Simplify publisher to one branch per run #771
Merged
ruleset_id now distinguishes an absent ruleset from a real API error (diagnoses to stderr and returns non-zero instead of a silent set -e abort); repo-config README states actual branch cleanup (Dependabot deletes its own merged branches; feature branches via the merge UI or gh pr merge --delete-branch) rather than claiming the merge-bot passes --delete-branch. Mark configure.sh executable. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Drop the two-branch matrix. The schedule rebuilds main only (refreshing latest + its ubuntu:rolling base for CVEs); a dispatch publishes the branch it is started from. Building only the trigger branch keeps github.ref aligned with the branch being versioned, so NBGV classifies it correctly with no matrix, no ref switching, and no GITHUB_REF override; a develop -> main promotion becomes a normal PR (no admin bypass). Scrub the matrix/leg wording from the task comments, WORKFLOW.md, and AGENTS.md. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Pull request overview
Updates the release publishing model so each publisher run builds/releases only its trigger branch (schedule rebuilds main; manual dispatch publishes main or develop), eliminating the prior two-branch matrix and related cross-branch ref/versioning pitfalls. It also folds in a couple of repo-admin config clarifications and robustness improvements.
Changes:
- Switch `publish-release.yml` from a `main`/`develop` matrix to a single publish job that targets `github.ref_name` (guarded to `main`/`develop`).
- Refresh workflow/release model documentation (WORKFLOW.md, AGENTS.md) to describe the one-branch-per-run publisher behavior and rationale.
- Improve repo-config documentation and make `configure.sh` ruleset lookup distinguish “absent ruleset” vs real API failure (with a clearer failure mode).
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| WORKFLOW.md | Re-documents publisher architecture/guarantees for one-branch-per-run publishing. |
| repo-config/README.md | Corrects branch cleanup description (Dependabot self-deletes; feature branches deleted via UI/CLI). |
| repo-config/configure.sh | Adjusts ruleset lookup to surface API errors vs “no match” cases. |
| AGENTS.md | Updates the release model summary to match the one-branch-per-run publisher behavior. |
| .github/workflows/validate-task.yml | Comment wording aligned with the new publisher model (same validation gate). |
| .github/workflows/publish-release.yml | Converts publisher to single job publishing the trigger branch; guarded to main/develop. |
| .github/workflows/get-version-task.yml | Comment updates describing NBGV classification from the run’s ref (no override needed). |
| .github/workflows/build-release-task.yml | Comment updates for orchestrating a single-branch release per run. |
| .github/workflows/build-executable-task.yml | Comment updates reflecting the single threaded NBGV version (no per-leg wording). |
| .github/workflows/build-docker-task.yml | Comment updates reflecting one-branch-per-run publisher inputs/assumptions. |
Pass the ruleset name via jq --arg instead of interpolating it into the filter, matching the rest of the script; a name with jq-significant characters would otherwise abort the run. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Select the first ruleset match inside jq (`[...]|first // empty`) instead of `| head -1`, which under pipefail can SIGPIPE jq and fail the function. Keep `gh pr merge --delete-branch` in a single inline code span (was split across two lines). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Stop suppressing gh's stderr (drop 2>/dev/null) so the real failure cause (auth, rate limit, network, missing gh) is visible; keep the script's added line generic rather than asserting a specific cause. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Empirically dependabot/* branches persist (auto-delete-on-merge is off and the merge-bot does not pass --delete-branch), so "Dependabot deletes its own merged branches" was wrong. State it accurately: auto-delete is off so a develop -> main promotion does not delete develop, and the trade-off is that merged bot/feature branches are cleaned up manually. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The REST list endpoint defaults to 30 items; request per_page=100 so ruleset_id sees every ruleset in one array (a repo has only a handful). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Converts the publisher from the two-branch matrix to one branch per run (the model proven on the sibling repo), and folds in two repo-config fixes.
Publisher: one branch per run
- `latest` and its `ubuntu:rolling` base for CVEs)
- `main` -> stable/latest, `develop` -> prerelease/develop); guarded to `main`/`develop`

No matrix and no `ref:` switching. Because each run builds its trigger ref, `github.ref` already equals the branch being versioned, so NBGV classifies it correctly with no override (no `IGNORE_GITHUB_REF`, no `GITHUB_REF` override). This removes the matrix's cross-branch-ref bug class (the develop leg was publishing a clean version instead of `X.Y.Z-g<sha>`), and makes `develop -> main` a normal promotion PR (no admin bypass). WORKFLOW.md / AGENTS.md / task comments rewritten to the one-branch model; the per-runtime executable matrix and the Dependabot dual-target model are untouched.
repo-config fixes (also pending for the sibling repos)
- `configure.sh` `ruleset_id` now distinguishes an absent ruleset from a real API error (lets gh surface its error, returns non-zero instead of a silent `set -e` abort), uses `jq --arg` + pipefail-safe selection, and pages the lookup.
- `gh pr merge --delete-branch`). (Verified: dependabot/* branches do persist.)
- `configure.sh` marked executable.

Verification
actionlint, markdownlint clean; `bash -n` + shellcheck on configure.sh clean; CRLF preserved.
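
The ruleset lookup hardening described in the commit messages and summary above, sketched as an added shell example (not the project's `configure.sh`). It assumes a stand-in `gh` function that returns constructed JSON, hypothetical ruleset names, and a hypothetical `ruleset_id_interpolated` helper for contrast.

```bash
#!/usr/bin/env bash
# Stand-in for the real `gh` CLI so the example runs offline (constructed data).
# GH_STUB_MODE=fail imitates an API error; anything else returns a ruleset list.
gh() {
  if [ "${GH_STUB_MODE:-ok}" = fail ]; then
    echo "gh: HTTP 401: Bad credentials (constructed)" >&2
    return 1
  fi
  cat <<'JSON'
[{"id": 101, "name": "main protection"},
 {"id": 202, "name": "release \"gate\" | v2"},
 {"id": 303, "name": "main protection"}]
JSON
}

# Print the id of the first ruleset named $1; print nothing (exit 0) when no
# ruleset has that name. Return non-zero only when the lookup itself fails.
ruleset_id() {
  local name="$1"
  local json id
  # gh's stderr is not redirected, so its own message (auth, rate limit,
  # network) reaches the operator next to the generic line below.
  if ! json=$(gh api 'repos/{owner}/{repo}/rulesets?per_page=100'); then
    echo "ruleset_id: listing rulesets failed" >&2
    return 1
  fi
  # --arg binds the name as a jq string value: quotes and pipes in it stay data.
  # Taking the first match inside jq means no `| head -1` closing the pipe early.
  id=$(printf '%s' "$json" |
    jq -r --arg n "$name" '[.[] | select(.name == $n) | .id] | first // empty') || return 1
  if [ -n "$id" ]; then printf '%s\n' "$id"; fi
}

# Contrast: the name is spliced into the filter text, so a name containing a
# double quote changes the jq program itself and jq exits with a syntax error.
ruleset_id_interpolated() {
  gh api 'repos/{owner}/{repo}/rulesets?per_page=100' |
    jq -r "[.[] | select(.name == \"$1\") | .id] | first // empty"
}
```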