ci(release): gate stable releases behind esengine approval #3528

Merged: esengine merged 1 commit into main-v2 from chore/release-approval-gates, Jun 8, 2026
@esengine (Owner) commented Jun 8, 2026

Locks down who can publish what, the way we agreed: maintainers can cut canary freely; only esengine can ship next/stable.

Mechanism (GitHub-native, free on public repos)

  • Two environments already created: release (esengine = required reviewer) and canary (open).
  • Stable publish jobs now run in the release environment, so a stable release — even one a maintainer starts by pushing a v*/npm-v*/desktop-v* tag — pauses in the Actions UI until esengine approves.
  • Canary dispatches run in the open canary environment → any maintainer (write access) self-serves a pre-release, no approval.

Gating per workflow

  • release.yml (CLI + Homebrew): environment: release (tag-triggered, always stable).
  • release-npm.yml: release on tag push, canary on dispatch.
  • release-desktop.yml: canary only when channel=canary dispatch, else release. Gated at the publish job so nothing is released/mirrored until approved.

Also

  • Adds docs/RELEASING.md — trunk+tags model, channels, the release loop, and who-can-ship-what.

Safety

  • No behavior change for canary (still free).
  • Stable path is unchanged except it now waits for esengine's approval before publishing — exactly the intent.

Stable publish jobs (CLI goreleaser, npm tag push, desktop tag/stable
dispatch) now run in the `release` environment, which requires esengine's
approval before anything goes public. Canary dispatches use the open
`canary` environment so any maintainer can self-serve a pre-release. Adds
docs/RELEASING.md documenting the trunk+tags model, channels, and who can
ship what.
esengine requested a review from SivanCola as a code owner, June 8, 2026 06:17
github-actions (bot) added the labels v2 (Go rewrite (1.x) — main-v2 branch, active development) and updater (Auto-update / installer / release packaging), and removed the label v2 (Go rewrite (1.x) — main-v2 branch, active development), Jun 8, 2026
esengine merged commit d0ce765 into main-v2, Jun 8, 2026
10 checks passed
esengine deleted the chore/release-approval-gates branch, June 8, 2026 06:24
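
The per-workflow gating described in the PR description for release-desktop.yml, sketched as an added example that is not the repository's own workflow. The job names, script paths, artifact name and input definition are assumptions; only the `release` and `canary` environment names, the `desktop-v*` tag pattern and the `channel=canary` dispatch come from the page.

```yaml
# Added example: hypothetical workflow, not the repository's release-desktop.yml.
name: release-desktop-example
on:
  push:
    tags: ['desktop-v*']          # tag pattern named in the PR description
  workflow_dispatch:
    inputs:
      channel:                    # assumed input shape
        description: Release channel
        type: choice
        options: [canary, stable]
        default: canary

permissions:
  contents: read                  # default for every job; publish widens it

jobs:
  build:                          # no environment: builds without approval
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/build.sh   # hypothetical build script writing to dist/
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/

  publish:
    needs: build
    runs-on: ubuntu-latest
    # Only an explicit canary dispatch selects the open environment. Tag pushes
    # and every other channel value fall through to `release`, so the job
    # waits for the required reviewer before any step runs.
    environment: ${{ (github.event_name == 'workflow_dispatch' && inputs.channel == 'canary') && 'canary' || 'release' }}
    permissions:
      contents: write             # assumed: publish creates a GitHub release
    steps:
      - uses: actions/checkout@v4
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - run: ./scripts/publish.sh # hypothetical publish script
```

Because the expression defaults to `release`, an unexpected trigger or channel value lands on the gated path rather than the open one. Publishing credentials stored as environment secrets on `release` are exposed to the job only after the approval is given.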