feat: add release announcement discussion to release-labeler #23

Merged
CybotTM merged 2 commits into main from feat/release-announcements
Feb 22, 2026
@CybotTM CybotTM commented Feb 22, 2026

Summary

  • Add announce-release job to release-labeler.yml.template that creates a GitHub Discussion in the Announcements category on each release publish
  • Category ID resolved dynamically via GraphQL query by name (portable across repos without hardcoded IDs)
  • Duplicate detection checks first 100 discussions by title before creating
  • Discussion body passed via file (-F body=@file) to avoid shell expansion issues with release notes
  • Top-level permissions reduced to contents: read only; each job declares its own permissions (discussions: write for announce-release, issues: write + pull-requests: write for label-release)
  • Uses step-security/harden-runner@v2.14.2 for egress auditing
  • Updated release-labeling.md reference docs with new "Release Announcements" section and setup instructions

Test plan

  • Verify YAML syntax is valid
  • Adopt template in a test repository with Discussions enabled and publish a release
  • Confirm discussion is created in Announcements category
  • Confirm duplicate detection skips on re-publish
  • Confirm graceful skip when Announcements category does not exist

Add announce-release job that creates a GitHub Discussion in the
Announcements category when a release is published. Category ID is
resolved dynamically via GraphQL (portable across repos), duplicates
are checked against the first 100 discussions, and the body is passed
via file to avoid shell expansion issues with release notes.

Top-level permissions reduced to contents:read only, with job-level
permissions for each job (discussions:write for announce-release,
issues:write + pull-requests:write for label-release).

Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
@gemini-code-assist

Summary of Changes

Hello @CybotTM, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the release-labeler workflow by introducing automated release announcements. It streamlines the communication process for new software versions by publishing them directly to GitHub Discussions, thereby increasing visibility and engagement with the community without requiring manual intervention.

Highlights

  • New Release Announcement Job: Added an announce-release job to the release-labeler.yml.template workflow to automate the creation of GitHub Discussions.
  • Automated Discussion Creation: Implemented automatic creation of GitHub Discussions in the 'Announcements' category upon each release publication.
  • Dynamic Category Resolution: Enabled dynamic resolution of the 'Announcements' category ID using GraphQL, ensuring the workflow is portable across repositories.
  • Duplicate Discussion Detection: Incorporated logic to check for existing discussions by release tag, preventing the creation of duplicate announcements.
  • Secure Discussion Body Handling: Ensured safe construction of discussion bodies by passing content via a temporary file, avoiding shell expansion issues with release notes.
  • Refined Workflow Permissions: Refactored workflow permissions to use minimal top-level contents: read and job-specific permissions (discussions: write for announcements, issues: write and pull-requests: write for labeling).
  • Security Hardening: Integrated step-security/harden-runner for enhanced security through egress auditing in the announcement job.
  • Updated Documentation: Updated the release-labeling.md documentation with a new 'Release Announcements' section and detailed setup instructions.

Changelog

  • skills/github-project/assets/release-labeler.yml.template
    • Introduced a new announce-release job responsible for creating GitHub Discussion announcements.
    • Updated workflow comments and usage instructions to reflect the new announcement feature and required permissions.
    • Adjusted top-level workflow permissions to contents: read and defined specific permissions for each job (discussions: write for announce-release, issues: write and pull-requests: write for label-release).
    • Added a step to dynamically resolve the 'Announcements' discussion category ID using a GraphQL query.
    • Implemented logic to check for existing discussions by release tag to prevent duplicates.
    • Ensured the discussion body is safely constructed and passed to the GraphQL mutation.
    • Integrated step-security/harden-runner for security hardening.
  • skills/github-project/references/release-labeling.md
    • Revised the workflow overview to include the new discussion announcement step.
    • Added a dedicated 'Release Announcements' section detailing its functionality, implementation, and setup requirements.
    • Updated the 'Ensure permissions' section to include the discussions: write permission.
    • Modified the setup instructions to guide users on enabling GitHub Discussions.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces a new feature to automatically create release announcement discussions in the repository's 'Announcements' category. However, a high-severity command injection vulnerability was identified in the label-release job due to unquoted shell variables in a gh api call, which could lead to arbitrary command execution from malicious tag names. This should be addressed by properly quoting the variables. Additionally, a few improvements have been suggested to ensure security consistency across jobs and enhance the robustness of the shell scripts.

- Use env vars instead of GitHub expressions in duplicate check query
- Add -- to grep to handle tags starting with hyphen
- Add harden-runner to label-release job for consistent security

Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
@CybotTM CybotTM merged commit 8ac095e into main Feb 22, 2026
6 checks passed
@CybotTM CybotTM deleted the feat/release-announcements branch February 22, 2026 12:38
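
The handling of untrusted release fields discussed in this thread (a duplicate check that survives a tag beginning with a hyphen, and release notes passed via file), as an added shell example that is not taken from the PR's template. The function names, the assumption that a discussion title equals the tag name, and all sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example; all values below are constructed.
# In the workflow, untrusted release fields would reach the script through the
# step's env: block (e.g. "$TAG"), never as ${{ ... }} pasted into script text.

# Return 0 if a discussion for this tag already exists.
# $1 = release tag (untrusted); stdin = existing titles, one per line.
# Assumption: the discussion title is exactly the tag name.
announcement_exists() {
    # -F fixed string (no regex), -x whole line (v1.0 must not match v1.0.0),
    # -- ends option parsing so a value like "-rc1" is not read as a grep flag.
    grep -qxF -- "$1"
}

# Write untrusted release notes to a temp file byte-for-byte and print its path.
# The path can then be given to gh as -F body=@"$path".
write_body_file() {
    body_file=$(mktemp) || return 1
    printf '%s\n' "$1" > "$body_file"
    printf '%s\n' "$body_file"
}

# Stand-alone demo with constructed input.
TITLES='v1.0.0
-rc1
v2.0.0'
for TAG in 'v1.0.0' '-rc1' 'v1.0' 'v1.0.[0-9]'; do
    if printf '%s\n' "$TITLES" | announcement_exists "$TAG"; then
        printf 'skip   %s (already announced)\n' "$TAG"
    else
        printf 'create %s\n' "$TAG"
    fi
done
```

Because the notes are written with a `%s` format and read back by the client from the file, backticks, `$(...)` and `$VAR` sequences in them stay literal text.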