ci: automate library release with Release and Promote workflows #77

Open
g-carre wants to merge 2 commits into main from feature/ARTESCA-17773-release-automation
g-carre commented Jul 1, 2026
Contributor

What

Adds two GitHub Actions workflows to automate the release flow for this Go library, adapting the pattern from scality/nodeip-discovery#2:

  • release.yaml — manual workflow_dispatch from main. Computes the next semver (alpha/beta/GA × patch/minor/major) off the last GA tag and pushes an annotated v* tag.
  • promote.yaml — triggers on a v* tag push and creates a GitHub Release with generated notes, marking prereleases when the tag contains a hyphen.

Flow: click Release → tag is created → Promote fires → GitHub Release published.

Why it differs from the reference

nodeip-discovery is a deployable service (builds a Docker image). raidmgmt is a pure library — no Dockerfile, no cmd/, consumed via go get ...@vX.Y.Z, so the git tag is the artifact. The reference build.yaml/post-merge.yaml and the promote build job are therefore omitted.

generate-sbom was intentionally left out: it targets a Docker image and uploads to Dependency Track, which is redundant for a library whose deps are already captured in the consuming component's SBOM.

Prerequisite

release.yaml uses vars.ACTIONS_APP_ID + secrets.ACTIONS_APP_PRIVATE_KEY (already configured in this repo — referenced by review.yml).

Issue: ARTESCA-17773

🤖 Generated with Claude Code

Automate the library release flow, adapting the pattern from
scality/nodeip-discovery#2 for a pure Go library (no container/binary
artifact):

- release.yaml: manual dispatch to compute the next semver
  (alpha/beta/GA x patch/minor/major) and push an annotated v* tag.
- promote.yaml: on a v* tag push, create a GitHub Release with
  generated notes, marking prereleases when the tag has a hyphen.

The reference build.yaml/post-merge.yaml and the promote build job are
omitted since a library ships as a git tag consumed via `go get`, not a
Docker image.

Issue: ARTESCA-17773
@g-carre g-carre requested a review from a team as a code owner July 1, 2026 16:36
Comment thread .github/workflows/release.yaml Outdated
claude Bot commented Jul 1, 2026
Contributor
  • release.yaml:49,57 — --sort=taggerdate should be --sort=version:refname to sort by semver instead of creation date; a hotfix tag for an older release created later would be incorrectly picked as the base version

    Review by Claude Code

Compute the base tag with `git tag --merged HEAD --sort=version:refname`
instead of `--sort=taggerdate`:

- version:refname orders by semantic version, so an older-line hotfix
  tagged after a newer release no longer becomes the base.
- --merged HEAD scopes selection to the current branch's history,
  making it correct for future per-minor release branches (e.g.
  releasing v1.0.x from dev/1.0 while v2.0.0 lives on main).

grep -v '-' is retained: version sort would otherwise rank a prerelease
above its GA.

Issue: ARTESCA-17773
# NOTE: when release branches are added, also relax the `main`-only guard
# above and constrain non-`main` branches to patch-scope releases.
run: |
last_ga_tag=$(git tag --merged HEAD --sort=version:refname --list "v*" | grep -v '\-' | tail -n 1)
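
Review bot: `--list "v*"` on the `last_ga_tag` line matches every tag whose name starts with `v`, not only version tags, so a hyphen-free non-version tag would pass the `grep -v '\-'` filter and could be the line `tail -n 1` returns. Consider narrowing the glob to `v[0-9]*`, or checking the selected value against a semver pattern before the bump is computed from it.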

grep -v '\-' returns exit code 1 when no lines match. With GitHub Actions' default set -e -o pipefail, this kills the pipeline before the fallback on line 58 (last_ga_tag="0.0.0") can fire. This breaks the first-ever release and any release when only pre-release tags exist.

Suggested change
last_ga_tag=$(git tag --merged HEAD --sort=version:refname --list "v*" | grep -v '\-' | tail -n 1)
last_ga_tag=$(git tag --merged HEAD --sort=version:refname --list "v*" | { grep -v '\-' || true; } | tail -n 1)

— Claude Code
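
The failure mode described in the comment above, reproduced as an added example (not code from the PR): each variant of the filter runs in a child `bash` with `set -eo pipefail`. The tag lists are constructed stand-ins for `git tag` output, and the `[ -n … ] ||` line is an assumed form of the workflow's `0.0.0` fallback, which the page does not show.

```shell
#!/usr/bin/env bash
# Added example. Tag lists are constructed and assumed already version-sorted.

ORIGINAL="grep -v '\-'"                  # filter stage as first written
SUGGESTED="{ grep -v '\-' || true; }"    # filter stage from the suggested change

PRERELEASE_ONLY=$(printf '%s\n' v0.1.0-alpha.1 v0.1.0-beta.1)
MIXED=$(printf '%s\n' v1.0.0 v1.1.0-alpha.1 v1.1.0)

# run_step FILTER TAGS
# Builds a small step script around FILTER, runs it in a strict child bash
# with TAGS as $1, and reports the child's exit status and the tag it chose.
run_step() {
  script=$(printf '%s\n' \
    'set -eo pipefail' \
    "last_ga_tag=\$(printf '%s' \"\$1\" | $1 | tail -n 1)" \
    '[ -n "$last_ga_tag" ] || last_ga_tag="0.0.0"   # assumed fallback form' \
    'echo "$last_ga_tag"')
  status=0
  # grep exits 1 when it selects no line; pipefail makes that the pipeline's
  # status, and errexit then stops the child before the fallback line runs.
  out=$(bash -c "$script" _ "$2") || status=$?
  echo "status=$status tag=${out:-none}"
}

echo "original,  prereleases only: $(run_step "$ORIGINAL"  "$PRERELEASE_ONLY")"
echo "suggested, prereleases only: $(run_step "$SUGGESTED" "$PRERELEASE_ONLY")"
echo "original,  no tags at all:   $(run_step "$ORIGINAL"  "")"
echo "suggested, GA tags present:  $(run_step "$SUGGESTED" "$MIXED")"
```

When at least one GA tag exists both variants behave the same, which is why the problem only shows up on a first release or a prerelease-only history.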

- "v*"

jobs:
create-release:

No permissions block is declared. If the repo (or org) restricts the default GITHUB_TOKEN to read-only (GitHub's recommended default), softprops/action-gh-release will fail with a 403 because it needs write access to create releases.

Suggested change
create-release:
permissions:
contents: write
runs-on: ubuntu-24.04

— Claude Code

claude Bot commented Jul 1, 2026
Contributor
  • release.yaml:57 — grep -v '\-' fails with exit 1 when no GA tags exist; pipefail kills the step before the 0.0.0 fallback fires, breaking the first release
  • promote.yaml:10 — missing permissions: contents: write; will 403 if the org restricts default GITHUB_TOKEN to read-only

    Review by Claude Code
