ci: harden release attach and skip release-PR builds by path #74

Merged: mledour merged 1 commit into main from ci/release-robustness, Jun 22, 2026


@mledour (Owner) commented Jun 22, 2026

Addresses the CI findings (1–3) from the latest code review.

1 · Release could ship notes-less (medium)

Dropping generate_release_notes left the attach step correct only when release-please had already created the Release. On a hand-pushed tag (the old docs literally said git tag … && git push) or a race, softprops/action-gh-release finds no Release and creates one whose body is only the static install block — no changelog, silently.

Fix: a guard step ensures the Release exists; if it's missing it's created with gh release create --generate-notes, so a Release is never notes-less.

2 · append_body not idempotent (medium)

One click of Re-run jobs on an already-green release re-appended the whole install block.

Fix: the block carries an HTML-comment marker (<!-- xrt:install-block -->); the guard step greps for it and the attach step is gated on its absence, so re-runs are no-ops. (A failed body check fails safe → append.) Note: a re-run of a fully-attached release therefore also skips asset re-upload — intended; delete the assets/marker to force a refresh.

3 · Brittle branch-name skip (low-med)

#73 skipped the build on !startsWith(github.head_ref, 'release-please--'). That couples to release-please's configurable branch name and would also skip a human PR branch named release-please--*.

Fix: the reviewer's contractual gate — paths-ignore on the pull_request trigger for version.txt / CHANGELOG.md / .release-please-manifest.json. Keys on the changed files, never skips a real code PR, and leaves push/tag events untouched (signed release build still runs on the tag).

Not changed

Findings 4–6 (overlay) ship separately; finding 6 (dead usedW arithmetic) and 7 (bit-exact golden) are declined with rationale in the chat triage.

🤖 Generated with Claude Code

Addresses three code-review findings on the release pipeline:

1. The attach step dropped generate_release_notes, so if no Release
   existed for the tag (a hand-pushed tag, or release-please racing behind
   this fast job) softprops would CREATE one whose body is only the static
   install block — no changelog, silently. Add a guard that creates the
   Release with GitHub auto-generated notes when it's missing, so a Release
   is never shipped notes-less.

2. append_body was not idempotent: re-running the release job ("Re-run
   jobs") re-appended the install block. Tag the block with an
   HTML-comment marker and skip the append when it's already present, so
   re-runs are no-ops. A failed body check fails safe to append.

3. Replace the `release-please--` branch-name `if` skip (brittle: couples
   to release-please's configurable branch naming, and a human branch
   named release-please--* would skip the build/snapshot gate) with a
   contractual paths-ignore on the pull_request trigger: skip PRs that
   touch only version.txt / CHANGELOG.md / the manifest. push and tag
   events carry no paths filter, so the signed release build still runs on
   the v*.*.* tag.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@mledour merged commit 9cdcb4f into main Jun 22, 2026
3 checks passed
@mledour deleted the ci/release-robustness branch June 22, 2026 12:22
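
The marker-gated append from finding 2, with its fail-safe, as an added example that is not the workflow code from this PR. Only the marker string comes from the PR description; the function names, the install-block text and the sample notes are constructed, and the Release-body fetch is passed in as a command so the sketch runs offline.

```shell
#!/bin/sh
# Added illustration; not the workflow code from this PR.
# Only the marker string below comes from the PR description.
MARKER='<!-- xrt:install-block -->'

# Constructed stand-in for the static install block (its real text is not shown).
install_block() {
  printf '%s\n## Install\n\nDownload the asset for your platform.\n' "$MARKER"
}

# decide_append FETCH_CMD [ARGS...]  (hypothetical helper)
# Runs FETCH_CMD to read the current Release body and prints "append" or "skip".
# A failed fetch prints "append": the body check fails safe.
decide_append() (
  if ! body="$("$@" 2>/dev/null)"; then
    echo append
    exit 0
  fi
  if printf '%s\n' "$body" | grep -qF -- "$MARKER"; then
    echo skip
  else
    echo append
  fi
)

# apply_block BODY  (hypothetical helper)
# Prints the body the Release should end up with after the attach step.
apply_block() (
  body="$1"
  if [ "$(decide_append printf '%s' "$body")" = skip ]; then
    printf '%s\n' "$body"
  else
    printf '%s\n\n%s\n' "$body" "$(install_block)"
  fi
)

# Constructed sample: a Release body holding only generated notes.
notes='## What changed
* fix: example entry'
first="$(apply_block "$notes")"    # first run appends the block
second="$(apply_block "$first")"   # simulated "Re-run jobs": body unchanged
[ "$first" = "$second" ] && echo "re-run is a no-op"
```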