Add GitHub release workflow

[hasithakn]

Overview

Add GitHub workflow to release openFGC

Changes

• $subject

Summary by CodeRabbit

• Chores

  • Added an automated release pipeline with version management, validation, artifact packaging, and release note generation
  • Multi-platform builds and packaging for Linux, macOS, and Windows (multiple architectures)
  • Release artifacts now include build metadata, API specifications, and a version file
  • Version updated to v0.1.0 and automated progression for the next cycle

• Tests

  • Integration tests adjusted to use 127.0.0.1 for database connectivity

[coderabbitai]

Walkthrough

Adds a GitHub Actions "Release Builder" workflow for version preparation, testing, cross-platform builds, artifact publishing, release creation with generated notes, and automated next-version bump. build.sh now copies version.txt and API specs into outputs; version.txt content changed to v0.1.0. Integration test DB host changed to 127.0.0.1.

Changes

Cohort / File(s)	Summary
Release Workflow ​.github/workflows/release-builder.yml	New end-to-end release workflow: prepares/validates release version, checks tag absence, runs unit and integration tests, cross-compiles/packages for multiple platforms, uploads artifacts, generates release notes, creates git tag & GitHub release, and bumps version.txt.
Build Script build.sh	Add PACKAGE_VERSION (strips leading v), copy VERSION/version.txt and API specs into build outputs and distribution, print build metadata, and include integration-test deployment copy.
Version File version.txt	Literal version updated from v0.5.0 to v0.1.0.
Integration Test Config tests/integration/repository/conf/deployment.yaml	Configuration change: database.consent hostname changed from localhost to 127.0.0.1.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant GH as "GitHub Actions"
    participant Repo as "Git Repository"
    participant Runner as "CI Runner"
    participant DB as "MySQL Service"
    participant API as "GitHub Release API"

    User->>GH: workflow_dispatch (version, prerelease)
    GH->>Repo: read version.txt or input, validate semver, check tag absence
    Repo-->>GH: tag existence
    GH->>Runner: checkout, setup Go, run unit tests
    Runner-->>GH: unit test results
    GH->>DB: start MySQL service for integration
    GH->>Runner: build server binary, run integration tests against DB
    Runner-->>GH: integration results
    GH->>Runner: build/packages for multiple platforms
    Runner-->>GH: upload artifacts
    GH->>Repo: create and push git tag
    GH->>API: create release with generated notes and attach artifacts
    API-->>GH: release published
    GH->>Repo: compute next dev version, update `version.txt`, commit & push
    GH-->>User: workflow complete

Loading

Estimated Code Review Effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐇 I hopped through CI at break of dawn,
Packed versions, specs, and tests until gone,
I tagged the tree and pushed with a cheer,
Bumped the file for the next dev year,
A tiny rabbit release engineer.

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description is incomplete and largely vague. It provides only a brief overview and does not follow the required template structure with sections like Purpose, Goals, Approach, Release notes, etc.	Complete the PR description using the repository template. Include Purpose (with issue links), Goals, Approach, Release notes, Documentation impact, Testing details (unit and integration test coverage), and other required sections.
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Add GitHub release workflow' is clear and directly related to the main changeset, which introduces a comprehensive GitHub Actions workflow for automating the release process.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 6

