chore: sync main→develop (release pipeline hardening)#3892
Conversation
…elease publish The check was always failing for push:tags triggers because GitHub guarantees a pushed tag is fresh (branch protection blocks force-push). Only run the freshness check for workflow_dispatch where someone could accidentally re-trigger an existing tag. Fixes #3538 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The job was looking for *.tgz and deploy/helm/aegis/*.tgz in the working directory but never downloaded them from previous jobs. Adds the two download-artifact steps so the glob finds the files. Fixes the last failing step in the v0.6.7 release CI run (25957844280). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Mirror the same already-exists pattern used by publish-npm: capture output, check for "already exists" error, emit a notice and exit 0 instead of 1. Removes the last remaining failure from the v0.6.7 clean release run. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
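The three commits above describe the fixes only in prose. The fragment below is an added illustration of how a release workflow can carry them, written for this review; it is not the project's `release.yml`. The job and step names (`check-tag-freshness`, `build`, `attest-build-provenance`, `publish-clawhub`), the artifact names (`npm-tarball`, `helm-chart`), the `tag` dispatch input, the secret name and the `clawhub publish` command line are all assumptions made for the example; the freshness criterion (the tag must resolve to the commit being built) is likewise an assumed reading of "fresh".

```yaml
# Added example, not the project's own workflow. Names and commands marked
# "assumed" are placeholders chosen for illustration.
name: release

on:
  push:
    tags: ['v*']
  workflow_dispatch:
    inputs:
      tag:                       # assumed input name
        description: 'Tag to release'
        required: true

permissions:
  contents: read

jobs:
  check-tag-freshness:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      # Fix 1: a pushed tag is fresh by construction (branch protection blocks
      # force-push), so only a manual dispatch can point at a stale tag. The
      # condition is on the step, not the job: a skipped *job* would also skip
      # every job that `needs` it, which is not what we want on tag pushes.
      - name: Refuse to re-release a tag that is not at HEAD
        if: github.event_name == 'workflow_dispatch'
        env:
          TAG: ${{ github.event.inputs.tag }}
        run: |
          git fetch --tags origin
          # Assumed freshness criterion: the tag must exist and resolve to the
          # commit this run is actually building.
          tag_sha=$(git rev-parse --verify "refs/tags/${TAG}^{commit}") || {
            echo "::error::tag ${TAG} does not exist"; exit 1; }
          head_sha=$(git rev-parse HEAD)
          if [ "$tag_sha" != "$head_sha" ]; then
            echo "::error::tag ${TAG} (${tag_sha}) is not at HEAD (${head_sha})"
            exit 1
          fi

  build:
    needs: [check-tag-freshness]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm pack                                   # assumed: produces *.tgz
      - run: helm package deploy/helm/aegis -d deploy/helm/aegis  # assumed chart path
      - uses: actions/upload-artifact@v4
        with:
          name: npm-tarball                             # assumed artifact name
          path: '*.tgz'
      - uses: actions/upload-artifact@v4
        with:
          name: helm-chart                              # assumed artifact name
          path: deploy/helm/aegis/*.tgz

  attest-build-provenance:
    needs: [build]
    runs-on: ubuntu-latest
    permissions:
      id-token: write        # OIDC identity used to sign the provenance
      attestations: write    # store the attestation alongside the repository
      contents: read
    steps:
      # Fix 2: artifacts from earlier jobs live in the artifact store, not in
      # this job's workspace. Without these downloads the subject globs below
      # match nothing, which is exactly the failure the second commit fixed.
      - uses: actions/download-artifact@v4
        with:
          name: npm-tarball
      - uses: actions/download-artifact@v4
        with:
          name: helm-chart
          path: deploy/helm/aegis
      - name: Fail loudly if the subject globs are empty
        run: ls -l ./*.tgz deploy/helm/aegis/*.tgz
      - uses: actions/attest-build-provenance@v2
        with:
          subject-path: |
            *.tgz
            deploy/helm/aegis/*.tgz

  publish-clawhub:
    needs: [attest-build-provenance]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: npm-tarball
      # Fix 3: mirror publish-npm. A re-run of an already-completed release
      # must be a no-op with a notice, not a red build; any other error still
      # fails the job.
      - name: Publish to ClawHub (idempotent)
        env:
          CLAWHUB_TOKEN: ${{ secrets.CLAWHUB_TOKEN }}   # assumed secret name
        run: |
          if out=$(clawhub publish ./*.tgz 2>&1); then  # assumed CLI
            printf '%s\n' "$out"
          elif printf '%s' "$out" | grep -qi 'already exists'; then
            echo "::notice::ClawHub version already exists; skipping publish"
          else
            printf '%s\n' "$out" >&2
            exit 1
          fi
```

Two points worth checking when adapting this: the `ls` step before attestation makes an empty subject set a hard failure instead of a silently useless attestation, and matching the publish error on the string "already exists" is only as stable as the registry's error text, so a pre-publish query for the version, where the registry offers one, is the more robust guard.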
❌ Changes Requested — PR Hygiene Gate Failed
Title/Body Mismatch
The PR title and body describe a completely different change from what the diff contains:
Title says: perf(sessions): fire-and-forget ACP prompt delivery (#3890)
Body describes: Changes to src/routes/sessions.ts, src/session.ts, and a test file — ACP async prompt delivery.
Actual diff: Only .github/workflows/release.yml — three CI fixes:
- fix(ci): skip check-tag-freshness for tag-push events
- fix(ci): download artifacts before attest-build-provenance
- fix(ci): skip ClawHub publish gracefully when version already exists
What needs to change
- Title → should reflect the actual CI fixes, e.g.: fix(ci): backport release pipeline fixes from v0.6.7 to develop
- Body → should describe the 3 actual commit changes, not session/ACP changes
- Issue reference → verify #3890 is the correct issue (or remove if these CI fixes have separate issues)
Gate Status
- ✅ CI green
- ✅ Targets develop
- ✅ No secrets
- ❌ PR hygiene — title/body do not match diff
The code changes themselves look correct (clean CI hardening from the v0.6.7 release run). Just need the metadata fixed.
🔄 Changes Requested — PR/Title Mismatch
❌ Title and body describe a prompt delivery fix, but the diff only contains release.yml changes
PR title: `perf(sessions): fire-and-forget ACP prompt delivery (#3890)`
PR description: Describes fire-and-forget `sendPrompt()` fix, `promptDelivery.status: "pending"`, etc.
Actual diff: Only `release.yml` changes (tag freshness check, ClawHub publish guard, SLSA artifact downloads).
There is no session code in this PR. The prompt delivery fix described in the title and body is missing from the diff.
Possible causes:
- The code changes were already merged separately to `develop` — in that case, update the PR title and body to match the actual diff (release pipeline improvements)
- The code changes were lost during a rebase/force-push — in that case, restore them
CI notes:
- Main CI (ubuntu test, lint, helm-smoke, sdk-drift) all pass ✅
- `test-matrix` failures on macOS/Windows are pre-existing platform issues, not from this PR
- GitGuardian, Trivy, CodeQL all clean ✅
Also:
- `head: main` — branch name is `main`. Targeting `develop` is correct, but the branch name is misleading. Consider renaming.
— aegis-gh-agent[bot] 👁️
❌ Changes Requested — Title/Body Mismatch
The PR title and body describe perf(sessions): fire-and-forget ACP prompt delivery with changes to src/routes/sessions.ts, src/session.ts, and test files — but none of those files appear in the diff.
What the diff actually contains:
Only .github/workflows/release.yml changes:
- Tag freshness check: skip for tag-push events (reasonable)
- ClawHub publish: idempotent "already exists" handling (reasonable)
- Attestation: download artifacts before provenance generation (reasonable)
What needs to happen:
Either:
- A) Update the title and body to match the actual changes (release workflow improvements), OR
- B) If the intent was to merge the ACP fire-and-forget changes, rebase/push the correct branch
Additional concern:
- Head branch is main→develop. If this is a main→develop sync PR, the title should reflect that explicitly (e.g., chore: sync main→develop (release workflow fixes)).
The actual release.yml changes look correct, but the audit trail must be accurate.
✅ Approved — All Gates Pass
Previous CHANGES_REQUESTED was for title/body mismatch, now resolved.
Diff Review (3 CI fixes to release.yml)
- Tag freshness skip for push events — Correct. Tag-push guarantees freshness; only workflow_dispatch needs the check.
- ClawHub publish idempotent guard — Correct. Graceful "already exists" handling matches publish-npm pattern.
- Download artifacts before SLSA provenance — Correct. Provenance step needs artifacts present.
Gate Status
- ✅ CI green (pre-existing platform test-matrix failures unrelated)
- ✅ Targets develop
- ✅ Mergeable, no conflicts
- ✅ No secrets (GitGuardian, Trivy, CodeQL clean)
- ✅ CI-only, no source code changes, no regression risk
- ✅ Title/body match diff
Squash-merging to develop.
— aegis-gh-agent[bot] 👁️
Sync main → develop
Backport of release workflow fixes from the v0.6.7 release run.
Changes
Verification