chore: prune Stainless-era CI cruft and vestigial release-doctor #1364

Merged: mattt merged 1 commit into main from chore/prune-stainless-ci-cruft on May 20, 2026

mattt commented May 20, 2026

Summary

Cleans up CI scaffolding left over from Stainless's templates that no longer does anything in this repo.

`ci.yml` simplification

  • `on.push.branches` filter listed Stainless-internal codegen branches (`integrated/`, `stl-preview-*`, `codegen/`, `codegen/stl/**`) that never land in this repo. Replaced with `branches: [main]` so push runs fire only on merge.
  • `on.pull_request.branches-ignore` filter filtered the same Stainless preview branches. Dropped.
  • Job-level `if:` guards (`github.event_name == 'push' || github.event.pull_request.head.repo.fork` etc.) existed to short-circuit the duplicate runs you get when both `push` + `pull_request` fire for a same-repo PR. Under the new `on:` shape (push only on `main`, pull_request unfiltered) each commit triggers exactly one run, so the dedup is unnecessary.
  • `runs-on` toggled to `depot-ubuntu-24.04` when running under `stainless-sdks/increase-typescript`. We never run there. Simplified to `ubuntu-latest`.
  • `'codegen metadata'` head-commit guard skipped CI for Stainless's codegen housekeeping commits. We don't push those.
  • OIDC token + upload-artifact step in the build job pushed build tarballs to `pkg.stainless.com/s` for Stainless's preview UI. Dead endpoint for us. Dropped along with the `id-token: write` permission it required.

42 lines down to 4.

`release-doctor.yml` + `bin/check-release-environment` deletion

The doctor script is a literal no-op:

```bash
errors=()
lenErrors=${#errors[@]}
if [[ lenErrors -gt 0 ]]; then ... fi
echo "The environment is ready to push releases!"
```

It exists in Stainless templates as a pre-flight check for repos with publish secrets (`PYPI_TOKEN` etc.); this repo uses OIDC trusted publishing on npm so there's no token to check (`bin/publish-npm` falls back to `ACTIONS_ID_TOKEN_REQUEST_TOKEN` when `NPM_TOKEN` isn't set, and the workflow doesn't pass `NPM_TOKEN`).

Even with checks populated, the only failure mode it catches that the publish workflow doesn't is "secret literally not set" — which recovers in 30s by setting the secret and re-running publish. Without branch-protection enforcement (which we don't have), it's a soft warning, not a gate.

Test plan

  • All four scripts referenced in the new `ci.yml` exist (`scripts/bootstrap`, `scripts/build`, `scripts/lint`, `scripts/test`).
  • CI passes once on this PR (lint + build + test all run, no skips).
  • After merge: confirm next push to `main` runs CI exactly once (not twice via duplicate push/pull_request firing).

The Stainless templates left behind a bunch of CI scaffolding that's
no longer doing anything in this repo:

ci.yml
- `on.push.branches` filter listed Stainless-internal codegen branches
  (`integrated/**`, `stl-preview-*`, `codegen/**`, `codegen/stl/**`)
  that never land here. Replaced with `branches: [main]` so push runs
  fire only on merge.
- `on.pull_request.branches-ignore` filtered the same Stainless
  preview branches. Dropped — same reasoning.
- Job-level `if:` guards (`github.event_name == 'push' ||
  github.event.pull_request.head.repo.fork` etc.) existed to
  deduplicate the duplicate runs you get when both push + pull_request
  fire for a same-repo PR. Under the new `on:` shape (push only on
  main, pull_request unfiltered) each commit triggers exactly one run,
  so the dedup is unnecessary.
- `runs-on` toggled to `depot-ubuntu-24.04` when running under
  `stainless-sdks/increase-typescript`. We never run there. Simplified
  to `ubuntu-latest`.
- `'codegen metadata'` head-commit guard skipped CI for Stainless's
  codegen housekeeping commits. We don't push those.
- The build job's OIDC token + `upload-artifact.sh` step pushed build
  tarballs to `pkg.stainless.com/s` for Stainless's preview UI. Dead
  endpoint for us. Dropped along with the `id-token: write`
  permission it required.

release-doctor.yml + bin/check-release-environment
- The script was a literal no-op (`errors=()` array, never populated,
  always prints "ready"). It exists in templates as a pre-flight
  check for repos with publish secrets (PYPI_TOKEN etc.); this repo
  uses OIDC trusted publishing on npm so there's no token to check.
- Even with checks populated, the only failure mode it catches that
  the publish workflow doesn't is "secret literally not set" — which
  recovers in 30s by setting the secret and re-running publish.
  Without branch-protection enforcement (which we don't have), it's
  a soft warning, not a gate. Drop it entirely.
mattt merged commit 0ca0374 into main on May 20, 2026
3 checks passed
mattt deleted the chore/prune-stainless-ci-cruft branch on May 20, 2026 16:52
increase-releases (bot) mentioned this pull request on May 20, 2026
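
The `id-token: write` removal described in this PR can be turned into a repeatable least-privilege check. The following is an added example (not code from this PR or its repository) that lists every job in a workflow file that can still request an OIDC token, so each grant can be matched to a step that needs one. The function names `oidc_grants` and `write_samples` and both workflow files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from this PR. The workflow contents are constructed.

# oidc_grants FILE: print "FILE:<job>" (or "FILE:(workflow)" for a top-level
# block) for each permissions block that lets a job request an OIDC token,
# either through "id-token: write" or through "permissions: write-all".
oidc_grants() {
  awk -v file="$1" '
    function report() { print file ":" (job == "" ? "(workflow)" : job) }
    /^ *#/ || /^ *$/ { next }                  # skip comment and blank lines
    {
      match($0, /[^ ]/); n = RSTART - 1        # indentation of this line
      if (n == 0) { top = $1; job = ""; perm = -1 }
      else if (top == "jobs:" && n == 2) { job = $1; sub(/:$/, "", job); perm = -1 }
      if (perm >= 0 && n <= perm) perm = -1    # left the permissions block
      if ($1 == "permissions:") { if ($2 == "write-all") report(); perm = n; next }
      if (perm >= 0 && $1 == "id-token:" && $2 == "write") report()
    }
  ' "$1"
}

# write_samples DIR: constructed inputs. ci.yml keeps a leftover grant on its
# build job; publish.yml grants it workflow-wide for trusted publishing.
write_samples() {
  cat > "$1/ci.yml" <<'EOF'
on:
  push:
    branches: [main]
  pull_request:
jobs:
  lint:
    runs-on: ubuntu-latest
    steps: [{ run: ./scripts/lint }]
  build:
    permissions:
      contents: read
      id-token: write
    runs-on: ubuntu-latest
    steps: [{ run: ./scripts/build }]
EOF
  printf 'permissions:\n  contents: read\n  id-token: write\njobs:\n  publish:\n    runs-on: ubuntu-latest\n' > "$1/publish.yml"
}

dir=$(mktemp -d)
write_samples "$dir"
for f in "$dir"/*.yml; do oidc_grants "$f"; done
rm -rf "$dir"
```

The parser is indentation-based and assumes the two-space block style used in the samples; inline flow mappings such as `permissions: { id-token: write }` are not detected.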