ci: add Release Please stable release flow with GitHub App token [VOL-367]#38
Conversation
There was a problem hiding this comment.
Pull request overview
This PR introduces a Release Please–based stable release flow. It adds Release Please configuration and a workflow that opens/updates release PRs on main, and refactors publish-cli.yml so it triggers only on SemVer tags (removing the previous main-branch/nightly path). Version integrity is now enforced by requiring the tag to match package.json. Documentation is updated to describe the new process and the required RELEASE_PLEASE_TOKEN.
Changes:
- Add
release-please-config.jsonand.release-please-manifest.json(seeded at0.0.4, matchingpackage.json) plus arelease-please.ymlworkflow using a PAT so tags trigger follow-on workflows. - Make
publish-cli.ymltag-only: drop themaintrigger and nightly build/alias logic, and reject tag ↔package.jsonversion drift. - Update
CONTRIBUTING.mdto document the Release Please process and required token/variable.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
release-please-config.json |
Defines the root node package, tag format, and changelog path for Release Please. |
.release-please-manifest.json |
Seeds the tracked version at 0.0.4. |
.github/workflows/release-please.yml |
Adds the workflow that creates/updates release PRs and tags via a PAT. |
.github/workflows/publish-cli.yml |
Switches to tag-only publishing, adds version-match validation, removes nightly logic and now-unused append_historical_assets. |
CONTRIBUTING.md |
Documents the new Release Please release process and required secret/variable. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
f2d8d62 to
4d4b912
Compare
ddbf863 to
21cfe15
Compare
tkkhq
left a comment
There was a problem hiding this comment.
Code Review — PR #38: ci: add Release Please stable release flow with GitHub App token [VOL-367]
Verification: No baseline verification was run: pr_review_verify reported verification disabled because no user-level verificationBaselines are configured (platform darwin). No PR code was executed, so the unsandboxed-PR-code risk was not exercised. Review is source-grounded: I independently fetched the full publish-cli.yml at head SHA ef84306 to confirm the nightly early-exit and trigger-filter claims, and the heavy passes confirmed the release-please config, manifest/package.json (both 0.1.0), bootstrap-sha ancestry, and SHA pins against upstream tags.
Overview
This PR introduces a Release Please based stable-release flow for the CLI. It adds release-please-config.json (node release-type, @volcano.dev/cli, changelog sections) and .release-please-manifest.json (seeded at 0.1.0), plus .github/workflows/release-please.yml, which runs on pushes to main/workflow_dispatch, mints a short-lived GitHub App installation token (down-scoped to contents/pull-requests/issues) via actions/create-github-app-token, runs release-please-action, and enables squash auto-merge on any created release PR. A GitHub App token is used instead of the default GITHUB_TOKEN specifically so the release tag/release triggers the follow-on publish workflow.
publish-cli.yml is refactored so stable publishing happens only from stable SemVer tags: the removed nightly regex in validate-release-ref is inert (that job early-exits for main, and nightly tags are excluded by the !v*.*.*-nightly.* trigger filter), resolve-release now reads package.json via a newly added setup-node and rejects tag/package.json drift, the old imperative npm version step is replaced by a verify-only guard, and npm publish now runs --provenance --access public with continue-on-error removed now that OIDC trusted publishing is live. All third-party actions are pinned to commit SHAs with trailing version comments and a new dependabot.yml keeps them current. CONTRIBUTING.md documents the flow and required App variable/secret; package.json is bumped 0.0.5 -> 0.1.0.
The nightly-from-main path is preserved unchanged, and the stable tag-driven flow is internally consistent across validate-release-ref, resolve-release, and publish-npm.
Strengths
- All third-party GitHub Actions are pinned to commit SHAs with matching version comments, and a new
dependabot.ymlgroup keeps the pins current — verified pins match upstream tags. - The GitHub App token is explicitly down-scoped (
permission-contents/pull-requests/issues: write) and the workflow default token is least-privilegecontents: read, with the PEM in a secret and app-id in a repo variable. - The stable tag <->
package.jsonversion-match guard is consistent acrossresolve-releaseandpublish-npm, and replaces the imperativenpm versionmutation with a fail-loud verify-only check. npm publish --provenance --access publicwith OIDC trusted publishing (noNPM_TOKEN) and removal ofcontinue-on-errorso publish failures now fail the release.- Nightly-from-
mainis deliberately preserved:validate-release-refearly-exits onmainand nightly tags are excluded at the trigger, so removingNIGHTLY_SEMVER_REbreaks nothing. release-please.ymlserializes runs via a stable concurrency group withcancel-in-progress: false, bounds runtime withtimeout-minutes: 10, and consumesRELEASE_PRSviaenv:(not inline${{ }}) with numericjqparsing — no injection surface.- Manifest (
0.1.0) matchespackage.json(0.1.0), andbootstrap-shais a real ancestor ofmain;CONTRIBUTING.mdclearly documents the process and required secret/variable.
Findings — 0 total (0 inline, 0 summary-only)
No issues found.
Correctness / Security / Performance
- Correctness: Nightly-from-main path preserved; job ordering acyclic; tag<->package.json version-match guards consistent across resolve-release and publish-npm.
