fix(ci): harden release workflow per CodeRabbit review#31
Merged
Conversation
- Scope write permissions to release job only; CI jobs inherit read-only - Pin release Node version to 22 instead of lts/* for validated runtime - Add concurrency group to serialize releases per ref Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
Note
|
| Cohort / File(s) | Summary |
|---|---|
Workflow Configuration .github/workflows/release.yml |
Added concurrency group with cancel-in-progress disabled. Demoted top-level contents permission from write to read. Introduced job-level permissions block granting write access to contents, issues, pull-requests, and id-token. Pinned Node.js version to 22 in setup-node step. |
Estimated code review effort
🎯 2 (Simple) | ⏱️ ~7 minutes
Possibly related PRs
- feat(ci): semantic-release automated publishing pipeline #22: Directly modifies the same
.github/workflows/release.ymlfile with identical changes to concurrency, top-level/job permissions, and Node.js version pinning.
🚥 Pre-merge checks | ✅ 2 | ❌ 1
❌ Failed checks (1 warning)
| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | The description provides a clear summary of changes and test plan, but does not follow the repository's PR template structure with sections like Type of change, Related issue, Tests added, or Checklist. | Restructure the description to follow the repository template, including Type of change (Bug fix), Related issue (#30), Tests added section, and completed Checklist items. |
✅ Passed checks (2 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly describes the main change: hardening the CI release workflow based on CodeRabbit review feedback, which aligns with the changeset's security and configuration improvements. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
✏️ Tip: You can configure your own custom pre-merge checks in the settings.
✨ Finishing Touches
🧪 Generate unit tests (beta)
- Create PR with unit tests
- Post copyable unit tests in a comment
- Commit unit tests in branch
feature/fix-chain-release-after-ci
Comment @coderabbitai help to get the list of available commands and usage tips.
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/release.yml:
- Around line 15-17: The workflow-wide concurrency block is preventing new runs
from starting until the entire previous CI+release finishes; move the
concurrency key into the release job so only publishing is serialized.
Specifically, remove or delete the top-level concurrency block (concurrency,
group: release-${{ github.ref }}, cancel-in-progress) and add an equivalent
concurrency block under jobs.release (i.e., jobs: release: concurrency: group:
release-${{ github.ref }} cancel-in-progress: false) so build/test jobs can run
concurrently while the release job remains scoped and serialized.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro
Run ID: 08e64262-db47-4467-902c-a2bf5dd9c775
📒 Files selected for processing (1)
.github/workflows/release.yml
Comment on lines
+15
to
+17
| concurrency: | ||
| group: release-${{ github.ref }} | ||
| cancel-in-progress: false |
There was a problem hiding this comment.
🧹 Nitpick | 🔵 Trivial
Scope concurrency to the release job instead of the whole workflow.
At this level, every new main run waits for the previous run’s full CI and release sequence to finish. If the goal is only to prevent concurrent publishes, move concurrency under jobs.release so newer build and test jobs can start immediately.
Suggested change
-concurrency:
- group: release-${{ github.ref }}
- cancel-in-progress: false
-
permissions:
contents: read
jobs:
@@
release:
+ concurrency:
+ group: release-${{ github.ref }}
+ cancel-in-progress: false
needs: [build, test, lint, format, audit]
runs-on: ubuntu-latest🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/release.yml around lines 15 - 17, The workflow-wide
concurrency block is preventing new runs from starting until the entire previous
CI+release finishes; move the concurrency key into the release job so only
publishing is serialized. Specifically, remove or delete the top-level
concurrency block (concurrency, group: release-${{ github.ref }},
cancel-in-progress) and add an equivalent concurrency block under jobs.release
(i.e., jobs: release: concurrency: group: release-${{ github.ref }}
cancel-in-progress: false) so build/test jobs can run concurrently while the
release job remains scoped and serialized.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
22instead oflts/*to match tested matrixconcurrencygroup to serialize releases per ref (prevents race conditions)Addresses all 3 CodeRabbit review comments on PR #30.
Test plan
🤖 Generated with Claude Code
Summary by CodeRabbit