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/release-builder.yml:
- Around line 224-230: The "🏷️ Create Git Tag" step currently creates and
pushes the annotated tag immediately (uses TAG_VERSION from
needs.prepare.outputs.version, runs git tag -a and git push origin
"$TAG_VERSION"), which can leave the repo in a partial-release state if later
steps fail; change the workflow so this step only creates the local annotated
tag (run git tag -a but do not run git push) and move the git push origin
"$TAG_VERSION" invocation to the end of the release job sequence (after release
notes generation, GitHub release creation, and the post-release version bump),
ensuring the tag is only published once all subsequent release steps succeed.
- Around line 269-295: The release body builds download links and unzip examples
using the stripped variable ver (which removes the leading "v"), but built
artifacts use the verbatim VERSION with the "v" prefix; update the table,
baseUrl references, and the unzip example to use currentTag (or make ver
preserve the "v" by setting ver = currentTag when currentTag already contains
the prefix) so filenames like consent-server-${currentTag}-linux-x64.zip match
the produced archives and the PRODUCT_FOLDER/VERSION usage in build.sh.
- Around line 23-35: Add an early guard job that fails the workflow unless the
manual dispatch is targeting the main branch: create a job (e.g., verify-ref)
that runs before any release steps and checks github.ref or github.ref_name and
exits non‑zero if it is not "main". Reference the workflow inputs
(version/prerelease) remain unchanged; implement the check as a shell step or
actions/github-script step that inspects github.ref_name (or github.ref ==
'refs/heads/main') and calls exit 1 when not main so the workflow cannot tag or
push from feature branches.
- Around line 61-70: The workflow branch that reads version.txt sets
PRERELEASE="true" unconditionally and ignores github.event.inputs.prerelease,
preventing stable releases when VERSION is sourced from version.txt; change the
branch so after setting VERSION=$(tr -d '[:space:]' < version.txt) it preserves
or uses the provided input by assigning PRERELEASE="${{
github.event.inputs.prerelease }}" (or defaulting to "true" only if that input
is empty), so that PRERELEASE respects the caller's
github.event.inputs.prerelease value instead of always forcing "true"; update
the logic around VERSION and PRERELEASE in the workflow_dispatch handling and
the version.txt branch accordingly.

In `@build.sh`:
- Around line 244-251: The run/start logic mismatches the built artifact name on
Windows: build_binary() emits consent-server.exe for GO_OS=windows but the
run/start block checks and executes "./consent-server" which causes rebuilds and
failures; update the run_server/start block to reference the same artifact
variable used by build_binary (BINARY_NAME) and check for/execute
"$OUTPUT_DIR/$BINARY_NAME" (including the .exe on Windows), or ensure
build_binary sets BINARY_NAME to include the .exe suffix so both the existence
check and the exec use the same symbol (BINARY_NAME) consistently.

In `@version.txt`:
- Line 1: version.txt was changed from v0.5.0 to v0.1.0 which will cause
build.sh to generate older-looking tags and artifacts; revert or set version.txt
to the intended release version (e.g., restore v0.5.0 or bump to the correct new
release) so build.sh’s use of that value for archive names and embedded binary
metadata stays accurate, and coordinate with the release/versioning step that
updates version.txt to avoid accidental downgrades.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 55721a30-e1f5-4f27-8d6b-6f479365d819

📥 Commits

Reviewing files that changed from the base of the PR and between ad5a9bd and 1c554c5.

📒 Files selected for processing (3)

• .github/workflows/release-builder.yml
• build.sh
• version.txt

[coderabbitai]

🧹 Nitpick comments (2)

.github/workflows/release-builder.yml (2)

60-71: Consider quoting shell variables for robustness.

Static analysis flags potential word-splitting issues. While version strings are unlikely to contain spaces, quoting the test expressions is safer:

♻️ Suggested improvement

-          if [ "${{ github.event_name }}" == "workflow_dispatch" ] && [ -n "${{ github.event.inputs.version }}" ]; then
+          if [ "${{ github.event_name }}" == "workflow_dispatch" ] && [ -n "${{ github.event.inputs.version }}" ]; then
             VERSION="${{ github.event.inputs.version }}"
             PRERELEASE="${{ github.event.inputs.prerelease }}"
           else
             if [ ! -f version.txt ] || [ -z "$(cat version.txt | tr -d '[:space:]')" ]; then

The current code is functionally fine for version strings, but wrapping ${{ github.event.inputs.version }} and ${{ github.event.inputs.prerelease }} in quotes within assignments ensures safety if inputs ever contain unexpected characters.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release-builder.yml around lines 60 - 71, The shell logic
should quote variables to avoid word-splitting: update the conditional and
assignments that reference github.event.inputs.version and
github.event.inputs.prerelease so the test expressions and variable assignments
use quoted expansions (e.g., use "${{ github.event.inputs.version }}" and "${{
github.event.inputs.prerelease }}" and assign VERSION and PRERELEASE as "${VAR}"
rather than unquoted VAR); modify the if condition and the lines setting VERSION
and PRERELEASE to use quoted variable expansions to make checks and assignments
robust.

