Skip to content

ci: tag-driven release with tagpr + promote-stable#154

Open
neilkuan wants to merge 12 commits intomainfrom
feat/tag-driven-release
Open

ci: tag-driven release with tagpr + promote-stable#154
neilkuan wants to merge 12 commits intomainfrom
feat/tag-driven-release

Conversation

@neilkuan
Copy link
Copy Markdown
Collaborator

@neilkuan neilkuan commented Apr 9, 2026
edited
Loading

變更說明

改用 tagpr 自動化 release 流程,並保留 promote-stable 機制確保 stable image 跟 pre-release 是同一個 artifact。

核心原則:測過什麼就發什麼 (what you tested is what you ship)

之前 vs 之後
之前 之後
Release 觸發 手動打 tag(beta + stable 兩階段) tagpr 自動打 tag(merge Release PR 即 release)
版本管理 手動維護,Cargo.toml / Chart.yaml 不同步 tagpr 自動同步 Cargo.toml + Chart.yaml version/appVersion
CHANGELOG tagpr 自動產生
Pre-release beta tag 觸發完整 build 手動打 tag(e.g. v0.7.0-rc.1),完整 build
Stable release 也重新 build(跟 beta 不同 artifact) promote pre-release image(re-tag,不 rebuild,同一個 artifact)
Promote 方式 用 commit SHA 找 image(必須同 commit) 用 git tag 找最新 pre-release image(不同 commit 也能 promote)
Image 保證 beta ≠ stable pre-release = stable(同一個 image)
改動檔案
檔案 變更
.github/workflows/tagpr.yml 新增 — push to main 觸發 tagpr,GitHub App token(確保 tag push 觸發 build.yml)
.github/workflows/build.yml 兩條路徑:pre-release 完整 build / stable promote(用 version tag 找 pre-release image,re-tag)
.github/workflows/release.yml 移除重複 OCI push,保留 chart-releaser + install instructions
.tagpr 新增 — versionFile 同步 Cargo.toml + Chart.yaml,postVersionCommand 更新 appVersion
Cargo.toml version 0.1.0 → 0.6.0(對齊 Chart.yaml)
charts/openab/Chart.yaml version 0.6.1-beta.1 → 0.6.0,appVersion 從 git SHA 改為 semver
RELEASING.md 完整重寫,含 pre-release → stable 流程圖
Release Flow
Step 1: PR merge to main → tagpr 開 Release PR
        (更新 Cargo.toml + Chart.yaml + CHANGELOG)

Step 2: 打 pre-release tag → 完整 build → 測試
        git tag v0.7.0-rc.1 && git push origin v0.7.0-rc.1
        → build 4 images × 2 platforms
        → helm chart push OCI

Step 3: 測試通過 → merge Release PR
        → tagpr 打 v0.7.0 + GitHub Release
        → promote-stable: 找到 v0.7.0-rc.1 image → re-tag 為 0.7.0 / 0.7 / latest
        → helm chart push OCI

Step 4: release.yml 自動觸發
        → chart-releaser 更新 GitHub Pages index
        → 附加 install instructions
build.yml Job DAG
resolve-tag ← 驗證 tag 格式 + 解析 version / is_prerelease
    │
    ├─ is_prerelease=true ──► build-image (8 parallel: 4 variants × 2 platforms)
    │                             │
    │                             ▼
    │                         merge-manifests (tags: <sha> + version)
    │                             │
    │                             └──────────┐
    │                                        ▼
    └─ is_prerelease=false ─► promote-stable ──► release-chart (helm push OCI)
                              (git tag -l v0.7.0-*
                               → find latest rc
                               → verify image exists
                               → re-tag to stable)
Image Tags
Tag Stable (v0.7.0) Pre-release (v0.7.0-rc.1)
<sha> v (from pre-release) v
0.7.0 / 0.7.0-rc.1 v v
0.7 v x
latest v x
Version 同步(tagpr 自動處理)
檔案 欄位 更新方式
Cargo.toml version tagpr 內建 (versionFile)
charts/openab/Chart.yaml version tagpr 內建 (versionFile)
charts/openab/Chart.yaml appVersion postVersionCommand
GitHub Releases
Release Tag 內容
tagpr v0.7.0 CHANGELOG
chart-releaser openab-0.7.0 Version Info + Installation instructions
限制
  • Stable 必須先有 pre-release:promote-stable 查找 v{version}-* tag,找不到就失敗
  • promote 用 version tag 找 image:不依賴 commit SHA,pre-release 和 stable 可在不同 commit
  • 外部用戶不會裝到 pre-releasehelm install 預設只拿 stable,pre-release 需明確 --version

