ci: split release from build

[imnotjames]

Description

this moves the image build, notification, and the like to an on-release event rather
than as part of cutting the release via the release-main workflow

this allows us to more safely work on the cutting of the release while still allowing for a path
for creating releases manually -- via github's release flow.

this also makes the on-release-publish workflow more similar to the on-nightly workflow

Changes

• drop the skip-ci check - this is redundant with Github Actions features
• move the image build to a on-release workflow which runs when a stable release is published

Summary by CodeRabbit

• Chores
  • Switched CI to use native release events and streamlined release job flow for more consistent builds and deployments.
  • Removed conditional job skipping based on commit messages so key CI jobs run reliably.
  • Simplified backport control flow to depend only on successful semantic release.
• New Features
  • Added automated release-notification flow that prepares release comparisons and posts stable-release updates to Discord.

[coderabbitai]

📝 Walkthrough

Walkthrough

Switched publish workflow to trigger on GitHub release events; build now uses github.sha and github.event.release.tag_name. Added jobs to compute a previous v* base tag/compare URL and to notify Discord. The main release workflow removed downstream publish/notify jobs and related conditional gating.

Changes

Cohort / File(s)	Summary
Publish workflow & release notification .github/workflows/publish-release.yml	Replaced callable/manual inputs with release event trigger. Checkout uses github.sha; image tags and env vars use github.event.release.tag_name and github.sha. Removed step writing tag/commit to GITHUB_ENV. Added prepare-release-notification job (fetch tags, compute previous v* tag, output base_tag and compare_url) and notify-discord job (calls reusable workflow with release metadata).
Main release workflow adjustments .github/workflows/release-main.yml	Removed job-level [skip ci] gating from several jobs. Deleted publish/notify jobs and their dependencies/conditions. Updated backport-release to remove dependency on publish job and simplified condition to depend only on semantic-release.released == 'true'.

Sequence Diagram(s)

sequenceDiagram
    participant GH as "GitHub Actions"
    participant Repo as "Repository (git)"
    participant Discord as "Discord (reusable workflow)"

    GH->>Repo: Trigger on release event (released)
    GH->>Repo: Checkout using github.sha
    GH->>GH: Build & tag images (tag = github.event.release.tag_name)
    GH->>Repo: Fetch tags & compute previous v* tag (prepare-release-notification)
    GH->>GH: Emit base_tag and compare_url
    GH->>Discord: Invoke notify reusable workflow with tag, release URL, sha, base_tag, compare_url
    Discord-->>GH: Return notification result

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested labels

chore

Poem

🐇 I hopped from inputs to release-born light,
Tags and SHAs snug in moonlit sight,
I fetched the past, found the base-tag line,
Pushed a compare link and rung the chime,
Sent Discord a bell — the release is fine! 🎉

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title follows conventional commit format with type prefix 'ci:' and concise description 'split release from build' that accurately describes the main change.
Description check	✅ Passed	The description includes all required template sections with detailed explanations of what the PR does, linked issue field (empty as none exists), and specific changes listed.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

✨ Simplify code

• Create PR with simplified code

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[imnotjames]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

.github/workflows/release-main.yml (2)

37-40: ⚠️ Potential issue | 🔴 Critical

Stale semantic-release outputs — the producing step was removed but the outputs: block remains.

Lines 37-40 still map released / release_tag / release_sha from steps.release_state.outputs.*, but the Capture Release State step (id: release_state) was removed from this job. These outputs will therefore always evaluate to empty strings, which silently breaks every downstream consumer — in particular backport-release at lines 95 and 119-120.

See the consolidated comment on backport-release below for the full impact and a proposed direction.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release-main.yml around lines 37 - 40, The outputs block
still maps released, release_tag, and release_sha from
steps.release_state.outputs.*, but the producing step (id: release_state) was
removed so these will be empty and break consumers like the backport-release
step; fix by either restoring the Capture Release State step with id
release_state that sets those outputs or by removing the
released/release_tag/release_sha entries from the job outputs and updating
downstream references (e.g., the backport-release step) to use an alternative
source; ensure references to steps.release_state and the three output names
(released, release_tag, release_sha) are reconciled across the workflow.

