29 changes: 26 additions & 3 deletions .github/workflows/release.yml
Expand Up @@ -394,8 +394,14 @@ jobs:
run: |
set -euo pipefail
TAG="${GITHUB_REF_NAME}"
# Recovery releases are always triggered by tag push — tag always exists.
# Skip freshness check for annotated tags containing 'recovery-release: true'.
# Tag-push events: GitHub already rejects pushes to existing tags (unless force-pushed,
# which branch protection blocks). The tag was just created — freshness is guaranteed.
if [ "${GITHUB_EVENT_NAME}" = "push" ]; then
echo "::notice::Tag ${TAG} was just pushed — skipping freshness check for tag-push event."
exit 0
fi
# For workflow_dispatch: guard against accidentally re-running for an existing tag.
# Recovery releases skip this check (they always retag).
if git cat-file -t "${TAG}" 2>/dev/null | grep -qx tag &&
git cat-file tag "${TAG}" 2>/dev/null | grep -Fxq "recovery-release: true"; then
echo "::notice::Tag ${TAG} is a recovery release — skipping freshness check."
Expand Down Expand Up @@ -957,7 +963,16 @@ jobs:
run: |
set -euo pipefail
VERSION=$(node -p "require('./package.json').version")
npx clawhub@latest publish skill/ --slug onestep-aegis --name "Aegis Bridge" --version "$VERSION" --changelog "Release v$VERSION - HTTP/MCP Claude Code orchestration"
set +e
OUTPUT=$(npx clawhub@latest publish skill/ --slug onestep-aegis --name "Aegis Bridge" --version "$VERSION" --changelog "Release v$VERSION - HTTP/MCP Claude Code orchestration" 2>&1)
STATUS=$?
set -e
echo "$OUTPUT"
if [ $STATUS -ne 0 ] && echo "$OUTPUT" | grep -qi "already exists"; then
echo "::notice::ClawHub version $VERSION already exists — skipping."
elif [ $STATUS -ne 0 ]; then
exit $STATUS
fi

# H1: SLSA build provenance attestation.
# Generates machine-readable provenance for every release artifact.
Expand All @@ -973,6 +988,14 @@ jobs:
attestations: write
steps:
- uses: actions/checkout@v6
- uses: actions/download-artifact@v8
with:
name: package
path: .
- uses: actions/download-artifact@v8
with:
name: helm-chart
path: deploy/helm/aegis
- name: Generate build provenance attestation
uses: actions/attest-build-provenance@v4
with:
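Review bot: In the first hunk, the new `push` early-exit skips the freshness check because its comment assumes branch protection blocks tag force-pushes, but branch protection rules match branches, not tags. Unless a tag ruleset (not visible on this page) forbids tag updates, a moved tag still fires a `push` event and re-runs the release for an existing version with different contents. The skip should be limited to a tag this push actually created: expose `EVENT_CREATED: ${{ github.event.created }}` in the step's `env` and test `[ "${GITHUB_EVENT_NAME}" = "push" ] && [ "${GITHUB_REF_TYPE}" = "tag" ] && [ "${EVENT_CREATED}" = "true" ]`, after confirming on a throwaway tag that `created` is false for a force-push. If the protection assumption is kept instead, the comment should name the ruleset that enforces it so the dependency is auditable. The step's script continues past the end of the hunk.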