chore: add triggers for external workflows

[collins-w]

Summary

Testing Process

Checklist

• Add a reference to related issues in the PR description.
• Add unit tests if applicable.

Note

If you are using Relayer in your stack, consider adding your team or organization to our list of Relayer Users in the Wild!

Summary by CodeRabbit

• Chores
  • Enhanced automated CI/CD pipeline with improved Docker image building and deployment configurations to ensure consistency and reliability across all release cycles.
  • Introduced cross-system deployment coordination mechanisms to streamline and optimize the application release workflow.
  • Strengthened build monitoring and notification capabilities for better operational visibility and faster issue detection during releases.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

• 🔍 Trigger a full review

Walkthrough

Two GitHub Actions workflows are introduced and enhanced to automate external workflow triggering with improved notifications. The new external.yml workflow dispatches the stg.yml workflow in an external repository, while release-docker.yml is expanded with Slack notifications, Docker metadata enhancements, and external workflow dispatch capabilities for testnet and mainnet environments.

Changes

Cohort / File(s)	Summary
New External Workflow Trigger ​.github/workflows/external.yml	Introduces new workflow that triggers on main branch pushes. Includes hardening, repository checkout, GitHub App token generation, and dispatch of external stg.yml workflow in OpenZeppelin/openzeppelin-relayer-infra repository.
Enhanced Release Workflow ​.github/workflows/release-docker.yml	Expands existing workflow with Slack notifications (start/end), enhanced Docker metadata with tags and labels, Docker Buildx setup, GitHub App token generation, and external workflow dispatch steps for testnet and mainnet workflows in OpenZeppelin repository.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• External workflow dispatch permissions and security: Verify proper GitHub App token scoping and workflow_id references in both external.yml and release-docker.yml
• Slack notification payloads: Ensure status details and formatting are correct for both success and failure states
• Docker metadata expansion: Review new tags/labels generation logic and platform configurations
• Cross-repository workflow triggering: Validate repository references and branch specifications for external workflows

Poem

🐰✨ Workflows now dance in harmony bright,
External dispatches take flight!
With tokens and Slack alerts aglow,
Docker builds and pipelines flow—
CI/CD magic, what a sight! 🚀

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description follows the required template structure but lacks substantive content in all sections: the Summary section is empty, Testing Process is not documented, and neither checklist item is addressed.	Add a descriptive summary of the workflow changes, document the testing process used, and address the checklist items, particularly linking any related issues.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely describes the main change: adding workflow triggers for external workflows, which directly corresponds to the changes in both modified GitHub Actions workflows.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch trigger-ext-wfs

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

.github/workflows/external.yml (1)

26-36: Consider adding error handling for workflow dispatch.

The workflow dispatch call lacks error handling. If the external workflow trigger fails, the job will succeed without indication of the failure.

Apply this diff to add error handling:

           script: |
-            await github.rest.actions.createWorkflowDispatch({
+            try {
+              await github.rest.actions.createWorkflowDispatch({
+                owner: 'OpenZeppelin',
+                repo: 'openzeppelin-relayer-infra',
+                workflow_id: 'stg.yml',
+                ref: 'main'
+              })
+              console.log('Successfully triggered stg.yml workflow')
+            } catch (error) {
+              core.setFailed(`Failed to trigger external workflow: ${error.message}`)
+            }

.github/workflows/release-docker.yml (1)

90-107: Add error handling for external workflow dispatches.

Both workflow dispatch calls lack error handling. If either dispatch fails, the job continues without indicating the failure, which could lead to incomplete deployments.

Apply this diff to add error handling:

           script: |
-            await github.rest.actions.createWorkflowDispatch({
-              owner: 'OpenZeppelin',
-              repo: 'openzeppelin-relayer-infra',
-              workflow_id: 'testnet.yml',
-              ref: 'main'
-            })
-
-            await github.rest.actions.createWorkflowDispatch({
-              owner: 'OpenZeppelin',
-              repo: 'openzeppelin-relayer-infra',
-              workflow_id: 'mainnet.yml',
-              ref: 'main'
-            })
+            const workflows = ['testnet.yml', 'mainnet.yml'];
+            const results = [];
+            
+            for (const workflow_id of workflows) {
+              try {
+                await github.rest.actions.createWorkflowDispatch({
+                  owner: 'OpenZeppelin',
+                  repo: 'openzeppelin-relayer-infra',
+                  workflow_id,
+                  ref: 'main'
+                })
+                console.log(`Successfully triggered ${workflow_id}`)
+                results.push({ workflow_id, success: true })
+              } catch (error) {
+                console.error(`Failed to trigger ${workflow_id}: ${error.message}`)
+                results.push({ workflow_id, success: false, error: error.message })
+              }
+            }
+            
+            const failures = results.filter(r => !r.success);
+            if (failures.length > 0) {
+              core.setFailed(`Failed to trigger ${failures.length} workflow(s): ${failures.map(f => f.workflow_id).join(', ')}`)
+            }

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 276ea86 and 9a89950.

📒 Files selected for processing (2)

• .github/workflows/external.yml (1 hunks)
• .github/workflows/release-docker.yml (7 hunks)

🧰 Additional context used

🪛 actionlint (1.7.9)

.github/workflows/external.yml

9-9: label "ubuntu:latest" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-11-arm", "ubuntu-slim", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-26-xlarge", "macos-26", "macos-15-intel", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

🪛 GitHub Check: CodeQL

.github/workflows/external.yml

[warning] 8-36: Workflow does not contain permissions
Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {{contents: read}}

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)

• GitHub Check: boostsecurity - boostsecurityio/semgrep-pro
• GitHub Check: Redirect rules - openzeppelin-relayer
• GitHub Check: Header rules - openzeppelin-relayer
• GitHub Check: Pages changed - openzeppelin-relayer
• GitHub Check: Analyze (rust)
• GitHub Check: semgrep/ci

🔇 Additional comments (3)

.github/workflows/external.yml (1)

1-5: LGTM: Workflow trigger configuration is correct.

The workflow appropriately triggers on pushes to the main branch.

.github/workflows/release-docker.yml (2)

83-89: LGTM: GitHub App token retrieval is properly implemented.

The use of a GitHub App for cross-repository workflow dispatch is a best practice, and the implementation correctly stores credentials in secrets.

---

136-139: LGTM: Enhanced summary output improves observability.

Adding image labels to the summary alongside tags provides better visibility into the build output.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Add explicit permissions block for security best practices.

The workflow lacks an explicit permissions block. Following the principle of least privilege, you should define the minimum required permissions.

Apply this diff to add permissions after the job name:

 jobs:
   build-push-image:
     name: Build and Push Docker Image
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: write
     steps:

🧰 Tools

🪛 actionlint (1.7.9)

9-9: label "ubuntu:latest" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-11-arm", "ubuntu-slim", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-26-xlarge", "macos-26", "macos-15-intel", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

🪛 GitHub Check: CodeQL

[warning] 8-36: Workflow does not contain permissions
Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {{contents: read}}

🤖 Prompt for AI Agents

In .github/workflows/external.yml around lines 8–36, the job is missing an
explicit permissions block; add a permissions section immediately after the job
name that grants only the minimum scopes required (for this workflow: actions:
write and contents: read) so the GitHub App token and the workflow dispatch call
work under least privilege.

[tirumerla]

Same here, lets narrow down the permissions

[coderabbitai]

@tirumerla, I agree. Here's the minimal permissions block needed for this workflow:

jobs:
  build-push-image:
    name: Build and Push Docker Image
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:

Explanation:

• contents: read - Required for the actions/checkout step to clone the repository
• actions: write is not needed because the external workflow dispatch is performed using the GitHub App token (via steps.gh-app-token.outputs.token), not the default GITHUB_TOKEN

This follows the principle of least privilege by granting only the minimum permission required for this workflow to function.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Fix the invalid runner label syntax.

The runner label ubuntu:latest is invalid. The correct syntax uses a hyphen, not a colon.

Apply this diff:

-        runs-on: ubuntu:latest
+        runs-on: ubuntu-latest

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	runs-on: ubuntu:latest
	runs-on: ubuntu-latest

🧰 Tools

🪛 actionlint (1.7.9)

9-9: label "ubuntu:latest" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-11-arm", "ubuntu-slim", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-26-xlarge", "macos-26", "macos-15-intel", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

🤖 Prompt for AI Agents

.github/workflows/external.yml around line 9: the runner label uses an invalid
colon form "ubuntu:latest"; update that line to use the correct GitHub Actions
runner label "ubuntu-latest" (replace the colon with a hyphen) so the workflow's
runs-on value is valid.

[tirumerla]

Typo here to fix

[coderabbitai]

@tirumerla, thank you for confirming! Please update the runner label from ubuntu:latest to ubuntu-latest to resolve this issue.

[tirumerla]

lgtm, added comments to change couple things

[tirumerla]

Same here, lets narrow down the permissions

[LuisUrrutia]

LGTM

[LuisUrrutia]

There might be formatting issues, not sure. Did u run the pre-commit hook?