Restored rich Slack notification for release failures #28131
No actionable comments were generated in the recent review.

Walkthrough
The PR replaces the legacy Slack action with a custom curl/jq-based notifier that posts to RELEASE_NOTIFICATION_URL and treats posting errors as non-fatal. It adds a publish_ghost failure step to alert on npm publish failures, refactors GitHub release creation into an explicit create_release step, gates the success notification on that step's outcome, and adds a release-creation failure notification step that posts the same formatted Slack payload.
| Command | Status | Duration |
|---|---|---|
| nx run ghost:test:ci:integration | ✅ Succeeded | 1m 59s |
| nx run @tryghost/admin-x-settings:test:acceptance | ✅ Succeeded | 9m 14s |
| nx run ghost:test:ci:e2e | ✅ Succeeded | 7m 35s |
| nx run ghost:test:ci:legacy | ✅ Succeeded | 3m 10s |
| nx build @tryghost/sodo-search | ✅ Succeeded | <1s |
| nx build @tryghost/signup-form | ✅ Succeeded | <1s |
| nx build @tryghost/comments-ui | ✅ Succeeded | <1s |
| nx build @tryghost/portal | ✅ Succeeded | <1s |
| Additional runs (12) | ✅ Succeeded | ... |
☁️ Nx Cloud last updated this comment at 2026-05-26 15:01:33 UTC
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files
@@ Coverage Diff @@
## main #28131 +/- ##
=======================================
Coverage 73.87% 73.87%
=======================================
Files 1529 1529
Lines 129757 129757
Branches 15567 15569 +2
=======================================
+ Hits 95854 95859 +5
+ Misses 32941 32912 -29
- Partials 962 986 +24
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/ci.yml:
- Around line 1916-1919: The "Notify release failure" job lacks an explicit
permissions block and is inheriting GITHUB_TOKEN scopes; add a minimal
permissions declaration to remove token access by adding permissions: none (or
permissions: { contents: none } if you prefer explicit) under the "Notify
release failure" job definition so the job that only posts to Slack doesn't
receive repository token privileges.
📒 Files selected for processing (2)
.github/workflows/ci.yml
.github/workflows/release.yml
When the release flow lived in Ghost-Release it sent an on-call Slack alert on failure (grunt notify-release-failure). After the flow moved into Ghost, release.yml and ci.yml fell back to the generic slack-build "Test failure" message, which doesn't page on-call.

Restores an on-call alert at every stage of a release, posting to the existing RELEASE_NOTIFICATION_URL secret. Both stages send the same message — "🚨 Ghost release failed", an @on-call-product page, and a link to the failed run:

- release.yml: on a failed prepare/tag run.
- ci.yml: a terminal notify_release_failure job that needs the whole publish chain (job_setup -> job_build_artifacts -> job_ghost-cli -> publish_ghost -> create_github_release) and fires on any failure within it.

A single aggregator job catches jobs skipped by an upstream failure (e.g. a build failure skips publish_ghost entirely), which a per-job `if: failure()` step cannot. Replaces the per-job slack-build steps.

Also gates the create_github_release "is loose!" announcement on the release step itself, so a failed GitHub Release can no longer announce a false success.

refs #26760

Why
When the release flow lived in Ghost-Release, a failed release sent an on-call-paging Slack alert via the notify-release-failure grunt task. After the flow moved into Ghost, release.yml and ci.yml fell back to the generic slack-build "Test failure" message — which doesn't page @on-call-product.

A release now spans two workflows: release.yml (prepare + push the tag) and the tag-triggered ci.yml run (build → npm publish → GitHub Release). Every stage should page on failure. This PR restores that, posting to the existing RELEASE_NOTIFICATION_URL secret (already used for the "is loose!" success message), so no new secret is needed.

The message
Both stages send the same message — title, on-call page, and a link to the failed run so someone can check what broke:
It deliberately doesn't try to describe what failed; the run link is the source of truth.
What changed
- release.yml — replaces the generic slack-build failure step with the message above, on a failed prepare/tag run.
- ci.yml — adds a single terminal notify_release_failure job that needs the whole publish chain (job_setup → job_build_artifacts → job_ghost-cli → publish_ghost → create_github_release) and fires on failure() with the same message.
  Why a terminal job rather than per-job if: failure() steps: a step only runs if its job runs. When an upstream job fails (e.g. job_build_artifacts, which builds the npm tarball), publish_ghost is skipped, so a per-job failure step there never fires — the release silently fails to publish with no alert. failure() on a job that needs the whole chain is true if any job in it fails, so it catches the skipped cases too. This also replaces (and de-duplicates) the per-job slack-build steps.
- ci.yml create_github_release — gates the existing "is loose!" success announcement on the release step (steps.create_release.outcome) rather than the notes step, so a failed gh release create can no longer announce a false success.

Failure coverage
release.yml
ci.yml publish chain → notify_release_failure

Notes for reviewers
- username: "Ghost CI" — the original used "Jenkins" (a relic). Switched to "Ghost CI" to match the workflow's own git identity.
- on-call-product subteam mention is a hardcoded default, not a secret. The only privacy boundary is the webhook (RELEASE_NOTIFICATION_URL, already a secret): a fork points it at its own channel and gets its own alerts, while an unknown <!subteam^…> simply renders inert elsewhere.
- notify_release_failure is guarded to github.repository == 'TryGhost/Ghost', and RELEASE_NOTIFICATION_URL isn't exposed to fork PRs, so the alerts only fire on real release runs in the canonical repo.

refs #26760
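
A sketch of the terminal failure-notification job discussed in this PR, combining the `needs`-chain aggregation, the repository guard, and an empty `permissions` block so the job receives no GITHUB_TOKEN scopes, as the review comment asks. This is an added example, not the PR's actual workflow code: job names and the secret name are taken from the description, while the step body, the environment variable names and the subteam placeholder are assumptions.

```yaml
# Added illustration, not the contents of Ghost's ci.yml.
jobs:
  # job_setup, job_build_artifacts, job_ghost-cli, publish_ghost and
  # create_github_release are assumed to be defined elsewhere in this workflow.

  notify_release_failure:
    name: Notify release failure
    runs-on: ubuntu-latest
    # Needing the whole chain makes failure() true when any ancestor job fails,
    # including the case where a later job was skipped because of that failure.
    needs:
      - job_setup
      - job_build_artifacts
      - job_ghost-cli
      - publish_ghost
      - create_github_release
    # Only the canonical repository pages on-call.
    if: failure() && github.repository == 'TryGhost/Ghost'
    # The job only calls a webhook, so it gets no GITHUB_TOKEN scopes at all.
    permissions: {}
    steps:
      - name: Post failure alert to Slack
        env:
          # Secrets and context values go through env, never into the script text.
          SLACK_WEBHOOK_URL: ${{ secrets.RELEASE_NOTIFICATION_URL }}
          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
          # Placeholder: the real subteam ID is not shown on the page.
          ON_CALL_MENTION: "<!subteam^SUBTEAM_ID_PLACEHOLDER>"
        run: |
          if [ -z "$SLACK_WEBHOOK_URL" ]; then
            echo "::warning::RELEASE_NOTIFICATION_URL is not set; skipping alert"
            exit 0
          fi
          # jq builds the JSON so every value is escaped, not string-concatenated.
          payload=$(jq -n \
            --arg text "🚨 Ghost release failed $ON_CALL_MENTION <$RUN_URL|View failed run>" \
            '{username: "Ghost CI", text: $text}')
          # A Slack outage must not add a second failure: warn and carry on.
          curl --fail --silent --show-error --max-time 10 \
            -H 'Content-Type: application/json' \
            --data "$payload" "$SLACK_WEBHOOK_URL" \
            || echo "::warning::Slack notification could not be delivered"
```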