ci: clean up all dev releases and tags on stable release#737
Conversation
Dependency Review: ✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found. Scanned files: none.
Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request enhances the continuous integration pipeline by implementing an automated cleanup mechanism for development releases. Upon the successful publication of a stable release, all associated development pre-releases and their corresponding tags are now automatically removed. This change aims to maintain a cleaner release history and reduce clutter from outdated development artifacts, ensuring a more streamlined and organized release management process.
Caution: Review failed. Pull request was closed or merged during review. No actionable comments were generated in the recent review. 🎉
Code Review
This pull request aims to add a cleanup step for development releases and document this change. However, the provided patch only contains the documentation update in CLAUDE.md. The implementation in finalize-release.yml, as described in the pull request summary, is missing. Please add the workflow changes to the pull request so a complete review can be performed. Without the implementation, it's impossible to verify if the documentation change is accurate.
| - **`Release-As` trailer**: add `Release-As: 0.4.0` as the **final paragraph** of the PR body (separated by blank line). Mid-body placement is silently ignored. | ||
| - **Release flow**: merge release PR -> draft Release + tag -> Docker + CLI workflows attach assets -> finalize-release publishes | ||
| - **Dev channel**: every push to `main` (except Release Please bumps) creates a dev pre-release (e.g. `v0.4.7-dev.3`) via `dev-release.yml`. Users opt in with `synthorg config set channel dev`. Dev releases flow through the same Docker + CLI pipelines as stable releases. | ||
| - **Dev channel**: every push to `main` (except Release Please bumps) creates a dev pre-release (e.g. `v0.4.7-dev.3`) via `dev-release.yml`. Users opt in with `synthorg config set channel dev`. Dev releases flow through the same Docker + CLI pipelines as stable releases. All dev releases and tags are deleted when a stable release is published. |
The statement 'All dev releases and tags are deleted when a stable release is published' appears to conflict with the information on line 245 which says 'Old dev pre-releases auto-cleaned (keeps 5 most recent)'. Please clarify the documentation to resolve this ambiguity and explain how these two cleanup mechanisms interact.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/finalize-release.yml:
- Line 292: The cleanup command currently swallows all errors with "|| true" on
the gh release delete invocation (gh release delete "$dev_tag"), which hides
auth/rate-limit/API failures; replace the blanket suppression with logic that
runs gh release delete and only ignores the specific "not found" exit condition
while allowing any other non-zero exit to fail the job. Update the steps that
use gh release delete "$dev_tag" (and the similar invocation later) to capture
the command exit code and stderr, check for a "release not found" / "Not Found"
/ "already deleted" message or a 404-like condition, and only treat that case as
OK—otherwise rethrow or exit non-zero so auth/rate-limit/API errors surface and
the orphan-tag cleanup cannot proceed if the release delete failed.
Files selected for processing (2): .github/workflows/finalize-release.yml, CLAUDE.md
| --jq '.[] | select(.tag_name | test("^v[0-9]+\\.[0-9]+\\.[0-9]+-dev\\.[0-9]+$")) | .tag_name' \ | ||
| | while read -r dev_tag; do | ||
| echo "Deleting dev release + tag: $dev_tag" | ||
| gh release delete "$dev_tag" --repo "$GITHUB_REPOSITORY" --yes --cleanup-tag 2>/dev/null || true |
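Review bot: `2>/dev/null || true` on the `gh release delete` line discards both the exit status and the stderr text, so an expired token, a rate limit or a 5xx from the API looks identical to the benign case where a concurrent run already removed the release, and the step stays green with stale dev releases (and their tags) still present. Capture stderr and tolerate only the "not found" case, for example `if ! err=$(gh release delete "$dev_tag" --repo "$GITHUB_REPOSITORY" --yes --cleanup-tag 2>&1); then case "$err" in *"not found"*|*"HTTP 404"*) ;; *) echo "$err" >&2; exit 1;; esac; fi`. Keep in mind that the loop body runs in the subshell created by `| while read -r dev_tag; do`, and the step's status is that subshell's exit status: a failure inside one iteration only fails the step if it terminates the loop non-zero (the `exit 1` above, or a flag checked after `done`), otherwise it is silently absorbed even without `|| true`.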
Don’t treat cleanup deletes as best-effort.
|| true on Line 292 and Line 301 hides auth, rate-limit, and API failures, so this job can go green with stale dev artifacts still present. It also lets the orphan-tag pass delete the tag after a release-delete failure, leaving an orphan release object behind. Suppress only the expected “already gone” race and fail on anything else.
Also applies to: 301-301
Actionable comments posted: 2
♻️ Duplicate comments (1)
.github/workflows/finalize-release.yml (1)
292-292: ⚠️ Potential issue | 🟠 Major

Stop swallowing delete failures.

Blanket `|| true` still turns auth/rate-limit/API failures into a green cleanup and can delete the orphan tag after the release delete failed. Only ignore the expected 404/already-gone race and let any other non-zero exit fail the job.

Also applies to: 301-301
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/finalize-release.yml at line 292, The cleanup step currently swallows all failures by appending "|| true" to the gh release delete command; replace this with logic that runs gh release delete "$dev_tag" --repo "$GITHUB_REPOSITORY" --yes --cleanup-tag, captures its exit code and stderr, and only ignore (return success) when the failure is the expected 404/“not found” race (stderr contains "Not Found" / "404" / "release not found"); for any other non-zero exit code re‑exit with that code so the job fails. Apply the same change to the other identical gh release delete "$dev_tag" invocation as well.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/finalize-release.yml:
- Around line 258-268: The cleanup gate only checks
steps.publish.outputs.published which is only set on the fresh-publish path,
preventing reruns; update the publish logic so the publish step emits the same
output (echo "published=true" >> "$GITHUB_OUTPUT") also on the "already
published" path for stable releases (the branch where you detect an existing
non-draft release), ensuring the job named "Clean up dev pre-releases and tags"
can rerun; keep the runtime safety check (isDraft == false) in place so emitting
the gate doesn't enable unsafe cleanup for drafts.
- Around line 285-289: The current gh api call that deletes dev releases uses a
repo-wide jq test("^v[0-9]+\\.[0-9]+\\.[0-9]+-dev\\.[0-9]+$") and therefore
deletes any matching dev tag; change the cleanup to only target dev artifacts
that are older than the stable release they belong to (or not descendants of the
stable tag). Concretely, modify the gh api/jq step (the line with --jq '.[] |
select(.tag_name | test("^v[0-9]+\\.[0-9]+\\.[0-9]+-dev\\.[0-9]+$")) |
.tag_name') so it first finds the stable tag for the current release (or fetches
stable release.created_at), then filter dev releases by comparing .created_at
(or by checking commit ancestry of .target_commitish against the stable tag) and
only select those dev releases older/not descendant of the stable release; apply
the same change to the analogous block referenced at 295-298.
🧠 Learnings (20)
📓 Common learnings
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-15T21:32:02.880Z
Learning: Applies to .github/workflows/finalize-release.yml : Finalize Release workflow: publishes draft releases created by Release Please. Triggers on workflow_run completion of Docker and CLI workflows. Verifies both workflows succeeded for the associated tag before publishing. Extracts CLI checksums, cosign verification, and container verification data from HTML comments, assembles into combined Verification section. Guards against PR-triggered runs. Handles TOCTOU races. Immutable releases enabled—once published, release assets and body cannot be modified.
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-15T21:32:02.880Z
Learning: Applies to .github/workflows/cli.yml : CLI workflow: Go lint (golangci-lint + go vet) + test (-race -coverprofile) + build (cross-compile: linux/darwin/windows × amd64/arm64) + govulncheck + fuzz testing (main-only, 30s/target, continue-on-error, matrix over 4 packages). cli-pass gate includes fuzz as informational. GoReleaser release on v* tags. Cosign keyless signing of checksums.txt. SLSA L3 provenance attestations. Sigstore bundle (.sigstore.json) attached. Post-release appends checksums/verification/provenance to draft release notes.
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-15T21:32:02.880Z
Learning: Applies to .github/workflows/*.yml : Dependabot: daily updates for uv + github-actions + npm + pre-commit + docker + gomod, grouped minor/patch, no auto-merge. Use `/review-dep-pr` to review Dependabot PRs before merging.
📚 Learning: 2026-03-22T14:41:20.060Z
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-22T14:41:20.060Z
Learning: Applies to .github/CHANGELOG.md : Changelog auto-generated in `.github/CHANGELOG.md` (do not edit manually)
Applied to files:
CLAUDE.md
📚 Learning: 2026-03-22T14:41:20.060Z
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-22T14:41:20.060Z
Learning: Use `Release-As: <version>` trailer as the final paragraph of PR body (separated by blank line) to override Release Please version bumping
Applied to files:
CLAUDE.md
📚 Learning: 2026-03-22T14:41:20.060Z
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-22T14:41:20.060Z
Learning: Applies to .github/.release-please-{config,manifest}.json : Release Please config in `.github/release-please-config.json`, `.github/.release-please-manifest.json` (do not edit manually)
Applied to files:
CLAUDE.md.github/workflows/finalize-release.yml
📚 Learning: 2026-03-22T14:41:20.060Z
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-22T14:41:20.060Z
Learning: Applies to pyproject.toml|src/synthorg/__init__.py : Version locations: `pyproject.toml` (`[tool.commitizen].version`), `src/synthorg/__init__.py` (`__version__`)
Applied to files:
CLAUDE.md
📚 Learning: 2026-03-22T14:41:20.060Z
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-22T14:41:20.060Z
Learning: Docker image tags: version from `pyproject.toml`, semver, SHA, plus dev tags (`v0.4.7-dev.3`, `dev` rolling) for dev channel builds
Applied to files:
CLAUDE.md
📚 Learning: 2026-03-15T12:00:18.113Z
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-15T12:00:18.113Z
Learning: Commits: <type>: <description> — types: feat, fix, refactor, docs, test, chore, perf, ci. Enforced by commitizen (commit-msg hook). Signed commits: required on main via branch protection — all commits must be GPG/SSH signed.
Applied to files:
CLAUDE.md
📚 Learning: 2026-03-15T21:32:02.880Z
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-15T21:32:02.880Z
Learning: Applies to .github/workflows/finalize-release.yml : Finalize Release workflow: publishes draft releases created by Release Please. Triggers on workflow_run completion of Docker and CLI workflows. Verifies both workflows succeeded for the associated tag before publishing. Extracts CLI checksums, cosign verification, and container verification data from HTML comments, assembles into combined Verification section. Guards against PR-triggered runs. Handles TOCTOU races. Immutable releases enabled—once published, release assets and body cannot be modified.
Applied to files:
CLAUDE.md.github/workflows/finalize-release.yml
📚 Learning: 2026-03-22T14:41:20.060Z
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-22T14:41:20.060Z
Learning: Use squash merge strategy for PRs -- PR body becomes the squash commit message on main; preserve trailers (e.g., `Release-As`, `Closes `#N``)
Applied to files:
CLAUDE.md
📚 Learning: 2026-03-19T11:19:40.044Z
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-19T11:19:40.044Z
Learning: CLI workflow (`.github/workflows/cli.yml`) runs Go lint (golangci-lint + go vet) + test (race, coverage) + build (cross-compile matrix) + vulnerability check (govulncheck) + fuzz testing. Cross-compiles for linux/darwin/windows × amd64/arm64. GoReleaser release on v* tags with cosign keyless signing and SLSA L3 attestations.
Applied to files:
CLAUDE.md.github/workflows/finalize-release.yml
📚 Learning: 2026-03-19T07:12:14.508Z
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-19T07:12:14.508Z
Learning: Applies to src/synthorg/**/*.py : Package structure: src/synthorg/ organized as: api/ (REST+WebSocket, Litestar), auth/ (auth subpackage), backup/ (scheduled/manual backups), budget/ (cost tracking, CFO), cli/ (superseded by Go CLI), communication/ (message bus, meetings), config/ (YAML loading), core/ (domain models, resilience config), engine/ (orchestration, task state, coordination, approval gates, stagnation detection, context budget, compaction), hr/ (hiring, performance, promotion), memory/ (pluggable backend, Mem0, retrieval, consolidation), persistence/ (operational data, SQLite, settings), observability/ (logging, correlation, sinks), providers/ (LLM abstraction, LiteLLM, auth types, presets, runtime CRUD), settings/ (runtime-editable, typed definitions, encryption, config bridge), security/ (SecOps, rule engine, output scanning, progressive trust, autonomy levels), templates/ (company templates, personalities), tools/ (registry, built-in tools, git, sandbox, code_runner, MCP...
Applied to files:
CLAUDE.md
📚 Learning: 2026-03-15T21:32:02.880Z
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-15T21:32:02.880Z
Learning: Applies to .github/workflows/*.yml : Dependabot: daily updates for uv + github-actions + npm + pre-commit + docker + gomod, grouped minor/patch, no auto-merge. Use `/review-dep-pr` to review Dependabot PRs before merging.
Applied to files:
CLAUDE.md.github/workflows/finalize-release.yml
📚 Learning: 2026-03-15T21:32:02.880Z
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-15T21:32:02.880Z
Learning: Applies to .github/workflows/cli.yml : CLI workflow: Go lint (golangci-lint + go vet) + test (-race -coverprofile) + build (cross-compile: linux/darwin/windows × amd64/arm64) + govulncheck + fuzz testing (main-only, 30s/target, continue-on-error, matrix over 4 packages). cli-pass gate includes fuzz as informational. GoReleaser release on v* tags. Cosign keyless signing of checksums.txt. SLSA L3 provenance attestations. Sigstore bundle (.sigstore.json) attached. Post-release appends checksums/verification/provenance to draft release notes.
Applied to files:
CLAUDE.md.github/workflows/finalize-release.yml
📚 Learning: 2026-03-15T21:32:02.880Z
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-15T21:32:02.880Z
Learning: Applies to .github/workflows/docker.yml : Docker workflow: builds backend + web + sandbox images, pushes to GHCR, signs with cosign. SLSA L3 provenance attestations via actions/attest-build-provenance. Scans: Trivy (CRITICAL = hard fail, HIGH = warn) + Grype (critical cutoff) + CIS Docker Benchmark v1.6.0 compliance (informational). CVE triage via .github/.trivyignore.yaml and .github/.grype.yaml. Images only pushed after scans pass. Triggers on push to main and version tags (v*).
Applied to files:
CLAUDE.md.github/workflows/finalize-release.yml
📚 Learning: 2026-03-22T14:41:20.060Z
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-22T14:41:20.060Z
Learning: Pre-commit hooks: trailing-whitespace, end-of-file-fixer, check-yaml, check-toml, check-json, check-merge-conflict, check-added-large-files, no-commit-to-branch (main), ruff check+format, gitleaks, hadolint (Dockerfile linting)
Applied to files:
CLAUDE.md
📚 Learning: 2026-03-22T14:41:20.060Z
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-22T14:41:20.060Z
Learning: Use `/review-dep-pr` before merging Dependabot PRs
Applied to files:
CLAUDE.md
📚 Learning: 2026-03-15T21:49:53.264Z
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-15T21:49:53.264Z
Learning: Fix everything valid — never skip when review agents find valid issues (including pre-existing issues in surrounding code, suggestions, and findings adjacent to the PR's changes). No deferring, no 'out of scope' skipping.
Applied to files:
.github/workflows/finalize-release.yml
| # 1. Delete all dev releases (draft, pre-release, or published) + their tags. | ||
| # Use the API directly to ensure drafts are included. | ||
| # Strict regex: only match vX.Y.Z-dev.N (never stable tags). | ||
| gh api "repos/$GITHUB_REPOSITORY/releases" --paginate \ | ||
| --jq '.[] | select(.tag_name | test("^v[0-9]+\\.[0-9]+\\.[0-9]+-dev\\.[0-9]+$")) | .tag_name' \ |
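Review bot: the comment at the top of this hunk says drafts are included and that their tags are deleted too, but a draft release has no git tag until it is published, so whatever consumes the selected `tag_name` values must tolerate a missing ref (or skip tag deletion for drafts) rather than treating it as a failure; with `2>/dev/null` removed from the delete commands in the follow-up, that error will now surface and fail the step. Carry `.draft` through the projection, e.g. `| [.tag_name, .draft] | @tsv`, and branch on it in the delete loop.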
Don't sweep dev builds from later main pushes.
This matches every vX.Y.Z-dev.N release/tag in the repo. If another commit lands on main while the stable tag is still waiting on Docker/CLI, its freshly created dev prerelease also matches here and gets deleted; if that build is still attaching assets, the dev pipeline fails. Limit cleanup to dev artifacts older than the stable release (for example by creation time or tag commit ancestry) instead of a repo-wide sweep.
Also applies to: 295-298
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/finalize-release.yml around lines 285 - 289, The current
gh api call that deletes dev releases uses a repo-wide jq
test("^v[0-9]+\\.[0-9]+\\.[0-9]+-dev\\.[0-9]+$") and therefore deletes any
matching dev tag; change the cleanup to only target dev artifacts that are older
than the stable release they belong to (or not descendants of the stable tag).
Concretely, modify the gh api/jq step (the line with --jq '.[] |
select(.tag_name | test("^v[0-9]+\\.[0-9]+\\.[0-9]+-dev\\.[0-9]+$")) |
.tag_name') so it first finds the stable tag for the current release (or fetches
stable release.created_at), then filter dev releases by comparing .created_at
(or by checking commit ancestry of .target_commitish against the stable tag) and
only select those dev releases older/not descendant of the stable release; apply
the same change to the analogous block referenced at 295-298.
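As an added illustration of the reviewer's suggestion (example code written for this page, not the project's finalize-release.yml): a small Python filter that keeps the strict `vX.Y.Z-dev.N` regex, refuses to run while the stable release is still a draft (the same guard as the workflow's `isDraft` check), selects only dev pre-releases whose `created_at` predates the stable release, and emits the `gh api` delete calls as a dry run. The release records are constructed sample data in the shape of `gh api repos/OWNER/REPO/releases`; `OWNER/REPO`, the numeric ids and the function names are illustrative assumptions.

```python
import re
from datetime import datetime, timezone

# Added example, not the project's workflow. The record shape mirrors the
# GitHub "list releases" API: id, tag_name, draft, prerelease, created_at.
DEV_TAG_RE = re.compile(r"^v[0-9]+\.[0-9]+\.[0-9]+-dev\.[0-9]+$")
STABLE_TAG_RE = re.compile(r"^v[0-9]+\.[0-9]+\.[0-9]+$")


def is_dev_tag(tag):
    """Strict match for vX.Y.Z-dev.N; stable tags and other pre-releases never match."""
    return DEV_TAG_RE.match(tag) is not None


def _ts(value):
    """Parse the API's ISO-8601 UTC timestamps (e.g. 2026-03-22T14:41:20Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def select_stale_dev_releases(releases, stable_tag):
    """Return dev releases that predate the stable release, oldest first.

    For a release, the API's created_at is the date of the tagged commit, so a
    dev build cut from a later push to main carries a later created_at than the
    stable release and is left alone instead of being swept.
    """
    if not STABLE_TAG_RE.match(stable_tag):
        raise ValueError(f"not a stable tag: {stable_tag}")
    stable = next((r for r in releases if r["tag_name"] == stable_tag), None)
    if stable is None:
        raise ValueError(f"stable release {stable_tag} not found")
    if stable["draft"]:
        # Equivalent of an isDraft == false safety check: never sweep before publish.
        raise RuntimeError(f"{stable_tag} is still a draft; refusing to clean up")
    cutoff = _ts(stable["created_at"])
    stale = [
        r for r in releases
        if is_dev_tag(r["tag_name"]) and _ts(r["created_at"]) < cutoff
    ]
    return sorted(stale, key=lambda r: _ts(r["created_at"]))


def deletion_commands(repo, releases):
    """gh api calls for a dry run: release first, then tag; drafts have no git tag."""
    cmds = []
    for r in releases:
        cmds.append(f"gh api -X DELETE repos/{repo}/releases/{r['id']}")
        if not r["draft"]:
            cmds.append(f"gh api -X DELETE repos/{repo}/git/refs/tags/{r['tag_name']}")
    return cmds


# Constructed sample data (ids and timestamps are made up for this example).
SAMPLE_RELEASES = [
    {"id": 101, "tag_name": "v0.4.7-dev.1", "draft": False, "prerelease": True,
     "created_at": "2026-03-18T10:00:00Z"},
    {"id": 102, "tag_name": "v0.4.7-dev.2", "draft": True, "prerelease": True,
     "created_at": "2026-03-20T09:30:00Z"},   # draft: release deleted, no tag to remove
    {"id": 103, "tag_name": "v0.4.7", "draft": False, "prerelease": False,
     "created_at": "2026-03-22T14:00:00Z"},   # the stable release being finalized
    {"id": 104, "tag_name": "v0.4.8-dev.1", "draft": False, "prerelease": True,
     "created_at": "2026-03-22T15:10:00Z"},   # dev build from a later main push: kept
    {"id": 105, "tag_name": "v0.4.6", "draft": False, "prerelease": False,
     "created_at": "2026-03-10T08:00:00Z"},   # older stable tag: never matches the regex
]

if __name__ == "__main__":
    stale = select_stale_dev_releases(SAMPLE_RELEASES, "v0.4.7")
    for cmd in deletion_commands("OWNER/REPO", stale):
        print(cmd)
```

Running the module prints the three delete calls for `v0.4.7-dev.1` (release and tag) and `v0.4.7-dev.2` (release only, since a draft has no tag), and leaves `v0.4.8-dev.1` untouched. Commit ancestry of `target_commitish` against the stable tag would be the stricter alternative the reviewer mentions, at the cost of one extra API call per candidate.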
…shed Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Remove 2>/dev/null from cleanup delete commands so auth/rate-limit errors surface in CI logs (infra-reviewer + CodeRabbit)
- Update finalize-release bullet in CI section to document dev cleanup behavior (docs-consistency agent)
- Clarify interaction between incremental dev cleanup (keeps 5 most recent) and full cleanup on stable release (Gemini)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
f8b805b to a588a52
When the publish step detects the release is already published, it now emits published=true so the cleanup step can run on job reruns. The cleanup step's own isDraft==false safety check prevents unsafe execution. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
🤖 I have created a release *beep* *boop*

## [0.4.7](v0.4.6...v0.4.7) (2026-03-22)

### Features

* add system user for CLI-to-backend authentication ([#710](#710)) ([dc6bd3f](dc6bd3f))
* dev channel builds with incremental pre-releases between stable releases ([#715](#715)) ([0e8a714](0e8a714))
* replace hardcoded name pools with Faker multi-locale name generation ([#714](#714)) ([5edc6ec](5edc6ec))

### Bug Fixes

* dev-release tag creation, dependabot coverage, go -C cli convention ([#730](#730)) ([7634843](7634843))
* improve name generation step UX and fix sentinel expansion bug ([#739](#739)) ([f03fd05](f03fd05))
* settings page UX polish -- toggle bug, source badges, form improvements ([#712](#712)) ([d16a0ac](d16a0ac))
* switch dev tags to semver and use same release pipeline as stable ([#729](#729)) ([4df6b9b](4df6b9b)), closes [#713](#713)
* unify CLI image discovery and standardize Go tooling ([#738](#738)) ([712a785](712a785))
* use PAT in dev-release workflow to trigger downstream pipelines ([#716](#716)) ([d767aa3](d767aa3))

### CI/CD

* bump astral-sh/setup-uv from 7.4.0 to 7.6.0 in /.github/actions/setup-python-uv in the minor-and-patch group ([#731](#731)) ([7887257](7887257))
* bump the minor-and-patch group with 3 updates ([#735](#735)) ([7cd253a](7cd253a))
* bump wrangler from 4.75.0 to 4.76.0 in /.github in the minor-and-patch group ([#732](#732)) ([a6cafc7](a6cafc7))
* clean up all dev releases and tags on stable release ([#737](#737)) ([8d90f5c](8d90f5c))

### Maintenance

* bump the minor-and-patch group across 2 directories with 2 updates ([#733](#733)) ([2b60069](2b60069))
* bump the minor-and-patch group with 3 updates ([#734](#734)) ([859bc25](859bc25))
* fix dependabot labels and add scope tags ([#736](#736)) ([677eb15](677eb15))
* remove redundant pytest.mark.timeout(30) markers ([#740](#740)) ([9ec2163](9ec2163))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
Summary

- `finalize-release.yml` that deletes all dev pre-releases and tags when a stable release is published
- `!contains('-dev.')` condition, and runtime `isDraft` verification
- `^v[0-9]+\.[0-9]+\.[0-9]+-dev\.[0-9]+$` ensures stable tags can never be matched

Test plan
🤖 Generated with Claude Code