ci: adopt consolidated ospo-reusable-workflows release.yaml #171

Merged: jmeridth merged 2 commits into main from ci/consolidated-release-workflow on May 10, 2026

@jmeridth

Collaborator

Pull Request

Proposed Changes

Collapse the three legacy release / release_image / release_discussion job calls into a single call to the consolidated release.yaml reusable workflow at v1.0.0 (592067a6...). The new workflow handles GitHub release creation, container image build/push to GHCR, build provenance attestation, and the announcement discussion in one draft-first pipeline.

Also add a "💥 Breaking Changes" category to release-drafter.yml, matching the upstream release-drafter template (github-community-projects/ospo-reusable-workflows#134). The breaking label was already wired up under version-resolver.major, so this just surfaces those PRs in their own changelog section.

Notes for reviewers

  • image-name is preserved as ${{ github.repository_owner }}/measure_innersource (underscore form) so the published image at ghcr.io/github-community-projects/measure_innersource stays at the exact same path as before.
  • The job-level permission block now lists the union of what the called workflow's internal jobs need. A uses: caller can only grant — never expand — what the reusable workflow requests, so missing perms here silently disable features instead of erroring.
  • image-registry / image-registry-username moved from secrets: to inputs in v1.0.0 and default to ghcr.io / github.actor. Both defaults match the previous values, so the inputs are omitted.
  • image-registry-password stays a secret and continues using GITHUB_TOKEN for GHCR pushes.

Readiness Checklist

Author/Contributor

  • If documentation is needed for this change, has that been included in this pull request
  • run make lint and fix any issues that you have introduced
  • run make test and ensure you have test coverage for the lines you are introducing

Testing

  • make lint — clean (mypy 0 issues across 24 source files, black 24 files unchanged).
  • make test — 83 tests pass, coverage 100%.
  • npx prettier --check .github/workflows/release.yml .github/release-drafter.yml — clean (super-linter runs prettier on YAML).
  • End-to-end release flow is not exercised locally; first real validation will be the next merged PR carrying a feature / fix / breaking / vuln / release label that fires pull_request_target: closed. Watch for: draft release created by release-drafter, container image published to ghcr.io/$OWNER/measure_innersource, build provenance attestation succeeding, release announcement discussion created (if RELEASE_DISCUSSION_* secrets are set), then publish_release flipping the draft to published.

jmeridth added 2 commits May 10, 2026 18:29
## What

Collapse the three legacy `release` / `release_image` / `release_discussion` job calls into a single call to the consolidated `release.yaml` reusable workflow at v1.0.0 (`592067a6...`). Pass `image-name`, `create-attestation: true`, and `create-discussion: true` so the workflow handles GitHub release, container image build/push to GHCR (preserving the underscore form `measure_innersource`), build provenance attestation, and announcement discussion in one draft-first pipeline. Also add a "💥 Breaking Changes" category to `release-drafter.yml`.

## Why

The legacy three-workflow setup forced callers to wire up the same job chain by hand in every repo and made it easy for permissions, secrets, and ordering to drift. v1.0.0 of ospo-reusable-workflows owns the chain internally and exposes a single entry point. The "Breaking Changes" category matches the upstream release-drafter template (github-community-projects/ospo-reusable-workflows#134); the `breaking` label already maps to a major bump in `version-resolver`, so this just surfaces those PRs in their own changelog section.

## Notes

- `image-name` keeps the existing underscore form `${{ github.repository_owner }}/measure_innersource` so the published image at `ghcr.io/github-community-projects/measure_innersource` stays at the same path.
- The job-level permission block now lists the union of what the called workflow's internal jobs need (contents/pull-requests/packages/id-token/attestations/discussions). A `uses:` caller can only grant — never expand — what the reusable workflow requests, so missing perms here silently disable features instead of erroring.
- `image-registry` and `image-registry-username` moved from `secrets:` to inputs in v1.0.0 (defaults to `ghcr.io` and `github.actor`). Both defaults match the previous explicit values, so they're omitted.
- `image-registry-password` stays a secret and continues to use `GITHUB_TOKEN` for ghcr.io pushes.

Signed-off-by: jmeridth <jmeridth@gmail.com>

Single-space before `#` so prettier (via super-linter) accepts the workflow file. No behavior change.

Signed-off-by: jmeridth <jmeridth@gmail.com>
@jmeridth jmeridth added the "Mark Ready When Ready" label (Automatically mark draft PR ready when checks pass) May 10, 2026
Copilot AI review requested due to automatic review settings May 10, 2026 23:30
@jmeridth jmeridth self-assigned this May 10, 2026

Copilot AI left a comment

Contributor

Pull request overview

Updates the repository’s release automation to use the consolidated ospo-reusable-workflows release.yaml reusable workflow, simplifying the release pipeline while preserving existing GHCR image naming and release-drafter behavior.

Changes:

  • Replaced the three legacy reusable workflow calls (release, release_image, release_discussion) with a single call to consolidated release.yaml (pinned to v1.0.0 SHA).
  • Expanded job permissions to support release publishing, GHCR image push, provenance attestation, and discussion creation in the consolidated workflow.
  • Added a dedicated “💥 Breaking Changes” category to release-drafter.yml for PRs labeled breaking.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| .github/workflows/release.yml | Collapses multiple release-related jobs into one consolidated reusable workflow call and updates permissions/inputs accordingly. |
| .github/release-drafter.yml | Adds a “Breaking Changes” changelog section keyed off the existing breaking label. |

@github-actions github-actions Bot marked this pull request as ready for review May 10, 2026 23:33
@github-actions github-actions Bot requested a review from zkoppert as a code owner May 10, 2026 23:33
@github-actions github-actions Bot removed the "Mark Ready When Ready" label (Automatically mark draft PR ready when checks pass) May 10, 2026
@jmeridth jmeridth merged commit d4e82f8 into main May 10, 2026
42 of 43 checks passed
@jmeridth jmeridth deleted the ci/consolidated-release-workflow branch May 10, 2026 23:38
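
An added example, not part of this pull request or the project's code: a stdlib-only Python check for the two properties the PR description relies on, a reusable-workflow call pinned to a full commit SHA and a job-level permissions block that lists the six scopes named in the notes. The sample workflows, their permission levels and the 40-character SHA are constructed for illustration, and the small reader handles block-style YAML mappings only.

```python
import re

# Scopes the PR says the caller's job-level permissions block must list.
REQUIRED_SCOPES = {"contents", "pull-requests", "packages", "id-token", "attestations", "discussions"}
FULL_SHA = re.compile(r"@[0-9a-f]{40}$")
REF = "github-community-projects/ospo-reusable-workflows/.github/workflows/release.yaml"

def parse_block_mappings(text):
    """Read block-style YAML mappings into nested dicts (no flow style or multi-line scalars)."""
    stack = [(-1, {})]  # (indent, mapping); the root entry is never popped
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()  # drop trailing comments such as "# v1.0.0"
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack[-1][0] >= indent:  # climb back to this line's parent mapping
            stack.pop()
        value = value.strip() or {}  # an empty value opens a nested mapping
        stack[-1][1][key] = value
        if isinstance(value, dict):
            stack.append((indent, value))
    return stack[0][1]

def audit_caller(text):
    """Return (job, issue, detail) findings for jobs that call a reusable workflow."""
    findings = []
    for name, job in parse_block_mappings(text).get("jobs", {}).items():
        uses = job.get("uses") if isinstance(job, dict) else None
        if not isinstance(uses, str):
            continue  # a job with steps, not a reusable-workflow call
        if not uses.startswith("./") and not FULL_SHA.search(uses):
            findings.append((name, "unpinned-ref", uses.rpartition("@")[2]))
        perms = job.get("permissions", {})  # job-level block only
        if isinstance(perms, dict):
            granted = {k for k, v in perms.items() if v in ("read", "write")}
        else:  # shorthand string form
            granted = set(REQUIRED_SCOPES) if perms in ("read-all", "write-all") else set()
        for scope in sorted(REQUIRED_SCOPES - granted):
            findings.append((name, "missing-permission", scope))
    return findings

def sample(ref, scopes):  # builds a constructed caller workflow for the demo
    perms = "".join(f"      {s}: write\n" for s in scopes)
    return f"jobs:\n  release:\n    permissions:\n{perms}    uses: {REF}@{ref}\n"

WEAK = sample("v1.0.0", ["contents", "pull-requests", "packages"])
HARDENED = sample("0123456789abcdef0123456789abcdef01234567", sorted(REQUIRED_SCOPES))
print(audit_caller(WEAK), audit_caller(HARDENED))
```

Run against a repository's `.github/workflows/*.yml` in CI, a non-empty findings list is a cheap gate before the first real release exercises the pipeline.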