---

93-134: ⚠️ Potential issue | 🔴 Critical

backport-release is broken: stale if:, missing outputs, and reference to a removed job.

After this PR, three compounding issues prevent this job from ever running successfully:

1. if: on line 95 references two things that no longer exist:

   • needs.semantic-release.outputs.released — always empty (see comment on lines 37-40; the release_state step was removed).
   • needs.publish-release.result — publish-release is not in needs (line 96) and has been moved to publish-release.yml (a different workflow, triggered by the release event). Cross-workflow job results are not accessible via needs.*.result. This sub-expression will never be 'success'.

   Net effect: the condition is permanently false, so backport-to-develop is silently disabled on every release.

2. RELEASE_SHA / RELEASE_TAG on lines 119-120 would be empty strings even if the if were fixed, so git cherry-pick -x "" fails and ${RELEASE_TAG#v} is empty.

3. Even with outputs restored, gating on publish-release success is no longer possible from this workflow. You likely need to either (a) move backport-release into publish-release.yml so it can depend on build-and-release, or (b) keep it here but drop the cross-workflow gating and derive tag/sha from git describe / the latest v* tag created by semantic-release.

🛠 Suggested direction (option A: move backport to the on-release workflow)

In publish-release.yml, add a job that needs build-and-release and uses github.event.release.tag_name / github.sha directly — no outputs required. Then delete backport-release from release-main.yml.

Option B (keep here) would look roughly like:

   backport-release:
     name: Backport Release Commit to Develop
-    if: ${{ needs.semantic-release.outputs.released == 'true' && needs.publish-release.result == 'success' }}
+    if: ${{ needs.semantic-release.outputs.released == 'true' }}
     needs: [semantic-release]

and restoring the Capture Release State step (or equivalent) in semantic-release so the three outputs are populated again. Note this loses the prior guarantee that the image was published before backporting.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release-main.yml around lines 93 - 134, The
backport-release job is disabled by a stale if condition and missing outputs;
fix by either moving the backport-release job into the publish-release.yml
workflow (so it can need build-and-release and read
github.event.release.tag_name and github.sha directly) or, if you keep
backport-release in this file, remove the broken if (the expression referencing
needs.semantic-release.outputs.released and needs.publish-release.result) and
instead derive RELEASE_TAG/RELEASE_SHA inside the job (e.g., use git fetch
--tags && RELEASE_TAG="$(git describe --tags --abbrev=0 --match 'v*')" and
RELEASE_SHA="$(git rev-list -n1 ${RELEASE_TAG})") before running git cherry-pick
-x; ensure the job uses the backport-release name and that the environment vars
RELEASE_TAG and RELEASE_SHA are set from these commands (or restore the
release_state step to populate outputs if you prefer to gate on semantic-release
outputs).

🧹 Nitpick comments (1)

.github/workflows/publish-release.yml (1)

92-105: Consider filtering pre-release tags and simplifying the fetch.

Two minor points:

1. git fetch origin main --tags --force — the main refspec and --force aren't needed here; only tags are consumed. git fetch origin --tags would suffice and avoids clobbering tags.
2. git tag --sort=-version:refname 'v*' will also match pre-release tags such as v1.2.3-rc1 / v2.0.0-beta.1. If you ever cut a stable release while a more recent RC tag exists, the "base" would be that RC and compare_url would diff against the pre-release rather than the prior stable. If your release process can produce v* pre-release tags, consider filtering them out (e.g., grep -Ev '-(rc|alpha|beta)').

