chore: harden release workflow and update release runbook #83

Closed
edelauna wants to merge 1 commit into main from chore/release-checklist-actions

@edelauna edelauna commented May 13, 2026

Contributor

Summary

  • Replaces the hardcoded R00-B0T actor check with a GitHub App token approach (actions/create-github-app-token@v3) so the changeset job can push and open PRs without triggering loop-prevention rules on GITHUB_TOKEN.
  • Renames Job 2 from "edit/approve" to "validate/approve" and replaces the changelog-push step with a real release-artifact validation: identity checks, SemVer format, CHANGELOG entry, README sync, and VSIX manifest verification.
  • Adds workspace package builds and POSTHOG_API_KEY to the validate step so the packaged artifact matches what ships.
  • Uses pnpm --filter ./src vsix (includes mkdirp ../bin) instead of bare exec vsce package.
  • Adds a loop-guard comment explaining the PR-title-based condition.
  • Updates .roo/commands/release.md for Zoo Code identity (zoo-code package name, ZooCodeOrganization publisher) and expands the runbook with the full release sequence: changeset prep → version-bump PR → tag → publish.

Required repository settings

Before the workflow can run end-to-end:

| Setting | Type | Value |
| --- | --- | --- |
| RELEASE_APP_ID | Variable | Roomote GitHub App ID |
| RELEASE_BOT_LOGIN | Variable | app/roomote |
| RELEASE_APP_PRIVATE_KEY | Secret | Roomote GitHub App private key (.pem) |

Test plan

  • Merge a changeset PR to main and confirm Job 1 opens a PR titled "Zoo Code changeset version bump" authored by app/roomote
  • Confirm Job 2 triggers on that PR, passes validation, adds changelog-ready label, and auto-approves
  • Confirm Job 1 does not re-trigger when the version-bump PR is merged (loop guard)

Summary by CodeRabbit

  • Chores
    • Improved release automation to reduce recursive PRs, strengthen token usage, and tighten validation and approval flow for version bumps.
  • Documentation
    • Expanded and clarified release preparation guidance for the Zoo Code extension, including baseline selection, changelog/image handling, announcement coordination, and branch/PR/tag lifecycle.
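
One way to express the release-metadata checks the summary lists (package identity, SemVer format, CHANGELOG entry, packaged-manifest parity), as an added example that is not code from this PR or the project's workflow. The function names, the `## <version>` heading format and the already-parsed `vsixPkg` object are assumptions.

```javascript
// Added example; names and formats below are assumptions, not the project's code.
const EXPECTED = { name: "zoo-code", publisher: "ZooCodeOrganization" };

// SemVer 2.0.0 pattern as published on semver.org.
const SEMVER = /^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$/;

// Escape a string for literal use inside a RegExp.
function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// pkg: source package.json; changelog: CHANGELOG.md text;
// vsixPkg: package.json already extracted from the built VSIX and parsed.
function validateRelease({ pkg, changelog, vsixPkg }) {
  const errors = [];
  for (const key of ["name", "publisher"]) {
    if (pkg[key] !== EXPECTED[key]) {
      errors.push(`${key}: expected ${EXPECTED[key]}, got ${pkg[key]}`);
    }
  }
  const version = typeof pkg.version === "string" ? pkg.version : "";
  if (!SEMVER.test(version)) {
    errors.push(`version is not SemVer: ${JSON.stringify(pkg.version)}`);
  } else {
    // Assumed heading format "## 1.2.3" or "## [1.2.3]"; anchored to the whole
    // line so 1.2.3 is not satisfied by a "## 1.2.30" entry.
    const heading = new RegExp(`^##\\s+\\[?${escapeRe(version)}\\]?\\s*$`, "m");
    if (!heading.test(changelog)) {
      errors.push(`CHANGELOG has no heading for ${version}`);
    }
  }
  // The packaged manifest must carry the same identity as the source tree.
  for (const key of ["name", "publisher", "version"]) {
    if (vsixPkg[key] !== pkg[key]) {
      errors.push(`VSIX ${key} mismatch: ${vsixPkg[key]} != ${pkg[key]}`);
    }
  }
  return errors;
}

// Constructed sample: source tree bumped to 1.2.3, VSIX built from a stale tree.
const sample = {
  pkg: { name: "zoo-code", publisher: "ZooCodeOrganization", version: "1.2.3" },
  changelog: "# Changelog\n\n## 1.2.30\n\n- later entry\n\n## 1.2.3\n\n- fix\n",
  vsixPkg: { name: "zoo-code", publisher: "ZooCodeOrganization", version: "1.2.2" },
};
console.log(validateRelease(sample));
```

An empty array means every check passed; a CI step would fail the job on any non-empty result before labelling or approving.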


coderabbitai Bot commented May 13, 2026

Contributor

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 4bc35351-9b92-433a-a23e-0fd839c0e66d

📥 Commits

Reviewing files that changed from the base of the PR and between c0e6c4742dce39f64b52a90a0ceecf48f74e7f9b and 43065d0.

📒 Files selected for processing (2)
  • .github/workflows/changeset-release.yml
  • .roo/commands/release.md
✅ Files skipped from review due to trivial changes (1)
  • .roo/commands/release.md
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/changeset-release.yml

Walkthrough

The PR refactors the changeset-release GitHub Actions workflow to use a title-based version-bump guard and GitHub App token authentication, adds explicit bump commit/title settings, replaces changelog push steps with a comprehensive validation/build/VSIX inspection sequence, and expands release documentation rebranded for Zoo Code.

Changes

Release Process Automation and Documentation

| Layer / File(s) | Summary |
| --- | --- |
| Version bump PR creation and authentication (.github/workflows/changeset-release.yml) | Run-name conditional logic updated to distinguish "Create PR" vs "Validate Version PR" by PR event and author/title. VERSION_BUMP_PR_TITLE env added; bump PR recursion guard skips by exact title; checkout uses GitHub App token. |
| Changesets PR creation and validation trigger (.github/workflows/changeset-release.yml) | Changesets action now supplies explicit commit and title for the version-bump PR and authenticates with the GitHub App token. Validate-and-approve job triggers only for PRs authored by vars.RELEASE_BOT_LOGIN with the exact bump title; checkout-ref logic adjusted accordingly. |
| Release validation and build verification (.github/workflows/changeset-release.yml) | Replaces changelog push with validation: Node/pnpm install (frozen lockfile), targeted workspace builds, package name/publisher/version SemVer checks, CHANGELOG.md heading verification, README parity check, production bundle generation, VSIX creation and embedded package.json verification, then changelog-ready labeling. |
| Auto-approval after validation (.github/workflows/changeset-release.yml) | Auto-approve step now runs unconditionally after validation with an updated review message (removes prior label-gated gating in shown region). |
| Release process documentation (.roo/commands/release.md) | Documentation rebranded to Zoo Code and expanded: baseline selection, PR/issue analysis, zoo-code changeset rules, release image insertion requirements, major/minor announcement and translation coordination, release-prep staging/PR steps, explicit post-merge version-bump PR responsibilities, and tagging/publishing ordering (tag after merge). |

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related issues

Suggested reviewers

  • hannesrudolph


🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Description check | ⚠️ Warning | The PR description is missing the required 'Related GitHub Issue' section; it lacks a Closes: # reference linking to an approved issue as mandated by the template. | Add 'Closes: #<issue_number>' at the top of the description to link this PR to its approved GitHub Issue, as required by the template. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title 'chore: harden release workflow and update release runbook' accurately captures the main objectives: strengthening the release workflow and updating documentation. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


codecov Bot commented May 13, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.


@edelauna edelauna changed the title feat: release workflow chore: harden release workflow and update release runbook May 13, 2026
@edelauna edelauna marked this pull request as ready for review May 13, 2026 13:33
@edelauna edelauna requested a review from hannesrudolph as a code owner May 13, 2026 13:33

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/changeset-release.yml (1)

7-7: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Skip validate-approve on closed events.

The workflow triggers on types: [closed, opened, labeled]. When the bot's version-bump PR merges, Job 1 is correctly suppressed by the title-based loop guard — but Job 2's if: does not filter on github.event.action, so the full validation pipeline (install, build, bundle, vsix package, metadata checks) re-runs on the closed event and then attempts to auto-approve an already-merged PR. Add an action filter to skip closed-event runs.

🛠️ Proposed fix
     if: >
         github.event_name == 'pull_request' &&
+        github.event.action != 'closed' &&
         github.event.pull_request.base.ref == 'main' &&
         github.event.pull_request.user.login == vars.RELEASE_BOT_LOGIN &&
         github.event.pull_request.title == 'Zoo Code changeset version bump'
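
Review bot: The added `github.event.action != 'closed'` term is a deny-list, so with the trigger types quoted above (closed, opened, labeled) every `labeled` event on the bot's PR still reaches the validation and auto-approve path, and any type added to the trigger later is admitted by default. If only specific events should lead to auto-approval, name them explicitly, for example `github.event.action == 'opened'`, and state in a comment whether `labeled` is meant to re-run the job.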

Also applies to: 75-79

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/changeset-release.yml at line 7, The workflow currently
triggers on pull_request types including "closed", and the second job (the
validation/auto-approve job that lacks an action filter) runs on closed events
and tries to approve an already-merged PR; update that job's existing if:
condition (the job that performs install/build/bundle/vsix/metadata checks and
auto-approve) to also require github.event.action != 'closed' (e.g. add &&
github.event.action != 'closed' to its if: expression), and apply the same
change to the other occurrences around the 75-79 region so closed-event runs are
skipped.
🧹 Nitpick comments (2)
.roo/commands/release.md (1)

69-74: ⚡ Quick win

Make the staging command robust when no release image exists.

Step 7 makes the image optional, but the sample git add command always includes releases/[version]-release.png. Consider showing an optional/conditional add pattern to avoid failed copy-paste runs.

Suggested doc tweak
- git add .changeset/v[version].md README.md releases/[version]-release.png
+ git add .changeset/v[version].md README.md
+ # If generated:
+ git add releases/[version]-release.png
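
Review bot: In the replacement lines, `# If generated:` is only a comment, so pasting the block whole still runs `git add releases/[version]-release.png` and fails on the missing pathspec when no image exists, which is the case this change is meant to cover. Guard the second command on the file itself, for example `[ -f releases/[version]-release.png ] && git add releases/[version]-release.png`.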
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.roo/commands/release.md around lines 69 - 74, The git add sample in the
release staging steps currently always includes releases/[version]-release.png
which breaks copy-paste when no image exists; change the single git add line so
the image is added conditionally (e.g., keep adding .changeset/v[version].md and
README.md unconditionally and add releases/[version]-release.png only if the
file exists, or split into two commands where the second command only runs when
the file is present) and update the example line in .roo/commands/release.md
accordingly so users won’t get errors when no release image is present.
.github/workflows/changeset-release.yml (1)

12-12: ⚡ Quick win

Centralize the version-bump PR title to avoid drift.

The literal "Zoo Code changeset version bump" is duplicated at lines 23 and 79 in job-level if: conditions in addition to env.VERSION_BUMP_PR_TITLE on line 12. GitHub Actions does not expose the workflow-level env context inside job-level if: expressions, so env.VERSION_BUMP_PR_TITLE cannot be reused there — but vars.* is available at job-level. Promoting this to a repo/org variable (e.g. vars.VERSION_BUMP_PR_TITLE) lets all three sites reference one source of truth and prevents the loop guard and validate-approve gate from silently desynchronizing from the title actually sent to changesets/action.

♻️ Proposed refactor
 env:
   REPO_PATH: ${{ github.repository }}
   GIT_REF: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || 'main' }}
-  VERSION_BUMP_PR_TITLE: Zoo Code changeset version bump
+  VERSION_BUMP_PR_TITLE: ${{ vars.VERSION_BUMP_PR_TITLE }}
     if: >
       ( github.event_name == 'pull_request' &&
       github.event.pull_request.merged == true &&
       github.event.pull_request.base.ref == 'main' &&
-      github.event.pull_request.title != 'Zoo Code changeset version bump' ) ||
+      github.event.pull_request.title != vars.VERSION_BUMP_PR_TITLE ) ||
       github.event_name == 'workflow_dispatch'
     if: >
         github.event_name == 'pull_request' &&
         github.event.pull_request.base.ref == 'main' &&
         github.event.pull_request.user.login == vars.RELEASE_BOT_LOGIN &&
-        github.event.pull_request.title == 'Zoo Code changeset version bump'
+        github.event.pull_request.title == vars.VERSION_BUMP_PR_TITLE
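
Review bot: Both `if:` expressions now compare the PR title against `vars.VERSION_BUMP_PR_TITLE` with no check that the variable is set. An unset configuration variable evaluates to an empty string, so `title != vars.VERSION_BUMP_PR_TITLE` in the first condition is true for every merged PR, the bot's bump PR included, which disables the loop guard, while `title == vars.VERSION_BUMP_PR_TITLE` in the second never matches and validation is skipped silently. Add an explicit `vars.VERSION_BUMP_PR_TITLE != ''` term, or a literal fallback such as `vars.VERSION_BUMP_PR_TITLE || 'Zoo Code changeset version bump'`, at all three sites.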

Then add VERSION_BUMP_PR_TITLE alongside RELEASE_APP_ID / RELEASE_BOT_LOGIN in the repo variables documented in the PR description.

Also applies to: 23-23, 79-79

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/changeset-release.yml at line 12, Replace the duplicated
literal PR title with a single repo-level variable and reference it via vars:
create a repository variable named VERSION_BUMP_PR_TITLE (value "Zoo Code
changeset version bump"), update the two job-level if: expressions that
currently contain the literal string to use vars.VERSION_BUMP_PR_TITLE, and
update the workflow-level env (the top-level VERSION_BUMP_PR_TITLE env) to
reference vars.VERSION_BUMP_PR_TITLE so all three sites (workflow env and both
job if expressions) come from the same repo variable.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/changeset-release.yml:
- Around line 116-119: The workflow step uses a non-existent pnpm filter
'@roo-code/build' which causes the build to be skipped; either replace
'@roo-code/build' with the correct workspace package name (e.g., the actual
package that needs building) or remove that filter line entirely so only 'pnpm
--filter `@roo-code/vscode-webview` build' runs; update the step where the filters
are declared to reference the correct package identifier(s) or drop the invalid
'@roo-code/build' entry so downstream vsix artifacts are built from the intended
package.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 6e951dac-426f-44e7-aa54-966a47f9fe3d

📥 Commits

Reviewing files that changed from the base of the PR and between 7535a56 and c0e6c4742dce39f64b52a90a0ceecf48f74e7f9b.

📒 Files selected for processing (2)
  • .github/workflows/changeset-release.yml
  • .roo/commands/release.md

Comment thread .github/workflows/changeset-release.yml
uses: actions/create-github-app-token@v3
with:
  app-id: ${{ vars.RELEASE_APP_ID }}
  private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}

@edelauna edelauna May 14, 2026


@edelauna edelauna force-pushed the chore/release-checklist-actions branch from c0e6c47 to 43065d0 Compare May 14, 2026 03:41
@edelauna

Contributor Author

Closing in favour of: #142

@edelauna edelauna closed this May 16, 2026
@edelauna edelauna deleted the chore/release-checklist-actions branch May 16, 2026 00:01