From c07f797fb3d31085e5f50b122a812acc0174b045 Mon Sep 17 00:00:00 2001 
From: NagyVikt Date: Mon, 11 May 2026 12:32:39 +0200 Subject: [PATCH] ci: add release-please automation so today's fixes ship to npm `.github/workflows/release.yml` was correctly wired to publish on `release: types: [published]` but nothing triggered it. `@imdeadpool/guardex@7.0.42` on npm lagged behind ~7 merged fixes (PRs #545-551 in today's audit alone) because the manual bump step never happened. This change adds googleapis/release-please-action@v4 as a parallel workflow on `push: main`: - .github/workflows/release-please.yml -- runs the action with config + manifest files. - release-please-config.json -- `release-type: node`, package name, changelog sections (feat / fix / perf visible; chore / docs / refactor / test / build / ci / style hidden), `include-v-in-tag: true` so the tag format matches what release.yml expects. - .release-please-manifest.json -- pins current version 7.0.42 as baseline. Flow after this merges: release-please scans commits since v7.0.42, opens a "release X.Y.Z" PR that bumps package.json + writes CHANGELOG.md; merging that PR creates a GitHub release at the new tag; release.yml fires on release: published and ships to npm with provenance + cosign signing. OpenSpec notes at openspec/changes/agent-claude-add-release-please-automation-2026-05-11-12-30/notes.md Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/release-please.yml | 32 ++++++++++++++ .release-please-manifest.json | 3 ++ .../.openspec.yaml | 2 + .../notes.md | 44 +++++++++++++++++++ release-please-config.json | 34 ++++++++++++++ 5 files changed, 115 insertions(+) create mode 100644 .github/workflows/release-please.yml create mode 100644 .release-please-manifest.json create mode 100644 openspec/changes/agent-claude-add-release-please-automation-2026-05-11-12-30/.openspec.yaml create mode 100644 openspec/changes/agent-claude-add-release-please-automation-2026-05-11-12-30/notes.md create mode 100644 release-please-config.json 
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
new file mode 100644
index 0000000..82a243b
--- /dev/null
+++ b/.github/workflows/release-please.yml
@@ -0,0 +1,32 @@
+name: Release Please
+
+# Auto-opens / updates a "release PR" that bumps package.json based on
+# conventional-commit prefixes since the last release. When that release PR
+# is merged, googleapis/release-please-action creates a GitHub release and
+# tag, which triggers the existing `release.yml` workflow's `release:
+# types: [published]` listener to publish to npm with provenance + cosign
+# signing.
+#
+# This closes the manual-bump gap that left @imdeadpool/guardex@7.0.42 on
+# npm long after the repo had shipped further fixes.
+
+on:
+ push:
+ branches:
+ - main
+
+permissions:
+ contents: write
+ pull-requests: write
+
+jobs:
+ release-please:
+ if: github.repository == 'recodeee/gitguardex'
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Run release-please
+ uses: googleapis/release-please-action@a02a34c4d625f9be7cb89156071d8567266a2445 # v4.1.3
+ with:
+ config-file: release-please-config.json
+ manifest-file: .release-please-manifest.json
diff --git a/.release-please-manifest.json b/.release-please-manifest.json
new file mode 100644
index 0000000..9fa1d05
--- /dev/null
+++ b/.release-please-manifest.json
@@ -0,0 +1,3 @@
+{
+ ".": "7.0.42"
+}
diff --git a/openspec/changes/agent-claude-add-release-please-automation-2026-05-11-12-30/.openspec.yaml b/openspec/changes/agent-claude-add-release-please-automation-2026-05-11-12-30/.openspec.yaml
new file mode 100644
index 0000000..81cd71f
--- /dev/null
+++ b/openspec/changes/agent-claude-add-release-please-automation-2026-05-11-12-30/.openspec.yaml
@@ -0,0 +1,2 @@
+schema: spec-driven
+created: 2026-05-11
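Review bot: The `Run release-please` step in `.github/workflows/release-please.yml` passes no `token:` input, so the action runs with the default `GITHUB_TOKEN`, and GitHub does not start new workflow runs for events created with that token; the release this job publishes would therefore not fire the `release: types: [published]` listener in `release.yml` that the header comment relies on. Either pass a dedicated credential under `with:`, for example `token: ${{ secrets.RELEASE_PLEASE_TOKEN }}` (placeholder secret name), or run the publish job in this workflow gated on the action's `release_created` output. Because whoever holds that credential can cut a release that ends in an npm publish, it should be a GitHub App installation token or fine-grained PAT limited to this repository with only contents and pull-requests write. The default-token path also depends on the repository setting that lets Actions create pull requests, which is not visible from this diff.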
diff --git a/openspec/changes/agent-claude-add-release-please-automation-2026-05-11-12-30/notes.md b/openspec/changes/agent-claude-add-release-please-automation-2026-05-11-12-30/notes.md
new file mode 100644
index 0000000..1a6dd40
--- /dev/null
+++ b/openspec/changes/agent-claude-add-release-please-automation-2026-05-11-12-30/notes.md
@@ -0,0 +1,44 @@
+# add-release-please-automation (T1)
+
+Branch: `agent/claude/add-release-please-automation-2026-05-11-12-30`
+
+## Problem
+
+`.github/workflows/release.yml` is wired correctly (publish-on-`release: types: [published]`) but nothing in the repo triggers it. The package on npm sat at `@imdeadpool/guardex@7.0.42` while the repo accumulated multiple fixes (PRs #545-551 in today's audit alone). Consumers don't pick up fixes until someone manually bumps `package.json`, creates a tag, and cuts a GitHub release.
+
+## Approach
+
+Add `googleapis/release-please-action@v4` as a parallel workflow that runs on `push: main`:
+
+- `.github/workflows/release-please.yml` — invokes the action with the config + manifest files.
+- `release-please-config.json` — `release-type: node`, package name, changelog sections (feat / fix / perf visible; chore / docs / refactor / test / build / ci / style hidden), `include-v-in-tag: true` so tags match the `vX.Y.Z` format `release.yml` already expects via `github.event.release.tag_name`.
+- `.release-please-manifest.json` — pins current version `7.0.42` as baseline.
+
+## How it works after merge
+
+1. release-please scans commits since `v7.0.42`, classifies them by conventional-commit prefix.
+2. Opens a "release-please: release X.Y.Z" PR that bumps `package.json` + writes `CHANGELOG.md`.
+3. Merging that release PR creates a GitHub release at the new tag.
+4. Existing `release.yml` listens for `release: types: [published]` and publishes to npm with provenance + cosign signing.
+
+## Scope
+
+- Three new files; no existing files modified.
+- `chore(release): ...` / `chore(deps): ...` commits hidden from changelog by default.
+
+## Out of scope
+
+- Backfilling release notes for prior merged PRs (release-please picks them up from commits since last tag).
+- Migrating off `release.yml` (kept as the publish handler).
+- CI gate enforcing conventional-commits (today's commits already use it).
+
+## Risk
+
+- First release-please PR after merge accumulates all commits since `v7.0.42`. Likely just a patch bump (no `feat:` or `BREAKING CHANGE`).
+- If `node-workspace` plugin causes issues at runtime (no real workspaces here), remove it from `release-please-config.json` plugins.
+
+## Cleanup
+
+- [ ] `gx branch finish --branch agent/claude/add-release-please-automation-2026-05-11-12-30 --base main --via-pr --wait-for-merge --cleanup`
+- [ ] Record PR URL + `MERGED` state.
+- [ ] Confirm sandbox worktree gone.
diff --git a/release-please-config.json b/release-please-config.json
new file mode 100644
index 0000000..58d7613
--- /dev/null
+++ b/release-please-config.json
@@ -0,0 +1,34 @@
+{
+ "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json",
+ "release-type": "node",
+ "packages": {
+ ".": {
+ "package-name": "@imdeadpool/guardex",
+ "changelog-path": "CHANGELOG.md",
+ "include-component-in-tag": false,
+ "include-v-in-tag": true,
+ "draft": false,
+ "prerelease": false,
+ "bump-minor-pre-major": false,
+ "bump-patch-for-minor-pre-major": false,
+ "changelog-sections": [
+ { "type": "feat", "section": "Features" },
+ { "type": "fix", "section": "Bug Fixes" },
+ { "type": "perf", "section": "Performance" },
+ { "type": "revert", "section": "Reverts" },
+ { "type": "docs", "section": "Documentation", "hidden": true },
+ { "type": "style", "section": "Styles", "hidden": true },
+ { "type": "chore", "section": "Miscellaneous", "hidden": true },
+ { "type": "refactor", "section": "Refactors", "hidden": true },
+ { "type": "test", "section": "Tests", "hidden": true },
+ { "type": "build", "section": "Build", "hidden": true },
+ { "type": "ci", "section": "CI", "hidden": true }
+ ]
+ }
+ },
+ "plugins": [
+ {
+ "type": "node-workspace"
+ }
+ ]
+}
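Review bot: In `release-please-config.json`, `changelog-sections` hides `chore` and has no `deps` entry, so dependency updates committed as `chore(deps): ...` (the form notes.md mentions) will not appear in CHANGELOG.md and, as far as I know release-please's defaults, do not count as releasable commits either; a dependency bump that fixes a vulnerability could sit unreleased on main until an unrelated `fix:` or `feat:` lands. Consider adding `{ "type": "deps", "section": "Dependencies" }` to the list and using the `deps:` prefix for such bumps. Separately, the `node-workspace` plugin targets multi-package repositories while this config declares the single package `.`; notes.md in this same commit already lists it as a risk, so dropping the `"plugins"` array is the simpler baseline.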