ci: extract prepare-release workflow to release-tools#2496
Conversation
Reviewer's GuideThis PR refactors the prepare-release GitHub Actions workflow to delegate to a reusable workflow in the trustify-release-tools repo and generalizes CycloneDX SBOM ingestion to accept multiple JSON input sources via a new JsonSource abstraction. File-Level Changes
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
There was a problem hiding this comment.
Hey - I've found 1 issue, and left some high level feedback:
- In the new
prepare-releaseworkflow that calls the reusable workflow, the previousif: github.repository_owner == 'guacsec'guard has been dropped; if this guard is still required, consider either re‑adding it here or ensuring the reusable workflow enforces the same restriction. - The
JsonSourcetrait consumesselfinparse_json, which meansserde_json::Valuemust be owned and is moved on parse; if you expect to reuse or share values, consider changing the trait to take&self(or&mut self) and adjust the impls to avoid unnecessary moves.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- In the new `prepare-release` workflow that calls the reusable workflow, the previous `if: github.repository_owner == 'guacsec'` guard has been dropped; if this guard is still required, consider either re‑adding it here or ensuring the reusable workflow enforces the same restriction.
- The `JsonSource` trait consumes `self` in `parse_json`, which means `serde_json::Value` must be owned and is moved on parse; if you expect to reuse or share values, consider changing the trait to take `&self` (or `&mut self`) and adjust the impls to avoid unnecessary moves.
## Individual Comments
### Comment 1
<location path=".github/workflows/prepare-release.yaml" line_range="31" />
<code_context>
-
- After merging, follow [RELEASE.md](https://github.com/guacsec/trustify/blob/main/RELEASE.md) for tagging." \
- --base "${BASE}"
+ secrets: inherit
+ uses: guacsec/trustify-release-tools/.github/workflows/prepare-release.yaml@main
+ with:
</code_context>
<issue_to_address>
**🚨 issue (security):** Reconsider `secrets: inherit` when calling a reusable workflow from another repository
Because this reusable workflow lives in a different repository, `secrets: inherit` exposes all job secrets to it and increases the impact of a compromise in that repo. If it doesn’t genuinely need full access, prefer explicitly passing only the required secrets or using repo-specific tokens instead of inheriting everything.
</issue_to_address>Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
|
|
||
| After merging, follow [RELEASE.md](https://github.com/guacsec/trustify/blob/main/RELEASE.md) for tagging." \ | ||
| --base "${BASE}" | ||
| secrets: inherit |
There was a problem hiding this comment.
🚨 issue (security): Reconsider secrets: inherit when calling a reusable workflow from another repository
Because this reusable workflow lives in a different repository, secrets: inherit exposes all job secrets to it and increases the impact of a compromise in that repo. If it doesn’t genuinely need full access, prefer explicitly passing only the required secrets or using repo-specific tokens instead of inheriting everything.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Assisted-by: Claude Code
5f7d662 to
74970fe
Compare
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #2496 +/- ##
==========================================
+ Coverage 71.66% 71.67% +0.01%
==========================================
Files 453 453
Lines 27517 27517
Branches 27517 27517
==========================================
+ Hits 19719 19723 +4
+ Misses 6667 6657 -10
- Partials 1131 1137 +6 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
Summary
guacsec/trustify-release-toolsDepends on: guacsec/trustify-release-tools PR being merged first.
Test plan
🤖 Generated with Claude Code
Summary by Sourcery
Delegate the prepare-release GitHub Actions workflow to a reusable workflow in trustify-release-tools and generalize CycloneDX SBOM ingestion to support multiple JSON input sources.
Enhancements:
CI: