fix(workflows): publish-on-tag hardening + umbrella support #54
Open
jadb wants to merge 5 commits into
…s skip
parse.lookup: replace hard-fail on missing ecosystem entry with ::notice:: + empty outputs. Umbrella / meta-component tags (release-please . root, e.g. poly-cite, poly-uri) finish green with every downstream job skipped via the empty ecosystem output.
Downstream guards: publish-ts, publish-py, publish-rs, mirror, publish-php all gated on needs.parse.outputs.ecosystem != '' alongside their existing ecosystem-equality / mirror conditions.
publish-php: missing PACKAGIST_USERNAME or PACKAGIST_TOKEN now ::notice:: + exit 0 instead of ::error:: + exit 1. A php-tag pipeline still publishes the mirror; "no credentials" means "don't notify Packagist," not "fail the release." Hard-fail belongs in the preflight, not the publish path. (secrets.* cannot appear in job-level if: — the gate stays in the step body.)
Re-running release-please after sibling-PR conflicts force a rebase previously required a noop commit to main. workflow_dispatch lets the bot's standing PRs be rebuilt against current main on demand.
…s, dispatch trigger
SKILL.md additions:
- Umbrella / meta-component tags — explains the new graceful-skip
contract (release-please . root, e.g. poly-cite/v0.1.0 finishes
green with every publish job skipped via empty ecosystem output).
- Bootstrap-mirror gotcha — two safe shapes (empty repo OR pre-
populated via git subtree split at the tag's source commit);
recovery path on non-fast-forward; rationale for not defaulting
to force-push.
- Re-runs use the tag's workflow snapshot — re-stating + linking
the mental-model concept page. Two recovery paths: delete +
recreate tag, or cut a new patch tag.
Caller templates (SKILL.md TL;DR + references/quick-start.md):
- Add workflow_dispatch: {} to publish.yml example with caveat
comment about snapshot semantics so adopters know the
trade-off up front.
Find-your-intent table: three new rows for the above sections.
ADR 0001 — proposed design for resolving the manifest-conflict cascade under release-please-action separate-pull-requests mode. Four options considered: upstream native rebase (no flag exists today), local release-please-rebase.yml reusable, single-PR mode (regresses per-component review ergonomics), community auto-rebase actions (can't resolve manifest merge semantics). Decision: pursue upstream report AND local reusable in parallel; retire the reusable when upstream lands a native fix. Implementation out of scope — separate task. Pointer added under SKILL.md "See also".
…agist no-creds
common-pitfalls.md: new row for umbrella graceful-skip linking SKILL.md § Umbrella / meta-component tags; enrich existing snapshot-rerun row with SKILL.md § Re-runs and concepts/mental-model § Snapshot semantics cross-links.
php.md: new "Packagist credentials missing" section + table row documenting the publish-php clean-skip on absent PACKAGIST_USERNAME / PACKAGIST_TOKEN; cross-links the umbrella graceful-skip design.
Summary
Hardens publish-on-tag.yml for the failure modes seen during the first multi-component publish runs in hop-top/poly-cite and adds the docs / ADR coverage to keep follow-on adopters from re-hitting the same edges.
publish-on-tag.yml
- Umbrella / meta-component tags now skip cleanly. parse.lookup used to hard-fail with ::error::Unknown component when a tag's component prefix had no entry in the caller's ecosystems map. release-please umbrella bumps (the . root in a separate-PRs manifest, e.g. poly-cite/v0.1.0) hit this path by design and reddened otherwise-clean release runs. Replaced with a ::notice:: + empty outputs; every downstream job (publish-ts, publish-py, publish-rs, mirror, publish-php) now gates on needs.parse.outputs.ecosystem != '' so the workflow finishes green with all publish jobs marked skipped.
- publish-php no longer reds out when Packagist credentials aren't forwarded. PACKAGIST_USERNAME / PACKAGIST_TOKEN are already declared in the workflow_call secrets: block, but a caller that hadn't wired them got ::error::… must be provided exit 1. Switched to ::notice:: + exit 0 — "no credentials" means "don't notify Packagist," not "fail the release." Hard-fail belongs in the preflight, not the publish path. (secrets.* cannot appear in job-level if:, so the gate stays in the step body.)
release-please.yml
- workflow_dispatch: {} added so the bot's standing PRs can be rebuilt against current main on demand after sibling-PR conflicts force a rebase. Previously required a no-op commit to main.
Docs (SKILL.md, references/quick-start.md)
- Bootstrap-mirror gotcha (two safe shapes — empty mirror or pre-populated via git subtree split at the tag's source commit — plus recovery on non-fast-forward and rationale for not defaulting to --force-push), and Re-runs use the tag's workflow snapshot, not main (with the two recovery paths: delete + recreate tag, or cut a new patch tag).
- SKILL.md TL;DR + references/quick-start.md) now show workflow_dispatch: {} on the caller publish.yml, with a caveat comment about snapshot semantics so adopters know the trade-off up front.
docs/adr/0001-release-please-rebase-automation.md
- O(N²) manifest-conflict cascade under release-please-action separate-pull-requests: true. Four options considered (upstream native rebase — no flag exists today; local release-please-rebase.yml reusable; single-PR mode — regresses per-component review; community auto-rebase actions — can't resolve manifest semantics). Decision: file upstream AND scope the reusable in parallel; retire the reusable when upstream lands a fix. Implementation out of scope — separate task.
Test plan
- actionlint .github/workflows/*.yml passes locally.
- python3 -c "import yaml; yaml.safe_load(open('.github/workflows/publish-on-tag.yml'))" succeeds.
- <name>/v0.0.1 with no ecosystems entry) on a sandbox caller repo; expect the workflow to finish green with every publish job skipped.
- php tag from a caller that has NOT wired PACKAGIST_USERNAME / PACKAGIST_TOKEN; expect publish-php to finish with the ::notice:: and the run to be green overall.
- release-please.yml via gh workflow run release-please.yml --ref main and confirm the bot PRs are rebuilt.
- publish.yml example in references/quick-start.md is copy-paste-safe (no leftover comment-only lines, valid YAML).
Notes
- RELEASE_BOT_* secrets notify-vanity job) was already retired in commit e775e3b (docs(skill): vanity-URL resolver + retire #50's notify-vanity mechanism #52) when the notify-vanity job was removed; the secrets are no longer referenced anywhere in publish-on-tag.yml. Vanity-URL resolution now lives in the hop-top/hop.top Cloudflare Worker + homebrew-tap overrides per references/concepts/vanity-imports.md. That task was closed as N/A; no publish-on-tag.yml change shipped for it here.
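The two graceful-skip behaviours described in the PR summary above (an unmapped component in parse.lookup, and missing Packagist credentials in publish-php), sketched as an added shell example that is not code from this pull request. The function names, the one-pair-per-line `component=ecosystem` format for the ecosystems map and the `example-*` component names are assumptions; the `poly-cite/v0.1.0` tag, the `ecosystem` output and the secret names come from the text.

```shell
#!/bin/sh
# Added illustration, not the repository's workflow code.
# Assumption: the ecosystems map is "component=ecosystem", one pair per line.

# Constructed sample map; the component names are placeholders.
ECOSYSTEMS='example-ts=ts
example-php=php'

# lookup_ecosystem TAG MAP OUTFILE (hypothetical helper)
# Appends "ecosystem=<value>" to OUTFILE, a stand-in for $GITHUB_OUTPUT.
# An unmapped component yields a notice and an empty value, never a failure,
# so jobs gated on needs.parse.outputs.ecosystem != '' are skipped.
lookup_ecosystem() {
  component=${1%/v*}    # "<component>/v<version>" -> "<component>"
  ecosystem=$(printf '%s\n' "$2" |
    awk -F= -v c="$component" '$1 == c { print $2; exit }')
  if [ -z "$ecosystem" ]; then
    echo "::notice::No ecosystems entry for '$component'; publish jobs skip"
  fi
  printf 'ecosystem=%s\n' "$ecosystem" >> "$3"
}

# packagist_gate (hypothetical helper): returns 0 when both credentials are
# set, 1 (after a notice) when either is missing. The calling step turns the
# 1 into a clean "exit 0"; the check lives in the step body because
# secrets.* cannot appear in a job-level if:.
packagist_gate() {
  if [ -z "${PACKAGIST_USERNAME:-}" ] || [ -z "${PACKAGIST_TOKEN:-}" ]; then
    echo "::notice::Packagist credentials not provided; skipping notify"
    return 1
  fi
  return 0
}

# Demo: the umbrella tag from the PR text, then a constructed mapped tag.
demo_out=$(mktemp)
lookup_ecosystem "poly-cite/v0.1.0" "$ECOSYSTEMS" "$demo_out"
lookup_ecosystem "example-php/v1.4.2" "$ECOSYSTEMS" "$demo_out"
cat "$demo_out"
rm -f "$demo_out"
if packagist_gate; then echo "would notify Packagist"; fi
```
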