Skip to content

ci(release): gate release-trigger on the release environment#23662

Merged
dkirov-dd merged 4 commits into
masterfrom
dk/release-trigger-environment
May 11, 2026
Merged

ci(release): gate release-trigger on the release environment#23662
dkirov-dd merged 4 commits into
masterfrom
dk/release-trigger-environment

Conversation

@dkirov-dd
Copy link
Copy Markdown
Contributor

@dkirov-dd dkirov-dd commented May 11, 2026
edited
Loading

Summary

  • Add environment: release to the dispatch job in release-trigger.yml so GitHub's deployment protection runs before the reusable release-dispatch.yml workflow starts — the prepare step (which creates tags) now requires manual approval
  • Remove the inner environment: release from release-dispatch.yml's dispatch job; a single gate at the trigger level is sufficient

Problem

The prepare job in release-dispatch.yml creates git tags before reaching the environment: release gate on the inner dispatch job, so tags could be created without a manual approval step.

Test plan

  • Trigger a push to master that touches a CHANGELOG to confirm the deployment approval gate fires before any tags are created

dkirov-dd and others added 2 commits May 11, 2026 13:41
@dkirov-dd @claude
ci(release): gate release-trigger on the release environment
b2c1e21 
The prepare job in release-dispatch.yml creates tags before reaching the
environment: release gate on the dispatch job. Adding environment: release
to the calling dispatch job in release-trigger.yml ensures GitHub's
deployment protection runs before the reusable workflow's jobs start,
so tagging requires manual approval.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
@dkirov-dd @claude
ci(release): gate release-trigger on the release environment
5285a45 
Add environment: release to the dispatch job that calls the reusable
release-dispatch.yml workflow. GitHub's deployment protection now runs
before any of the reusable workflow's jobs start, so the prepare step
(which creates tags) requires manual approval.

The inner environment: release on release-dispatch.yml's dispatch job
is removed in integrations-core — a single gate at the trigger level
is sufficient.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
@dkirov-dd dkirov-dd requested a review from a team as a code owner May 11, 2026 13:52
@dd-octo-sts
Copy link
Copy Markdown
Contributor

dd-octo-sts Bot commented May 11, 2026
edited
Loading

⚠️ Recommendation: Add qa/skip-qa label

This PR does not modify any files shipped with the agent.

To help streamline the release process, please consider adding the qa/skip-qa label if these changes do not require QA testing.

dkirov-dd and others added 2 commits May 11, 2026 13:59
@dkirov-dd @claude
ci(release): gate release-trigger via intermediate approve job
c269d30 
environment: release cannot be used on a job that calls a reusable
workflow (uses:). Instead, add an explicit approve job that holds the
environment gate; the dispatch job depends on it, so the reusable
workflow's prepare step (which creates tags) cannot run until a
reviewer approves the deployment.

Remove the previously-added environment: release from the dispatch
job (invalid) and the inner environment: release from release-dispatch.yml
(redundant — a single gate is sufficient).

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
@dkirov-dd
Merge branch 'master' into dk/release-trigger-environment
f76a9c5
@dd-octo-sts
Copy link
Copy Markdown
Contributor

dd-octo-sts Bot commented May 11, 2026

Validation Report

All 20 validations passed.

Show details
Validation Description Status
agent-reqs Verify check versions match the Agent requirements file
ci Validate CI configuration and Codecov settings
codeowners Validate every integration has a CODEOWNERS entry
config Validate default configuration files against spec.yaml
dep Verify dependency pins are consistent and Agent-compatible
http Validate integrations use the HTTP wrapper correctly
imports Validate check imports do not use deprecated modules
integration-style Validate check code style conventions
jmx-metrics Validate JMX metrics definition files and config
labeler Validate PR labeler config matches integration directories
legacy-signature Validate no integration uses the legacy Agent check signature
license-headers Validate Python files have proper license headers
licenses Validate third-party license attribution list
metadata Validate metadata.csv metric definitions
models Validate configuration data models match spec.yaml
openmetrics Validate OpenMetrics integrations disable the metric limit
package Validate Python package metadata and naming
readmes Validate README files have required sections
saved-views Validate saved view JSON file structure and fields
version Validate version consistency between package and changelog

View full run

@dkirov-dd dkirov-dd added this pull request to the merge queue May 11, 2026
Merged via the queue into master with commit 58c447b May 11, 2026
31 of 32 checks passed
@dkirov-dd dkirov-dd deleted the dk/release-trigger-environment branch May 11, 2026 15:11
@dd-octo-sts dd-octo-sts Bot added this to the 7.79.0 milestone May 11, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@iliakur iliakur iliakur approved these changes

Assignees

No one assigned

Labels

dev/testing dev/tooling team/agent-integrations

Projects

None yet

Milestone

7.79.0

Development

Successfully merging this pull request may close these issues.

2 participants

@dkirov-dd @iliakur