chore(release): rewrite release pipeline with App auth and cosign signing (#79)

bmadcode · web-flow · commit 7a0361499e86 · 2026-04-23T00:33:42.000-05:00
* chore(release): rewrite release workflow with App auth and cosign signing

Replaces manual-release.yaml with release.yaml modeled on bmad-method's
publish.yaml. Uses BMAD Release Bot App token for pushes to protected
main, runs full `npm test` validation stack, signs tag SHA with cosign
keyless via GitHub OIDC, and extracts release body from CHANGELOG.md
using keep-a-changelog bracket format.

Drops two broken steps from the old workflow: `npm run validate`
(script does not exist) and `sed tools/installer/package.json` (path
does not exist).

Adds v1.7.0 CHANGELOG entry. First release under the new pipeline.

* fix(release): remove broken legacy test scripts and align release CI with PR CI

Removes five package.json scripts that reference files removed in
earlier refactors (test/, src/ paths that no longer exist in bmb):
- test
- test:refs (node test/test-validate-file-refs.cjs)
- test:schemas (node test/test-agent-schema.js)
- validate:refs (scans src/ which bmb does not use)
- validate:schemas (node test/validate-agent-schema.js)

None of these have worked for some time. The old manual-release.yaml
called `npm run validate` which also did not exist. Real test coverage
can be added later when there is something meaningful to assert.

Realigns release workflow validation step to run the same checks
quality.yaml runs on PRs: format:check and lint:md. If a PR is green,
the release workflow has nothing stricter to fail on.

Also fixes prettier YAML syntax error on the Bump version step by
converting the inline run to block scalar form.
diff --git a/.github/workflows/manual-release.yaml b/.github/workflows/manual-release.yaml
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -0,0 +1,133 @@
+name: Release
+
+on:
+  workflow_dispatch:
+    inputs:
+      bump:
+        description: "Version bump type"
+        required: true
+        default: "patch"
+        type: choice
+        options:
+          - patch
+          - minor
+          - major
+
+concurrency:
+  group: release
+  cancel-in-progress: false
+
+permissions:
+  id-token: write
+  contents: write
+
+jobs:
+  release:
+    if: github.repository == 'bmad-code-org/bmad-builder' && github.ref == 'refs/heads/main'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ secrets.RELEASE_APP_ID }}
+          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
+
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          token: ${{ steps.app-token.outputs.token }}
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: ".nvmrc"
+          cache: "npm"
+
+      - name: Configure git user
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run validation
+        run: |
+          npm run format:check
+          npm run lint:md
+
+      - name: Bump version
+        run: |
+          npm version ${{ inputs.bump }} -m "chore(release): v%s [skip ci]"
+
+      - name: Capture new version
+        id: version
+        run: |
+          VERSION=$(node -p "require('./package.json').version")
+          echo "version=${VERSION}" >> $GITHUB_OUTPUT
+          echo "tag=v${VERSION}" >> $GITHUB_OUTPUT
+
+      - name: Push version commit and tag
+        run: git push origin main --follow-tags
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3
+
+      - name: Sign tag SHA with cosign (keyless)
+        run: |
+          TAG="${{ steps.version.outputs.tag }}"
+          SHA=$(git rev-parse "${TAG}")
+          printf '%s' "${SHA}" > "${TAG}.sha"
+          cosign sign-blob --yes \
+            --output-signature "${TAG}.sig" \
+            --output-certificate "${TAG}.pem" \
+            "${TAG}.sha"
+
+      - name: Create GitHub Release
+        run: |
+          TAG="${{ steps.version.outputs.tag }}"
+          VERSION="${{ steps.version.outputs.version }}"
+          BODY=$(awk -v ver="$VERSION" '
+            /^## \[/ { if (found) exit; if (index($0, "## [" ver "]")) found=1; next }
+            found { print }
+          ' CHANGELOG.md)
+          if [ -z "$BODY" ]; then
+            echo "::error::No CHANGELOG.md entry found for $TAG. Add a '## [${VERSION}] - YYYY-MM-DD' section before releasing."
+            exit 1
+          fi
+          gh release create "$TAG" \
+            --title "BMad Builder $TAG" \
+            --notes "$BODY" \
+            "${TAG}.sig" \
+            "${TAG}.pem" \
+            "${TAG}.sha"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Notify Discord
+        if: success()
+        continue-on-error: true
+        run: |
+          set -o pipefail
+          source .github/scripts/discord-helpers.sh
+          [ -z "$WEBHOOK" ] && exit 0
+          TAG="${{ steps.version.outputs.tag }}"
+          RELEASE_URL="${{ github.server_url }}/${{ github.repository }}/releases/tag/${TAG}"
+          MSG=$(printf '🛠️ **[BMad Builder %s released](<%s>)**' "$TAG" "$RELEASE_URL" | esc)
+          jq -n --arg content "$MSG" '{content: $content}' | curl -sf --retry 2 -X POST "$WEBHOOK" -H "Content-Type: application/json" -d @-
+        env:
+          WEBHOOK: ${{ secrets.DISCORD_WEBHOOK }}
+
+      - name: Summary
+        run: |
+          TAG="${{ steps.version.outputs.tag }}"
+          SHA=$(git rev-parse "${TAG}")
+          {
+            echo "## Released ${TAG}"
+            echo ""
+            echo "- **GitHub Release:** https://github.com/${{ github.repository }}/releases/tag/${TAG}"
+            echo "- **Tag SHA (cosign-signed):** \`${SHA}\`"
+            echo "- **Signature artifacts:** \`${TAG}.sig\`, \`${TAG}.pem\`, \`${TAG}.sha\` attached to the release"
+          } >> $GITHUB_STEP_SUMMARY
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,11 @@
 # Changelog
 
+## [1.7.0] - 2026-04-23
+
+### 📚 Documentation
+
+* **Customization authoring flow awareness** — `explanation/customization-for-authors.md` and `how-to/make-a-skill-customizable.md` now mention `bmad-customize`, the conversational authoring helper that walks users through scope selection, override writing, and merge verification. Guides authors to pick field names and defaults that read well in that flow, while preserving that hand-writing TOML still works for users who prefer it (#78)
+
 ## [1.6.0] - 2026-04-20
 
 ### 🎁 Features
diff --git a/package.json b/package.json
@@ -30,12 +30,7 @@
     "lint": "eslint . --ext .js,.cjs,.mjs,.yaml --max-warnings=0",
     "lint:fix": "eslint . --ext .js,.cjs,.mjs,.yaml --fix",
     "lint:md": "markdownlint-cli2 \"**/*.md\"",
-    "prepare": "husky || exit 0",
-    "test": "npm run test:schemas && npm run test:refs && npm run validate:schemas && npm run lint && npm run lint:md && npm run format:check",
-    "test:refs": "node test/test-validate-file-refs.cjs",
-    "test:schemas": "node test/test-agent-schema.js",
-    "validate:refs": "node tools/validate-file-refs.mjs",
-    "validate:schemas": "node test/validate-agent-schema.js"
+    "prepare": "husky || exit 0"
   },
   "lint-staged": {
     "*.{js,cjs,mjs}": [