- Security: Least-privilege default token + down-scoped App token, secrets/vars handled correctly, actions SHA-pinned, and untrusted inputs consumed via env with no shell/command-injection surface.
- Performance: Release job is bounded (timeout-minutes: 10), concurrency serialized without cancellation, and the auto-merge loop is bounded by created release PRs with no retrigger loop.
Verdict
Suggested verdict: approve
This is an internally consistent CI/config change with no substantiated blocking defects across all five passes; the nightly path is provably preserved and the stable tag-driven flow, token scoping, and SHA pins are correct. The PR body's stale references to a 0.0.4 seed are cosmetic (the actual code uses a consistent 0.1.0) and are not code defects.
Confidence: 0.90
swkeever
left a comment
There was a problem hiding this comment.
Overview
Adds a Release Please stable-release flow: Conventional Commits on main drive a release PR (auto-merged via squash) that bumps package.json/CHANGELOG/manifest, then Release Please cuts the vX.Y.Z tag using a GitHub App installation token so the tag-driven publish-cli.yml actually fires (the default GITHUB_TOKEN can't trigger follow-on workflows). publish-cli.yml is tightened to publish stable only from tags that match package.json, and all actions are SHA-pinned with a Dependabot config to keep pins current.
Assessment
Well-constructed and the design is sound. Verified against the live repo/registry:
- Baseline fully reconciles — npm
latestis0.1.0,package.json/manifest are0.1.0, andbootstrap-sha(0d63cdf) dereferences from the existingv0.1.0annotated tag. No version drift; the first post-merge run won't cut a spurious release (onlyci/docs/choresince bootstrap). --provenanceis safe:repository.urlis present inpackage.json, so provenance generation won't error.- Removing
NIGHTLY_SEMVER_REfrompublish-cli.ymlis safe — nightly tags are excluded from the tag trigger (!v*.*.*-nightly.*) and only ever flow through therefs/heads/mainpath, so the tag branch never sees them. - App token is down-scoped to contents/PRs/issues; workflow-level
GITHUB_TOKENis read-only; concurrency serializes release runs. Good hygiene. - Removing
continue-on-errorand thenpm versionstep is the right call now that trusted publishing is live and Release Please owns the version. - Pinned
release-please-actionSHA resolves to a realv4release (4.4.1);create-github-app-token→ v3.2.0. Pins are valid.
One cosmetic consistency nit inline; non-blocking. Approving.
Minor, non-blocking (no action required)
npm publish --access publicis redundant withpublishConfig.access: "public"already inpackage.json;--provenanceis likewise implicit under OIDC trusted publishing. Both are harmless/defensive.
Summary
Add a Release Please flow so stable CLI releases are cut from Conventional Commits on
mainvia a release PR, and makepublish-clipublish only from the resulting stable tag. Release Please authenticates with a short-lived GitHub App token instead of a personal access token, so the release tag/release triggers the tag-driven publish workflow without depending on an individual's credentials (VOL-367).Why
GITHUB_TOKENcannot trigger follow-on workflows, so the release tag would not startpublish-cli. A non-default token is required; a GitHub App token replaces the PAT and is not tied to a person.Changes
release-please-config.jsonand.release-please-manifest.json(@volcano.dev/cli, node release-type). Baseline reconciled to the already-published0.1.0:bootstrap-shapoints at thev0.1.0commit, the manifest andpackage.jsonare set to0.1.0, and richer changelog sections plus a Conventional-Commit release-PR title are configured..github/workflows/release-please.yml: mint an installation token viaactions/create-github-app-token(SHA-pinned, down-scoped to contents/pull-requests/issues) fromVOLCANO_APP_ID(variable) andVOLCANO_APP_KEY(secret), run Release Please, and enable squash auto-merge on the release PR. Addsworkflow_dispatch, a concurrency group, and a job timeout.publish-cli.yml: publish stable releases only from tags, validate the tag is stable SemVer (vMAJOR.MINOR.PATCH), reachable fromorigin/main, and matchespackage.json; reject tag/package.jsondrift; nightly builds frommainare unchanged. Publish to npm with--provenanceand fail the release on a publish error (trusted publishing is live).github-actionsDependabot config to keep the pins current.CONTRIBUTING.md.Requirements
VOLCANO_APP_ID(repository variable) andVOLCANO_APP_KEY(repository secret): a GitHub App installed on this repo with Contents and Pull requests read/write.VOLCANO_FIRST_PARTY_DEVICE_CLIENT_ID_PRODUCTION.Release flow
main.release-pleasemaintains a release PR that bumpspackage.jsonandCHANGELOG; squash auto-merge is armed on it.vX.Y.Ztag and GitHub Release.publish-cli.yml: validate the tag, build and cosign-sign the multi-platform binaries, upload release assets andSHA256SUMS, and publish to npm via OIDC trusted publishing.Verification
git diff --checkbash -non the release/publish shell stepsnpm pack --dry-run --ignore-scriptsmake build FIRST_PARTY_DEVICE_CLIENT_ID=volcano-cli VERSION=v0.1.0and./volcano --version