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/publish-release.yml around lines 92 - 105, Replace the
fetch and tag-selection steps so we only fetch tags (remove the unnecessary
"main" refspec and "--force") and filter out prerelease tags when computing
BASE_TAG; specifically, change the "git fetch origin main --tags --force" usage
to a simple "git fetch origin --tags" call and update the BASE_TAG pipeline that
currently uses "git tag --sort=-version:refname 'v*' | grep -Fxv
\"$RELEASE_TAG\" | head -n 1" to exclude prerelease patterns (e.g., pipe through
a grep -Ev '-(rc|alpha|beta)' before removing $RELEASE_TAG) so the computed
BASE_TAG is the latest stable release tag rather than a prerelease.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/publish-release.yml:
- Around line 52-56: The tags list in the publish-release workflow concatenates
the release tag without a colon (the entry "grimmory/grimmory${{
github.event.release.tag_name }}"), causing Docker to treat it as part of the
repository name; update that entry to include the tag separator so it reads
"grimmory/grimmory:${{ github.event.release.tag_name }}" to match the GHCR
format and ensure the image is published under the proper vX.Y.Z tag.

---

Outside diff comments:
In @.github/workflows/release-main.yml:
- Around line 37-40: The outputs block still maps released, release_tag, and
release_sha from steps.release_state.outputs.*, but the producing step (id:
release_state) was removed so these will be empty and break consumers like the
backport-release step; fix by either restoring the Capture Release State step
with id release_state that sets those outputs or by removing the
released/release_tag/release_sha entries from the job outputs and updating
downstream references (e.g., the backport-release step) to use an alternative
source; ensure references to steps.release_state and the three output names
(released, release_tag, release_sha) are reconciled across the workflow.
- Around line 93-134: The backport-release job is disabled by a stale if
condition and missing outputs; fix by either moving the backport-release job
into the publish-release.yml workflow (so it can need build-and-release and read
github.event.release.tag_name and github.sha directly) or, if you keep
backport-release in this file, remove the broken if (the expression referencing
needs.semantic-release.outputs.released and needs.publish-release.result) and
instead derive RELEASE_TAG/RELEASE_SHA inside the job (e.g., use git fetch
--tags && RELEASE_TAG="$(git describe --tags --abbrev=0 --match 'v*')" and
RELEASE_SHA="$(git rev-list -n1 ${RELEASE_TAG})") before running git cherry-pick
-x; ensure the job uses the backport-release name and that the environment vars
RELEASE_TAG and RELEASE_SHA are set from these commands (or restore the
release_state step to populate outputs if you prefer to gate on semantic-release
outputs).

---

Nitpick comments:
In @.github/workflows/publish-release.yml:
- Around line 92-105: Replace the fetch and tag-selection steps so we only fetch
tags (remove the unnecessary "main" refspec and "--force") and filter out
prerelease tags when computing BASE_TAG; specifically, change the "git fetch
origin main --tags --force" usage to a simple "git fetch origin --tags" call and
update the BASE_TAG pipeline that currently uses "git tag
--sort=-version:refname 'v*' | grep -Fxv \"$RELEASE_TAG\" | head -n 1" to
exclude prerelease patterns (e.g., pipe through a grep -Ev '-(rc|alpha|beta)'
before removing $RELEASE_TAG) so the computed BASE_TAG is the latest stable
release tag rather than a prerelease.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 86332db8-ea58-4a9f-af22-adb56f98eab8

📥 Commits

Reviewing files that changed from the base of the PR and between f8cdcd5 and 1f1c445.

📒 Files selected for processing (2)

• .github/workflows/publish-release.yml
• .github/workflows/release-main.yml

📜 Review details

🔇 Additional comments (1)

.github/workflows/publish-release.yml (1)

107-123: Permissions are correctly set to empty. The reusable workflow notify-discord-release-notes.yml does not perform any GitHub-authenticated actions. Its two steps only compose a message and send it to Discord via webhook—neither requires GitHub API scopes. The permissions: {} in both the caller and callee is appropriate and intentional.

