Skip to content

ci: extract prepare-release workflow to release-tools#2499

Merged
ctron merged 1 commit into
guacsec:release/0.4.zfrom
ctron:ci/extract_prepare_release_04z_1
Jul 14, 2026
Merged

ci: extract prepare-release workflow to release-tools#2499
ctron merged 1 commit into
guacsec:release/0.4.zfrom
ctron:ci/extract_prepare_release_04z_1

Conversation

@ctron

@ctron ctron commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Replaces the inline prepare-release workflow with a thin caller to the reusable workflow in guacsec/trustify-release-tools
  • Follows the same pattern as the backport workflow

Depends on: guacsec/trustify-release-tools#57 being merged first.

Test plan

  • Merge release-tools PR first
  • Verify workflow is triggerable in the Actions tab on release/0.4.z

🤖 Generated with Claude Code

Summary by Sourcery

CI:

  • Replace inline prepare-release workflow with a thin wrapper that reuses the shared prepare-release workflow from guacsec/trustify-release-tools.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Assisted-by: Claude Code
@sourcery-ai

sourcery-ai Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor
Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Replaces the inline prepare-release GitHub Actions workflow with a thin caller that delegates to the reusable workflow in guacsec/trustify-release-tools, passing through existing inputs and inheriting secrets.

File-Level Changes

Change Details Files
Replace inline prepare-release implementation with call to shared reusable workflow
  • Removed all job-level configuration specific to running the prepare-release job locally (conditions, runner, steps, and supporting environment).
  • Configured the prepare job to inherit repository secrets so the reusable workflow can access required tokens and credentials.
  • Pointed the prepare job to use the reusable workflow defined in guacsec/trustify-release-tools and wired through the bump and version-override inputs.
.github/workflows/prepare-release.yaml

Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@ctron
ctron merged commit e014dac into guacsec:release/0.4.z Jul 14, 2026
3 checks passed
@github-project-automation github-project-automation Bot moved this to Done in Trustify Jul 14, 2026

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've found 2 issues, and left some high level feedback:

  • The reusable workflow is referenced with @main; consider pinning it to a specific tag or commit to avoid unexpected behavior from upstream changes.
  • The previous if: github.repository_owner == 'guacsec' guard has been removed; if this restriction is still desired, it should either be reintroduced here or enforced in the shared workflow.
  • Review whether secrets: inherit is strictly necessary for this job and, if not, narrow the secrets exposure to only what the reusable workflow requires.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- The reusable workflow is referenced with `@main`; consider pinning it to a specific tag or commit to avoid unexpected behavior from upstream changes.
- The previous `if: github.repository_owner == 'guacsec'` guard has been removed; if this restriction is still desired, it should either be reintroduced here or enforced in the shared workflow.
- Review whether `secrets: inherit` is strictly necessary for this job and, if not, narrow the secrets exposure to only what the reusable workflow requires.

## Individual Comments

### Comment 1
<location path=".github/workflows/prepare-release.yaml" line_range="31" />
<code_context>
-
-          After merging, follow [RELEASE.md](https://github.com/guacsec/trustify/blob/main/RELEASE.md) for tagging." \
-            --base "${BASE}"
+    secrets: inherit
+    uses: guacsec/trustify-release-tools/.github/workflows/prepare-release.yaml@main
+    with:
</code_context>
<issue_to_address>
**🚨 suggestion (security):** Using `secrets: inherit` for an external reusable workflow may broaden secret exposure unnecessarily.

This setup exposes every secret available to this workflow to `guacsec/trustify-release-tools`. If that workflow doesn’t require all of them, restrict exposure by explicitly listing only the needed secrets in the caller and/or the reusable workflow to align with least-privilege principles.

