ci: automate weekly stable releases via release PRs (PRINFRA-170) #166
Open
somanshreddy wants to merge 5 commits into
f13efd8 to
ef13522
Compare
Add a scheduled workflow that cuts a stable release once a week (Mon 09:00 UTC) and skips weeks with no new commits since the last stable tag. It patch-bumps the latest stable tag and delegates the actual build/sign/publish to the existing release-stable.yml via workflow_dispatch, so the release logic stays in one place. Idempotent: skips if the computed tag already exists. Documents the new automated path in RELEASE.md. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Address Codex review (F1/H1): release-stable.yml only guarded against an exact duplicate tag, so a stale/queued dispatch (e.g. a weekly patch bump sent just before a manual minor/major release) could publish a lower version and move the S3 "stable" pointer backward. Add a guard that refuses any version not strictly greater than the current latest stable tag (bootstrap with no tag is allowed). Documented in RELEASE.md. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…NFRA-170)
Adopt the release-PR model (mirrors hyperframes' publish flow):
- weekly-stable-release.yml now OPENS a release/vX.Y.Z PR with a draft changelog (releases/vX.Y.Z.md, committed via the GitHub API so it is signed/verified) instead of dispatching a publish. Skips empty weeks and leaves an existing release branch untouched.
- release-stable.yml gains a pull_request:closed trigger and publishes only when a release/v* PR is MERGED (the human merge is the gate), or via manual workflow_dispatch. Version is resolved from the branch name or the dispatch input. Adds an 'environment: release' approval gate and uses releases/vX.Y.Z.md as the GitHub release notes when present.
The merge + environment approval replace weekly auto-publish, so a release is never cut without a human, while the cron still removes the 'did anyone remember?' burden. Manual on-demand cuts remain available.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- Idempotency keys on an OPEN release PR, not the branch ref; delete a stale branch from a closed PR so a skipped week recurs instead of suppressing the version forever (F1).
- Add concurrency group to release-stable.yml so overlapping publishes can't race the S3 stable pointer backward (F2).
- RELEASE.md: minor/major cuts dispatch release-stable directly or hand-create the release branch (weekly only patch-bumps); note the bot-opened release PR does not auto-run PR CI (F3, F4).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…NFRA-170)
- release-stable.yml: move the stable-release concurrency group from workflow scope to the release job, so closed-PR runs that fail the job 'if' never enter the lock and cannot evict a pending real release (Codex R2-F1).
- RELEASE.md: correct the weekly skip-behavior bullet to match the open-PR idempotency (stale branch without an open PR is recreated) (Codex R2-F2).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
ef13522 to
89626ea
Compare
Scope
Surfaces: CI / release pipeline | Module: Release automation
Summary
Automates the stable-release cadence without auto-publishing. A weekly cron opens a release/vX.Y.Z PR with a draft changelog; a human refines it (/changelog-cli), reviews, and merges, and the merge publishes. This removes the "did anyone remember to release?" burden while keeping a human gate, and mirrors the hyperframes publish model (release PR + protected environment).
Design decisions
- Release PR instead of weekly auto-publish. The weekly job opens a PR; merging it (a human action) triggers the publish. So a release is never cut unattended, but the cadence is still automated. Manual on-demand cuts remain via release-stable.yml workflow_dispatch.
- Publish trigger + version resolution. release-stable.yml runs on workflow_dispatch or a merged release/v* PR (pull_request: closed + a job if that requires merged == true). Version comes from the dispatch input or the release/vX.Y.Z branch name.
- environment: release approval gate. An optional second human approval before publish. Until the release environment is created with a required reviewer, it is a no-op (the PR merge is still a gate).
- Job-level concurrency. concurrency: stable-release sits on the release job (not workflow) so closed-PR runs that fail the if never enter the lock and cannot evict a pending real release; in-flight publishes finish and the monotonic guard rejects a lower version.
- Signed draft notes. The draft releases/vX.Y.Z.md is committed via the GitHub contents API so it is verified (the repo requires signed commits).
Testing
Codex-aligned (3 rounds, 0 blocking) covering the publish if, version resolution, signed-commit path, concurrency/eviction, monotonic guard, and GoReleaser notes flag. Workflow/docs-only change.
Follow-ups (operator)
- release environment with a required reviewer to activate the approval gate.
- release-stable.yml post-merge).
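The version resolution and monotonic guard described in this PR, sketched as an added shell example; it is not code from the PR or the repository. The function names, the optional leading "v" on the dispatch input, and the version numbers used with it are assumptions.

```shell
#!/bin/sh
# Added illustration, not the PR's workflow code; all function names are hypothetical.

# True only for a bare X.Y.Z with numeric fields and no leading zeros.
is_semver() {
  case "$1" in ''|*[!0-9.]*) return 1 ;; esac   # rejects newlines and shell metacharacters
  printf '%s\n' "$1" | grep -Eq '^(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*)){2}$'
}

# Resolve the version from the dispatch input, else from a release/vX.Y.Z branch name.
# Assumes the input may carry an optional leading "v". Prints X.Y.Z or fails.
resolve_version() {
  local raw
  if [ -n "$1" ]; then
    raw="${1#v}"
  else
    case "$2" in
      release/v*) raw="${2#release/v}" ;;
      *) return 1 ;;
    esac
  fi
  is_semver "$raw" || return 1
  printf '%s\n' "$raw"
}

# Succeeds only if candidate > latest stable tag, compared field by field as integers
# (a string compare would rank 1.9.0 above 1.10.0).
# An empty latest means no stable tag exists yet (bootstrap), which is allowed.
is_strictly_greater() {
  local latest old_ifs
  latest="${2#v}"
  [ -n "$latest" ] || return 0
  is_semver "$1" && is_semver "$latest" || return 1   # unparsable value: fail closed
  old_ifs=$IFS; IFS=.
  set -- $1 $latest                      # $1..$3 candidate, $4..$6 latest
  IFS=$old_ifs
  [ "$1" -gt "$4" ] && return 0; [ "$1" -lt "$4" ] && return 1
  [ "$2" -gt "$5" ] && return 0; [ "$2" -lt "$5" ] && return 1
  [ "$3" -gt "$6" ]                      # equal versions are refused as well
}

# Gate run before publishing: prints "publish X.Y.Z" or "refuse".
release_gate() {
  local v
  if v="$(resolve_version "$1" "$2")" && is_strictly_greater "$v" "$3"; then
    echo "publish $v"
  else
    echo "refuse"; return 1
  fi
}
```

Call it as `release_gate "<dispatch input>" "<head branch>" "<latest stable tag>"`; a stale patch bump that arrives after a newer minor release is refused because the comparison is against the current latest tag, not just a duplicate check.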