
ci: promote final release when the rc fleet gate is green #219

Merged: joshua-temple merged 1 commit into main from ci/promote-on-green, Jun 18, 2026

Conversation

@joshua-temple

Collaborator

Problem

When Fleet E2E (live GitHub) validates an rc tag vX.Y.Z-rc.N across the example fleet, promoting that rc to the final vX.Y.Z release is a manual step. The validated binary and the published binary should be the same artifact, and promotion should never happen off a red fleet or double-publish an already-released version.

Fix

Add .github/workflows/auto-promote.yaml, a maintainer-CI workflow:

  • Trigger + guard: workflow_run of "Fleet E2E (live GitHub)" on completion; proceeds only when conclusion == 'success' and the run was for an rc tag of shape vX.Y.Z-rc.N. The rc is resolved the same way fleet-e2e's resolve job does (head_branch, with a head_sha -> tag fallback).
  • Base version: strips -rc.N to compute vX.Y.Z.
  • Idempotency: no-op (log + exit 0) if the vX.Y.Z release or tag already exists.
  • Tag drives GoReleaser: cuts the final tag on the rc's exact commit, pushes it with GITHUB_TOKEN (which does not re-trigger workflows), then explicitly dispatches release.yaml --ref vX.Y.Z so GoReleaser builds that tag. The explicit dispatch is the deterministic path; the event-based Release trigger has been unreliable.
  • Signing: GPG-signs the tag when a CASCADE_RELEASE_GPG_KEY secret is configured; otherwise creates an annotated, unsigned tag and logs that clearly. Signing never blocks promotion.
  • Verify: watches the Release run to completion, then asserts the vX.Y.Z release is draft=false, prerelease=false, has 5 assets, and is the repo's latest release.

Least privilege: top-level contents: read; the promote job adds contents: write (tag/release) and actions: write (dispatch). The fleet PAT is used where a trigger-capable token is needed.

This is maintainer CI only - no generator or CLI change, and it does not collide with the generator-owned promote.yaml.

Verification

  • actionlint .github/workflows/auto-promote.yaml: clean.
  • Independent pre-merge review: APPROVE (no blockers).
  • Self-verifying: the workflow's final job asserts the published release shape (non-draft, non-prerelease, 5 assets, latest).
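The trigger guard, base-version derivation and idempotency check described in the Fix section, as an added POSIX shell illustration that is not the PR's auto-promote.yaml; the tag names, the existing-tag list and the decision strings are constructed inputs (the real workflow reads them from the workflow_run event and the GitHub API).

```shell
#!/bin/sh
# Added illustration of the promotion guard, not the PR's workflow file.

# rc_to_final TAG
#   Prints the final version vX.Y.Z for an rc tag of shape vX.Y.Z-rc.N.
#   Returns non-zero and prints nothing for any other ref, so a branch
#   name or an already-final tag can never reach the promotion steps.
rc_to_final() {
  tag=$1
  printf '%s\n' "$tag" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+-rc\.[0-9]+$' || return 1
  # Strip the -rc.N suffix to get the base version.
  printf '%s\n' "${tag%-rc.*}"
}

# promote_decision CONCLUSION TAG EXISTING_TAGS
#   CONCLUSION is the upstream workflow_run conclusion ("success" or not).
#   EXISTING_TAGS is a whitespace-separated list of tags already in the
#   repo (constructed here; the workflow queries git/the API instead).
#   Prints exactly one line:
#     promote <vX.Y.Z>      fleet green, rc tag valid, final not yet cut
#     skip <reason>         idempotent no-op (final tag already exists)
#     reject <reason>       guard failed; nothing is tagged or dispatched
promote_decision() {
  conclusion=$1; tag=$2; existing=$3
  # Guard 1: never promote off a red fleet.
  [ "$conclusion" = success ] || { printf 'reject fleet-not-green:%s\n' "$conclusion"; return 0; }
  # Guard 2: the run must have been for an rc tag of the expected shape.
  final=$(rc_to_final "$tag") || { printf 'reject not-an-rc-tag:%s\n' "$tag"; return 0; }
  # Idempotency: a final tag that already exists means this version was
  # published before; log and exit cleanly rather than double-publishing.
  for t in $existing; do
    if [ "$t" = "$final" ]; then
      printf 'skip already-released:%s\n' "$final"
      return 0
    fi
  done
  printf 'promote %s\n' "$final"
}
```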

Add a maintainer-CI workflow that publishes the final vX.Y.Z release when
Fleet E2E (live GitHub) concludes success for an rc tag. It resolves the rc
the same way fleet-e2e does, strips -rc.N, skips when the release or tag
already exists, anchors the final tag to the rc's validated commit, drives
GoReleaser via an explicit release.yaml dispatch, optionally GPG-signs the
tag when a release key secret is set, and verifies the published release is
latest, non-prerelease, and carries the expected 5 assets.

Signed-off-by: Joshua Temple <joshua.temple@stablekernel.com>
joshua-temple enabled auto-merge (squash) June 18, 2026 03:58
joshua-temple merged commit 56f12f9 into main Jun 18, 2026
13 checks passed