
ci: automate weekly stable releases via release PRs (PRINFRA-170)#166

Open
somanshreddy wants to merge 5 commits into main from 06-11-ci_weekly_auto_stable_release

@somanshreddy somanshreddy commented Jun 11, 2026

Collaborator

Scope

Surfaces: CI / release pipeline | Module: Release automation

Summary

Automates the stable-release cadence without auto-publishing. A weekly cron opens a release/vX.Y.Z PR with a draft changelog; a human refines it (/changelog-cli), reviews, and merges, and the merge publishes. This removes the "did anyone remember to release?" burden while keeping a human gate, and mirrors the hyperframes publish model (release PR + protected environment).

Design decisions

Release PR instead of weekly auto-publish. The weekly job opens a PR; merging it (a human action) triggers the publish. So a release is never cut unattended, but the cadence is still automated. Manual on-demand cuts remain via release-stable.yml workflow_dispatch.

Publish trigger + version resolution. release-stable.yml runs on workflow_dispatch or a merged release/v* PR (pull_request: closed + a job if that requires merged == true). Version comes from the dispatch input or the release/vX.Y.Z branch name.

environment: release approval gate. An optional second human approval before publish. Until the release environment is created with a required reviewer, it is a no-op (the PR merge is still a gate).

Job-level concurrency. concurrency: stable-release sits on the release job (not workflow) so closed-PR runs that fail the if never enter the lock and cannot evict a pending real release; in-flight publishes finish and the monotonic guard rejects a lower version.

Signed draft notes. The draft releases/vX.Y.Z.md is committed via the GitHub contents API so it is verified (the repo requires signed commits).

Testing

Codex-aligned (3 rounds, 0 blocking) covering the publish if, version resolution, signed-commit path, concurrency/eviction, monotonic guard, and GoReleaser notes flag. Workflow/docs-only change.

Follow-ups (operator)

  • Create a release environment with a required reviewer to activate the approval gate.
  • Optionally provision a PAT/App token so bot-opened release PRs trigger PR CI (otherwise merge with admin; meaningful tests run in release-stable.yml post-merge).

@somanshreddy somanshreddy force-pushed the 06-11-ci_weekly_auto_stable_release branch from f13efd8 to ef13522 Compare June 12, 2026 12:51
somanshreddy and others added 5 commits June 22, 2026 22:57
Add a scheduled workflow that cuts a stable release once a week (Mon 09:00
UTC) and skips weeks with no new commits since the last stable tag. It
patch-bumps the latest stable tag and delegates the actual build/sign/publish
to the existing release-stable.yml via workflow_dispatch, so the release
logic stays in one place. Idempotent: skips if the computed tag already
exists. Documents the new automated path in RELEASE.md.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Address Codex review (F1/H1): release-stable.yml only guarded against an exact
duplicate tag, so a stale/queued dispatch (e.g. a weekly patch bump sent just
before a manual minor/major release) could publish a lower version and move the
S3 "stable" pointer backward. Add a guard that refuses any version not strictly
greater than the current latest stable tag (bootstrap with no tag is allowed).
Documented in RELEASE.md.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

…NFRA-170)

Adopt the release-PR model (mirrors hyperframes' publish flow):

- weekly-stable-release.yml now OPENS a release/vX.Y.Z PR with a draft
  changelog (releases/vX.Y.Z.md, committed via the GitHub API so it is
  signed/verified) instead of dispatching a publish. Skips empty weeks and
  leaves an existing release branch untouched.
- release-stable.yml gains a pull_request:closed trigger and publishes only
  when a release/v* PR is MERGED (the human merge is the gate), or via manual
  workflow_dispatch. Version is resolved from the branch name or the dispatch
  input. Adds an 'environment: release' approval gate and uses
  releases/vX.Y.Z.md as the GitHub release notes when present.

The merge + environment approval replace weekly auto-publish, so a release is
never cut without a human, while the cron still removes the 'did anyone
remember?' burden. Manual on-demand cuts remain available.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

- Idempotency keys on an OPEN release PR, not the branch ref; delete a stale
  branch from a closed PR so a skipped week recurs instead of suppressing the
  version forever (F1).
- Add concurrency group to release-stable.yml so overlapping publishes can't
  race the S3 stable pointer backward (F2).
- RELEASE.md: minor/major cuts dispatch release-stable directly or hand-create
  the release branch (weekly only patch-bumps); note the bot-opened release PR
  does not auto-run PR CI (F3, F4).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

…NFRA-170)

- release-stable.yml: move the stable-release concurrency group from workflow
  scope to the release job, so closed-PR runs that fail the job 'if' never enter
  the lock and cannot evict a pending real release (Codex R2-F1).
- RELEASE.md: correct the weekly skip-behavior bullet to match the open-PR
  idempotency (stale branch without an open PR is recreated) (Codex R2-F2).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@somanshreddy somanshreddy force-pushed the 06-11-ci_weekly_auto_stable_release branch from ef13522 to 89626ea Compare June 22, 2026 23:17
@somanshreddy somanshreddy changed the title ci: automate weekly stable releases (PRINFRA-170) ci: automate weekly stable releases via release PRs (PRINFRA-170) Jun 22, 2026
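
An added sketch (not code from this PR) of the version resolution and the strictly-greater guard described in the PR description and in the F1/H1 commit message above, as POSIX shell functions. The function names, the `v`-prefixed dispatch input and the sample tags are assumptions; the event values are expected to reach the script as arguments or environment variables, never interpolated into the script text.

```shell
#!/bin/sh
# Added example (not the PR's code). Function names and sample tags are hypothetical.

# is_semver_tag TAG: succeed only for vMAJOR.MINOR.PATCH without leading zeros.
is_semver_tag() {
  case $1 in ''|*[!v0-9.]*) return 1 ;; esac   # rejects newlines, ';', '$', spaces
  printf '%s\n' "$1" | grep -Eqx 'v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)'
}

# resolve_version EVENT DISPATCH_INPUT HEAD_REF MERGED: print the tag or fail.
resolve_version() {
  case $1 in
    workflow_dispatch) v=$2 ;;
    pull_request)
      [ "$4" = true ] || return 1        # closed without merge never publishes
      case $3 in release/v*) v=${3#release/} ;; *) return 1 ;; esac ;;
    *) return 1 ;;
  esac
  is_semver_tag "$v" || return 1         # the branch name is untrusted input
  printf '%s\n' "$v"
}

# version_gt A B: succeed only when A > B (both already validated).
version_gt() {
  a=${1#v}; b=${2#v}
  for n in 1 2 3; do
    x=${a%%.*}; y=${b%%.*}
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
    a=${a#*.}; b=${b#*.}
  done
  return 1                               # equal is not strictly greater
}

# guard_release CANDIDATE LATEST: LATEST empty means no stable tag yet (bootstrap).
guard_release() {
  is_semver_tag "$1" || return 1
  [ -z "$2" ] && return 0
  is_semver_tag "$2" || return 1
  version_gt "$1" "$2"
}

# Constructed scenario: a stale weekly patch PR is merged after a manual minor release.
if v=$(resolve_version pull_request '' release/v1.4.8 true) && guard_release "$v" v1.5.0
then echo "publish $v"
else echo "refuse: ${v:-invalid} is not strictly greater than v1.5.0"
fi
```

The numeric comparison matters: a plain string comparison would rank v1.4.9 above v1.4.10 and let the guard pass a lower version.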