ci(release): PR-merge-only releases + client-id auth#46
Per owner direction: release creation originates ONLY from a merge to main. Remove the manual workflow_dispatch trigger and the forced-increment / manual-major path from the release workflow; a breaking marker still stands the auto-release down, and the rare major is cut by a human engineer outside this repo's automation. audit_release_workflow now FORBIDS workflow_dispatch (it previously required it), with tests updated. Switch actions/create-github-app-token to client-id (RELEASE_APP_CLIENT_ID) to clear the app-id deprecation. Refresh the governance doc to the verified GitHub state: required status checks (Quality gates, Secret scanning, CodeQL, SonarCloud) and a v* tag ruleset are now enforced; only the Code Quality org preview remains. Scrub the predicted version number from continuity and record that continuous release is verified and PR-merge-only.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Code Coverage overview (Python / code-coverage/pytest): the overall coverage remains at 89%, unchanged from the branch.
Pull request overview
This PR updates the repository’s release governance to ensure releases can only be created automatically after a successful CI run on main (i.e., originating from merges to main), removes the manual workflow_dispatch release path, and switches GitHub App authentication from app-id to client-id (RELEASE_APP_CLIENT_ID) across code and documentation.
Changes:
- Enforce “no `workflow_dispatch`” in `audit_release_workflow`, and update the corresponding unit tests.
- Remove `workflow_dispatch` (and forced increment logic) from the Release workflow so release creation is strictly CI-on-`main` driven.
- Reconcile repository documentation and operational continuity notes to reflect the verified PR-merge-only continuous release model and the `client-id` secret naming.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| tools/repo_audit.py | Updates the audit rule to forbid workflow_dispatch for the release workflow. |
| tests/test_repo_audit.py | Updates test fixtures and assertions to match the new “dispatch forbidden” audit behavior. |
| README.md | Updates release documentation to reflect PR-merge-only releases and RELEASE_APP_CLIENT_ID. |
| docs/repository-governance.md | Updates governance checklist to match current enforced GitHub settings and release bot wiring. |
| docs/dev-tooling.md | Updates release tooling documentation to remove manual dispatch and reference client-id auth. |
| .github/workflows/release.yml | Removes manual dispatch trigger and forced increment path; switches token creation to client-id. |
| .agent/memory/operational/repo-continuity.md | Updates continuity notes to remove predicted versions and record PR-merge-only release verification. |



What & why
- Owner direction (point 7): release creation originates only from a merge to `main`.
- Removed the `workflow_dispatch` trigger and the forced-increment / manual-major path. A breaking marker still stands the auto-release down, and the `prevent-accidental-major` commit-msg hook still blocks markers; the rare major is cut by a human engineer outside this repo's automation.
- `audit_release_workflow` now forbids `workflow_dispatch` (it previously required it) — releases are structurally PR-merge-only. Tests updated.
- `client-id` (`RELEASE_APP_CLIENT_ID`) instead of the deprecated `app-id`.

Governance doc reconciled to verified state
Checked against the live API: required status checks (`Quality gates`, `Secret scanning`, `CodeQL`, `SonarCloud`) and a `v*` tag ruleset are now enforced; the only outstanding owner action is the GitHub Code Quality org preview. The release-bot secrets + bypass actor are in place.

Also
🤖 Generated with Claude Code
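The audit rule this PR describes (forbid `workflow_dispatch` on the release workflow, and mint the App token with `client-id`), written out as an added example. It is not the project's `tools/repo_audit.py`; it assumes the release workflow is wired from a branch-filtered trigger on `main`, takes the workflow as the mapping `yaml.safe_load()` returns (so it needs no PyYAML to run here), and every secret or input name other than `RELEASE_APP_CLIENT_ID` below is a placeholder. It also handles the trap practitioners hit when linting workflows: PyYAML reads the bare key `on` as the boolean `True`.

```python
"""Audit a GitHub Actions release workflow for PR-merge-only release wiring.

Added example, not the project's tools/repo_audit.py. The workflow is passed
as the mapping yaml.safe_load() returns for the file; in practice call
audit_release_workflow(yaml.safe_load(Path(".github/workflows/release.yml").read_text())).
"""
from __future__ import annotations

from typing import Any, Iterator

TOKEN_ACTION = "actions/create-github-app-token"


def _triggers(workflow: dict[Any, Any]) -> dict[str, Any]:
    """Normalise the `on:` block to {trigger_name: config}.

    Two traps: PyYAML follows YAML 1.1, so the bare key `on` is read as the
    boolean True rather than the string "on"; and `on` may be a string
    ("push"), a list (["push", "workflow_dispatch"]) or a mapping.
    """
    raw = workflow.get("on", workflow.get(True))
    if raw is None:
        return {}
    if isinstance(raw, str):
        return {raw: None}
    if isinstance(raw, list):
        return {str(name): None for name in raw}
    return {str(k): v for k, v in raw.items()}


def _branches(cfg: Any) -> list[str]:
    """Branch filter of one trigger; [] when absent or the config is not a mapping."""
    if not isinstance(cfg, dict):
        return []
    branches = cfg.get("branches", [])
    return [branches] if isinstance(branches, str) else [str(b) for b in branches]


def _steps(workflow: dict[Any, Any]) -> Iterator[dict[str, Any]]:
    """Yield every step mapping across all jobs."""
    for job in (workflow.get("jobs") or {}).values():
        for step in (job or {}).get("steps") or []:
            if isinstance(step, dict):
                yield step


def audit_release_workflow(workflow: dict[Any, Any]) -> list[str]:
    """Return findings for a release workflow; [] means it passes.

    Rules: no workflow_dispatch (no human-minted releases); every remaining
    trigger is filtered to exactly the main branch, so a release cannot fire
    from a feature branch; the GitHub App token step authenticates with
    client-id, not the deprecated app-id.
    """
    findings: list[str] = []

    for name, cfg in _triggers(workflow).items():
        if name == "workflow_dispatch":
            findings.append("release workflow must not declare workflow_dispatch")
            continue
        if _branches(cfg) != ["main"]:
            findings.append(f"trigger {name!r} must be filtered to branches: [main]")

    for step in _steps(workflow):
        if not str(step.get("uses", "")).startswith(TOKEN_ACTION):
            continue
        inputs = step.get("with") or {}
        if "app-id" in inputs:
            findings.append(f"{TOKEN_ACTION}: replace deprecated app-id with client-id")
        if "client-id" not in inputs:
            findings.append(f"{TOKEN_ACTION}: client-id input is missing")
    return findings


# Constructed fixtures in the shape yaml.safe_load() produces. The dispatch
# input name and the secret names other than RELEASE_APP_CLIENT_ID are
# placeholders, not the project's.
BEFORE = {
    True: {  # `on:` as PyYAML reads it
        "push": {"branches": ["main"]},
        "workflow_dispatch": {"inputs": {"force": {"type": "boolean"}}},
    },
    "jobs": {"release": {"steps": [{
        "uses": f"{TOKEN_ACTION}@v1",
        "with": {"app-id": "${{ secrets.APP_ID }}",
                 "private-key": "${{ secrets.RELEASE_APP_PRIVATE_KEY }}"},
    }]}},
}

AFTER = {
    True: {"push": {"branches": ["main"]}},
    "jobs": {"release": {"steps": [{
        "uses": f"{TOKEN_ACTION}@v1",
        "with": {"client-id": "${{ secrets.RELEASE_APP_CLIENT_ID }}",
                 "private-key": "${{ secrets.RELEASE_APP_PRIVATE_KEY }}"},
    }]}},
}

if __name__ == "__main__":
    for label, wf in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_release_workflow(wf) or "OK")
```

Run against `BEFORE` it reports the manual trigger plus the two token-input findings; `AFTER` passes clean. Wiring this into a unit test (as the PR does for the project's own rule) is the point: a later PR that re-adds `workflow_dispatch` to `release.yml` fails CI before a human can mint a release by hand.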