---

409-424: Minor: PATCH variable is extracted but unused.

The version parsing extracts PATCH (line 413), but the next version calculation always resets patch to 0 (line 424). This is correct behavior for bumping to the next development version, but the unused variable could be removed or replaced with a placeholder for clarity.

♻️ Optional cleanup

           if [[ $RELEASE_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+) ]]; then
             MAJOR="${BASH_REMATCH[1]}"
             MINOR="${BASH_REMATCH[2]}"
-            PATCH="${BASH_REMATCH[3]}"
+            # PATCH captured but intentionally unused; next dev version resets to .0
           elif [[ $RELEASE_VERSION =~ ^([0-9]+)\.([0-9]+) ]]; then

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release-builder.yml around lines 409 - 424, The workflow
parses RELEASE_VERSION into MAJOR/MINOR/PATCH but PATCH is never used when
computing NEXT_VERSION; update the parsing block to avoid creating an unused
variable by either removing the PATCH assignment or assigning it to a clear
placeholder (e.g., "_" or a comment) in both regex branches, ensuring MAJOR and
MINOR are still set and NEXT_VERSION remains computed as
"${MAJOR}.${NEXT_MINOR}.0"; reference variables: RELEASE_VERSION, MAJOR, MINOR,
PATCH, NEXT_MINOR, NEXT_VERSION.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.github/workflows/release-builder.yml:
- Around line 60-71: The shell logic should quote variables to avoid
word-splitting: update the conditional and assignments that reference
github.event.inputs.version and github.event.inputs.prerelease so the test
expressions and variable assignments use quoted expansions (e.g., use "${{
github.event.inputs.version }}" and "${{ github.event.inputs.prerelease }}" and
assign VERSION and PRERELEASE as "${VAR}" rather than unquoted VAR); modify the
if condition and the lines setting VERSION and PRERELEASE to use quoted variable
expansions to make checks and assignments robust.
- Around line 409-424: The workflow parses RELEASE_VERSION into
MAJOR/MINOR/PATCH but PATCH is never used when computing NEXT_VERSION; update
the parsing block to avoid creating an unused variable by either removing the
PATCH assignment or assigning it to a clear placeholder (e.g., "_" or a comment)
in both regex branches, ensuring MAJOR and MINOR are still set and NEXT_VERSION
remains computed as "${MAJOR}.${NEXT_MINOR}.0"; reference variables:
RELEASE_VERSION, MAJOR, MINOR, PATCH, NEXT_MINOR, NEXT_VERSION.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d2d5d9e3-a3b8-4db1-9fb7-262977f568d3

📥 Commits

Reviewing files that changed from the base of the PR and between 1c554c5 and 362aa93.

📒 Files selected for processing (3)

• .github/workflows/release-builder.yml
• build.sh
• tests/integration/repository/conf/deployment.yaml

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (2)

.github/workflows/release-builder.yml (2)

61-71: ⚠️ Potential issue | 🟠 Major

The prerelease input is still ignored when version is left blank.

When the user provides no version input (relying on version.txt), line 70 hardcodes PRERELEASE="true", discarding the prerelease input. This makes it impossible to cut a stable release from version.txt.

🐛 Proposed fix

-          if [ "${{ github.event_name }}" == "workflow_dispatch" ] && [ -n "${{ github.event.inputs.version }}" ]; then
-            VERSION="${{ github.event.inputs.version }}"
-            PRERELEASE="${{ github.event.inputs.prerelease }}"
-          else
+          PRERELEASE="${{ github.event.inputs.prerelease }}"
+          if [ -n "${{ github.event.inputs.version }}" ]; then
+            VERSION="${{ github.event.inputs.version }}"
+          else
             if [ ! -f version.txt ] || [ -z "$(cat version.txt | tr -d '[:space:]')" ]; then
               echo "❌ Error: version.txt not found or empty"
               exit 1
             fi
             VERSION=$(tr -d '[:space:]' < version.txt)
-            PRERELEASE="true"
           fi