			> Likely an incorrect or invalid review comment.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/release-main.yml:
- Around line 120-121: The if condition for the backport-release job references
a non-existent needs.publish-release.result, which always evaluates false
because publish-release was removed from the needs list; fix by updating the
backport-release job's condition (the `if:` that reads
needs.semantic-release.outputs.released == 'true' &&
needs.publish-release.result == 'success') to remove the stale
`needs.publish-release.result == 'success'` clause (or alternatively re-add
`publish-release` to the job's `needs:` list if that dependency is required),
ensuring the `backport-release` job only relies on the actual declared
dependencies (see the `if:` expression and the `needs:` array for the
backport-release job).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d3dfbcde-e32d-42fa-a3b2-29e88c89b11a

📥 Commits

Reviewing files that changed from the base of the PR and between 1f1c445 and 551f61a.

📒 Files selected for processing (2)

• .github/workflows/publish-release.yml
• .github/workflows/release-main.yml

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/publish-release.yml

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/release-main.yml (1)

83-91: ⚠️ Potential issue | 🔴 Critical

Releases created via GITHUB_TOKEN will not trigger publish-release.yml.

With publish/notify jobs moved to .github/workflows/publish-release.yml (which triggers on release: types: [released]), the entire stable build and Discord notification chain now depends on the GitHub release event firing downstream.

When RELEASE_BOT_TOKEN is unset, the fallback github.token is used. Per GitHub Actions docs, events triggered by the default GITHUB_TOKEN (other than workflow_dispatch/repository_dispatch) do not start new workflow runs. Result: semantic-release publishes the GitHub release, but publish-release.yml never runs — no image is built, no Discord notification sent, and this failure is silent.

Required safeguards:

• Fail fast in this workflow if secrets.RELEASE_BOT_TOKEN is empty. This is now a hard dependency, not a soft fallback, since the cross-workflow trigger is load-bearing.
• Alternatively, add workflow_dispatch trigger to publish-release.yml so a missing PAT doesn't silently skip the build/notify chain.

Manual release creation via the GitHub UI is unaffected — that path is a user event and will trigger publish-release.yml correctly. The risk is strictly for semantic-release-driven releases on main.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release-main.yml around lines 83 - 91, The workflow
currently falls back to GITHUB_TOKEN which cannot trigger downstream workflows;
update the "Run semantic-release" step to fail fast when
secrets.RELEASE_BOT_TOKEN is empty by adding a pre-check that exits non-zero if
the secret is unset (i.e., verify secrets.RELEASE_BOT_TOKEN and stop the job
instead of assigning GH_TOKEN/GITHUB_TOKEN fallback), and ensure the env for the
step uses only RELEASE_BOT_TOKEN (GH_TOKEN/GITHUB_TOKEN should not be used as a
fallback); alternatively, add a workflow_dispatch trigger to publish-release.yml
so releases can be retriggered manually if the PAT is missing.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In @.github/workflows/release-main.yml:
- Around line 83-91: The workflow currently falls back to GITHUB_TOKEN which
cannot trigger downstream workflows; update the "Run semantic-release" step to
fail fast when secrets.RELEASE_BOT_TOKEN is empty by adding a pre-check that
exits non-zero if the secret is unset (i.e., verify secrets.RELEASE_BOT_TOKEN
and stop the job instead of assigning GH_TOKEN/GITHUB_TOKEN fallback), and
ensure the env for the step uses only RELEASE_BOT_TOKEN (GH_TOKEN/GITHUB_TOKEN
should not be used as a fallback); alternatively, add a workflow_dispatch
trigger to publish-release.yml so releases can be retriggered manually if the
PAT is missing.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 348438d7-119a-4cb2-954c-8b7d314d14dd

📥 Commits

Reviewing files that changed from the base of the PR and between 551f61a and dd70333.

📒 Files selected for processing (1)

• .github/workflows/release-main.yml

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)

• GitHub Check: Test Suite / Frontend Tests
• GitHub Check: Test Suite / Backend Tests
• GitHub Check: Frontend Lint Threshold Check
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: Analyze (java-kotlin)
• GitHub Check: Analyze (actions)

🔇 Additional comments (1)

.github/workflows/release-main.yml (1)

120-121: Stale publish-release gate is now removed — matches prior suggestion.

if: condition and needs: are consistent; backport-release will now run on any successful release rather than being silently skipped.