Skip to content

chore: add release workflow for setup-sourcebot#1279

Merged
brendan-kellam merged 2 commits into
mainfrom
brendan/release-setup-sourcebot-action
Jun 4, 2026
Merged

chore: add release workflow for setup-sourcebot#1279
brendan-kellam merged 2 commits into
mainfrom
brendan/release-setup-sourcebot-action

Conversation

@brendan-kellam
Copy link
Copy Markdown
Contributor

@brendan-kellam brendan-kellam commented Jun 4, 2026
edited by coderabbitai Bot
Loading

Summary

Adds a manually-triggered GitHub Action (.github/workflows/release-setup-sourcebot.yml) that automates releasing the setup-sourcebot CLI (packages/setupWizard) to the public npm registry.

Triggered via workflow_dispatch with a bump_type choice (patch/minor/major), matching the convention in release-prod.yml. In one job it:

  1. Mints the existing RELEASE_APP GitHub App token (to push to protected main).
  2. Bumps packages/setupWizard/package.json and guards against an existing setup-sourcebot-v<version> tag.
  3. Builds @sourcebot/schemas then setup-sourcebot.
  4. Packs with Yarn (rewrites the workspace:^ schemas dep to a concrete version range — something npm publish can't do on its own).
  5. Upgrades npm and publishes the tarball with OIDC Trusted Publishing (npm publish --provenance, no long-lived token).
  6. Commits the bump ([skip ci]), tags setup-sourcebot-v<version>, pushes to main, and cuts a GitHub release.

Publish happens before the git commit/tag so a late git failure can't leave a tag for a version that never reached npm. The setup-sourcebot-v tag prefix avoids colliding with the main product's v<version> tags.

Prerequisites (one-time, before first run)

  • npm Trusted Publisher: on npmjs.org, configure a trusted publisher for the setup-sourcebot package pointing at sourcebot-dev/sourcebot + workflow release-setup-sourcebot.yml. (The package already exists at 0.1.5, so trusted publishing can attach to it.)
  • RELEASE_APP_ID / RELEASE_APP_PRIVATE_KEY secrets already exist (shared with release-prod.yml); the App needs push access to main.

Notes

  • setupWizard versioning is independent of the main repo's CHANGELOG.md-driven release; its own package.json is the source of truth.
  • No product-facing change, so no CHANGELOG entry (CI tooling only).

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Improved release process automation for the setup-sourcebot package with automated versioning, building, and npm publishing.

@brendan-kellam @claude
chore: add release workflow for setup-sourcebot
c4babfd 
Adds a manually-triggered GitHub Action that publishes the setup-sourcebot
CLI (packages/setupWizard) to npm via OIDC Trusted Publishing, then bumps
the package version, commits it to main, tags it, and cuts a GitHub release.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Jun 4, 2026

@brendan-kellam your pull request is missing a changelog!

@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai Bot commented Jun 4, 2026
edited
Loading

Review Change Stack

Walkthrough

This PR adds a new GitHub Actions workflow for automating the release of the setup-sourcebot CLI. The workflow accepts a manual version bump type (patch/minor/major), generates a GitHub App token, bumps the package version, builds dependent workspaces, publishes the tarball to npm using OIDC provenance, and finally commits and tags the version change on main.

Changes

Release setup-sourcebot automation

Layer / File(s) Summary
Release workflow: token generation through npm publish and git push
.github/workflows/release-setup-sourcebot.yml		 Workflow accepts manual bump_type input, generates GitHub App token via actions/create-github-app-token, checks out main, bumps packages/setupWizard/package.json, validates the annotated tag does not exist, builds @sourcebot/schemas and setup-sourcebot workspaces in dependency order, packs the CLI, upgrades npm for OIDC compliance, publishes the tarball with --provenance --access public, commits the version bump, creates an annotated tag, and pushes both to main.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately and concisely summarizes the main change: adding a GitHub Actions release workflow for the setup-sourcebot package.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch brendan/release-setup-sourcebot-action

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai[bot]
coderabbitai Bot reviewed Jun 4, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release-setup-sourcebot.yml:
- Around line 53-63: Replace unpinned action versions and remove unnecessary
submodule checkout: update uses for actions/checkout, actions/setup-node, and
actions/create-github-app-token to specific commit SHAs (pin the actions to
exact commit hashes instead of tags) and change or remove the checkout input
submodules: "true" (e.g., set submodules: false or remove the key) since
vendor/zoekt isn't used by the workspace builds; ensure the workflow still
passes the token through (token: ${{ steps.generate_token.outputs.token }})
after making these replacements.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d43101b7-5cbd-4d87-9a2f-90e721df8ff9

📥 Commits

Reviewing files that changed from the base of the PR and between bd47aab and c4babfd.

📒 Files selected for processing (1)
  • .github/workflows/release-setup-sourcebot.yml

Comment thread .github/workflows/release-setup-sourcebot.yml
@brendan-kellam brendan-kellam merged commit 4868d30 into main Jun 4, 2026
6 of 7 checks passed
@brendan-kellam brendan-kellam deleted the brendan/release-setup-sourcebot-action branch June 4, 2026 22:03
@github-actions github-actions Bot mentioned this pull request Jun 4, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@brendan-kellam