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release-builder.yml around lines 61 - 71, The PR hardcodes
PRERELEASE="true" when falling back to version.txt which ignores the workflow
input; update the else branch to set PRERELEASE from the workflow input
(PRERELEASE="${{ github.event.inputs.prerelease }}") and provide a sensible
default if that input is empty (e.g., PRERELEASE="${{
github.event.inputs.prerelease || 'true' }}") so that VERSION continues to be
read from version.txt but the prerelease choice respects the workflow input;
adjust references to VERSION and PRERELEASE in the script accordingly.

---

58-80: ⚠️ Potential issue | 🟠 Major

Prevent releases from non-main refs.

Nothing stops a manual dispatch from a feature branch. The workflow tags the checked-out commit and pushes version.txt back to ${{ github.ref_name }} (line 436), which could publish unmerged code and mutate the wrong branch.

🛡️ Proposed guard

       - name: 📝 Determine Release Version
         id: get_version
         run: |
+          if [ "$GITHUB_REF_NAME" != "main" ]; then
+            echo "❌ Releases must be cut from main"
+            exit 1
+          fi
+
           if [ "${{ github.event_name }}" == "workflow_dispatch" ] && [ -n "${{ github.event.inputs.version }}" ]; then

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release-builder.yml around lines 58 - 80, Add a guard in
the "📝 Determine Release Version" step to prevent manual dispatches from
non-main branches: detect the current ref (using github.event_name and
github.ref_name or GITHUB_REF) and if the event is workflow_dispatch ensure the
ref name equals "main" (or your canonical release branch) otherwise fail early
with an error; update the logic around VERSION/PRERELEASE determination (the
variables set in this step) so the workflow exits before continuing or pushing
version.txt when the ref check fails.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/release-builder.yml:
- Line 295: Replace the corrupted Unicode character in the GitHub Actions step
name (the "name" value currently shown as "� Generate Detailed Release Notes")
with a valid character or emoji (e.g., "🔎 Generate Detailed Release Notes" or
just "Generate Detailed Release Notes"); update the step's name field so the
YAML contains a valid UTF-8 character sequence and the step displays correctly
in the Actions UI.
- Around line 182-192: The MySQL wait loop in the "⏳ Wait for MySQL to be Ready"
step currently breaks on success but does not fail when the 30 attempts expire;
update the shell logic so that if the loop finishes without a successful
mysqladmin ping it prints a clear error (e.g., "MySQL did not become ready after
30 attempts") and exits non‑zero (exit 1). Locate the for-loop block and either
set a flag (e.g., READY=false -> READY=true on success) and check it after the
loop or use an if-check around the loop to call echo with the timeout message
and exit 1 when the service never becomes ready.

---

Duplicate comments:
In @.github/workflows/release-builder.yml:
- Around line 61-71: The PR hardcodes PRERELEASE="true" when falling back to
version.txt which ignores the workflow input; update the else branch to set
PRERELEASE from the workflow input (PRERELEASE="${{
github.event.inputs.prerelease }}") and provide a sensible default if that input
is empty (e.g., PRERELEASE="${{ github.event.inputs.prerelease || 'true' }}") so
that VERSION continues to be read from version.txt but the prerelease choice
respects the workflow input; adjust references to VERSION and PRERELEASE in the
script accordingly.
- Around line 58-80: Add a guard in the "📝 Determine Release Version" step to
prevent manual dispatches from non-main branches: detect the current ref (using
github.event_name and github.ref_name or GITHUB_REF) and if the event is
workflow_dispatch ensure the ref name equals "main" (or your canonical release
branch) otherwise fail early with an error; update the logic around
VERSION/PRERELEASE determination (the variables set in this step) so the
workflow exits before continuing or pushing version.txt when the ref check
fails.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 89452a7c-f3ff-407c-a42d-34673f5979c4

📥 Commits

Reviewing files that changed from the base of the PR and between 362aa93 and 6123dd9.

📒 Files selected for processing (1)

• .github/workflows/release-builder.yml