ci(ci): add infra for maintenance branches #492

Merged: BenGSchulz merged 1 commit into main from ci/release-maintenance-branches, Apr 13, 2026

@BenGSchulz
Contributor

  • .releaserc.json (4 files) — Added --tag ${nextRelease.channel || 'latest'} to publishCmd. No-op on main, passes correct dist-tag on maintenance branches.

  • release.yml — Added release/** trigger, per-ref concurrency group, [skip ci] job guard.

  • pr-checks.yml — Added release/** target, replaced 2 hardcoded origin/main refs with origin/${{ github.event.pull_request.base.ref }}.

  • dev-publish.yml — Added release/** target, replaced hardcoded origin/main with dynamic base ref.

  • dev-cleanup.yml — Added release/** target, replaced hardcoded ref: main checkout with dynamic base ref.

  • scripts/create-maintenance-branch.sh (new) — Helper script to automate branch creation from a tag with .releaserc.json configuration.

  • CONTRIBUTING.md — Added "Maintenance Releases" section documenting the full workflow.

Copilot AI review requested due to automatic review settings April 13, 2026 03:45
@github-actions

github-actions bot commented Apr 13, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Review | Updated (PT) |
| --- | --- | --- | --- |
| apollo-canvas | 🟢 Ready | Preview, Logs | Apr 13, 2026, 01:09:13 PM |
| apollo-landing | 🟢 Ready | Preview, Logs | Apr 13, 2026, 01:06:40 PM |
| apollo-ui-react | 🟢 Ready | Preview, Logs | Apr 13, 2026, 01:08:11 PM |
| apollo-vertex | 🟢 Ready | Preview, Logs | Apr 13, 2026, 01:07:52 PM |
| apollo-wind | 🟢 Ready | Preview, Logs | Apr 13, 2026, 01:07:26 PM |

Comment thread .github/workflows/dev-publish.yml Fixed
Comment thread .github/workflows/pr-checks.yml Fixed
Comment thread .github/workflows/pr-checks.yml Fixed
@github-actions github-actions bot added the size:L 100-499 changed lines. label Apr 13, 2026
@github-actions

Dependency License Review

  • 1948 package(s) scanned
  • ✅ No license issues found
  • ⚠️ 4 package(s) excluded (see details below)
License distribution

| License | Packages |
| --- | --- |
| MIT | 1707 |
| ISC | 89 |
| Apache-2.0 | 61 |
| BSD-3-Clause | 28 |
| BSD-2-Clause | 23 |
| BlueOak-1.0.0 | 8 |
| MPL-2.0 | 5 |
| MIT OR Apache-2.0 | 3 |
| MIT-0 | 3 |
| CC0-1.0 | 3 |
| LGPL-3.0-or-later | 2 |
| Unknown | 2 |
| (MIT OR Apache-2.0) | 2 |
| Unlicense | 2 |
| Python-2.0 | 1 |
| CC-BY-4.0 | 1 |
| (MPL-2.0 OR Apache-2.0) | 1 |
| Artistic-2.0 | 1 |
| (WTFPL OR MIT) | 1 |
| (BSD-2-Clause OR MIT OR Apache-2.0) | 1 |
| CC-BY-3.0 | 1 |
| 0BSD | 1 |
| (MIT OR CC0-1.0) | 1 |
| MIT AND ISC | 1 |

Excluded packages

| Package | Version | License | Reason |
| --- | --- | --- | --- |
| @img/sharp-libvips-linux-x64 | 1.2.4 | LGPL-3.0-or-later | LGPL pre-built binary, not linked |
| @img/sharp-libvips-linuxmusl-x64 | 1.2.4 | LGPL-3.0-or-later | LGPL pre-built binary, not linked |
| @uipath/proteus-client | 0.1.10 | Unknown | UiPath internal package, Proprietary license |
| khroma | 2.1.0 | Unknown | MIT per GitHub repo, missing license field in package.json |

Copilot AI left a comment

Pull request overview

Adds CI/release support for package-scoped maintenance branches (release/**) so older major lines can receive backported fixes and publish under a dedicated npm dist-tag.

Changes:

  • Pass a channel-derived npm dist-tag into the publish script from semantic-release configs.
  • Extend GitHub Actions workflows to run on release/** and to diff against the PR’s actual base ref.
  • Add a helper script + contributing docs for creating and operating maintenance branches.

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| web-packages/ap-chat/.releaserc.json | Publish with a branch/channel-specific dist-tag for maintenance releases. |
| packages/apollo-wind/.releaserc.json | Same dist-tag publishing change. |
| packages/apollo-react/.releaserc.json | Same dist-tag publishing change. |
| packages/apollo-core/.releaserc.json | Same dist-tag publishing change. |
| scripts/create-maintenance-branch.sh | New automation script to create/configure maintenance branches from tags. |
| CONTRIBUTING.md | Documents the maintenance release workflow (branching, backports, installs). |
| .github/workflows/release.yml | Run releases on release/**, per-ref concurrency, skip-ci guard. |
| .github/workflows/pr-checks.yml | Run PR checks for PRs targeting release/**; diff vs dynamic base ref. |
| .github/workflows/dev-publish.yml | Enable dev publish for release/**; diff vs dynamic base ref. |
| .github/workflows/dev-cleanup.yml | Enable cleanup for release/**; checkout dynamic base ref. |

Comment thread scripts/create-maintenance-branch.sh Outdated
Comment thread scripts/create-maintenance-branch.sh
Comment thread scripts/create-maintenance-branch.sh Outdated
@BenGSchulz BenGSchulz force-pushed the ci/release-maintenance-branches branch from a08eea2 to a15c7c4 April 13, 2026 05:31
@CalinaCristian
Collaborator

PR Review — Maintenance Branch Infrastructure

Reviewed the full CI/CD setup (all 14 workflows, all .releaserc.json files, and publish-to-registries.sh) against the changes in this PR. Overall this is well-implemented — consistent, minimal, and backward-compatible.


What looks good

  • Core workflow coverage is complete. All 4 workflows that matter for the release lifecycle (release.yml, pr-checks.yml, dev-publish.yml, dev-cleanup.yml) are updated with release/** triggers and dynamic base refs.
  • All hardcoded origin/main references replaced. The BASE_REF env var pattern is the right approach.
  • release.yml concurrency is now per-ref. Without ${{ github.ref }} in the group, a maintenance release and a main release would cancel each other. Critical fix.
  • [skip ci] guard prevents recursive triggers. Both the maintenance script commit and the release version-bump commit include [skip ci]. Both paths covered.
  • All 4 .releaserc.json files updated. apollo-core, apollo-react, apollo-wind, ap-chat — every publishable package. The ${nextRelease.channel || 'latest'} expression is a no-op on main, so no behavioral change for existing releases.
  • publish-to-registries.sh needs no changes — it already passes $@ through, so --tag flows to both npm and GitHub Package Registry.
  • Helper script is solid — input validation, jq check, branch existence check, idempotent jq transform, clear next-steps.

Items worth discussing

1. Workflows not updated — intentional?

These workflows still only trigger on branches: [main]:

| Workflow | Impact on maintenance branches |
| --- | --- |
| codeql.yml | PRs targeting release/** won't get CodeQL analysis |
| security-scan.yml (zizmor) | PRs targeting release/** won't get workflow security scanning |
| pr-size.yml | No size labels on maintenance branch PRs |
| vercel-deploy.yml | No preview deployments for maintenance branch PRs |
| apollo-vertex-*.yml | No vertex lint/registry/auto-merge |

Most of these seem intentionally scoped to main. But CodeQL and security-scan might be worth extending to release/** — if someone backports a fix that introduces a vulnerability, it wouldn't be caught. Low-effort addition (- 'release/**' in the branches array).

2. Branch protection for release/**

The CONTRIBUTING.md docs show both PR-based and direct-push workflows for maintenance branches. If release/** branches don't have branch protection rules, there's no safeguard against pushing broken code directly. Might be the intended model for quick backports, but worth a conscious decision.

3. No automated test for the helper script

create-maintenance-branch.sh is 120 lines with non-trivial jq logic (inserting before "main" in the branches array). Given it's a rarely-used manual script this is probably fine, but the jq transform could silently break if .releaserc.json structure changes.


Verdict

Looks good to me. The only thing I'd want confirmed before approving is item #1 — whether the CodeQL/security-scan omission is a conscious choice.
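
Item 1 of the review above can be checked mechanically. The following is an added example, not part of the PR or the repository: it scans workflow text for `branches:` filters that list `main` but not `release/**`. The workflow snippets (including `nightly.yml`) and the function names are constructed assumptions.

```javascript
// Added example. The workflow snippets below are constructed for illustration;
// they are not the repository's real files.
const SAMPLE_WORKFLOWS = {
  'codeql.yml': 'on:\n  push:\n    branches: [main]\n  pull_request:\n    branches: [main]\n',
  'security-scan.yml': 'on:\n  pull_request:\n    branches:\n      - main\n',
  'pr-checks.yml': "on:\n  pull_request:\n    branches:\n      - main\n      - 'release/**'\n",
  'nightly.yml': 'on:\n  schedule:\n    - cron: "0 3 * * *"\n',
};

// Collect every `branches:` filter in a workflow, in inline ([a, b]) or
// block (- a) form. Deliberately minimal: no anchors, no branches-ignore,
// no trailing comments on list items.
function branchFilters(yamlText) {
  const lines = yamlText.split('\n');
  const filters = [];
  for (let i = 0; i < lines.length; i++) {
    const m = lines[i].match(/^\s*branches:\s*(.*)$/);
    if (!m) continue;
    let items = [];
    if (m[1].startsWith('[')) {
      items = m[1].replace(/^\[/, '').replace(/\].*$/, '').split(',');
    } else {
      for (let j = i + 1; j < lines.length && /^\s*-\s+/.test(lines[j]); j++) {
        items.push(lines[j].replace(/^\s*-\s+/, ''));
      }
    }
    filters.push(items.map((s) => s.trim().replace(/^['"]|['"]$/g, '')).filter(Boolean));
  }
  return filters;
}

// A workflow has a gap when any trigger lists `main` but not the maintenance pattern.
// Workflows with no branch filter at all (e.g. scheduled jobs) are not flagged.
function missingReleaseCoverage(workflows, pattern = 'release/**') {
  return Object.keys(workflows)
    .filter((file) => branchFilters(workflows[file])
      .some((f) => f.includes('main') && !f.includes(pattern)))
    .sort();
}

console.log(missingReleaseCoverage(SAMPLE_WORKFLOWS));
```

Run against the real `.github/workflows` contents, a non-empty result lists the scanners that will not see backport PRs.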

Copilot AI review requested due to automatic review settings April 13, 2026 20:05
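
Item 3 of the review above notes that the insert-before-"main" transform could silently break if the `.releaserc.json` structure changes. As an added example (JavaScript, not the helper script's jq and not project code), this is the same step written to be idempotent and to fail loudly; the branch name and the `range`/`channel` values are constructed.

```javascript
// Added example. Branch and channel names are constructed; `name`, `range` and
// `channel` are semantic-release branch properties.
function addMaintenanceBranch(releaserc, entry) {
  const branches = releaserc.branches;
  if (!Array.isArray(branches)) {
    throw new Error('.releaserc.json has no "branches" array');
  }
  // Branch entries may be plain strings or objects with a `name`.
  const nameOf = (b) => (typeof b === 'string' ? b : b && b.name);
  // Idempotent: a second run with the same branch leaves the config untouched.
  if (branches.some((b) => nameOf(b) === entry.name)) return releaserc;
  const mainIndex = branches.findIndex((b) => nameOf(b) === 'main');
  // Fail loudly rather than silently emitting a config without the new branch.
  if (mainIndex === -1) {
    throw new Error('"main" not found in branches; refusing to guess a position');
  }
  // Return a new object so the caller's config is never mutated.
  return {
    ...releaserc,
    branches: [...branches.slice(0, mainIndex), entry, ...branches.slice(mainIndex)],
  };
}

const SAMPLE_RELEASERC = { branches: ['main'], plugins: [] };
const SAMPLE_ENTRY = { name: 'release/example-pkg-1.x', range: '1.x', channel: '1.x' };

// Exercise the three cases a test for the helper should cover.
function demo() {
  const once = addMaintenanceBranch(SAMPLE_RELEASERC, SAMPLE_ENTRY);
  const twice = addMaintenanceBranch(once, SAMPLE_ENTRY);
  let structureError = null;
  try {
    addMaintenanceBranch({ branches: [{ name: 'master' }] }, SAMPLE_ENTRY);
  } catch (err) {
    structureError = err.message;
  }
  return { once, twice, structureError };
}

console.log(JSON.stringify(demo(), null, 2));
```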
@BenGSchulz BenGSchulz force-pushed the ci/release-maintenance-branches branch from a15c7c4 to 6de4ef3 April 13, 2026 20:05

Copilot AI left a comment

Pull request overview

Copilot reviewed 13 out of 13 changed files in this pull request and generated 1 comment.

Comment thread scripts/create-maintenance-branch.sh
@BenGSchulz BenGSchulz merged commit 15ef6b7 into main Apr 13, 2026
41 checks passed
@BenGSchulz BenGSchulz deleted the ci/release-maintenance-branches branch April 13, 2026 20:36