
Adopt branch-scoped self-publishing CI/CD (binaries + Docker) #770

Merged
ptr727 merged 7 commits into develop from feature/branch-scoped-cicd on Jun 28, 2026

Conversation

ptr727 (Owner) commented Jun 28, 2026

Replaces the ProjectTemplate two-phase pipeline with a weekly scheduled + on-demand publisher and push CI. The publisher builds both branches in one run (executables + multi-arch Docker image + GitHub release); merges no longer publish - changes accumulate and ship in the next weekly run, which also refreshes the ubuntu:rolling base. main = stable / Docker latest, develop = prerelease / Docker develop.

Workflows

  • Drop build-datebadge-task, build-toolversions-task, publish-docker-readme-task, and Docker/README.m4.
  • Add validate-task.yml (unit tests + CSharpier / dotnet format style / markdownlint / cspell / actionlint).
  • publish-release.yml: schedule + dispatch only (matrix over both branches), no push trigger, no PUBLISH_ON_MERGE.
  • test-pull-request.yml: push CI on every branch, validate + smoke both targets, no dorny/paths-filter.
  • build-release-task.yml: strip the dead enable_*/expect_release_assets multi-target inputs.
  • build-docker-task.yml: push a static Docker/README.md overview to Docker Hub on each main publish.

Docs and config

  • Add WORKFLOW.md (canonical CI/CD spec) and repo-config/ (rulesets + settings as code; Docker Hub secrets, no NuGet).
  • Add cspell.json (single spell-check source; migrated from the workspace).
  • Scrub ProjectTemplate / two-phase references from AGENTS.md, CODESTYLE.md, .github/copilot-instructions.md; point workflow rules to WORKFLOW.md.
  • Bump version floor 3.18 -> 3.19; refresh README.md and HISTORY.md; fix the stale .slnx and .gitattributes.

Verified locally: actionlint, markdownlint, cspell, YAML/JSON parse, bash -n configure.sh, EOL per .editorconfig, no em-dashes, and Husky clean-compile.

🤖 Generated with Claude Code

Replace the ProjectTemplate two-phase pipeline with a weekly scheduled +
on-demand publisher and push CI. The publisher builds both branches in one
run (executables + multi-arch Docker image + GitHub release); merges no
longer publish. main = stable / Docker `latest`, develop = prerelease /
Docker `develop`.

- Workflows: drop date-badge, tool-versions, and docker-readme tasks plus
  the m4 template; add validate-task (unit tests + lint); rework
  publish-release (schedule/dispatch matrix, no push trigger), build-release
  (strip the multi-target enable_* inputs), build-docker (push the static
  Docker Hub overview on main), and test-pull-request (push CI, no
  paths-filter).
- Add WORKFLOW.md (canonical CI/CD spec) and repo-config/ (rulesets +
  settings as code; Docker Hub secrets, no NuGet).
- Add cspell.json as the single spell-check source; scrub ProjectTemplate /
  two-phase references from AGENTS, CODESTYLE, and copilot-instructions, and
  point workflow rules to WORKFLOW.md.
- Static Docker/README.md replaces the m4 template; bump version floor
  3.18 -> 3.19; update README and HISTORY.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings June 28, 2026 16:38

Copilot AI left a comment


Pull request overview

This PR overhauls PlexCleaner’s CI/CD model to a branch-scoped publisher (weekly schedule + manual dispatch) plus push-based CI for all branches, adds a single canonical workflow contract document (WORKFLOW.md), and introduces “repo configuration as code” to keep branch rulesets/settings reproducible.

Changes:

  • Add a unified validation workflow (validate-task.yml) and run CI on push for every branch, with a single ruleset-bound required check job.
  • Rework the publisher (publish-release.yml) to run only on schedule/dispatch and publish both main and develop.
  • Add WORKFLOW.md and repo-config/ to document and codify required GitHub settings/rulesets/secrets.

Reviewed changes

Copilot reviewed 29 out of 29 changed files in this pull request and generated 5 comments.

Summary per file:

  • WORKFLOW.md: New canonical CI/CD workflow contract and operational checklist.
  • version.json: Bumps version floor to 3.19.
  • repo-config/settings.json: Codifies repo merge/automerge settings.
  • repo-config/ruleset-main.json: Codifies main branch ruleset and required check context.
  • repo-config/ruleset-develop.json: Codifies develop branch ruleset and required check context.
  • repo-config/README.md: Documents how repo-config is applied/audited and required-check lockstep.
  • repo-config/configure.sh: Adds gh api script to apply/audit settings, rulesets, and required secret names.
  • README.md: Updates release-notes summary to 3.19 and describes CI/CD rework.
  • HISTORY.md: Adds 3.19 release entry describing CI/CD rework and new workflow docs/config.
  • PlexCleaner.slnx: Updates solution-items list to match workflow/doc additions/removals.
  • PlexCleaner.code-workspace: Removes embedded cSpell word list (moved to cspell.json).
  • Docker/README.md: Adds static Docker Hub overview content to publish on main releases.
  • Docker/README.m4: Removed (replaced by static Docker README).
  • cspell.json: Adds centralized cspell config/word list for editor + CI.
  • CODESTYLE.md: Updates wording to match this repo (removes unused Python section).
  • AGENTS.md: Updates references to point workflow rules to WORKFLOW.md and refreshes guidance.
  • .github/workflows/validate-task.yml: New reusable validation workflow (tests + format/lint/spell/actionlint).
  • .github/workflows/test-pull-request.yml: Switches CI to push on all branches; runs validate + smoke build; single required check job.
  • .github/workflows/publish-release.yml: Publisher becomes schedule/dispatch-only and builds a main/develop matrix.
  • .github/workflows/build-release-task.yml: Simplifies orchestration inputs; always builds both targets per run.
  • .github/workflows/build-executable-task.yml: Updates comments/structure around smoke vs full executable builds.
  • .github/workflows/build-docker-task.yml: Updates comments; adds Docker Hub description update step on main publish.
  • .github/workflows/get-version-task.yml: Updates docstrings; continues SHA-pinned NBGV versioning step.
  • .github/workflows/publish-docker-readme-task.yml: Removed (Docker Hub README push now handled in docker build task).
  • .github/workflows/build-toolversions-task.yml: Removed (no longer used for README generation).
  • .github/workflows/build-datebadge-task.yml: Removed (decorative workflow dropped).
  • .github/copilot-instructions.md: Updates references to CODESTYLE.md without language-section phrasing.
  • .gitattributes: Removes LF pin for deleted Docker/README.m4.
  • .editorconfig: Small wording tweak in the .NET style block header comment.

ptr727 and others added 2 commits June 28, 2026 09:43
The smoke build only proves each runtime compiles; the per-runtime upload
feeds the release zip (a publish concern) and is not needed on smoke. It
also kept the branch in the artifact name, which a feature branch's '/'
makes invalid. Gate the upload on !smoke so smoke compiles only and only
the publisher (branch main/develop) uploads.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…acies

Address Copilot review:
- The publisher built/published both branches but validated only the
  trigger ref. Move validation into build-release-task as a per-leg
  validate job (gated !smoke), so each publish leg validates the branch
  it ships and a failing test/lint blocks only that leg. validate-task
  gains a ref input; publish-release drops its single top-level validate.
- WORKFLOW.md: fix the entry-workflow glossary fragment; remove the stale
  dotnet/nbgv@master no-pin exception (nbgv is SHA-pinned here); reword
  D4.6 for per-branch validation.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings June 28, 2026 16:54

Copilot AI left a comment


Pull request overview

Copilot reviewed 29 out of 29 changed files in this pull request and generated 5 comments.

Comments suppressed due to low confidence (1)

.github/workflows/publish-release.yml:38

  • The job-level token permissions are restricted to contents: write, but the called reusable workflows use actions/upload-artifact and actions/download-artifact (to aggregate and attach release assets). Without actions: write, artifact upload/download can fail with 403 and the publish run will not produce releases.
    permissions:
      contents: write

ptr727 and others added 2 commits June 28, 2026 10:07
…ADME, version policy

- P1: require DOCKER_HUB_* in the Dependabot secret store too (Dependabot
  push CI builds the Docker smoke, which logs in to Docker Hub), so bot
  auto-merge can go green. Update configure.sh, WORKFLOW.md, repo-config.
- P1: thread the single NBGV version (SemVer2 + assembly versions) from
  build-release-task into build-executable/build-docker and drop their
  nested get-version jobs, so a detached-commit re-run cannot classify a
  branch differently from its release tag (one version per leg).
- P2: configure.sh now asserts main does NOT require linear history (it
  would block the develop -> main merge-commit promotion).
- P2: remove the deleted BYOB 'Last Build' badge + tools entry from README.
- P2: keep the deliberate 3.18 -> 3.19 floor bump for the CI/CD overhaul and
  reconcile the AGENTS versioning policy to permit a maintainer-directed
  infrastructure bump (routine CI/dep/doc edits still leave it untouched).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- Restrict publish-release workflow_dispatch to the default branch (main):
  the publisher builds both branches from their own refs, but the workflow
  logic resolves from the dispatch ref.
- Skip CI on a branch-deletion push (all-zeros github.sha) via a
  !github.event.deleted guard on validate, smoke-build, and the aggregator,
  so a deletion no longer triggers a failing checkout/build.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings June 28, 2026 17:13

Copilot AI left a comment


Pull request overview

Copilot reviewed 29 out of 29 changed files in this pull request and generated 3 comments.

…view)

- build-executable/build-docker if-conditions now allowlist validate
  success or skipped explicitly instead of != 'failure' (which let
  cancelled through), per the repo's own D7.4 optional-dependency rule.
- configure.sh check_secrets distinguishes a secrets API/auth error
  (note + skip) from a genuinely missing secret (FAIL), so a transient
  failure no longer reports every secret as absent.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Copilot AI left a comment


Pull request overview

Copilot reviewed 29 out of 29 changed files in this pull request and generated 3 comments.

…ot review)

check_secrets now FAILs the audit on a secrets-API error instead of noting
and returning - an audit tool must not report 'Configuration matches' when
it could not verify the required secrets. WORKFLOW.md 5D/6 reconciled: the
App-installation check is best-effort (needs app-level auth), the secret-name
checks fail if they cannot be queried.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
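The check_secrets behaviour described in this commit and in the earlier "check_secrets distinguishes a secrets API/auth error from a genuinely missing secret" commit, as an added shell example that is not PlexCleaner's repo-config/configure.sh: the secret names DOCKER_HUB_USERNAME / DOCKER_HUB_TOKEN, the GH_REPO variable and the gh_secret_names wrapper are assumptions, and the lister is passed in as a command so the audit logic can be exercised offline without gh.

```bash
#!/usr/bin/env bash
# Added example, not PlexCleaner's configure.sh: audit required secret names and
# keep "could not query" distinct from "missing", so an API/auth failure can
# never surface as a passing audit.
set -u

AUDIT_OK=0       # every required name is present
AUDIT_MISSING=1  # the query succeeded and at least one name is absent
AUDIT_ERROR=2    # the query itself failed; nothing was verified

# Real lister (assumed): SCOPE is "actions" or "dependabot", GH_REPO is
# owner/name, and gh must already be authenticated. Exits non-zero on API error.
gh_secret_names() {
  gh api "repos/${GH_REPO}/$1/secrets" --jq '.secrets[].name'
}

# check_secrets SCOPE LISTER NAME...
# LISTER prints the secret names configured in SCOPE, one per line, and exits
# non-zero when the query fails. Returns one of the AUDIT_* codes above.
check_secrets() {
  local scope=$1 lister=$2 names name rc=$AUDIT_OK
  shift 2
  if ! names=$("$lister" "$scope"); then
    echo "FAIL: $scope: secrets could not be queried; required names unverified" >&2
    return "$AUDIT_ERROR"
  fi
  for name in "$@"; do
    if printf '%s\n' "$names" | grep -qxF -- "$name"; then
      echo "ok:   $scope has $name"
    else
      echo "FAIL: $scope is missing $name" >&2
      rc=$AUDIT_MISSING
    fi
  done
  return "$rc"
}

# Both stores matter: the publisher reads Actions secrets and Dependabot push CI
# reads the Dependabot store. The worst per-store result is the audit result.
audit_required_secrets() {
  local lister=${1:-gh_secret_names} scope leg_rc rc=$AUDIT_OK
  for scope in actions dependabot; do
    check_secrets "$scope" "$lister" DOCKER_HUB_USERNAME DOCKER_HUB_TOKEN
    leg_rc=$?
    [ "$leg_rc" -gt "$rc" ] && rc=$leg_rc
  done
  return "$rc"
}

# Run only when a repository is named, e.g. GH_REPO=owner/name ./audit.sh
if [ -n "${GH_REPO:-}" ]; then audit_required_secrets; fi
```

Any exit status other than 0 must fail the calling audit; exit 2 in particular means "unknown", not "matches".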
ptr727 requested a review from Copilot, June 28, 2026 18:28
ptr727 merged commit 49140e4 into develop, Jun 28, 2026
13 checks passed
ptr727 deleted the feature/branch-scoped-cicd branch, June 28, 2026 18:30

Copilot AI left a comment


Pull request overview

Copilot reviewed 29 out of 29 changed files in this pull request and generated 4 comments.

Comment on lines +28 to +32
- name: Checkout code step
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
ref: ${{ inputs.ref }}
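Review bot: the checkout step passes only `ref` under `with:`, so actions/checkout keeps its default `persist-credentials: true` and writes the job's GITHUB_TOKEN into the workspace .git config, where every later step and every tool they run can read it; a job that only builds, tests or lints the checked-out tree does not need that token, so add `persist-credentials: false` next to `ref: ${{ inputs.ref }}`.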

Comment on lines +49 to +53
- name: Checkout code step
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
ref: ${{ inputs.ref }}
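Review bot: `ref: ${{ inputs.ref }}` is forwarded unchecked, and actions/checkout treats an empty ref as "use the triggering ref and SHA", so a caller that omits the input would silently check out the dispatching ref (main, once dispatch is restricted to it) instead of the branch the leg is meant to build; declare `ref` as `required: true` under this reusable workflow's `workflow_call.inputs` so the omission fails when the run starts rather than producing a mislabelled build.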

Comment on lines +35 to +42
validate:
name: Validate job
if: ${{ !inputs.smoke }}
uses: ./.github/workflows/validate-task.yml
secrets: inherit
with:
ref: ${{ inputs.ref }}
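Review bot: `secrets: inherit` on the validate job forwards every secret available to the calling workflow, including the Docker Hub credentials, to a leg that per this PR only runs unit tests and CSharpier / dotnet format / markdownlint / cspell / actionlint; drop `secrets: inherit` here (or pass only the named secrets validate-task.yml actually declares) so the test and lint tooling runs with no publish credentials in scope, matching the least-privilege intent of the branch-scoped design.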

Comment on lines 43 to 49
get-version:
name: Get version information job
uses: ./.github/workflows/get-version-task.yml
secrets: inherit
with:
ref: ${{ inputs.ref }}
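Review bot: get-version checks out `inputs.ref`, and when that is a branch name (main or develop in the publisher matrix) each downstream job's own checkout re-resolves the branch tip independently, so a push that lands between this job and the executable or Docker legs yields a version computed from one commit and artifacts built from another; have this job output the commit it actually checked out (`git rev-parse HEAD` after the checkout step) and pass that SHA, not the branch name, as `ref` to the downstream checkouts so version and artifacts always describe the same commit.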
