ci: migrate release process from GitHub Actions to Buildkite with Chinmina #136

Merged: jamestelfer merged 8 commits into main from migrate-release-to-buildkite-chinmina on Apr 10, 2026

@jamestelfer (Member) commented Jan 5, 2026

Purpose

Simplify and consolidate the cfparams release process by removing the dependency on GitHub Actions and AWS Secrets Manager. The current hybrid approach requires Buildkite to trigger GitHub Actions, which then performs the actual release work. This is complicated and relies on long-lived credentials stored in AWS Secrets Manager.

Going for a Buildkite-only pipeline with Chinmina for ephemeral GitHub authentication makes the release process more straightforward.

Notably:

  1. Chinmina provides short-lived tokens scoped to specific operations, eliminating the need to manage and rotate secrets in AWS Secrets Manager.
  2. git-cliff works better for pre-release versions than our previous strategy, and gets rid of a Node dependency.

Context

Required follow-up before release

The .goreleaser.yaml change from brews: to homebrew_casks: is correct for GoReleaser v2 — pre-compiled binaries should be Casks, not Formulas. However, existing users of brew install cultureamp/tap/cfparams will hit a silent failure once the Formula is replaced by a Cask in the tap.

cultureamp/homebrew-tap changes

Replace Formula/cfparams.rb with a disabled stub:

class Cfparams < Formula
  desc "Wrangle parameters for AWS CloudFormation"
  homepage "https://github.com/cultureamp/cfparams"

  # cfparams is now distributed as a Homebrew cask.
  # Install with: brew install --cask cultureamp/tap/cfparams
  disable! date: "2026-04-10", because: :discontinued, replacement_cask: "cfparams"

  def install; end
end

This makes brew install cultureamp/tap/cfparams fail with a clear message pointing to the cask, rather than silently doing nothing.

Also ensure the tap has a Casks/ directory — GoReleaser writes the cask file there by default (since directory: Formula was removed from .goreleaser.yaml).

After the first release

Update the README install command from brew install cultureamp/tap/cfparams to brew install --cask cultureamp/tap/cfparams once the install path is confirmed.

@jamestelfer force-pushed the migrate-release-to-buildkite-chinmina branch from 6e28768 to 0061686 on January 9, 2026 06:02

In preparation for a full migration of the release
process to Buildkite.

@jamestelfer force-pushed the migrate-release-to-buildkite-chinmina branch 3 times, most recently from 393d86b to 8f943af on January 10, 2026 12:33

Replace the hybrid Buildkite/GitHub Actions release workflow with a
Buildkite-only pipeline using Chinmina for ephemeral GitHub authentication.

The release process is entirely in Buildkite, and no longer requires
GitHub personal access tokens.

@jamestelfer force-pushed the migrate-release-to-buildkite-chinmina branch 3 times, most recently from 531360b to 2b2db5b on January 10, 2026 12:54

Add release section to goreleaser config to ensure changelog is
properly published to GitHub releases with appropriate header and
footer formatting.

- Change snapshot.name_template to snapshot.version_template
- Change archives.format to archives.formats
- Rename brews to homebrew_casks (removes custom test and install
  scripts as casks use a different structure)

These changes address all deprecation warnings from GoReleaser v2.

@jamestelfer force-pushed the migrate-release-to-buildkite-chinmina branch from 2b2db5b to 06d314b on January 10, 2026 13:02

@jamestelfer changed the title from "Migrate release process from GitHub Actions to Buildkite with Chinmina" to "ci: migrate release process from GitHub Actions to Buildkite with Chinmina" on Jan 10, 2026

Comment thread .buildkite/hooks/pre-command
Comment thread .goreleaser.yaml
@anshbajpai01 (Contributor) previously approved these changes Apr 10, 2026 and left a comment:

LGTM

@jamestelfer (Member, Author) commented:

Before this merges I'll do a once-over to make sure there isn't anything left over here.

ci_calculate_version, ci_create_tag, and ci_goreleaser were left over
from an earlier multi-step pipeline design. ci_release now inlines all
three functions, making these scripts dead code.

Address review feedback: use [[ ]] over [ ], split local declarations
from command-substitution assignments onto separate lines, quote all
command substitutions and variable expansions consistently.

@jamestelfer (Member, Author) commented:

Required follow-up: homebrew-tap formula deprecation

The .goreleaser.yaml change from brews: to homebrew_casks: is correct for GoReleaser v2 — pre-compiled binaries should be Casks, not Formulas. However, existing users who have brew install cultureamp/tap/cfparams will hit a silent failure once the Formula is replaced by a Cask in the tap.

Required change in cultureamp/homebrew-tap

Replace Formula/cfparams.rb with a disabled stub:

class Cfparams < Formula
  desc "Wrangle parameters for AWS CloudFormation"
  homepage "https://github.com/cultureamp/cfparams"

  # cfparams is now distributed as a Homebrew cask.
  # Install with: brew install --cask cultureamp/tap/cfparams
  disable! date: "2026-04-10", because: :discontinued, replacement_cask: "cfparams"

  def install; end
end

This makes brew install cultureamp/tap/cfparams fail with a clear message pointing to the cask, rather than silently doing nothing.

Also check

  • The tap will need a Casks/ directory; GoReleaser writes the cask file there by default (since directory: Formula was removed from .goreleaser.yaml)
  • Update the README install command from brew install cultureamp/tap/cfparams to brew install --cask cultureamp/tap/cfparams after the first cask-based release confirms the install path

This tap change should land at the same time as or before this PR is merged and a release is cut.
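
A preflight check for the tap follow-up set out in the PR description and in the comment above, as an added example that is not part of the original PR or the cfparams project. It gates a release on a local tap checkout having a Casks/ directory and a Formula stub whose disable! names the replacement cask; `check_tap`, `make_sample_tap` and the temporary tap layout are constructed for illustration.

```shell
# Added example: gate a cask-based release on the state of a local tap checkout.
# check_tap and make_sample_tap are hypothetical helpers, not project code.
# check_tap prints one line per problem and returns 0 only when the tap is ready.
check_tap() {
  tap_dir=$1
  name=$2
  problems=0
  formula="$tap_dir/Formula/$name.rb"
  # GoReleaser writes the cask file to Casks/ by default.
  if [ ! -d "$tap_dir/Casks" ]; then
    echo "missing Casks/ directory"
    problems=$((problems + 1))
  fi
  if [ ! -f "$formula" ]; then
    echo "Formula/$name.rb is missing, so there is no disabled stub"
    problems=$((problems + 1))
  else
    # Drop comment lines so a commented-out disable! does not count.
    code=$(grep -v '^[[:space:]]*#' "$formula" || true)
    if ! printf '%s\n' "$code" | grep -q 'disable!'; then
      echo "Formula/$name.rb is not disabled"
      problems=$((problems + 1))
    elif ! printf '%s\n' "$code" | grep 'disable!' |
        grep -q "replacement_cask: \"$name\""; then
      echo "disable! does not name replacement_cask \"$name\""
      problems=$((problems + 1))
    fi
  fi
  [ "$problems" -eq 0 ]
}

# Constructed sample: a temporary tap holding the stub shown in the PR.
make_sample_tap() {
  d=$(mktemp -d)
  mkdir -p "$d/Formula" "$d/Casks"
  cat > "$d/Formula/cfparams.rb" <<'EOF'
class Cfparams < Formula
  desc "Wrangle parameters for AWS CloudFormation"
  homepage "https://github.com/cultureamp/cfparams"
  disable! date: "2026-04-10", because: :discontinued, replacement_cask: "cfparams"
  def install; end
end
EOF
  echo "$d"
}

tap=$(make_sample_tap)
check_tap "$tap" cfparams && echo "tap ready for a cask-based release"
rm -rf "$tap"
```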

- Add inline comments to pipeline.yaml explaining Chinmina plugin
  options: exclusive:true behaviour, pipeline: vs org: scope prefixes,
  and why both plugins reference the same binary-release profile
- Pin git-cliff docker image to v2.12.0 (was :latest)
- Update AGENTS.md release process steps to reflect Chinmina replacing
  OIDC/AWS Secrets Manager

@jamestelfer force-pushed the migrate-release-to-buildkite-chinmina branch from 4aba2bf to 7f4e069 on April 10, 2026 04:43

@jamestelfer merged commit b38be04 into main on Apr 10, 2026 (4 checks passed)

@jamestelfer deleted the migrate-release-to-buildkite-chinmina branch on April 10, 2026 05:35