@neilkuan
ci: switch Build & Release to git tag driven flow
2b0c6e6 
- trigger: push tags v* (instead of push to main with paths filter)
- version: parsed from tag (v0.7.0-beta.1 → 0.7.0-beta.1)
- docker tags: sha + semver + major.minor + latest (stable only)
- bump-chart: version comes directly from tag, no more GITHUB_RUN_NUMBER
- workflow_dispatch: kept for manual trigger with explicit tag input
@neilkuan neilkuan requested a review from thepagent as a code owner April 9, 2026 00:24
neilkuan added 3 commits April 9, 2026 08:31
@neilkuan
ci: mark beta chart releases as pre-release
c9209b6
@neilkuan
ci: split chart release — beta pushes OCI only, stable opens PR
2f17914 
Beta (tag contains '-'):
  → release-chart-beta: helm package + push to OCI registry
  → no PR, main branch untouched

Stable (tag without '-'):
  → bump-chart-stable: update Chart.yaml + values.yaml → PR → auto merge
  → release.yml picks up Chart.yaml change → publish to GitHub Pages + OCI
@neilkuan
ci: add resolve-tag job, fix workflow_dispatch bug, deduplicate
94298a7 
- Add resolve-tag job: validates tag format, parses chart_version,
  image_sha, is_beta — single source of truth for all downstream jobs
- Fix: workflow_dispatch now uses inputs.tag instead of github.ref_name
  for beta/stable branching (github.ref_name is branch name, not tag)
- Remove 3× duplicated 'Resolve version tag' steps
- IMAGE_SHA computed once in resolve-tag, not repeated per job
neilkuan added 4 commits April 9, 2026 09:10
@neilkuan
ci: stable release promotes beta image instead of rebuilding
5de62e2 
- build-image + merge-manifests: only run for beta tags
- promote-stable: retag existing beta image with stable tags
  (version, major.minor, latest) using imagetools create
- verify beta image exists before promoting — fail fast if not
- bump-chart-stable now depends on promote-stable

This ensures "what you tested is what you ship" — the stable
release uses the exact same image artifact validated during beta.
@neilkuan
ci: add tagpr workflow and config for automated release PR
3939ce1
@neilkuan
ci: pin tagpr action to commit hash and bump checkout to v6
37f8c54
@neilkuan
ci: add tagpr workflow and config for automated release PR
0368480 
- Add tagpr.yml with GitHub App token (so tags trigger build.yml)
- Simplify build.yml: remove beta/stable two-stage, all tags do full build
- Add pre-release support: manual tags like v0.7.0-rc.1 won't overwrite latest
- Configure .tagpr to sync Cargo.toml + Chart.yaml version/appVersion
- Simplify release.yml: keep chart-releaser + install instructions
- Align Cargo.toml and Chart.yaml versions to 0.6.0
- Rewrite RELEASING.md with new tag-driven flow
@neilkuan neilkuan changed the title ci: switch Build & Release to git tag driven flow ci: tag-driven release with tagpr automation Apr 9, 2026
@neilkuan neilkuan requested a review from thepagent April 9, 2026 03:21
@neilkuan
ci: add promote-stable to guarantee pre-release = stable image
ba0510d 
- Pre-release tag (v0.7.0-rc.1): full build, image tags = sha + version
- Stable tag (v0.7.0): promote (re-tag) pre-release image, no rebuild
- Verify pre-release image exists before promote, fail if not found
- Update RELEASING.md with two-path flow diagram
@neilkuan neilkuan changed the title ci: tag-driven release with tagpr automation ci: tag-driven release with tagpr + promote-stable Apr 9, 2026
neilkuan added 3 commits April 9, 2026 11:48
@neilkuan
docs: rewrite RELEASING.md with complete release flow and constraints
52892ee
@neilkuan
ci: promote-stable finds pre-release image by version tag, not commit…
8f1f717 
… SHA

- promote-stable uses git tag -l to find latest pre-release tag (e.g. v0.7.0-rc.*)
- re-tags pre-release image to stable tags (no rebuild, same artifact)
- removes commit SHA dependency — pre-release and stable can be on different commits
- natural flow: pre-release first → test → merge Release PR → auto promote
@neilkuan
chore: update openab version to 0.6.0 in Cargo.lock
478d3d5
@the3mi
Copy link
Copy Markdown

the3mi commented Apr 9, 2026

Code Review: tagpr + promote-stable PR

Logic Test Results ✅

Tested the core flow — tag validation, pre-release detection, and promote-stable tag lookup all work correctly.

⚠️ One Issue Found: appVersion in postVersionCommand

.tagpr

When TAGPR_NEXT_VERSION=0.7.0 (stable), appVersion gets set to 0.7.0, but the promoted stable image was actually built from 0.7.0-rc.2.

Result: users see appVersion: 0.7.0 but the binary is from the rc build.

Suggested fix: Set appVersion to the actual pre-release tag that was promoted.

✅ Design Looks Good

  • promote-stable using git tag to find image (cross-commit promote) ✅
  • DAG split between pre-release build and stable promote ✅
  • versionFile sync across Cargo.toml + Chart.yaml ✅
  • RELEASING.md is thorough ✅

Questions

  1. APP_ID / APP_PRIVATE_KEY secrets — are these already set up in the repo? The workflow will fail without them.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@thepagent thepagent Awaiting requested review from thepagent thepagent is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@neilkuan @the3mi @thepagent