fix: use PAT in dev-release workflow to trigger downstream pipelines #716

Merged: Aureliolo merged 2 commits into main from fix/dev-release-pat on Mar 22, 2026

@Aureliolo (Owner)

Summary

  • Tags created with the default GITHUB_TOKEN do not fire push events for other workflows (GitHub Actions anti-recursion safeguard)
  • The v0.4.7.dev3 dev pre-release was created successfully but Docker and CLI workflows never triggered
  • Switch to RELEASE_PLEASE_TOKEN (PAT) for the gh release create --target step so downstream workflows trigger on dev tags
  • Cleanup step keeps using github.token since it doesn't need to trigger anything

Context

After merging #715, the dev-release workflow ran and created v0.4.7.dev3 correctly, but the Docker and CLI pipelines never fired. This is the same pattern used by release.yml which uses a PAT for Release Please to ensure tag-triggered workflows run.

Test plan

  • Push to main triggers dev-release.yml, creates dev tag + pre-release
  • Docker workflow triggers on the dev tag (was broken before this fix)
  • CLI workflow triggers on the dev tag (was broken before this fix)
  • Finalize-release correctly skips dev pre-releases (unchanged)

Tags created with the default GITHUB_TOKEN do not fire push events
for other workflows (GitHub Actions anti-recursion safeguard). Switch
to RELEASE_PLEASE_TOKEN (PAT) for the tag+release creation step so
the Docker and CLI workflows trigger on dev tags.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

@gemini-code-assist (Contributor)

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

@github-actions (Contributor)

github-actions bot commented Mar 22, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

coderabbitai bot commented Mar 22, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: cf535b1a-506d-4a8f-9ab9-6262ef7a58b3

📥 Commits

Reviewing files that changed from the base of the PR and between 1ef72ff and 1d2a2a2.

📒 Files selected for processing (1)
  • .github/workflows/dev-release.yml
📜 Recent review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Analyze (python)
🧰 Additional context used
🧠 Learnings (8)
📓 Common learnings
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-22T13:16:27.243Z
Learning: Dev releases: every push to main (except Release Please bumps) creates a dev pre-release (e.g. v0.4.7.dev3) via dev-release.yml. Users opt in with synthorg config set channel dev.
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-15T21:32:02.880Z
Learning: Applies to .github/workflows/*.yml : Dependabot: daily updates for uv + github-actions + npm + pre-commit + docker + gomod, grouped minor/patch, no auto-merge. Use `/review-dep-pr` to review Dependabot PRs before merging.
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-22T13:16:27.243Z
Learning: Version bumping: fix:/feat: = patch, feat!:/BREAKING CHANGE = minor (pre-1.0). Use Release-As trailer as final paragraph of PR body for explicit version override.
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-15T21:32:02.880Z
Learning: Applies to .github/workflows/finalize-release.yml : Finalize Release workflow: publishes draft releases created by Release Please. Triggers on workflow_run completion of Docker and CLI workflows. Verifies both workflows succeeded for the associated tag before publishing. Extracts CLI checksums, cosign verification, and container verification data from HTML comments, assembles into combined Verification section. Guards against PR-triggered runs. Handles TOCTOU races. Immutable releases enabled—once published, release assets and body cannot be modified.
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-15T21:32:02.880Z
Learning: Applies to .github/workflows/docker.yml : Docker workflow: builds backend + web + sandbox images, pushes to GHCR, signs with cosign. SLSA L3 provenance attestations via actions/attest-build-provenance. Scans: Trivy (CRITICAL = hard fail, HIGH = warn) + Grype (critical cutoff) + CIS Docker Benchmark v1.6.0 compliance (informational). CVE triage via .github/.trivyignore.yaml and .github/.grype.yaml. Images only pushed after scans pass. Triggers on push to main and version tags (v*).
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-19T11:19:40.044Z
Learning: CLI workflow (`.github/workflows/cli.yml`) runs Go lint (golangci-lint + go vet) + test (race, coverage) + build (cross-compile matrix) + vulnerability check (govulncheck) + fuzz testing. Cross-compiles for linux/darwin/windows × amd64/arm64. GoReleaser release on v* tags with cosign keyless signing and SLSA L3 attestations.
📚 Learning: 2026-03-15T21:32:02.880Z
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-15T21:32:02.880Z
Learning: Applies to .github/workflows/cli.yml : CLI workflow: Go lint (golangci-lint + go vet) + test (-race -coverprofile) + build (cross-compile: linux/darwin/windows × amd64/arm64) + govulncheck + fuzz testing (main-only, 30s/target, continue-on-error, matrix over 4 packages). cli-pass gate includes fuzz as informational. GoReleaser release on v* tags. Cosign keyless signing of checksums.txt. SLSA L3 provenance attestations. Sigstore bundle (.sigstore.json) attached. Post-release appends checksums/verification/provenance to draft release notes.

Applied to files:

  • .github/workflows/dev-release.yml
📚 Learning: 2026-03-15T12:00:18.113Z
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-15T12:00:18.113Z
Learning: Applies to .github/workflows/docker.yml : CI Docker: build → scan → push to GHCR + cosign sign + SLSA L3 provenance via attest-build-provenance (images only pushed after Trivy/Grype scans pass).

Applied to files:

  • .github/workflows/dev-release.yml
🔇 Additional comments (3)
.github/workflows/dev-release.yml (3)

29-29: LGTM! Environment binding addresses the secret governance concern.

Adding environment: release correctly scopes the RELEASE_PLEASE_TOKEN PAT to a protected Actions environment, matching the pattern used by release.yml. This addresses the previous review finding about secrets referenced outside a dedicated environment.


112-116: LGTM! PAT usage correctly enables downstream workflow triggers.

The switch from github.token to secrets.RELEASE_PLEASE_TOKEN is the correct fix for the stated problem. The explanatory comment clearly documents why this is necessary (GitHub's anti-recursion safeguard prevents GITHUB_TOKEN-created tags from firing push events). This mirrors the established pattern in release.yml.


137-151: LGTM! Cleanup step correctly uses github.token.

The cleanup step appropriately continues using github.token since deleting old dev releases doesn't need to trigger downstream workflows. This is the correct differentiation from the release creation step.


Walkthrough

The GitHub Actions workflow .github/workflows/dev-release.yml was updated: the job dev-release now declares environment: release, and the "Create dev tag and pre-release" step now supplies GH_TOKEN from secrets.RELEASE_PLEASE_TOKEN instead of github.token when running gh release create. No other workflow logic, control-flow conditions, version computation, tag-existence checks, or cleanup behavior were changed.

Suggested labels

autorelease: tagged

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title clearly and concisely summarizes the main change: using a PAT in the dev-release workflow to enable downstream pipeline triggers. It accurately reflects the key problem being solved. |
| Description check | ✅ Passed | The description is well-detailed and directly related to the changeset. It explains the problem, solution, context, and test plan—all relevant to the workflow authentication change. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/dev-release.yml:
- Around line 111-115: The dev-release job is using the PAT secret
RELEASE_PLEASE_TOKEN directly (GH_TOKEN: ${{ secrets.RELEASE_PLEASE_TOKEN }})
without binding the job to a protected Actions environment; update the
dev-release job configuration to run under a protected environment (e.g., add
environment: release or environment: release-automation) and move the PAT into
that environment's secrets so GH_TOKEN references the environment secret instead
of a repository secret, ensuring the job still sets GH_TOKEN: ${{
secrets.RELEASE_PLEASE_TOKEN }} (or the environment-secret name) but is executed
within the protected environment context.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 05500fc3-95ff-4ccc-adbb-044e2ff987fc

📥 Commits

Reviewing files that changed from the base of the PR and between 0e8a714 and 1ef72ff.

📒 Files selected for processing (1)
  • .github/workflows/dev-release.yml
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Analyze (python)
🧰 Additional context used
🪛 GitHub Actions: Workflow Security
.github/workflows/dev-release.yml

[warning] 115-115: zizmor warning[secrets-outside-env]: secrets referenced without a dedicated environment (GH_TOKEN: ${{ secrets.RELEASE_PLEASE_TOKEN }} is accessed outside of a dedicated environment).

Use the existing release GitHub environment for the dev-release job,
matching release.yml's pattern. Resolves zizmor secrets-outside-env
and CodeRabbit's environment protection finding.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@Aureliolo Aureliolo merged commit d767aa3 into main Mar 22, 2026
24 checks passed
@Aureliolo Aureliolo deleted the fix/dev-release-pat branch March 22, 2026 13:31
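
The review finding resolved in this PR (a job reading `secrets.RELEASE_PLEASE_TOKEN` without an `environment:` binding) can be approximated with a small check. This is an added example, not code from the repository and not zizmor's implementation; the workflow text is constructed, `./cleanup.sh` is a hypothetical script, and the scanner handles only block-style YAML.

```python
import re

SECRET_REF = re.compile(r"\$\{\{\s*secrets\.(\w+)\s*\}\}")
KEY_LINE = re.compile(r"^(\s*)([A-Za-z0-9_-]+):")

# Constructed workflow text (not the repository's real dev-release.yml).
BEFORE = """\
name: Dev Release
on:
  push:
    branches: [main]
jobs:
  dev-release:
    runs-on: ubuntu-latest
    steps:
      - name: Create dev tag and pre-release
        env:
          GH_TOKEN: ${{ secrets.RELEASE_PLEASE_TOKEN }}
        run: gh release create "$TAG" --target "$SHA" --prerelease
      - name: Clean up old dev releases
        env:
          GH_TOKEN: ${{ github.token }}
        run: ./cleanup.sh
"""

# Same job, bound to the protected environment named in the review.
AFTER = BEFORE.replace(
    "    runs-on: ubuntu-latest\n",
    "    runs-on: ubuntu-latest\n    environment: release\n",
)


def indent_of(line):
    return len(line) - len(line.lstrip())


def split_jobs(workflow_text):
    """Return {job_name: body_lines} using indentation only (not a YAML parser)."""
    jobs, current, job_indent, in_jobs = {}, None, None, False
    for raw in workflow_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if indent_of(line) == 0:
            # A new top-level key starts; only the "jobs:" section is scanned.
            in_jobs, current = line.startswith("jobs:"), None
            continue
        if not in_jobs:
            continue
        if job_indent is None:
            job_indent = indent_of(line)
        match = KEY_LINE.match(line)
        if match and indent_of(line) == job_indent:
            current = match.group(2)
            jobs[current] = []
        elif current is not None:
            jobs[current].append(line)
    return jobs


def unscoped_secret_jobs(workflow_text):
    """Return {job: [secret names]} for jobs that read secrets.* with no environment key."""
    findings = {}
    for name, body in split_jobs(workflow_text).items():
        if not body:
            continue
        key_indent = min(indent_of(line) for line in body)
        has_env = any(
            (m := KEY_LINE.match(line)) and len(m.group(1)) == key_indent
            and m.group(2) == "environment"
            for line in body
        )
        secrets = sorted({s for line in body for s in SECRET_REF.findall(line)})
        if secrets and not has_env:
            findings[name] = secrets
    return findings


if __name__ == "__main__":
    print("before:", unscoped_secret_jobs(BEFORE))
    print("after: ", unscoped_secret_jobs(AFTER))
```

The cleanup step's `github.token` is not reported because it is the automatic per-run token rather than a stored secret.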
Aureliolo added a commit that referenced this pull request Mar 22, 2026
#729)

## Summary

- Switch dev tag format from PEP 440 (`v0.4.7.dev3`) to semver
(`v0.4.7-dev.3`) so GoReleaser can parse them
- Create dev releases as **draft** pre-releases instead of published, so
they flow through the exact same finalize-release pipeline as stable
releases
- Remove the dev exclusion guard from finalize-release -- both stable
and dev releases now use the same lifecycle

## Why

After merging #715 and #716, the dev-release workflow correctly created
tags and triggered downstream pipelines, but both failed:
1. **CLI**: GoReleaser rejected `v0.4.7.dev4` as invalid semver (`failed
to parse tag as semver`)
2. **Docker**: SBOM attachment failed because dev releases were created
as published (immutable), blocking asset uploads

## How it works now

Same pipeline, zero special-casing:

1. `dev-release.yml` creates **draft** pre-release + tag (via PAT)
2. Docker workflow triggers on tag -- builds, scans, pushes, attaches
SBOMs to draft
3. CLI workflow triggers on tag -- GoReleaser builds binaries, attaches
to draft
4. `finalize-release.yml` publishes the draft once both succeed

This is identical to the stable release flow.

## Changes

- `dev-release.yml`: semver tag format (`-dev.N`), `--draft
--prerelease`, updated grep/jq filters
- `docker.yml`: `.dev` -> `-dev.` in all contains() checks
- `finalize-release.yml`: removed `!contains(.dev)` guard -- handles
both stable and dev
- `cli/internal/selfupdate/updater.go`: `splitDev` and
`selectBestRelease` parse `-dev.` format
- `cli/internal/selfupdate/updater_version_test.go`: all test cases
updated
- `cli/internal/selfupdate/updater_test.go`: integration test cases
updated
- `CLAUDE.md`: updated tag examples and descriptions
- Cleaned up old `v0.4.7.dev3` and `v0.4.7.dev4` releases/tags

## Test plan

- [ ] Push to main triggers `dev-release.yml`, creates `v0.4.7-dev.N`
tag + **draft** pre-release
- [ ] Docker workflow triggers, builds all 3 images, attaches SBOMs to
draft
- [ ] CLI workflow triggers, GoReleaser builds binaries, attaches to
draft
- [ ] `finalize-release` publishes the draft after both succeed
- [ ] `go test ./...` passes (verified locally)
- [ ] `synthorg update` on dev channel finds semver dev releases

Closes #713

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Aureliolo added a commit that referenced this pull request Mar 22, 2026
🤖 I have created a release *beep* *boop*
---


##
[0.4.7](v0.4.6...v0.4.7)
(2026-03-22)


### Features

* add system user for CLI-to-backend authentication
([#710](#710))
([dc6bd3f](dc6bd3f))
* dev channel builds with incremental pre-releases between stable
releases ([#715](#715))
([0e8a714](0e8a714))
* replace hardcoded name pools with Faker multi-locale name generation
([#714](#714))
([5edc6ec](5edc6ec))


### Bug Fixes

* dev-release tag creation, dependabot coverage, go -C cli convention
([#730](#730))
([7634843](7634843))
* improve name generation step UX and fix sentinel expansion bug
([#739](#739))
([f03fd05](f03fd05))
* settings page UX polish -- toggle bug, source badges, form
improvements ([#712](#712))
([d16a0ac](d16a0ac))
* switch dev tags to semver and use same release pipeline as stable
([#729](#729))
([4df6b9b](4df6b9b)),
closes [#713](#713)
* unify CLI image discovery and standardize Go tooling
([#738](#738))
([712a785](712a785))
* use PAT in dev-release workflow to trigger downstream pipelines
([#716](#716))
([d767aa3](d767aa3))


### CI/CD

* bump astral-sh/setup-uv from 7.4.0 to 7.6.0 in
/.github/actions/setup-python-uv in the minor-and-patch group
([#731](#731))
([7887257](7887257))
* bump the minor-and-patch group with 3 updates
([#735](#735))
([7cd253a](7cd253a))
* bump wrangler from 4.75.0 to 4.76.0 in /.github in the minor-and-patch
group ([#732](#732))
([a6cafc7](a6cafc7))
* clean up all dev releases and tags on stable release
([#737](#737))
([8d90f5c](8d90f5c))


### Maintenance

* bump the minor-and-patch group across 2 directories with 2 updates
([#733](#733))
([2b60069](2b60069))
* bump the minor-and-patch group with 3 updates
([#734](#734))
([859bc25](859bc25))
* fix dependabot labels and add scope tags
([#736](#736))
([677eb15](677eb15))
* remove redundant pytest.mark.timeout(30) markers
([#740](#740))
([9ec2163](9ec2163))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).