chore: Add release workflows for automated pub.dev publishing #62
Add draft-release-publish and release-from-main GitHub Actions workflows for automated pub.dev publishing via OIDC. Reformat CHANGELOG.md to Keep a Changelog format. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
PR Summary
Medium Risk
Overview
Introduces an automated release process:
Standardizes versioning by adding a
Written by Cursor Bugbot for commit 2e78147. This will update automatically on new commits.
flutter build ipa requires a Development Team even with --no-codesign, causing CI failures. Switch to flutter build ios --no-codesign which builds without requiring provisioning. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Device builds require a Development Team even with --no-codesign. Switch to --simulator which skips codesigning entirely. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Simulator builds require the iOS runtime to be installed. Use device build with CODE_SIGNING_ALLOWED=NO env var to skip codesigning without needing simulator runtimes. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Flutter's --no-codesign flag doesn't reliably disable codesigning on newer Xcode versions. Use flutter build ios --config-only to generate the Xcode project, then call xcodebuild directly with CODE_SIGN_IDENTITY, CODE_SIGNING_REQUIRED, and CODE_SIGNING_ALLOWED overrides. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
macos-15 runners default to Xcode 16.4 with iOS 18.5 pre-installed. Pinning to Xcode 16.3 required iOS 18.4 which was removed from the runner image. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Split release into two workflows: create-release-tag.yml watches VERSION changes on main and pushes a v* tag; release-from-main.yml triggers on v* tag push so the OIDC token has ref_type=tag which pub.dev requires for trusted publishing
- Change cancel-in-progress to false on release workflow to prevent inconsistent state from mid-release cancellation
- Remove setup-and-version/release-and-tag job split in favor of simpler release job using github.ref_name for the tag
- Restore setup-xcode step in pull-request.yml pinned to 16.4

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
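An added example, not code from this PR or from pub.dev: a preflight check a release job could run before publishing, showing why a branch-triggered run cannot satisfy the ref_type=tag requirement described in the commit above. It assumes the `repository`, `ref` and `ref_type` claims of GitHub's OIDC token and their default environment-variable counterparts; the function names and the rule that the tag equals the pattern with the package version substituted are this example's assumptions.

```python
def claims_from_env(env):
    """Map GitHub Actions' default environment variables to the matching token claims."""
    return {
        "repository": env.get("GITHUB_REPOSITORY", ""),
        "ref": env.get("GITHUB_REF", ""),
        "ref_type": env.get("GITHUB_REF_TYPE", ""),
    }


def publish_problems(claims, repository, tag_pattern, package_version):
    """Return the reasons a publish would be refused; an empty list means none found."""
    problems = []
    if claims.get("repository") != repository:
        problems.append(f"repository {claims.get('repository')!r} is not {repository!r}")
    if claims.get("ref_type") != "tag":
        # A VERSION change pushed to main yields ref_type=branch, which is why
        # the release job was moved to a separate tag-triggered workflow.
        problems.append(f"ref_type is {claims.get('ref_type')!r}, expected 'tag'")
        return problems
    ref = claims.get("ref", "")
    prefix = "refs/tags/"
    tag = ref[len(prefix):] if ref.startswith(prefix) else ref
    expected = tag_pattern.replace("{{version}}", package_version)
    if tag != expected:
        problems.append(f"tag {tag!r} does not match {expected!r}")
    return problems


# Constructed claim sets: what the same repository presents on a branch push
# versus a tag push. Repository, tag pattern and version are taken from the PR.
REPO = "mParticle/mparticle-flutter-sdk"
PATTERN = "v{{version}}"
BRANCH_PUSH = {"repository": REPO, "ref": "refs/heads/main", "ref_type": "branch"}
TAG_PUSH = {"repository": REPO, "ref": "refs/tags/v1.1.1", "ref_type": "tag"}

if __name__ == "__main__":
    import os
    import sys
    version = sys.argv[1] if len(sys.argv) > 1 else "1.1.1"
    found = publish_problems(claims_from_env(os.environ), REPO, PATTERN, version)
    for problem in found:
        print(f"publish preflight: {problem}", file=sys.stderr)
    sys.exit(1 if found else 0)
```

Run as a step ahead of the publish step, with the package version as the first argument, it fails the job with a specific reason instead of leaving the rejection to the registry.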
Use MP_SEMANTIC_RELEASE_BOT token instead of default GITHUB_TOKEN. Tags pushed with GITHUB_TOKEN don't trigger other workflows, so the bot token is required for the release workflow to fire on tag push. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Pin all third-party actions to exact commit SHAs to prevent supply chain attacks from compromised action tags. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- pull-request.yml: "Build and Test" → "Pull Request"
- draft-release-publish.yml → release-draft.yml: "Release – Draft"
- release-from-main.yml → release-publish.yml: "Release – Publish"
- create-release-tag.yml → release-tag.yml: "Release – Tag"
- Reorder bump-type options to patch, minor, major (most common first)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
nickolas-dimitrakas
left a comment
We should also separate out the pull-request.yml into pieces similar to how we have done in other repos (Ex: https://github.com/mParticle/mparticle-apple-sdk/blob/main/.github/workflows/pull-request.yml). But we can also do this in a separate PR.
Split monolithic pull-request.yml into reusable workflows:
- test.yml: Unit tests
- build-android.yml: Android APK and App Bundle builds
- build-ios.yml: iOS build with xcodebuild
- build-web.yml: Web build

Both pull-request.yml and release-publish.yml now reference these reusable workflows, reducing duplication.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
| if [ ! -f build/web/flutter.js ]; then | ||
| echo "Web build not found!" | ||
| exit 1 | ||
| fi |
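Review bot: the `echo "Web build not found!"` line reports the failure without naming the path that was tested and writes it to stdout, so a red job gives no hint that the check looked only for `build/web/flutter.js`. Put the path in the message and send it to stderr, for example `echo "Web build not found: build/web/flutter.js" >&2`, and consider holding the path in a variable so the test and the message cannot drift apart.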
Web build check uses removed flutter.js file
Low Severity
The web build verification checks for build/web/flutter.js, but this file was removed in Flutter 3.22+ (replaced by flutter_bootstrap.js). The old workflow pinned Flutter to 3.19.3 where flutter.js existed; the new reusable workflow uses vars.FLUTTER_VERSION, so updating the Flutter version past 3.22 will cause this check to always fail. The example app's index.html also uses the pre-3.22 bootstrap pattern.
Add branches filter to prevent redundant CI runs on tag pushes. Without this, release tag pushes via PAT trigger both the release workflow (intended) and the full PR CI suite (wasteful). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Nickolas Dimitrakas <nickolas.dimitrakas@rokt.com>
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 2 total unresolved issues (including 1 from previous review).
PRs created with GITHUB_TOKEN don't trigger CI workflows. Use MP_SEMANTIC_RELEASE_BOT PAT so the release PR triggers the pull-request workflow for CI validation before merge. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>



Background
- rokt-sdk-flutter) has a well-established release workflow pattern that we want to adopt for consistency across Flutter SDKs.
- macos-15 runner images in January 2026, causing Xcode 16.3 builds to fail.

What Has Changed
- draft-release-publish.yml — manually triggered workflow that bumps the version (major/minor/patch), updates VERSION, pubspec.yaml, and CHANGELOG.md, runs a dry-run publish, and creates a release PR targeting main
- release-from-main.yml — triggers automatically when VERSION changes on main, runs tests, builds Android and iOS, publishes to pub.dev via OIDC trusted publishing (no stored credentials), creates a v{version} git tag, and creates a GitHub release with changelog notes
- VERSION file (1.1.1) as the single source of truth for the SDK version
- thomaseizinger/keep-a-changelog-new-release action used in the draft workflow
- mParticle/mparticle-flutter-sdk with tag pattern v{{version}} — no PUB_DEV_* secrets required
- v0.2.0-alpha.1 through v1.1.1) on historical commits
- pull-request.yml — the macos-15 runner now defaults to Xcode 16.4 with iOS 18.5 pre-installed. Also switched to using xcodebuild directly with CODE_SIGN_IDENTITY="", CODE_SIGNING_REQUIRED=NO, and CODE_SIGNING_ALLOWED=NO to reliably skip codesigning in CI.

Screenshots/Video
Checklist
Additional Notes
- FLUTTER_VERSION repo variable must be set (e.g., 3.19.3) for the new release workflows to pick up the correct Flutter SDK version
- pull-request.yml still uses a hardcoded FLUTTER_SDK_VERSION env var — this could be migrated to vars.FLUTTER_VERSION in a follow-up
- main branch is required as the release target branch

Reference Issue (For employees only. Ignore if you are an outside contributor)