feat(release): bootstrap release-please self-management for org-defaults repo #35
Adds release-please self-management to SpiceLabsHQ/.github so this repo gets versioned point releases (v0.1.0, v0.1.1, etc.) instead of the current rolling-v1-tag manual moves.

What this adds
--------------
- .github/workflows/release-please-self.yml — caller workflow on push:main invoking SpiceLabsHQ/.github/.github/workflows/release-please.yml@v1 with the Rosemary Releaser App secrets. The App identity ensures the release PR is authored by rosemary-releaser[bot] AND that tag pushes from the release PR merge can fire downstream workflows.
- .github/workflows/release-cascade-check.yml — no-op smoke test that fires on tag push and emits a notice with the actor identity. Lets us confirm end-to-end that the tag-cascade auth chain is healthy.
- release-please-config.json — release-type: simple, single package at repo root, bootstrap-sha pinned to bce3abd so the first release window starts after PR #34 (the secret-rename) instead of scanning all history.
- .release-please-manifest.json — initial state {".": "0.0.0"}.
- version.txt — initial 0.0.0 placeholder that release-please will bump on each release (release-type: simple convention).

Smoke-test sequence after merge
-------------------------------
1. push:main fires release-please-self.yml
2. release-please scans commits since bootstrap-sha → finds this feat: commit → proposes a release PR for v0.1.0
3. The release PR is authored by rosemary-releaser[bot] (proof point #1)
4. Merging the release PR creates tag v0.1.0
5. The tag push fires release-cascade-check.yml (proof point #2)
6. Cascade check's notice should show actor=rosemary-releaser[bot]

Refs: DEV-225
Verified against DEV-225 (Linear) — aligned. This PR implements Phase 5 (smoke test) of the release-please provisioning work, bootstrapping self-management for the .github repo.
Test coverage is appropriate for workflow infrastructure: the workflows themselves are the executable behavior, and the release-cascade-check.yml is the regression test that will prove tag-cascade auth works after merge. The PR body documents the complete smoke-test sequence with proof points.
Configuration is sound: release-type: simple matches the README's documented pattern for non-code-package repos; bootstrap-sha correctly pins to PR #34's merge (bce3abd) to avoid scanning pre-release-please history; manifest and version.txt follow conventions; caller workflow properly references the reusable workflow at @v1 and passes both App secrets with correct permissions.
Security: no hardcoded credentials, no command injection, no workflow-level write permissions, appropriate use of pull_request trigger (not pull_request_target), and the cascade-check workflow safely echoes environment variables without execution risk.
Nicely documented — the inline comments in both workflows explain the why, and the PR body provides the complete smoke-test runbook. Once merged, watch for the release PR to open authored by rosemary-releaser[bot], which will be proof-point #1 that the App auth chain is healthy. 🌿
— Pepper
Summary
Bootstraps release-please self-management for SpiceLabsHQ/.github. Going forward this repo gets versioned point releases (v0.1.0, v0.1.1, …) authored by Rosemary Releaser, instead of the current rolling-v1-tag manual moves. This is the DEV-225 Phase 5 smoke test PR — also the permanent self-release setup for this repo. Two birds.
Files added
- `.github/workflows/release-please-self.yml` — caller workflow on `push: main` invoking `release-please.yml@v1` with the Rosemary Releaser App secrets
- `.github/workflows/release-cascade-check.yml` — no-op smoke test that fires on tag push and emits `::notice::` with the actor identity — proves tag-cascade auth chain is healthy
- `release-please-config.json` — `release-type: simple`, single package at root, `bootstrap-sha` pinned to `bce3abd` (PR #34's merge) so the first release window starts here, not since the beginning of time
- `.release-please-manifest.json` — `{".": "0.0.0"}`
- `version.txt` — `0.0.0` — release-please bumps it on each release (`release-type: simple` convention)

Smoke-test sequence after merge

1. `push:main` fires `release-please-self.yml`.
2. release-please scans commits since `bootstrap-sha` (just this PR's feat: squash commit) → proposes release PR for `v0.1.0`.
3. The release PR is authored by `rosemary-releaser[bot]` (not the human who merged or `github-actions[bot]`). Confirm via PR's author chip on GitHub.
4. Tag `v0.1.0` created on main.
5. `release-cascade-check.yml` fires on the `v0.1.0` tag push. If GITHUB_TOKEN had leaked into the path, GitHub would suppress this trigger (recursion safety) and the workflow would stay silent.
6. Cascade check emits `::notice::` with `actor=rosemary-releaser[bot]` (or similar App identity). Visible in the workflow run summary.

Why `bootstrap-sha` and not "scan all history"

This repo has a substantial pre-DEV-214 history (Pepper rename, prompt iterations, etc.). Without `bootstrap-sha`, the first release PR would scan it all and produce an unmanageable changelog. Pinning to `bce3abd` (the secret-rename merge from earlier today) means the first changelog covers only this PR's changes — clean smoke-test signal. `bootstrap-sha` is ignored after the first release; subsequent runs use the previous tag as the lower bound.

Why `release-type: simple`

The repo isn't a code package — it's a collection of reusable workflows. `simple` tracks version in `version.txt` only, no language-specific package-file hooks. If we ever want version markers in README badges or workflow header comments, we add them via `extra-files` later.

Coexistence with the rolling `v1` tag

release-please will create `v1.0.0`, `v1.0.1`, etc. — different tags from the existing rolling `v1`. The rolling `v1` continues to point at "latest released v1.x.y", advanced manually after each release-please-cut release (or via a separate workflow we can add later). For now, the rolling `v1` is unaffected.

Test plan

- The release PR is authored by `rosemary-releaser[bot]` (proof point #1)
- `release-cascade-check.yml` fires on the resulting tag push (proof point #2)
- `actor=rosemary-releaser[bot]` in the cascade-check workflow run

Refs: DEV-225
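As an added illustration (not release-please's own code, and not a file in this PR), the script below approximates the two behaviours the smoke test relies on: the `bootstrap-sha` window, which decides which commits release-please looks at, and the default conventional-commit bump rules that turn a single `feat:` commit on top of `0.0.0` into `v0.1.0`. The commit log is a constructed sample: only `bce3abd` is taken from the PR, every other sha and subject is a placeholder, and the bump rules (breaking change to major, `feat` to minor, `fix` to patch, other types not releasable, no 0.x special-casing) are my reading of release-please's defaults rather than anything the page states. Running it with and without the bootstrap sha shows why the description expects a one-line changelog rather than one covering the whole repo history.

```python
"""Approximate release-please's default version-bump logic over a commit window.

Added illustration for this PR; it is not release-please's own code.
Assumptions (labelled): release-please's default rules with no
bump-minor-pre-major, i.e. '!' / BREAKING CHANGE -> major, feat -> minor,
fix -> patch, any other type -> no release; and that only the bootstrap sha
bce3abd below is real, every other sha and subject being a placeholder.
"""
import re
from typing import List, Optional, Tuple

# Conventional-commit subject: type(optional scope)!: description
SUBJECT_RE = re.compile(r"^(?P<type>[a-z]+)(\([^)]*\))?(?P<bang>!)?:\s")
RANK = {"patch": 1, "minor": 2, "major": 3}

Commit = Tuple[str, str]  # (sha, subject)


def commits_after(log: List[Commit], bootstrap_sha: Optional[str]) -> List[Commit]:
    """Commits newer than bootstrap_sha; log is newest-first like `git log`.

    bootstrap_sha=None mimics the no-bootstrap case: the whole history is scanned.
    """
    if bootstrap_sha is None:
        return list(log)
    window: List[Commit] = []
    for sha, subject in log:
        if sha.startswith(bootstrap_sha):
            return window  # the bootstrap commit itself is excluded from the window
        window.append((sha, subject))
    raise ValueError(f"bootstrap sha {bootstrap_sha!r} not found in log")


def classify(subject: str, body: str = "") -> Optional[str]:
    """Map one commit to 'major' | 'minor' | 'patch' | None (not releasable)."""
    m = SUBJECT_RE.match(subject)
    if m is None:
        return None  # not a conventional commit: ignored
    if m.group("bang") or "BREAKING CHANGE" in body:
        return "major"
    return {"feat": "minor", "fix": "patch"}.get(m.group("type"))


def bump(version: str, level: str) -> str:
    """Plain semver bump; no 0.x special-casing (assumed release-please default)."""
    major, minor, patch = (int(x) for x in version.split("."))
    if level == "major":
        return f"{major + 1}.0.0"
    if level == "minor":
        return f"{major}.{minor + 1}.0"
    return f"{major}.{minor}.{patch + 1}"


def propose_release(manifest_version: str, log: List[Commit],
                    bootstrap_sha: Optional[str]) -> Optional[Tuple[str, List[str]]]:
    """Return (next_version, changelog_lines), or None when nothing is releasable."""
    releasable = []
    for sha, subject in commits_after(log, bootstrap_sha):
        level = classify(subject)
        if level is not None:
            releasable.append((level, sha, subject))
    if not releasable:
        return None
    top = max((level for level, _, _ in releasable), key=RANK.__getitem__)
    changelog = [f"- {subject} ({sha[:7]})" for _, sha, subject in releasable]
    return bump(manifest_version, top), changelog


# Constructed sample log, newest first. Only bce3abd comes from the PR; the
# other shas are placeholders and the subjects are invented for illustration.
SAMPLE_LOG: List[Commit] = [
    ("0000001", "feat(release): bootstrap release-please self-management for org-defaults repo"),
    ("bce3abd", "chore: placeholder subject for the PR #34 secret-rename merge"),
    ("0000002", "feat(workflows): placeholder for an older feature commit"),
    ("0000003", "chore: placeholder for an older housekeeping commit"),
]

if __name__ == "__main__":
    # With the bootstrap sha: one feat commit, so 0.0.0 -> 0.1.0 and a one-line changelog.
    print("with bootstrap-sha:", propose_release("0.0.0", SAMPLE_LOG, "bce3abd"))
    # Without it: the older feat is swept in too and the changelog grows with history.
    print("scanning all history:", propose_release("0.0.0", SAMPLE_LOG, None))
```

After the first release the lower bound is the previous tag rather than the bootstrap sha, so in practice `commits_after` would be fed the tag's commit instead of `bce3abd`; the window logic is the same.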