=$(gh api "repos/${{ github.repository }}/collaborators/${{ github.actor }}/permission" --jq '.permission') | ||
| if [[ "$PERMISSION" != "admin" && "$PERMISSION" != "maintain" ]]; then | ||
| echo "::error::Only maintainers can trigger this workflow. Your permission level: $PERMISSION" | ||
| exit 1 | ||
| fi | ||
|
|
||
| - name: Validate bump type for release branches | ||
| run: | | ||
| REF="${{ github.ref_name }}" | ||
| BUMP="${{ inputs.bump }}" | ||
| OVERRIDE="${{ inputs.version-override }}" | ||
|
|
||
| if [[ "$REF" != release/* ]]; then | ||
| exit 0 | ||
| fi | ||
|
|
||
| if [[ -z "$OVERRIDE" && "$BUMP" == "minor" ]]; then | ||
| echo "::error::Cannot use 'minor' bump on a release branch. Only alpha, beta, rc, and patch are allowed." | ||
| exit 1 | ||
| fi | ||
|
|
||
| if [[ -n "$OVERRIDE" ]]; then | ||
| CURRENT_VERSION=$(grep -m1 '^version = ' Cargo.toml | sed 's/version = "\(.*\)"/\1/') | ||
| CURRENT_MINOR=$(echo "$CURRENT_VERSION" | cut -d. -f2) | ||
| OVERRIDE_MINOR=$(echo "$OVERRIDE" | cut -d. -f2) | ||
| if [[ "$CURRENT_MINOR" != "$OVERRIDE_MINOR" ]]; then | ||
| echo "::error::Version override changes minor version ($CURRENT_MINOR -> $OVERRIDE_MINOR), which is not allowed on release branches." | ||
| exit 1 | ||
| fi | ||
| fi | ||
|
|
||
| - name: Generate GitHub App token | ||
| id: app-token | ||
| uses: actions/create-github-app-token@v2 | ||
| with: | ||
| app-id: ${{ vars.TRUSTIFICATION_BOT_ID }} | ||
| private-key: ${{ secrets.TRUSTIFICATION_BOT_KEY }} | ||
|
|
||
| - uses: Swatinem/rust-cache@v2 | ||
|
|
||
| - name: Install cargo-binstall | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| uses: taiki-e/install-action@v2 | ||
| with: | ||
| tool: cargo-binstall | ||
|
|
||
| - name: Install cargo-release | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: cargo binstall -y cargo-release | ||
|
|
||
| - name: Bump version | ||
| run: | | ||
| VERSION_ARG="${{ inputs.version-override || inputs.bump }}" | ||
| echo "Bumping version with: $VERSION_ARG" | ||
| cargo release version "${VERSION_ARG}" -x | ||
|
|
||
| - name: Determine new version | ||
| id: version | ||
| run: | | ||
| VERSION=$(grep -m1 '^version = ' Cargo.toml | sed 's/version = "\(.*\)"/\1/') | ||
| echo "version=${VERSION}" >> "$GITHUB_OUTPUT" | ||
| echo "New version: ${VERSION}" | ||
|
|
||
| - name: Update dependencies | ||
| run: cargo update | ||
|
|
||
| - name: Regenerate schemas | ||
| run: cargo xtask generate-schemas | ||
|
|
||
| - name: Regenerate OpenAPI spec | ||
| run: cargo xtask openapi | ||
|
|
||
| - name: Create branch, commit, and push | ||
| env: | ||
| GH_TOKEN: ${{ steps.app-token.outputs.token }} | ||
| run: | | ||
| VERSION="${{ steps.version.outputs.version }}" | ||
|
|
||
| git config user.name "trustification-ci-bot[bot]" | ||
| git config user.email "199085543+trustification-ci-bot[bot]@users.noreply.github.com" | ||
| git checkout -b "prepare/${VERSION}" | ||
| git add -A | ||
| git commit -m "chore: prepare release ${VERSION}" | ||
| git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${{ github.repository }}.git" | ||
| git push origin "prepare/${VERSION}" | ||
|
|
||
| - name: Create pull request | ||
| env: | ||
| GH_TOKEN: ${{ steps.app-token.outputs.token }} | ||
| run: | | ||
| VERSION="${{ steps.version.outputs.version }}" | ||
| BASE="${{ github.ref_name }}" | ||
|
|
||
| gh pr create \ | ||
| --title "chore: prepare release ${VERSION}" \ | ||
| --body "Automated release preparation: | ||
|
|
||
| - Bumped workspace version to \`${VERSION}\` | ||
| - Updated dependencies (\`cargo update\`) | ||
| - Regenerated schemas and OpenAPI spec | ||
|
|
||
| After merging, follow [RELEASE.md](https://github.com/guacsec/trustify/blob/main/RELEASE.md) for tagging." \ | ||
| --base "${BASE}" | ||
| secrets: inherit | ||
| uses: guacsec/trustify-release-tools/.github/workflows/prepare-release.yaml@main |
There was a problem hiding this comment.
question (bug_risk): Consider whether the repository-owner guard is still needed when delegating to the reusable workflow.
Previously this job was guarded with if: github.repository_owner == 'guacsec', preventing it from running on forks or external repos. That condition is now gone. Unless the reusable workflow enforces the same restriction, release preparation may run in unintended contexts. Please either restore the if: here or ensure the called workflow provides equivalent protection.
Summary
guacsec/trustify-release-toolsDepends on: guacsec/trustify-release-tools#57 being merged first.
Test plan
release/0.5.z🤖 Generated with Claude Code
Summary by Sourcery
Extract prepare-release CI workflow into shared reusable workflow from trustify-release-tools and wire local workflow to call it
CI: