
chore: replace inline release job with reusable workflow reference #86

Merged: konradmichalik merged 1 commit into main from reusable-release-workflow on Nov 24, 2025


@konradmichalik konradmichalik commented Nov 24, 2025

Summary by CodeRabbit

  • Chores
    • Updated internal release workflow infrastructure to streamline the release process.



coderabbitai bot commented Nov 24, 2025

Walkthrough

The release workflow in .github/workflows/release.yml has been refactored to delegate the entire release job implementation to an external reusable workflow from the jackd248/reusable-github-actions repository, replacing all explicit job steps.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Workflow Simplification: .github/workflows/release.yml | Replaced explicit release job implementation (tag validation, checkout, release creation via softprops/gh-release) with delegation to external reusable workflow: jackd248/reusable-github-actions/.github/workflows/release.yml@main |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

  • Verify the external reusable workflow repository URL and reference are correct
  • Ensure the reusable workflow provides equivalent or compatible functionality to the replaced steps
  • Confirm no loss of existing release configuration or secrets handling during the delegation

Poem

🐰 One workflow calls another far away,
No more steps to write and maintain today,
A hop, a skip, the release flows clean,
Delegated magic behind the scenes! 🎉

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: replacing an inline release job implementation with a reusable workflow reference in the GitHub Actions configuration. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/release.yml (1)

1-10: Consider documenting the external workflow dependency.

The release workflow now depends on an external repository. For future maintainers, add a comment explaining:

  • Why the external reusable workflow is used (DRY principle, shared release logic across projects).
  • Where to find the workflow definition and how to troubleshoot release issues.
  • What happens if the external repository becomes unavailable.

Example:

# This workflow delegates to a reusable GitHub Actions from the jackd248/reusable-github-actions
# repository. See: https://github.com/jackd248/reusable-github-actions
📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between 609e80f and e17d405.

📒 Files selected for processing (1)
  • .github/workflows/release.yml (1 hunks)
🔇 Additional comments (1)
.github/workflows/release.yml (1)

9-10: Reusable workflow is properly configured; concerns verified.

The external workflow (jackd248/reusable-github-actions/.github/workflows/release.yml@main) is a legitimate workflow_call reusable workflow that correctly:

  • Requires no inputs, so the caller correctly omits the with: block
  • Validates tags match semantic versioning pattern [0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}
  • Uses established, maintained actions (actions/checkout@v6, softprops/action-gh-release@v2)
  • Generates release notes automatically

The delegation is properly implemented with no additional configuration required.

uses: softprops/action-gh-release@v2
with:
generate_release_notes: true
uses: jackd248/reusable-github-actions/.github/workflows/release.yml@main
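Review bot: The added `uses:` line hands the release job to a workflow in another repository, and the visible lines show no `permissions:` key on the calling job. A called workflow can only keep or narrow the token permissions the caller grants, so if the job does not already set one outside this hunk, declare `permissions:` with `contents: write` and nothing broader on it; that is the scope the removed `softprops/action-gh-release` step needed to create a release. This bound matters more here because the reference is the branch `@main` rather than a commit SHA.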

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

⚠️ Pin the reusable workflow to a semantic version tag instead of @main.

Using @main to reference the reusable workflow creates reproducibility and security risks:

  • The workflow behavior can change unexpectedly between release runs.
  • There's no guarantee of consistency or predictability.
  • If the external repository is compromised, your release process is vulnerable.

Replace @main with a semantic version tag (e.g., @v1.0.0) or a specific commit SHA.


🏁 Script executed:

#!/bin/bash
# Description: Verify available versions/tags in the external reusable-github-actions repository
# Expected: A list of semantic version tags or recent commit SHAs to pin to

# List available tags/releases (requires GitHub CLI)
gh api repos/jackd248/reusable-github-actions/tags --jq '.[].name' 2>/dev/null || \
  echo "Unable to fetch tags. Verify manually at: https://github.com/jackd248/reusable-github-actions/releases"

Length of output: 0




🏁 Script executed:

#!/bin/bash
# Alternative approach: Check if the workflow file exists and inspect it for inputs
# Also attempt to clone and inspect the external repository

# First, try to check if the repository is accessible via git
echo "=== Checking repository accessibility ==="
git ls-remote https://github.com/jackd248/reusable-github-actions.git refs/heads/main 2>&1 | head -5

echo ""
echo "=== Checking for tags ==="
git ls-remote --tags https://github.com/jackd248/reusable-github-actions.git 2>&1 | head -10

echo ""
echo "=== Checking current workflow for required inputs ==="
# Look for the workflow file in the current repo to see if it documents required inputs
fd --type f "release.yml" | head -5

Length of output: 180


🌐 Web query:

jackd248/reusable-github-actions GitHub repository

💡 Result:

I couldn't find a GitHub repository named jackd248/reusable-github-actions. I searched public sources for that exact repo and for the user jackd248; I did find several other jackd248 projects (examples below). (addons.ddev.com)

If you want, tell me whether:

  • the repository name might be slightly different, or
  • it could be private (I can't see private repos), or
  • you want me to search GitHub again for similarly named reusable-workflow repos from that user.



🏁 Script executed:

#!/bin/bash
# More direct search for the workflow file and inspection

echo "=== Finding release.yml file ==="
find . -name "release.yml" -type f 2>/dev/null

echo ""
echo "=== Inspecting .github/workflows directory ==="
ls -la .github/workflows/ 2>/dev/null || echo "Directory not found"

echo ""
echo "=== Checking the release.yml content ==="
cat .github/workflows/release.yml 2>/dev/null || echo "File not found"

Length of output: 588


Pin the reusable workflow to a specific commit SHA instead of @main.

Using @main creates reproducibility and security risks—the workflow behavior can change unexpectedly between release runs. While the external repository jackd248/reusable-github-actions has no published semantic version tags, you can pin to a specific commit SHA for stability.

Replace @main with the current main branch commit: @98d076d54d37d46abaaaeeb4259ea96e0c0f4aa8, or another stable commit from the external repository.

    uses: jackd248/reusable-github-actions/.github/workflows/release.yml@98d076d54d37d46abaaaeeb4259ea96e0c0f4aa8
🤖 Prompt for AI Agents
.github/workflows/release.yml around line 10: the reusable workflow is
referenced with an immutable branch ref (@main) which risks unknown changes;
replace the branch ref with a specific commit SHA from the external repo (for
example @98d076d54d37d46abaaaeeb4259ea96e0c0f4aa8) so the workflow is pinned to
a stable commit and update the uses line accordingly.

@konradmichalik konradmichalik merged commit f1f33ef into main Nov 24, 2025
28 checks passed
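
The pinning check discussed in the review above, as an added example that is not part of the PR or the project's code: a POSIX shell function that lists every `uses:` reference in a workflow file that is not pinned to a full 40-character commit SHA. The sample workflow is constructed, and `unpinned_uses`, `check_pinned` and `write_sample` are hypothetical names.

```sh
#!/bin/sh
# Added example (not from the PR): flag `uses:` references that are not pinned
# to a full 40-character commit SHA. Local (./) and docker: refs are skipped.

unpinned_uses() {
  awk -v q="'" '
    /^[ \t]*(-[ \t]+)?uses:[ \t]*/ {
      ref = $0
      sub(/^[ \t]*(-[ \t]+)?uses:[ \t]*/, "", ref)
      sub(/[ \t]*(#.*)?$/, "", ref)         # drop trailing space or "# v1.2.3"
      gsub("[\"" q "]", "", ref)            # drop surrounding quotes
      if (ref ~ /^\.\// || ref ~ /^docker:/) next
      at = index(ref, "@")
      # Pinned means: exactly 40 lowercase hex characters after the "@".
      if (at == 0 || length(ref) - at != 40 || substr(ref, at + 1) !~ /^[0-9a-f]+$/)
        printf "%s:%d: %s\n", FILENAME, FNR, ref
    }
  ' "$1"
}

# CI gate: returns 1 (and reports on stderr) if any file has a mutable ref.
check_pinned() {
  found=$(for f in "$@"; do unpinned_uses "$f"; done)
  if [ -n "$found" ]; then
    printf '%s\n' "$found" >&2
    return 1
  fi
}

# Constructed sample workflow; the SHA is the one quoted in the review above.
write_sample() {
  cat > "$1" <<'EOF'
jobs:
  release:
    uses: jackd248/reusable-github-actions/.github/workflows/release.yml@main
  pinned:
    uses: jackd248/reusable-github-actions/.github/workflows/release.yml@98d076d54d37d46abaaaeeb4259ea96e0c0f4aa8 # main
  steps_job:
    steps:
      - uses: actions/checkout@v6
      - uses: ./.github/actions/local
EOF
}

sample=$(mktemp)
write_sample "$sample"
check_pinned "$sample" || echo "unpinned references found"
rm -f "$sample"
```

A version tag such as `@v6` is reported as well, because a tag can be moved to a different commit just as a branch can.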