From 0bf868ed84408b41e8214e53f8f1bfb7b29b244c Mon Sep 17 00:00:00 2001 From: maryliag Date: Tue, 7 Jul 2026 13:25:48 -0400 Subject: [PATCH 1/4] internal release workflow --- .github/workflows/release.yml | 82 +++++++++++++++++++++++++++++++++++ 1 file changed, 82 insertions(+) create mode 100644 .github/workflows/release.yml diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000000..cba91ac9c1 --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,82 @@ +# Repo-internal: cuts a new release (annotated tag + GitHub Release with +# auto-generated notes) from main. Dispatch manually and pick the semver bump. +name: Release + +on: + workflow_dispatch: + inputs: + bump: + description: 'Which semver part to bump.' + required: true + default: patch + type: choice + options: + - patch + - minor + - major + +permissions: + contents: read + +concurrency: + group: release + cancel-in-progress: false + +jobs: + release: + name: Cut new release + runs-on: ubuntu-latest + permissions: + contents: write # to create the tag and the GitHub Release + steps: + - name: Enforce main branch + env: + REF: ${{ github.ref }} + run: | + if [[ "$REF" != "refs/heads/main" ]]; then + echo "::error::Release must be cut from main. Got: $REF" + exit 1 + fi + + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + fetch-tags: true + persist-credentials: false + + - name: Compute next version + id: compute + env: + BUMP: ${{ inputs.bump }} + run: | + set -euo pipefail + latest=$(git tag --list 'v[0-9]*.[0-9]*.[0-9]*' --sort=-v:refname | head -n 1) + if [[ -z "$latest" ]]; then + latest="v0.0.0" + fi + echo "Latest tag: $latest" + ver="${latest#v}" + IFS='.' read -r major minor patch <<< "$ver" + case "$BUMP" in + major) major=$((major + 1)); minor=0; patch=0 ;; + minor) minor=$((minor + 1)); patch=0 ;; + patch) patch=$((patch + 1)) ;; + *) echo "::error::unknown bump: $BUMP"; exit 1 ;; + esac + new="v${major}.${minor}.${patch}" + echo "New version: $new" + echo "new_version=$new" >> "$GITHUB_OUTPUT" + + - name: Create release + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_REPO: ${{ github.repository }} + NEW_VERSION: ${{ steps.compute.outputs.new_version }} + TARGET_SHA: ${{ github.sha }} + run: | + set -euo pipefail + gh release create "$NEW_VERSION" \ + --title "$NEW_VERSION" \ + --generate-notes \ + --latest \ + --target "$TARGET_SHA" + echo "Created release $NEW_VERSION at $TARGET_SHA" From 594eb0813c1969a0623786ee181e1de11f821705 Mon Sep 17 00:00:00 2001 From: maryliag Date: Tue, 7 Jul 2026 13:53:42 -0400 Subject: [PATCH 2/4] use annotate tag --- .github/workflows/release.yml | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index cba91ac9c1..fca6cf5183 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -41,7 +41,8 @@ jobs: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-tags: true - persist-credentials: false + # zizmor: ignore[artipacked] — we need the token persisted to push the annotated tag below. + persist-credentials: true - name: Compute next version id: compute @@ -66,6 +67,17 @@ jobs: echo "New version: $new" echo "new_version=$new" >> "$GITHUB_OUTPUT" + - name: Create annotated tag + env: + NEW_VERSION: ${{ steps.compute.outputs.new_version }} + TARGET_SHA: ${{ github.sha }} + run: | + set -euo pipefail + git config user.name "github-actions[bot]" + git config user.email "41898282+github-actions[bot]@users.noreply.github.com" + git tag -a "$NEW_VERSION" -m "Release $NEW_VERSION" "$TARGET_SHA" + git push origin "$NEW_VERSION" + - name: Create release env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -74,9 +86,13 @@ jobs: TARGET_SHA: ${{ github.sha }} run: | set -euo pipefail + # The annotated tag was pushed in the previous step; --verify-tag + # tells gh to attach the Release to it rather than creating a new + # (lightweight) tag. gh release create "$NEW_VERSION" \ --title "$NEW_VERSION" \ --generate-notes \ --latest \ + --verify-tag \ --target "$TARGET_SHA" echo "Created release $NEW_VERSION at $TARGET_SHA" From e93fa7ed09e89ce7a5973d52dafde3d9532634b0 Mon Sep 17 00:00:00 2001 From: maryliag Date: Tue, 7 Jul 2026 15:46:53 -0400 Subject: [PATCH 3/4] exclude bot from releases --- .github/release.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 .github/release.yml diff --git a/.github/release.yml b/.github/release.yml new file mode 100644 index 0000000000..21b4572834 --- /dev/null +++ b/.github/release.yml @@ -0,0 +1,12 @@ +# Configuration for auto-generated release notes. +# See: https://docs.github.com/en/repositories/releasing-projects-on-github/automatically-generated-release-notes#configuration-options +# +# This file is consumed by both the Releases UI and by `gh release create +# --generate-notes` (used by .github/workflows/release.yml). +changelog: + exclude: + authors: + - dependabot[bot] + - github-actions[bot] + - renovate[bot] + - renovate-sh-app[bot] From 3ca7b615d0d13545bd3b3ccd6746f9242cc12ade Mon Sep 17 00:00:00 2001 From: Marylia Gutierrez Date: Tue, 7 Jul 2026 20:36:43 -0400 Subject: [PATCH 4/4] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- .github/workflows/release.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index fca6cf5183..70a84b4a5c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -40,6 +40,7 @@ jobs: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: + fetch-depth: 0 fetch-tags: true # zizmor: ignore[artipacked] — we need the token persisted to push the annotated tag below. persist-credentials: true