* Harden configure.sh ruleset_id; fix repo-config branch-cleanup doc

  ruleset_id now distinguishes an absent ruleset from a real API error (diagnoses to stderr and returns non-zero instead of a silent set -e abort); repo-config README states actual branch cleanup (Dependabot deletes its own merged branches; feature branches via the merge UI or gh pr merge --delete-branch) rather than claiming the merge-bot passes --delete-branch. Mark configure.sh executable.

  Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Simplify publisher to one branch per run

  Drop the two-branch matrix. The schedule rebuilds main only (refreshing latest + its ubuntu:rolling base for CVEs); a dispatch publishes the branch it is started from. Building only the trigger branch keeps github.ref aligned with the branch being versioned, so NBGV classifies it correctly with no matrix, no ref switching, and no GITHUB_REF override; a develop -> main promotion becomes a normal PR (no admin bypass). Scrub the matrix/leg wording from the task comments, WORKFLOW.md, and AGENTS.md.

  Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Use jq --arg for the ruleset name in ruleset_id

  Pass the ruleset name via jq --arg instead of interpolating it into the filter, matching the rest of the script; a name with jq-significant characters would otherwise abort the run.

  Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Make ruleset_id pipefail-safe; keep README code span on one line

  Select the first ruleset match inside jq (`[...]|first // empty`) instead of `| head -1`, which under pipefail can SIGPIPE jq and fail the function. Keep `gh pr merge --delete-branch` in a single inline code span (was split across two lines).

  Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Let gh surface its own error in ruleset_id

  Stop suppressing gh's stderr (drop 2>/dev/null) so the real failure cause (auth, rate limit, network, missing gh) is visible; keep the script's added line generic rather than asserting a specific cause.

  Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Correct repo-config branch-cleanup wording (verified)

  Empirically dependabot/* branches persist (auto-delete-on-merge is off and the merge-bot does not pass --delete-branch), so "Dependabot deletes its own merged branches" was wrong. State it accurately: auto-delete is off so a develop -> main promotion does not delete develop, and the trade-off is that merged bot/feature branches are cleaned up manually.

  Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Page the ruleset lookup (per_page=100)

  The REST list endpoint defaults to 30 items; request per_page=100 so ruleset_id sees every ruleset in one array (a repo has only a handful).

  Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Pull request overview
Promotes the develop-side CI/CD publisher refactor and repo-config hardening onto main, aligning main’s release automation and documentation with the “one branch per publish run” model while improving repo ruleset discovery robustness.
Changes:
- Update the release publisher workflow to publish only the trigger branch per run (schedule rebuilds `main`; dispatch publishes the branch it is started from).
- Harden `repo-config/configure.sh` ruleset lookup to clearly distinguish “no match” vs real API failures and avoid `pipefail`/SIGPIPE pitfalls.
- Refresh `WORKFLOW.md`, `AGENTS.md`, and repo-config docs to reflect the one-branch publisher model and manual branch cleanup expectations.
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| WORKFLOW.md | Updates the CI/CD contract documentation to the one-branch-per-run publisher model (schedule -> main, dispatch -> trigger branch). |
| AGENTS.md | Updates the release-model pointer text to match the new publisher behavior described in WORKFLOW.md. |
| repo-config/README.md | Clarifies that auto-delete-on-merge is off and documents manual cleanup of merged branches. |
| repo-config/configure.sh | Improves ruleset_id() error handling and robustness (no stderr suppression, jq --arg, pipefail-safe selection, per_page=100). |
| .github/workflows/publish-release.yml | Removes the two-branch matrix and publishes only github.ref_name (guarded to main/develop). |
| .github/workflows/validate-task.yml | Comment-only alignment to describe validating the trigger branch for publishing. |
| .github/workflows/get-version-task.yml | Comment-only alignment describing NBGV running against the trigger branch without ref overrides. |
| .github/workflows/build-release-task.yml | Comment-only alignment clarifying the publisher passes the run’s branch as the logical branch input. |
| .github/workflows/build-executable-task.yml | Comment-only alignment (“threaded” versioning wording) with the updated publisher model. |
| .github/workflows/build-docker-task.yml | Comment-only alignment explaining branch is passed explicitly under the one-branch-per-run publisher. |
Promotes the one-branch publisher conversion (PR #771) and the repo-config hardening from develop to main.
What lands on main
- `ref:` switching. This removes the develop-clean versioning bug (develop now publishes `X.Y.Z-g<sha>`).
- `configure.sh` `ruleset_id` hardened (error-distinction with gh's own stderr, `jq --arg`, pipefail-safe selection, `per_page=100`); repo-config README states the actual branch cleanup (auto-delete off; manual cleanup).

Standard promotion PR with review (no admin bypass). No application/image change.
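
The `ruleset_id` properties listed above (a real failure kept distinct from "no such ruleset", the name bound with `jq --arg`, first-match selection inside jq rather than `| head -1`), as an added example that is not the repository's `configure.sh`. `list_rulesets`, `ruleset_action`, `FAKE_API_FAIL` and the sample rulesets are hypothetical and constructed so the block runs offline; the real script fetches the list with `gh` and `per_page=100`.

```bash
set -eu
(set -o pipefail) 2>/dev/null && set -o pipefail  # enabled where the shell supports it

# Hypothetical stand-in for the gh call (the page's script requests per_page=100).
# Constructed sample data; FAKE_API_FAIL=1 simulates an API failure.
list_rulesets() {
  if [ "${FAKE_API_FAIL:-0}" = 1 ]; then
    echo "simulated API failure (constructed)" >&2
    return 1
  fi
  cat <<'JSON'
[{"id": 101, "name": "main protection"},
 {"id": 102, "name": "release \"tags\" | v*"},
 {"id": 103, "name": "main protection"}]
JSON
}

# Prints the id of the first ruleset named $1, or nothing when none matches.
# Exit status is 0 for "found" and for "absent"; non-zero only on a real failure.
ruleset_id() {
  local name json
  name=$1
  # Capture the listing first so its exit status is checked on its own;
  # its stderr is not redirected, so the underlying cause stays visible.
  if ! json=$(list_rulesets); then
    echo "ruleset_id: listing rulesets failed" >&2
    return 1
  fi
  # --arg binds the name as a string value, never as filter syntax.
  # `first // empty` selects inside jq, so no downstream reader closes the
  # pipe early and fails the function under pipefail.
  jq -r --arg name "$name" \
    '[.[] | select(.name == $name) | .id] | first // empty' <<EOF
$json
EOF
}

# Hypothetical caller: empty output means "create"; a failure stops the caller.
ruleset_action() {
  local id
  id=$(ruleset_id "$1") || return 1
  if [ -n "$id" ]; then echo "update $id"; else echo "create"; fi
}
```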