Skip to content

Simplify publisher to one branch per run#771

Merged
ptr727 merged 7 commits into
developfrom
feature/simplify-publisher
Jun 28, 2026
Merged

Simplify publisher to one branch per run#771
ptr727 merged 7 commits into
developfrom
feature/simplify-publisher

Conversation

@ptr727

@ptr727 ptr727 commented Jun 28, 2026

Copy link
Copy Markdown
Owner

Converts the publisher from the two-branch matrix to one branch per run (the model proven on the sibling repo), and folds in two repo-config fixes.

Publisher: one branch per run

  • schedule -> rebuild main only (native binaries + multi-arch Docker + GitHub release; refreshes latest and its ubuntu:rolling base for CVEs)
  • dispatch -> publish the branch it is started from (main -> stable/latest, develop -> prerelease/develop); guarded to main/develop

No matrix and no ref: switching. Because each run builds its trigger ref, github.ref already equals the branch being versioned, so NBGV classifies it correctly with no override (no IGNORE_GITHUB_REF, no GITHUB_REF override). This removes the matrix's cross-branch-ref bug class (the develop leg was publishing a clean version instead of X.Y.Z-g<sha>), and makes develop -> main a normal promotion PR (no admin bypass). WORKFLOW.md / AGENTS.md / task comments rewritten to the one-branch model; the per-runtime executable matrix and the Dependabot dual-target model are untouched.

repo-config fixes (also pending for the sibling repos)

  • configure.sh ruleset_id now distinguishes an absent ruleset from a real API error (lets gh surface its error, returns non-zero instead of a silent set -e abort), uses jq --arg + pipefail-safe selection, and pages the lookup.
  • repo-config README states the actual branch cleanup: auto-delete-on-merge is off (so a develop -> main promotion does not delete develop), and merged bot/feature branches are not auto-removed - they are cleaned up manually (merge UI or gh pr merge --delete-branch). (Verified: dependabot/* branches do persist.)
  • configure.sh marked executable.

Verification

actionlint, markdownlint clean; bash -n + shellcheck on configure.sh clean; CRLF preserved.

ptr727 and others added 2 commits June 28, 2026 16:18
ruleset_id now distinguishes an absent ruleset from a real API error (diagnoses to stderr
and returns non-zero instead of a silent set -e abort); repo-config README states actual
branch cleanup (Dependabot deletes its own merged branches; feature branches via the merge
UI or gh pr merge --delete-branch) rather than claiming the merge-bot passes --delete-branch.
Mark configure.sh executable.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Drop the two-branch matrix. The schedule rebuilds main only (refreshing latest + its
ubuntu:rolling base for CVEs); a dispatch publishes the branch it is started from. Building
only the trigger branch keeps github.ref aligned with the branch being versioned, so NBGV
classifies it correctly with no matrix, no ref switching, and no GITHUB_REF override; a
develop -> main promotion becomes a normal PR (no admin bypass). Scrub the matrix/leg
wording from the task comments, WORKFLOW.md, and AGENTS.md.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings June 28, 2026 23:18

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the release publishing model so each publisher run builds/releases only its trigger branch (schedule rebuilds main; manual dispatch publishes main or develop), eliminating the prior two-branch matrix and related cross-branch ref/versioning pitfalls. It also folds in a couple of repo-admin config clarifications and robustness improvements.

Changes:

  • Switch publish-release.yml from a main/develop matrix to a single publish job that targets github.ref_name (guarded to main/develop).
  • Refresh workflow/release model documentation (WORKFLOW.md, AGENTS.md) to describe the one-branch-per-run publisher behavior and rationale.
  • Improve repo-config documentation and make configure.sh ruleset lookup distinguish “absent ruleset” vs real API failure (with a clearer failure mode).

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
WORKFLOW.md Re-documents publisher architecture/guarantees for one-branch-per-run publishing.
repo-config/README.md Corrects branch cleanup description (Dependabot self-deletes; feature branches deleted via UI/CLI).
repo-config/configure.sh Adjusts ruleset lookup to surface API errors vs “no match” cases.
AGENTS.md Updates the release model summary to match the one-branch-per-run publisher behavior.
.github/workflows/validate-task.yml Comment wording aligned with the new publisher model (same validation gate).
.github/workflows/publish-release.yml Converts publisher to single job publishing the trigger branch; guarded to main/develop.
.github/workflows/get-version-task.yml Comment updates describing NBGV classification from the run’s ref (no override needed).
.github/workflows/build-release-task.yml Comment updates for orchestrating a single-branch release per run.
.github/workflows/build-executable-task.yml Comment updates reflecting the single threaded NBGV version (no per-leg wording).
.github/workflows/build-docker-task.yml Comment updates reflecting one-branch-per-run publisher inputs/assumptions.

Comment thread repo-config/configure.sh Outdated
Pass the ruleset name via jq --arg instead of interpolating it into the filter, matching the
rest of the script; a name with jq-significant characters would otherwise abort the run.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 10 out of 10 changed files in this pull request and generated 2 comments.

Comment thread repo-config/configure.sh
Comment thread repo-config/README.md Outdated
Select the first ruleset match inside jq (`[...]|first // empty`) instead of `| head -1`,
which under pipefail can SIGPIPE jq and fail the function. Keep `gh pr merge --delete-branch`
in a single inline code span (was split across two lines).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 10 out of 10 changed files in this pull request and generated 1 comment.

Comment thread repo-config/configure.sh Outdated
Stop suppressing gh's stderr (drop 2>/dev/null) so the real failure cause (auth, rate
limit, network, missing gh) is visible; keep the script's added line generic rather than
asserting a specific cause.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 10 out of 10 changed files in this pull request and generated 1 comment.

Comment thread repo-config/README.md Outdated
Empirically dependabot/* branches persist (auto-delete-on-merge is off and the merge-bot
does not pass --delete-branch), so "Dependabot deletes its own merged branches" was wrong.
State it accurately: auto-delete is off so a develop -> main promotion does not delete
develop, and the trade-off is that merged bot/feature branches are cleaned up manually.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 10 out of 10 changed files in this pull request and generated 2 comments.

Comment thread repo-config/configure.sh Outdated
Comment thread repo-config/README.md
The REST list endpoint defaults to 30 items; request per_page=100 so ruleset_id sees every
ruleset in one array (a repo has only a handful).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 10 out of 10 changed files in this pull request and generated no new comments.

@ptr727 ptr727 merged commit 9bdf5ca into develop Jun 28, 2026
13 checks passed
@ptr727 ptr727 deleted the feature/simplify-publisher branch June 28, 2026 23:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants