
feat(release): automate OSS release pipeline with just release #757

Merged: wpfleger96 merged 8 commits into main from wpfleger/release-automation, May 27, 2026

@wpfleger96 wpfleger96 commented May 27, 2026

Adds a one-command release flow -- just release -- and wires up GitHub Actions to fully automate the build trigger, replacing the previous manual workflow_dispatch-only approach. Also unifies the OSS and internal version at v0.3.0 (above both v0.0.21 OSS and v0.2.38 internal).

The previous release process required manually navigating to GitHub Actions and filling in version/ref inputs every time. This follows the goose/goose-releases pattern: a local command creates the version-bump PR, merging it auto-tags, and the auto-tag workflow dispatches the release build via workflow_dispatch (since GITHUB_TOKEN push events don't trigger downstream workflows, but workflow_dispatch is explicitly exempted from this restriction).

  • adds get-current-version, get-next-minor-version, get-next-patch-version, bump-version, and release recipes to justfile; bump-version updates all 4 manifests (desktop/package.json, tauri.conf.json, Cargo.toml, mobile/pubspec.yaml) and regenerates all 3 lockfiles
  • adds .github/workflows/auto-tag-on-release-pr-merge.yml -- detects version-bump/* PR merges to main, pushes the vX.Y.Z tag, then dispatches release.yml via gh workflow run; tag creation is idempotent so retries work correctly if the dispatch step fails after the tag push succeeds
  • updates release.yml to trigger on push.tags in addition to workflow_dispatch; version is derived from the tag name when tag-triggered, from the input when manual; adds outputs.version on the release job so release-linux can consume it; all ${{ }} expressions in run: blocks routed through env: blocks; release notes extracted from CHANGELOG.md; build/sign/notarize logic is untouched
  • bumps all version files to 0.3.0 and regenerates lockfiles for the baseline alignment
  • rewrites RELEASING.md to document the new flow, including Buildkite pipeline details for internal releases with -block suffix explanation
  • adds RELEASING.md reference and sprout ecosystem overview to AGENTS.md

Companion PR: sprout-releases#14 -- adds -block version suffix to internal desktop builds and fixes the publish-updater pipeline dependency.

Comment thread .github/workflows/auto-tag-on-release-pr-merge.yml Fixed
Comment thread .github/workflows/release.yml Fixed
@wpfleger96 wpfleger96 force-pushed the wpfleger/release-automation branch from 6339a4f to ea71fd2 Compare May 27, 2026 19:57
@wpfleger96 wpfleger96 marked this pull request as ready for review May 27, 2026 21:35
@wpfleger96 wpfleger96 requested a review from a team as a code owner May 27, 2026 21:35
Version files drifted between OSS (v0.0.21) and internal (v0.2.38).
Unify at v0.3.0 and add a one-command release flow: `just release`
creates a version-bump PR; merging it auto-tags and triggers the
existing build/sign/publish pipeline via release.yml.

Adds bump-version recipe covering all 4 manifests + 3 lockfiles,
auto-tag workflow for version-bump/* PR merges, and tag-push trigger
to release.yml (preserving workflow_dispatch as manual fallback).
Move ${{ }} interpolations in workflow run blocks to env blocks to
prevent shell injection via GitHub context variables. Also fix the
Internal Releases section to reference the Buildkite pipeline (not
GitHub Actions) since sprout-releases uses Buildkite.
…se.yml

Pre-existing Semgrep alert #5 flags ${{ steps.version.outputs.version }}
in run blocks. Move all 4 occurrences (validate, patch, generate
latest.json, create release) to env blocks for consistency with the
earlier fix for github.event_name and inputs.version.
Fixes 12 issues surfaced by parallel Claude, Codex, and Gemini review:

- auto-tag workflow: add workflow_dispatch to trigger release.yml
  (GITHUB_TOKEN push events don't trigger downstream workflows, but
  workflow_dispatch is explicitly exempted from this restriction)
- auto-tag workflow: add semver validation and route env.version
  through env: block to prevent shell injection
- release-linux: move ${{ needs.release.outputs.version }} from run:
  blocks to env: blocks (2 steps)
- release notes: extract changelog section instead of bare version
- justfile: replace broken BSD sed 0-address with node -e for
  Cargo.toml version bump
- justfile: use cargo update -p instead of generate-lockfile to avoid
  upgrading all transitive deps
- justfile: widen bump-version regex to accept pre-release suffixes
- justfile: add git fetch + origin/main divergence check
- justfile: filter git describe to v[0-9]* tags only
- justfile: replace git add -A with explicit file list
- justfile: prepend changelog entries (newest first)
- RELEASING.md: expand internal releases with pipeline URL, field
  table, -block suffix note, and publish_latest explanation
@wpfleger96 wpfleger96 force-pushed the wpfleger/release-automation branch from fe5e419 to a7469ef Compare May 27, 2026 21:40
Point agents to RELEASING.md for release process context. Fix the
sprout-releases Buildkite pipeline URL from cash to runway org.
Maps the five repos (block/sprout, sprout-releases, sprout-oss,
block-coder-tf-stacks, sprout-backend-blox) with a table and flow
diagram so agents understand the broader system context.

@wesbillman wesbillman left a comment

🤖 I left one release-flow safety comment. The core concern is retry/idempotency around tag creation and workflow dispatch.

Comment thread .github/workflows/auto-tag-on-release-pr-merge.yml
wpfleger96 and others added 2 commits May 27, 2026 19:05
If tag push succeeds but the subsequent workflow dispatch fails or
times out, re-running the workflow would error on the existing tag
and never dispatch the release build. Now checks for an existing tag
first: skips creation if it matches the merge commit, fails loudly
if it points elsewhere.
@wpfleger96 wpfleger96 merged commit bcd903e into main May 27, 2026
16 checks passed
@wpfleger96 wpfleger96 deleted the wpfleger/release-automation branch May 27, 2026 23:25
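
The retry-safe tagging and version validation described in the commits above, sketched as an added example that is not the workflow script from this PR. The function names, the `VERSION`, `MERGE_SHA` and `REPO_DIR` variables, and the exact version pattern are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not the workflow's script). Tags are local here; a real job
# would also push the tag and then dispatch the release build.

# Accept X.Y.Z with an optional pre-release suffix, nothing else.
validate_version() {
  case "$1" in
    "" | *[!0-9A-Za-z.-]*) return 1 ;;  # rejects quotes, $, ;, spaces, newlines
  esac
  printf '%s\n' "$1" |
    grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.]+)?$'
}

# ensure_tag <repo> <version> <merge-sha>
# Prints "created" or "exists". Returns 1 for a bad version and 2 when the
# tag already exists but points at a different commit.
ensure_tag() {
  et_repo=$1 et_version=$2 et_sha=$3
  if ! validate_version "$et_version"; then
    echo "refusing non-semver version" >&2
    return 1
  fi
  et_tag="v$et_version"
  if et_have=$(git -C "$et_repo" rev-parse -q --verify \
      "refs/tags/$et_tag^{commit}" 2>/dev/null); then
    if [ "$et_have" = "$et_sha" ]; then
      echo "exists"   # retry after a failed dispatch: safe to continue
      return 0
    fi
    echo "$et_tag points at $et_have, expected $et_sha" >&2
    return 2
  fi
  git -C "$et_repo" tag "$et_tag" "$et_sha" && echo "created"
}

# Step entry point: inputs arrive as environment variables, the way an env:
# block delivers them, so their content is never parsed as script text.
if [ -n "${VERSION:-}" ] && [ -n "${MERGE_SHA:-}" ]; then
  ensure_tag "${REPO_DIR:-.}" "$VERSION" "$MERGE_SHA"
fi
```
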