fix(ci): order discussion after publish + auto-install syft for SBOMs#138
Merged
## What

Move the release_discussion job to run after publish_release succeeds instead of in parallel with the build jobs. The publish_release job no longer depends on release_discussion.

## Why

Previously, the discussion was created before the draft release was published. If publish_release failed (or publish was disabled), subscribers were still notified about a release that did not actually exist as a published artifact. Gating discussion creation on a successful publish ensures announcements only fire for releases users can actually consume.

## Notes

- The redundant inputs.publish check on release_discussion was removed; gating now flows through publish_release, which itself requires inputs.publish.
- Total wall-clock time for a full release increases slightly because the discussion job no longer runs in parallel with goreleaser/image builds; it now runs after publish.
- Behavior when create-discussion is false or discussion secrets are unset is unchanged.

Signed-off-by: jmeridth <jmeridth@gmail.com>

## What

In `release_goreleaser`, detect a `sboms:` block in the user's GoReleaser config (via yq, already installed for the existing release.disable check) and conditionally install `syft` before running GoReleaser. Generated `dist/*.spdx.json` files are now included in both the draft-release upload and the build provenance attestation subject paths.

## Why

GoReleaser configs that declare `sboms.cmd: syft` previously failed inside the reusable workflow with `exec: "syft": executable file not found in $PATH`, because the `release_goreleaser` job did not install syft. Consumers had to either drop SBOM generation from their GoReleaser config or maintain a separate workflow job to install syft, which defeats the purpose of consolidating into this reusable workflow.

## Notes

- The new `Install Syft for SBOM generation` step only runs when the config has a `sboms:` key, so consumers without SBOMs see no behavior change.
- syft is pinned via `anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0`. If a newer release is preferred I am happy to bump it before merge.
- SBOM `.spdx.json` files are included in `attest-build-provenance` subject paths so attestation covers the same set of artifacts the user sees in the published release.
- The `Detect SBOM generation` step is intentionally placed after the existing `Validate GoReleaser config has release disabled` step, so the validate-first behavior is preserved.

Signed-off-by: jmeridth <jmeridth@gmail.com>

## What

Add `github` and `release` to the allowed PR-title scope list in test-pr-title.yaml.

## Why

PRs that touch GitHub-platform-specific config (workflows, issue templates, labels) and the release pipeline previously had to use a less specific scope or no scope at all, since `fix(release): ...` and `chore(github): ...` would fail scope validation. This PR's own title uses `release` as its scope.

## Notes

- `requireScope` remains `false`, so scope is still optional; this only widens the allowed set when one is used.

Signed-off-by: jmeridth <jmeridth@gmail.com>
This was referenced May 11, 2026
jmeridth added a commit to revanite-io/pvtr-gcp-cloud-storage that referenced this pull request on May 11, 2026:

## What

Bump the pin on ospo-reusable-workflows/release.yaml from v1.0.0 to v1.0.1 (SHA e92cb6053ace495fe40a5f185988557afcdcecbc).

## Why

v1.0.1 lands two fixes from upstream PR github-community-projects/ospo-reusable-workflows#138:

1. release_discussion runs only after publish_release succeeds.
2. release_goreleaser auto-installs syft when GoReleaser config declares an sboms: block. This repo's .goreleaser.yaml uses syft, and a recent release under v1.0.0 failed with 'exec: syft: executable file not found in PATH'. v1.0.1 directly fixes that.

## Notes

- No caller-side configuration changes are required; v1.0.1 is backward-compatible with v1.0.0 inputs and secrets.
- There is a leftover draft release v0.1.2 from the prior failed run that should be cleaned up manually.

## Testing

The next merged PR with a release-triggering label will exercise the syft auto-install path end-to-end.

Signed-off-by: jmeridth <jmeridth@gmail.com>
jmeridth added a commit to revanite-io/pvtr-azure-blob-storage that referenced this pull request on May 11, 2026:

## What

Bump the pin on ospo-reusable-workflows/release.yaml from v1.0.0 to v1.0.1 (SHA e92cb6053ace495fe40a5f185988557afcdcecbc).

## Why

v1.0.1 lands two fixes from upstream PR github-community-projects/ospo-reusable-workflows#138:

1. release_discussion runs only after publish_release succeeds.
2. release_goreleaser auto-installs syft when GoReleaser config declares an sboms: block. This repo's .goreleaser.yaml uses syft, so v1.0.1 directly unblocks the syft-not-found build failure observed under v1.0.0.

## Notes

- No caller-side configuration changes are required; v1.0.1 is backward-compatible with v1.0.0 inputs and secrets.

## Testing

The next merged PR with a release-triggering label will exercise the syft auto-install path end-to-end.

Signed-off-by: jmeridth <jmeridth@gmail.com>
jmeridth added a commit to privateerproj/privateer that referenced this pull request on May 11, 2026:

## What

Bump the pin on ospo-reusable-workflows/release.yaml from v1.0.0 to v1.0.1 (SHA e92cb6053ace495fe40a5f185988557afcdcecbc).

## Why

v1.0.1 lands two fixes from upstream PR github-community-projects/ospo-reusable-workflows#138:

1. release_discussion runs only after publish_release succeeds (no announcing releases that never published).
2. release_goreleaser auto-installs syft when GoReleaser config declares an sboms: block.

## Notes

- No caller-side configuration changes are required; v1.0.1 is backward-compatible with v1.0.0 inputs and secrets.

Signed-off-by: jmeridth <jmeridth@gmail.com>
jmeridth added a commit to privateerproj/privateer-sdk that referenced this pull request on May 11, 2026:

## What

Bump the pin on ospo-reusable-workflows/release.yaml from v1.0.0 to v1.0.1 (SHA e92cb6053ace495fe40a5f185988557afcdcecbc).

## Why

v1.0.1 lands two fixes from upstream PR github-community-projects/ospo-reusable-workflows#138:

1. release_discussion runs only after publish_release succeeds (no announcing releases that never published).
2. release_goreleaser auto-installs syft when GoReleaser config declares an sboms: block.

## Notes

- No caller-side configuration changes are required; v1.0.1 is backward-compatible with v1.0.0 inputs and secrets.

Signed-off-by: jmeridth <jmeridth@gmail.com>
jmeridth added a commit to privateerproj/privateer-sdk that referenced this pull request on May 11, 2026:

* ci: adopt consolidated ospo-reusable-workflows release.yaml

## What

Bump the `release.yaml` reusable workflow pin to v1.0.0 (`592067a6...`), which collapses the previous three-workflow release/release-image/release-discussion pipeline into a single draft-first workflow. Also add a "Breaking Changes" category to release-drafter so PRs labeled `breaking` get their own section in the generated changelog.

## Why

The pinned SHA was the pre-consolidation version. Moving to v1.0.0 puts this repo on the supported release flow and aligns it with the pvtr CLI's release workflow. Because pvtr-sdk ships no binaries or container images, only the `create_release` / `publish_release` portion of the consolidated workflow runs; the existing `contents: write` + `pull-requests: read` permissions are still all that's needed.

The "Breaking Changes" category matches the upstream release-drafter template (github-community-projects/ospo-reusable-workflows#134); the `breaking` label was already wired up under `version-resolver.major`, so this just surfaces those PRs in their own changelog section.

## Notes

- No `goreleaser-config-path` or `image-name` inputs are passed, so the optional `release_goreleaser` and `release_image` jobs in the reusable workflow are skipped at the job-level `if:` and never spin up runners.
- Likewise, no `id-token: write` / `attestations: write` permissions are needed here since there are no artifacts to attest.
- `create-discussion` is intentionally not enabled; flip on later with the input plus `discussion-repository-id` / `discussion-category-id` secrets if we want auto-announcements.

Signed-off-by: jmeridth <jmeridth@gmail.com>

* chore: bump ospo-reusable-workflows from v1.0.0 to v1.0.1

## What

Bump the pin on ospo-reusable-workflows/release.yaml from v1.0.0 to v1.0.1 (SHA e92cb6053ace495fe40a5f185988557afcdcecbc).

## Why

v1.0.1 lands two fixes from upstream PR github-community-projects/ospo-reusable-workflows#138:

1. release_discussion runs only after publish_release succeeds (no announcing releases that never published).
2. release_goreleaser auto-installs syft when GoReleaser config declares an sboms: block.

## Notes

- No caller-side configuration changes are required; v1.0.1 is backward-compatible with v1.0.0 inputs and secrets.

Signed-off-by: jmeridth <jmeridth@gmail.com>

---------

Signed-off-by: jmeridth <jmeridth@gmail.com>
Proposed Changes
This PR bundles two release workflow fixes into a single change so consumers only need one SHA bump.

## 1. Move `release_discussion` to after `publish_release`

### What

Move the `release_discussion` job to run after `publish_release` succeeds instead of in parallel with the build jobs. `publish_release` no longer depends on `release_discussion`.

### Why

Previously, the announcement discussion was created before the draft release was published. If `publish_release` failed (or `publish` was disabled), subscribers were still notified about a release that did not actually exist as a published artifact. Gating discussion creation on a successful publish ensures announcements only fire for releases users can actually consume.

### Notes

- The redundant `inputs.publish` check on `release_discussion` was removed; gating now flows through `publish_release`, which itself requires `inputs.publish`.
- Behavior when `create-discussion` is false or discussion secrets are unset is unchanged.

## 2. Auto-install syft when GoReleaser config declares `sboms:`

### What

In `release_goreleaser`, detect a `sboms:` block in the consumer's GoReleaser config (via the `yq` already installed for the existing `release.disable` check) and conditionally install `syft` before running GoReleaser. Generated `dist/*.spdx.json` files are now included in both the draft-release upload and the build provenance attestation subject paths.

### Why

GoReleaser configs that declare `sboms.cmd: syft` previously failed inside the reusable workflow with `exec: "syft": executable file not found in $PATH`, because `release_goreleaser` did not install syft. A real example of the failure surfaced today on https://github.com/revanite-io/pvtr-gcp-cloud-storage/actions/runs/25644057576/job/75269470505 — the build hit syft missing in PATH, the release was left as a permanently-draft v0.1.2, and the consumer had to either drop SBOMs or maintain a separate workflow job (defeating the purpose of consolidating into this reusable workflow).

### Notes

- The new `Install Syft for SBOM generation` step only runs when the config has an `sboms:` key, so consumers without SBOMs see no behavior change.
- syft is pinned via `anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0`. Happy to bump if a newer pin is preferred before merge.
- SBOM `.spdx.json` files are included in `attest-build-provenance` subject paths so attestation covers the same set of artifacts the user sees in the published release.

## Testing

- `actionlint .github/workflows/release.yaml` passes
- `create_release` → `[release_goreleaser, release_image]` → `publish_release` → `release_discussion`
- `test-release.yaml`, and via the consumer repos that hit both bugs

## Readiness Checklist

### Author/Contributor
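Both fixes, as an added example in the form of a reconstructed `release.yaml` excerpt. This is not the project's own workflow (the real one is larger and pins every action by commit SHA): the job names, input names, the `yq`-based `release.disable` check, the `dist/*.spdx.json` handling and the syft pin are taken from the PR text, while the step ids, the `enabled` and `tag` outputs, the `has("sboms")` expression, the remaining `dist/` globs, the placeholder `run:` lines and the `@v4`/`@v2` tags are assumptions.

```yaml
# Added example, not the project's release.yaml. Names and the syft pin follow the PR;
# step ids, outputs, the yq expressions, globs, placeholder steps and @vN tags are assumed.
name: release
on:
  workflow_call:
    inputs:
      publish:                { type: boolean, default: true }
      create-discussion:      { type: boolean, default: false }
      goreleaser-config-path: { type: string,  default: "" }
      image-name:             { type: string,  default: "" }
    # discussion-repository-id / discussion-category-id secrets omitted from this excerpt

jobs:
  create_release:
    runs-on: ubuntu-latest
    permissions: { contents: write, pull-requests: read }
    outputs:
      tag: ${{ steps.draft.outputs.tag }}
    steps:
      - id: draft   # placeholder for the real release-drafter step
        run: echo "tag=v0.0.0-placeholder" >> "$GITHUB_OUTPUT"

  release_goreleaser:
    needs: create_release
    if: inputs.goreleaser-config-path != ''     # repos with no binaries never start this job
    runs-on: ubuntu-latest
    permissions: { contents: write, id-token: write, attestations: write }
    env:
      CONFIG: ${{ inputs.goreleaser-config-path }}
    steps:
      - uses: actions/checkout@v4

      # Validate-first: the existing check stays ahead of SBOM detection.
      - name: Validate GoReleaser config has release disabled
        run: test "$(yq '.release.disable' "$CONFIG")" = "true"

      # Keys on the presence of a top-level sboms: block, as the PR states,
      # using the same yq binary the validation step already relies on.
      - name: Detect SBOM generation
        id: sbom
        run: echo "enabled=$(yq 'has("sboms")' "$CONFIG")" >> "$GITHUB_OUTPUT"

      # Full commit SHA pin: a moved tag cannot swap the installer under us.
      - name: Install Syft for SBOM generation
        if: steps.sbom.outputs.enabled == 'true'
        uses: anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0

      - name: Run GoReleaser
        run: goreleaser release --clean --config "$CONFIG"
        env: { GITHUB_TOKEN: "${{ github.token }}" }

      # Same artifact set on the draft release and in the attestation subject, so the
      # SBOM a user downloads is covered by the same provenance as the binaries.
      - name: Upload artifacts to draft release
        shell: bash
        run: |
          shopt -s nullglob   # no SBOMs generated => the glob expands to nothing, not a literal
          gh release upload "$TAG" dist/*.tar.gz dist/checksums.txt dist/*.spdx.json
        env: { GH_TOKEN: "${{ github.token }}", TAG: "${{ needs.create_release.outputs.tag }}" }
      - uses: actions/attest-build-provenance@v2
        with:
          subject-path: |
            dist/*.tar.gz
            dist/checksums.txt
            dist/*.spdx.json

  release_image:
    needs: create_release
    if: inputs.image-name != ''
    runs-on: ubuntu-latest
    steps:
      - run: echo "placeholder: build and push ${{ inputs.image-name }}"

  publish_release:
    needs: [create_release, release_goreleaser, release_image]
    # The optional build jobs may be skipped, which would skip this job under the default
    # success() gate; replace it, but still refuse to publish if a build job failed.
    if: >-
      ${{ !cancelled() && inputs.publish
          && needs.release_goreleaser.result != 'failure'
          && needs.release_image.result != 'failure' }}
    runs-on: ubuntu-latest
    permissions: { contents: write }
    steps:
      - run: gh release edit "$TAG" --draft=false
        env: { GH_TOKEN: "${{ github.token }}", TAG: "${{ needs.create_release.outputs.tag }}" }

  release_discussion:
    # The fix: depend on publish_release instead of running beside the build jobs. Under
    # the default success() gate a failed or skipped publish (publish: false) skips this
    # job, so no announcement fires for a release nobody can download.
    needs: [create_release, publish_release]
    if: inputs.create-discussion
    runs-on: ubuntu-latest
    steps:
      - run: echo "placeholder: create the announcement discussion for $TAG"
        env: { TAG: "${{ needs.create_release.outputs.tag }}" }
```

Two details carry the gating. A job whose `if:` contains no status-check function gets an implicit `success()` on all of its `needs`, which is exactly what makes `release_discussion` skip when `publish_release` failed or was itself skipped; the same default would also skip `publish_release` whenever an optional build job is skipped, which is why that job needs the explicit `!cancelled()` expression and its own failure checks. `shopt -s nullglob` keeps `gh release upload` from passing a literal `dist/*.spdx.json` to GitHub on the consumers for which detection returned `false` and no SBOM exists.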