
Promote develop to main: one-branch publisher + repo-config hardening#772

Merged: ptr727 merged 1 commit into main from develop on Jun 28, 2026

Conversation

@ptr727 (Owner) commented Jun 28, 2026

Promotes the one-branch publisher conversion (PR #771) and the repo-config hardening from develop to main.

What lands on main

  • Publisher rebuilt to one branch per run (schedule -> main, dispatch -> the branch it is started from); no two-branch matrix, no ref: switching. This removes the develop-clean versioning bug (develop now publishes X.Y.Z-g<sha>).
  • configure.sh ruleset_id hardened (error-distinction with gh's own stderr, jq --arg, pipefail-safe selection, per_page=100); repo-config README states the actual branch cleanup (auto-delete off; manual cleanup).
  • WORKFLOW.md / AGENTS.md / task comments rewritten to the one-branch model. Dependabot dual-target and the per-runtime executable matrix untouched.

Standard promotion PR with review (no admin bypass). No application/image change.

* Harden configure.sh ruleset_id; fix repo-config branch-cleanup doc

ruleset_id now distinguishes an absent ruleset from a real API error (diagnoses to stderr
and returns non-zero instead of a silent set -e abort); repo-config README states actual
branch cleanup (Dependabot deletes its own merged branches; feature branches via the merge
UI or gh pr merge --delete-branch) rather than claiming the merge-bot passes --delete-branch.
Mark configure.sh executable.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Simplify publisher to one branch per run

Drop the two-branch matrix. The schedule rebuilds main only (refreshing latest + its
ubuntu:rolling base for CVEs); a dispatch publishes the branch it is started from. Building
only the trigger branch keeps github.ref aligned with the branch being versioned, so NBGV
classifies it correctly with no matrix, no ref switching, and no GITHUB_REF override; a
develop -> main promotion becomes a normal PR (no admin bypass). Scrub the matrix/leg
wording from the task comments, WORKFLOW.md, and AGENTS.md.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Use jq --arg for the ruleset name in ruleset_id

Pass the ruleset name via jq --arg instead of interpolating it into the filter, matching the
rest of the script; a name with jq-significant characters would otherwise abort the run.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Make ruleset_id pipefail-safe; keep README code span on one line

Select the first ruleset match inside jq (`[...]|first // empty`) instead of `| head -1`,
which under pipefail can SIGPIPE jq and fail the function. Keep `gh pr merge --delete-branch`
in a single inline code span (was split across two lines).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Let gh surface its own error in ruleset_id

Stop suppressing gh's stderr (drop 2>/dev/null) so the real failure cause (auth, rate
limit, network, missing gh) is visible; keep the script's added line generic rather than
asserting a specific cause.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Correct repo-config branch-cleanup wording (verified)

Empirically dependabot/* branches persist (auto-delete-on-merge is off and the merge-bot
does not pass --delete-branch), so "Dependabot deletes its own merged branches" was wrong.
State it accurately: auto-delete is off so a develop -> main promotion does not delete
develop, and the trade-off is that merged bot/feature branches are cleaned up manually.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Page the ruleset lookup (per_page=100)

The REST list endpoint defaults to 30 items; request per_page=100 so ruleset_id sees every
ruleset in one array (a repo has only a handful).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
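The ruleset_id changes the commit messages above describe (jq --arg for the name, selection inside jq instead of `| head -1`, absent-vs-error distinction with gh's stderr left visible, per_page=100) can be seen together in a small script. The block below is an added example written for this page; it is not the repository's configure.sh and does not reproduce it. The gh api call is replaced by a stub (list_rulesets) that returns a constructed JSON sample so the script runs offline; RULESET_FETCH_MODE, ruleset_id_unsafe and head_pattern_status are names introduced here, and the return-code contract (empty output with exit 0 for an absent ruleset, exit 1 when the listing itself fails) is this example's assumption, not something the PR states.

```shell
#!/usr/bin/env bash
# Added example, not the project's configure.sh: a ruleset lookup built to the rules
# the commits describe. The network call is stubbed so the script runs offline.
set -euo pipefail

# Constructed sample of the REST list response (GET /repos/{owner}/{repo}/rulesets).
# The second name deliberately contains double quotes, which are jq filter syntax.
SAMPLE_RULESETS='[{"id":101,"name":"protect-main"},{"id":202,"name":"develop \"no bypass\""}]'

# Stand-in for the real lister, assumed to be something like
#   gh api "repos/$REPO/rulesets?per_page=100"
# (per_page=100 because the list endpoint defaults to 30 items per page).
# RULESET_FETCH_MODE=fail mimics gh failing (auth, rate limit, network): it prints its
# own diagnostic to stderr and returns non-zero, and nothing here suppresses that output.
RULESET_FETCH_MODE=${RULESET_FETCH_MODE:-ok}
list_rulesets() {
  if [ "$RULESET_FETCH_MODE" = ok ]; then
    printf '%s\n' "$SAMPLE_RULESETS"
  else
    echo 'gh: HTTP 401: Bad credentials' >&2
    return 1
  fi
}

# ruleset_id NAME  (this return-code contract is the example's assumption)
#   found  -> id on stdout, return 0
#   absent -> empty stdout, return 0   (caller may then create the ruleset)
#   error  -> one generic line on stderr after gh's own, return 1
ruleset_id() {
  local name=$1 json
  if ! json=$(list_rulesets); then
    echo "ruleset_id: listing rulesets failed; see the gh error above" >&2
    return 1
  fi
  # --arg passes the name as data rather than filter text, and the first match is
  # chosen inside jq, so no downstream `head -1` can close the pipe early on jq.
  printf '%s\n' "$json" |
    jq -r --arg name "$name" '[.[] | select(.name == $name) | .id] | first // empty'
}

# The pattern the PR removed, kept only to show the failure: the name is spliced into
# the filter text, so a name with a double quote is a jq syntax error and the call aborts.
ruleset_id_unsafe() {
  printf '%s\n' "$SAMPLE_RULESETS" | jq -r ".[] | select(.name == \"$1\") | .id" | head -n 1
}

# Why `| head -1` is not pipefail-safe: head exits after one line, a producer still
# writing gets SIGPIPE (or EPIPE), and the pipeline fails despite correct output.
head_pattern_status() {
  local status=0
  ( yes 2>/dev/null | head -n 1 >/dev/null ) || status=$?
  echo "$status"
}

main() {
  echo "protect-main           -> $(ruleset_id protect-main)"
  echo "develop \"no bypass\"    -> $(ruleset_id 'develop "no bypass"')"
  echo "no-such-ruleset        -> '$(ruleset_id no-such-ruleset)' (absent, exit 0)"
  ( RULESET_FETCH_MODE=fail; ruleset_id protect-main ) || echo "lister failure         -> exit $?"
  echo "'yes | head -n 1' under pipefail exits $(head_pattern_status)"
}
main
```

Run it as-is to see the four outcomes; swap the stub body for the real gh api call to use it against a repository. The interesting check is the quoted name: ruleset_id returns 202 while ruleset_id_unsafe aborts with a jq compile error, which under set -e would have killed the calling script with no indication of why.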
Copilot AI review requested due to automatic review settings June 28, 2026 23:44

Copilot AI left a comment

Pull request overview

Promotes the develop-side CI/CD publisher refactor and repo-config hardening onto main, aligning main’s release automation and documentation with the “one branch per publish run” model while improving repo ruleset discovery robustness.

Changes:

  • Update the release publisher workflow to publish only the trigger branch per run (schedule rebuilds main; dispatch publishes the branch it is started from).
  • Harden repo-config/configure.sh ruleset lookup to clearly distinguish “no match” vs real API failures and avoid pipefail/SIGPIPE pitfalls.
  • Refresh WORKFLOW.md, AGENTS.md, and repo-config docs to reflect the one-branch publisher model and manual branch cleanup expectations.

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated no comments.

Summary per file

  • WORKFLOW.md: Updates the CI/CD contract documentation to the one-branch-per-run publisher model (schedule -> main, dispatch -> trigger branch).
  • AGENTS.md: Updates the release-model pointer text to match the new publisher behavior described in WORKFLOW.md.
  • repo-config/README.md: Clarifies that auto-delete-on-merge is off and documents manual cleanup of merged branches.
  • repo-config/configure.sh: Improves ruleset_id() error handling and robustness (no stderr suppression, jq --arg, pipefail-safe selection, per_page=100).
  • .github/workflows/publish-release.yml: Removes the two-branch matrix and publishes only github.ref_name (guarded to main/develop).
  • .github/workflows/validate-task.yml: Comment-only alignment to describe validating the trigger branch for publishing.
  • .github/workflows/get-version-task.yml: Comment-only alignment describing NBGV running against the trigger branch without ref overrides.
  • .github/workflows/build-release-task.yml: Comment-only alignment clarifying the publisher passes the run’s branch as the logical branch input.
  • .github/workflows/build-executable-task.yml: Comment-only alignment (“threaded” versioning wording) with the updated publisher model.
  • .github/workflows/build-docker-task.yml: Comment-only alignment explaining branch is passed explicitly under the one-branch-per-run publisher.

@ptr727 ptr727 merged commit 94eecb5 into main Jun 28, 2026
13 checks passed
2 participants