Adopt branch-scoped self-publishing CI/CD (binaries + Docker)#770
Merged
Conversation
Replace the ProjectTemplate two-phase pipeline with a weekly scheduled + on-demand publisher and push CI. The publisher builds both branches in one run (executables + multi-arch Docker image + GitHub release); merges no longer publish. main = stable / Docker `latest`, develop = prerelease / Docker `develop`.

- Workflows: drop date-badge, tool-versions, and docker-readme tasks plus the m4 template; add validate-task (unit tests + lint); rework publish-release (schedule/dispatch matrix, no push trigger), build-release (strip the multi-target enable_* inputs), build-docker (push the static Docker Hub overview on main), and test-pull-request (push CI, no paths-filter).
- Add WORKFLOW.md (canonical CI/CD spec) and repo-config/ (rulesets + settings as code; Docker Hub secrets, no NuGet).
- Add cspell.json as the single spell-check source; scrub ProjectTemplate / two-phase references from AGENTS, CODESTYLE, and copilot-instructions, and point workflow rules to WORKFLOW.md.
- Static Docker/README.md replaces the m4 template; bump version floor 3.18 -> 3.19; update README and HISTORY.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Pull request overview
This PR overhauls PlexCleaner’s CI/CD model to a branch-scoped publisher (weekly schedule + manual dispatch) plus push-based CI for all branches, adds a single canonical workflow contract document (WORKFLOW.md), and introduces “repo configuration as code” to keep branch rulesets/settings reproducible.
Changes:
- Add a unified validation workflow (`validate-task.yml`) and run CI on `push` for every branch, with a single ruleset-bound required check job.
- Rework the publisher (`publish-release.yml`) to run only on schedule/dispatch and publish both `main` and `develop`.
- Add `WORKFLOW.md` and `repo-config/` to document and codify required GitHub settings/rulesets/secrets.
Reviewed changes
Copilot reviewed 29 out of 29 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| WORKFLOW.md | New canonical CI/CD workflow contract and operational checklist. |
| version.json | Bumps version floor to 3.19. |
| repo-config/settings.json | Codifies repo merge/automerge settings. |
| repo-config/ruleset-main.json | Codifies main branch ruleset and required check context. |
| repo-config/ruleset-develop.json | Codifies develop branch ruleset and required check context. |
| repo-config/README.md | Documents how repo-config is applied/audited and required-check lockstep. |
| repo-config/configure.sh | Adds gh api script to apply/audit settings, rulesets, and required secret names. |
| README.md | Updates release-notes summary to 3.19 and describes CI/CD rework. |
| HISTORY.md | Adds 3.19 release entry describing CI/CD rework and new workflow docs/config. |
| PlexCleaner.slnx | Updates solution-items list to match workflow/doc additions/removals. |
| PlexCleaner.code-workspace | Removes embedded cSpell word list (moved to cspell.json). |
| Docker/README.md | Adds static Docker Hub overview content to publish on main releases. |
| Docker/README.m4 | Removed (replaced by static Docker README). |
| cspell.json | Adds centralized cspell config/word list for editor + CI. |
| CODESTYLE.md | Updates wording to match this repo (removes unused Python section). |
| AGENTS.md | Updates references to point workflow rules to WORKFLOW.md and refreshes guidance. |
| .github/workflows/validate-task.yml | New reusable validation workflow (tests + format/lint/spell/actionlint). |
| .github/workflows/test-pull-request.yml | Switches CI to push on all branches; runs validate + smoke build; single required check job. |
| .github/workflows/publish-release.yml | Publisher becomes schedule/dispatch-only and builds a main/develop matrix. |
| .github/workflows/build-release-task.yml | Simplifies orchestration inputs; always builds both targets per run. |
| .github/workflows/build-executable-task.yml | Updates comments/structure around smoke vs full executable builds. |
| .github/workflows/build-docker-task.yml | Updates comments; adds Docker Hub description update step on main publish. |
| .github/workflows/get-version-task.yml | Updates docstrings; continues SHA-pinned NBGV versioning step. |
| .github/workflows/publish-docker-readme-task.yml | Removed (Docker Hub README push now handled in docker build task). |
| .github/workflows/build-toolversions-task.yml | Removed (no longer used for README generation). |
| .github/workflows/build-datebadge-task.yml | Removed (decorative workflow dropped). |
| .github/copilot-instructions.md | Updates references to CODESTYLE.md without language-section phrasing. |
| .gitattributes | Removes LF pin for deleted Docker/README.m4. |
| .editorconfig | Small wording tweak in the .NET style block header comment. |
The smoke build only proves each runtime compiles; the per-runtime upload feeds the release zip (a publish concern) and is not needed on smoke. It also kept the branch in the artifact name, which a feature branch's '/' makes invalid. Gate the upload on !smoke so smoke compiles only and only the publisher (branch main/develop) uploads. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…acies

Address Copilot review:

- The publisher built/published both branches but validated only the trigger ref. Move validation into build-release-task as a per-leg validate job (gated !smoke), so each publish leg validates the branch it ships and a failing test/lint blocks only that leg. validate-task gains a ref input; publish-release drops its single top-level validate.
- WORKFLOW.md: fix the entry-workflow glossary fragment; remove the stale dotnet/nbgv@master no-pin exception (nbgv is SHA-pinned here); reword D4.6 for per-branch validation.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Pull request overview
Copilot reviewed 29 out of 29 changed files in this pull request and generated 5 comments.
Comments suppressed due to low confidence (1)
.github/workflows/publish-release.yml:38
- The job-level token permissions are restricted to `contents: write`, but the called reusable workflows use `actions/upload-artifact` and `actions/download-artifact` (to aggregate and attach release assets). Without `actions: write`, artifact upload/download can fail with 403 and the publish run will not produce releases.

```yaml
permissions:
  contents: write
```
…ADME, version policy

- P1: require DOCKER_HUB_* in the Dependabot secret store too (Dependabot push CI builds the Docker smoke, which logs in to Docker Hub), so bot auto-merge can go green. Update configure.sh, WORKFLOW.md, repo-config.
- P1: thread the single NBGV version (SemVer2 + assembly versions) from build-release-task into build-executable/build-docker and drop their nested get-version jobs, so a detached-commit re-run cannot classify a branch differently from its release tag (one version per leg).
- P2: configure.sh now asserts main does NOT require linear history (it would block the develop -> main merge-commit promotion).
- P2: remove the deleted BYOB 'Last Build' badge + tools entry from README.
- P2: keep the deliberate 3.18 -> 3.19 floor bump for the CI/CD overhaul and reconcile the AGENTS versioning policy to permit a maintainer-directed infrastructure bump (routine CI/dep/doc edits still leave it untouched).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- Restrict publish-release workflow_dispatch to the default branch (main): the publisher builds both branches from their own refs, but the workflow logic resolves from the dispatch ref.
- Skip CI on a branch-deletion push (all-zeros github.sha) via a !github.event.deleted guard on validate, smoke-build, and the aggregator, so a deletion no longer triggers a failing checkout/build.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…view)

- build-executable/build-docker if-conditions now allowlist validate success or skipped explicitly instead of != 'failure' (which let cancelled through), per the repo's own D7.4 optional-dependency rule.
- configure.sh check_secrets distinguishes a secrets API/auth error (note + skip) from a genuinely missing secret (FAIL), so a transient failure no longer reports every secret as absent.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…ot review)

check_secrets now FAILs the audit on a secrets-API error instead of noting and returning: an audit tool must not report 'Configuration matches' when it could not verify the required secrets. WORKFLOW.md 5D/6 reconciled: the App-installation check is best-effort (needs app-level auth), the secret-name checks fail if they cannot be queried.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
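The two commits above describe the same audit rule from both sides: a missing secret must FAIL, and an inability to query the secrets API must also FAIL rather than be read as "every secret is missing" or silently skipped. The shell below is an added example of that rule, not the PR's own `configure.sh`; the real script would call `gh api repos/OWNER/REPO/actions/secrets --jq '.secrets[].name'`, so the lister is a variable (`SECRET_LISTER`, a hypothetical name) backed by a constructed stub so the example runs offline. The point it makes is that the lister's exit status is captured separately from its (possibly empty) output.

```shell
#!/usr/bin/env bash
# Added example (not the PR's configure.sh): audit required repository secrets
# and refuse to report a clean result the audit could not actually verify.
set -u

# Hypothetical: command that prints secret names, one per line.
# Real use: gh api repos/OWNER/REPO/actions/secrets --jq '.secrets[].name'
SECRET_LISTER="${SECRET_LISTER:-list_secrets_stub}"

# Constructed stand-in for the API call; STUB_MODE selects the outcome.
list_secrets_stub() {
  case "${STUB_MODE:-ok}" in
    ok)      printf '%s\n' DOCKER_HUB_USERNAME DOCKER_HUB_PASSWORD ;;
    partial) printf '%s\n' DOCKER_HUB_USERNAME ;;
    error)   echo "HTTP 403: Resource not accessible by integration" >&2; return 1 ;;
  esac
}

# check_secrets NAME...  -> 0 all present, 1 at least one missing, 2 query failed.
# The listing's exit status is inspected before its output is trusted, so a
# failed call (which prints nothing) is never mistaken for "all secrets absent".
check_secrets() {
  local names status
  names="$("$SECRET_LISTER")"; status=$?
  if [ "$status" -ne 0 ]; then
    echo "FAIL: could not query secrets (exit $status); audit result unknown" >&2
    return 2
  fi
  local rc=0 want
  for want in "$@"; do
    if printf '%s\n' "$names" | grep -qx -- "$want"; then
      echo "ok: $want"
    else
      echo "FAIL: required secret $want is missing" >&2
      rc=1
    fi
  done
  return "$rc"
}

# The overall verdict only says "matches" when every check returned 0;
# a query failure (2) and a missing secret (1) both fail the audit.
audit() {
  if check_secrets DOCKER_HUB_USERNAME DOCKER_HUB_PASSWORD; then
    echo "Configuration matches"
  else
    echo "Configuration does NOT match (or could not be verified)" >&2
    return 1
  fi
}
```

Run `STUB_MODE=error bash -c '. ./audit.sh; audit'` (or source the file and call `audit` with the variable set) to see the three outcomes: a full listing passes, a partial listing fails with the missing name, and an API error fails without naming any secret as absent, which is the distinction the commits above draw.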
Comment on lines +28 to +32
| - name: Checkout code step | ||
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | ||
| with: | ||
| ref: ${{ inputs.ref }} | ||
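Review bot: `ref: ${{ inputs.ref }}` is the right shape for a per-leg checkout, but this snippet does not show how the `ref` input is declared; if it is optional and a caller omits it, `actions/checkout` falls back to the triggering ref, and the job would validate a different commit than the leg it is meant to ship. Declare `ref` as `required: true` under `on.workflow_call.inputs`, or make every caller pass it explicitly as the build-release-task `validate` job does. The SHA pin with the `# v7.0.0` comment is good practice; keep the comment in step with the hash when Dependabot bumps it. The same applies to the identical checkout at +49 to +53 below.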
Comment on lines +49 to +53
| - name: Checkout code step | ||
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | ||
| with: | ||
| ref: ${{ inputs.ref }} | ||
Comment on lines +35 to +42
| validate: | ||
| name: Validate job | ||
| if: ${{ !inputs.smoke }} | ||
| uses: ./.github/workflows/validate-task.yml | ||
| secrets: inherit | ||
| with: | ||
| ref: ${{ inputs.ref }} | ||
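Review bot: because `validate` is skipped whenever `inputs.smoke` is true, every job that has `needs: validate` must allowlist `needs.validate.result` as `success` or `skipped` explicitly (for example `contains(fromJSON('["success","skipped"]'), needs.validate.result)`), not `!= 'failure'`, which also lets `cancelled` through; a later commit in this PR makes exactly that change for build-executable/build-docker, so confirm every consumer of this job uses the allowlist form. Separately, `secrets: inherit` hands the whole secret set to the validation workflow; if validate only needs the default token for tests and lint, listing the secrets it actually requires narrows what a test or lint step can reach.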
Comment on lines 43 to 49
| get-version: | ||
| name: Get version information job | ||
| uses: ./.github/workflows/get-version-task.yml | ||
| secrets: inherit | ||
| with: | ||
| ref: ${{ inputs.ref }} | ||
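Review bot: `get-version` carries no `if` guard, so it runs on smoke and full legs alike, which is fine; the point to confirm is that, as the later commit in this PR states, the single NBGV version is threaded from this job's outputs into build-executable/build-docker and those workflows no longer run get-version-task themselves. If any downstream caller still resolves the version on its own, a detached-commit re-run could classify a leg differently from its release tag, the exact case that commit set out to close.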
Replaces the ProjectTemplate two-phase pipeline with a weekly scheduled + on-demand publisher and push CI. The publisher builds both branches in one run (executables + multi-arch Docker image + GitHub release); merges no longer publish - changes accumulate and ship in the next weekly run, which also refreshes the `ubuntu:rolling` base. `main` = stable / Docker `latest`, `develop` = prerelease / Docker `develop`.

Workflows

- Drop `build-datebadge-task`, `build-toolversions-task`, `publish-docker-readme-task`, and `Docker/README.m4`.
- Add `validate-task.yml` (unit tests + CSharpier / `dotnet format style` / markdownlint / cspell / actionlint).
- `publish-release.yml`: schedule + dispatch only (matrix over both branches), no `push` trigger, no `PUBLISH_ON_MERGE`.
- `test-pull-request.yml`: push CI on every branch, validate + smoke both targets, no `dorny/paths-filter`.
- `build-release-task.yml`: strip the dead `enable_*` / `expect_release_assets` multi-target inputs.
- `build-docker-task.yml`: push a static `Docker/README.md` overview to Docker Hub on each `main` publish.

Docs and config

- Add `WORKFLOW.md` (canonical CI/CD spec) and `repo-config/` (rulesets + settings as code; Docker Hub secrets, no NuGet).
- Add `cspell.json` (single spell-check source; migrated from the workspace).
- Scrub ProjectTemplate / two-phase references from `AGENTS.md`, `CODESTYLE.md`, `.github/copilot-instructions.md`; point workflow rules to `WORKFLOW.md`.
- Update `README.md` and `HISTORY.md`; fix the stale `.slnx` and `.gitattributes`.

Verified locally: actionlint, markdownlint, cspell, YAML/JSON parse, `bash -n configure.sh`, EOL per `.editorconfig`, no em-dashes, and Husky clean-compile.

🤖 Generated with Claude Code