Suggested implementation:

```
    uses: guacsec/trustify-release-tools/.github/workflows/prepare-release.yaml@main
    secrets:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # Add other explicitly required secrets below, e.g.:
      # RELEASE_BOT_PAT: ${{ secrets.RELEASE_BOT_PAT }}
    with:

```

1. Confirm which secrets the reusable workflow in `guacsec/trustify-release-tools` actually needs (e.g. `GITHUB_TOKEN`, `RELEASE_BOT_PAT`, etc.) and remove any unused entries from the `secrets:` mapping above.
2. If the reusable workflow expects secrets under different names, adjust the keys (left side) to match those expected input names and map them to the appropriate `${{ secrets.* }}` values from this repository.
</issue_to_address>

### Comment 2
<location path=".github/workflows/prepare-release.yaml" line_range="32" />
<code_context>
-          After merging, follow [RELEASE.md](https://github.com/guacsec/trustify/blob/main/RELEASE.md) for tagging." \
-            --base "${BASE}"
+    secrets: inherit
+    uses: guacsec/trustify-release-tools/.github/workflows/prepare-release.yaml@main
+    with:
+      bump: ${{ inputs.bump }}
</code_context>
<issue_to_address>
**🚨 suggestion (security):** Referencing the reusable workflow at `@main` can introduce instability and security risk vs pinning to a specific ref.

Relying on `@main` allows upstream changes in `guacsec/trustify-release-tools` to silently change this workflow’s behavior. To keep releases reproducible and improve supply-chain security, please pin this to a specific tag or commit SHA (e.g., `@vX.Y.Z` or `@<sha>`) and update only when you intentionally adopt changes.

Suggested implementation:

```
    # Pin to a specific ref (tag or commit SHA) for reproducibility and supply-chain security.
    # Update this ref intentionally when adopting changes from guacsec/trustify-release-tools.
    uses: guacsec/trustify-release-tools/.github/workflows/prepare-release.yaml@vX.Y.Z

```

Replace `@vX.Y.Z` with the actual tag or commit SHA you want to pin to in `guacsec/trustify-release-tools`.  
If your project has a release policy or existing pinned refs elsewhere, align this value with that policy (for example, use the latest stable release tag from that repository).
</issue_to_address>

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.


After merging, follow [RELEASE.md](https://github.com/guacsec/trustify/blob/main/RELEASE.md) for tagging." \
--base "${BASE}"
secrets: inherit

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚨 suggestion (security): Using secrets: inherit for an external reusable workflow may broaden secret exposure unnecessarily.

This setup exposes every secret available to this workflow to guacsec/trustify-release-tools. If that workflow doesn’t require all of them, restrict exposure by explicitly listing only the needed secrets in the caller and/or the reusable workflow to align with least-privilege principles.

Suggested implementation:

    uses: guacsec/trustify-release-tools/.github/workflows/prepare-release.yaml@main
    secrets:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # Add other explicitly required secrets below, e.g.:
      # RELEASE_BOT_PAT: ${{ secrets.RELEASE_BOT_PAT }}
    with:

  1. Confirm which secrets the reusable workflow in guacsec/trustify-release-tools actually needs (e.g. GITHUB_TOKEN, RELEASE_BOT_PAT, etc.) and remove any unused entries from the secrets: mapping above.
  2. If the reusable workflow expects secrets under different names, adjust the keys (left side) to match those expected input names and map them to the appropriate ${{ secrets.* }} values from this repository.

After merging, follow [RELEASE.md](https://github.com/guacsec/trustify/blob/main/RELEASE.md) for tagging." \
--base "${BASE}"
secrets: inherit
uses: guacsec/trustify-release-tools/.github/workflows/prepare-release.yaml@main

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚨 suggestion (security): Referencing the reusable workflow at @main can introduce instability and security risk vs pinning to a specific ref.

Relying on @main allows upstream changes in guacsec/trustify-release-tools to silently change this workflow’s behavior. To keep releases reproducible and improve supply-chain security, please pin this to a specific tag or commit SHA (e.g., @vX.Y.Z or @<sha>) and update only when you intentionally adopt changes.

Suggested implementation:

    # Pin to a specific ref (tag or commit SHA) for reproducibility and supply-chain security.
    # Update this ref intentionally when adopting changes from guacsec/trustify-release-tools.
    uses: guacsec/trustify-release-tools/.github/workflows/prepare-release.yaml@vX.Y.Z

Replace @vX.Y.Z with the actual tag or commit SHA you want to pin to in guacsec/trustify-release-tools.
If your project has a release policy or existing pinned refs elsewhere, align this value with that policy (for example, use the latest stable release tag from that repository).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: Done

Development

Successfully merging this pull request may close these issues.

1 participant