chore(release): rewrite release pipeline with App auth and cosign signing #79

Merged: bmadcode merged 2 commits into main from versioning-overhaul on Apr 23, 2026

Conversation

bmadcode (Contributor) commented Apr 23, 2026

Summary

  • Replace manual-release.yaml with release.yaml, modeled on bmad-method's publish.yaml
  • Use BMAD Release Bot GitHub App for pushes to protected main
  • Sign released tag SHA with cosign keyless via GitHub OIDC
  • Extract release body from CHANGELOG.md using keep-a-changelog bracket format (## [VERSION])
  • Fix two broken steps in the old workflow (npm run validate referenced a nonexistent script; sed tools/installer/package.json targeted a nonexistent path)
  • Add v1.7.0 CHANGELOG entry for the first release under the new pipeline

Why

bmb's existing release workflow had not been exercised since v1.4.0 and contained two bugs that would cause it to fail on any run. Version drift accumulated: v1.5.0 and v1.6.0 were prepared (CHANGELOG entries + package.json bumps) but never tagged, because the manual workflow was never triggered. This rewrite adopts the proven publish.yaml pattern from bmad-method as the template for a consistent release process across all BMad external modules.

Retroactive v1.5.0 and v1.6.0 tags will be pushed separately after v1.7.0 validates the new pipeline end-to-end.

Test plan

  • Merge this PR to main
  • Trigger Release workflow via workflow_dispatch with bump=minor
  • Verify v1.7.0 tag is pushed, version commit lands on main, GitHub Release is created with CHANGELOG-extracted body
  • Verify v1.7.0.sig, v1.7.0.pem, and v1.7.0.sha are attached to the GitHub Release
  • Verify Discord notification fires (only if DISCORD_WEBHOOK secret is configured)
  • Run cosign verify-blob locally against the release artifacts to confirm signature chain back to GitHub OIDC identity

Summary by CodeRabbit

  • Documentation
    • Updated guides to reference customization features and align author guidance with the workflow documentation; clarified continued support for TOML configuration.
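The local `cosign verify-blob` step from the test plan, written out as an added shell example (not part of the PR or the project): it checks that the three artifacts are present, that the signed `.sha` is a git object id, and that the certificate was issued by GitHub's OIDC provider to this repository's `release.yaml` running on `main`, which is the pin that keeps any other keyless signature from passing. The `EXAMPLE_ORG/EXAMPLE_REPO` placeholder, the `COSIGN_BIN` override and the optional `EXPECTED_SHA` argument are assumptions.

```shell
#!/bin/sh
# Added example, not from the PR: local verification of the v<ver>.sig/.pem/.sha
# artifacts release.yaml attaches. Org/repo and the cosign path are assumptions;
# the issuer and identity shape are what GitHub Actions keyless signing puts in
# the Fulcio certificate (identity = workflow file ref that ran the signing job).
COSIGN_BIN="${COSIGN_BIN:-cosign}"
GITHUB_OIDC_ISSUER="https://token.actions.githubusercontent.com"
# Placeholder: replace with the <org>/<repo> that runs release.yaml.
RELEASE_REPO="${RELEASE_REPO:-EXAMPLE_ORG/EXAMPLE_REPO}"
WORKFLOW_IDENTITY="https://github.com/${RELEASE_REPO}/.github/workflows/release.yaml@refs/heads/main"

# verify_release_artifacts TAG DIR [EXPECTED_SHA]
#  1. all three artifacts exist in DIR;
#  2. the signed .sha is a 40-hex git object id (what `git rev-parse` writes);
#  3. cosign accepts the signature AND the certificate identity is pinned to this
#     repo's release workflow on main; without --certificate-identity and
#     --certificate-oidc-issuer, a keyless signature from any workflow would pass;
#  4. optionally, the signed SHA equals the object you resolved locally.
verify_release_artifacts() {
  tag="$1"; dir="$2"; expected="${3:-}"
  for ext in sig pem sha; do
    [ -f "$dir/$tag.$ext" ] || { echo "missing $tag.$ext" >&2; return 1; }
  done
  signed_sha=$(cat "$dir/$tag.sha")
  case "$signed_sha" in
    ""|*[!0-9a-f]*) echo "$tag.sha is not a hex object id" >&2; return 1 ;;
  esac
  [ "${#signed_sha}" -eq 40 ] || { echo "$tag.sha has wrong length" >&2; return 1; }
  "$COSIGN_BIN" verify-blob \
    --certificate "$dir/$tag.pem" \
    --signature "$dir/$tag.sig" \
    --certificate-oidc-issuer "$GITHUB_OIDC_ISSUER" \
    --certificate-identity "$WORKFLOW_IDENTITY" \
    "$dir/$tag.sha" || { echo "cosign rejected $tag" >&2; return 1; }
  if [ -n "$expected" ] && [ "$signed_sha" != "$expected" ]; then
    echo "signed SHA $signed_sha does not match expected $expected" >&2
    return 1
  fi
  echo "$tag verified: signed object $signed_sha"
}
```

Call it as `verify_release_artifacts v1.7.0 ./assets "$(git rev-parse v1.7.0)"` after downloading the release assets; the third argument should be whatever object the workflow actually signed, which for an annotated tag is the tag object rather than the commit.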

…ning

Replaces manual-release.yaml with release.yaml modeled on bmad-method's
publish.yaml. Uses BMAD Release Bot App token for pushes to protected
main, runs full `npm test` validation stack, signs tag SHA with cosign
keyless via GitHub OIDC, and extracts release body from CHANGELOG.md
using keep-a-changelog bracket format.

Drops two broken steps from the old workflow: `npm run validate`
(script does not exist) and `sed tools/installer/package.json` (path
does not exist).

Adds v1.7.0 CHANGELOG entry. First release under the new pipeline.
coderabbitai Bot commented Apr 23, 2026

Warning

Rate limit exceeded

@bmadcode has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 55 minutes and 41 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 55 minutes and 41 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 2633289 and 7fa1c6f.

📒 Files selected for processing (2)
  • .github/workflows/release.yaml
  • package.json

Walkthrough

The pull request removes the existing manual release workflow and replaces it with a new release workflow that adds cosign signing and Discord notification capabilities. The changelog is updated to document version 1.7.0 with documentation updates.

Changes

Cohort / File(s) and Summary:

  • Release Workflow Refactoring (.github/workflows/manual-release.yaml, .github/workflows/release.yaml): Removes the manual-release workflow and introduces a new release workflow with enhanced capabilities: keyless cosign signing of commits, changelog-based release notes extraction, and Discord notifications on successful releases.
  • Version Documentation (CHANGELOG.md): Adds version 1.7.0 release notes documenting updates to guides for bmad-customize reference and author guidance alignment.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰✨ A new release dance begins,
With cosign's cryptographic grins,
Discord bells ring out so true,
Version bumps in skies so blue,
Our workflows hop to heights anew! 🚀

Pre-merge checks: 5 passed

  • Description Check: Passed. Check skipped; CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title accurately summarizes the main change: rewriting the release pipeline with App authentication and cosign signing. It is specific, concise, and reflects the primary objective of replacing the old manual-release.yaml with the new release.yaml that includes these security enhancements.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.

augmentcode Bot commented Apr 23, 2026

🤖 Augment PR Summary

Summary: This PR rewrites the repository’s release automation to use a new GitHub Actions workflow with GitHub App authentication and cosign signing.

Changes:

  • Replaces the old manual-release.yaml workflow with a new release.yaml pipeline.
  • Uses a GitHub App token to push version commits and tags to protected main.
  • Runs the full project validation via npm test, then bumps version via npm version and pushes tags.
  • Signs the released tag SHA using cosign keyless signing via GitHub OIDC, producing .sig/.pem/.sha artifacts.
  • Creates the GitHub Release via gh release create, extracting the release notes from CHANGELOG.md based on ## [VERSION] sections.
  • Adds a 1.7.0 CHANGELOG entry and includes an optional Discord notification step.

Technical Notes: The workflow is workflow_dispatch-only, serialized via concurrency, and relies on keep-a-changelog bracket headings for release-note extraction.

augmentcode Bot left a comment

Review completed. 2 suggestions posted.

      - name: Sign tag SHA with cosign (keyless)
        run: |
          TAG="${{ steps.version.outputs.tag }}"
          SHA=$(git rev-parse "${TAG}")

augmentcode Bot commented Apr 23, 2026

In .github/workflows/release.yaml:78, git rev-parse "${TAG}" will resolve to the tag object SHA if the tag ever becomes annotated, which can make the signed/printed “tag SHA” differ from the commit the tag points to. That mismatch would be confusing for downstream verification and the workflow summary.

Other locations where this applies: .github/workflows/release.yaml:123

Severity: medium

[ -z "$WEBHOOK" ] && exit 0
TAG="${{ steps.version.outputs.tag }}"
RELEASE_URL="${{ github.server_url }}/${{ github.repository }}/releases/tag/${TAG}"
MSG=$(printf '🛠️ **[BMad Builder %s released](<%s>)**' "$TAG" "$RELEASE_URL" | esc)

augmentcode Bot commented Apr 23, 2026

In .github/workflows/release.yaml:115, piping the formatted Markdown message through esc escapes *, [, and ], so the Discord post likely won’t render as bold text / a clickable link. This seems unintended given the message uses Markdown formatting.

Severity: low

…with PR CI

Removes five package.json scripts that reference files removed in
earlier refactors (test/, src/ paths that no longer exist in bmb):
- test
- test:refs (node test/test-validate-file-refs.cjs)
- test:schemas (node test/test-agent-schema.js)
- validate:refs (scans src/ which bmb does not use)
- validate:schemas (node test/validate-agent-schema.js)

None of these have worked for some time. The old manual-release.yaml
called `npm run validate` which also did not exist. Real test coverage
can be added later when there is something meaningful to assert.

Realigns release workflow validation step to run the same checks
quality.yaml runs on PRs: format:check and lint:md. If a PR is green,
the release workflow has nothing stricter to fail on.

Also fixes prettier YAML syntax error on the Bump version step by
converting the inline run to block scalar form.

coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/release.yaml:
- Around line 69-102: Move the changelog validation from the "Create GitHub
Release" step to run before the "Push version commit and tag" step: extract
VERSION and TAG and run the BODY extraction logic (the awk block that sets BODY
from CHANGELOG.md using VERSION) and fail early if BODY is empty so the workflow
exits before executing the "Push version commit and tag" step; update references
to the TAG/VERSION variables so the same extraction is used for both validation
and later release creation, ensuring the git push and tagging only occur after
the check passes.
- Line 60: Replace the problematic run line that contains the unquoted colon in
the commit message (the line starting with "run: npm version ${{ inputs.bump }}
-m \"chore(release): v%s [skip ci]\"") with a YAML block scalar or a properly
quoted scalar so the colon doesn't break parsing; e.g., change the run value to
use a pipe-style block (run: | followed by the npm command on the next line) or
wrap the -m argument in single quotes (e.g., -m 'chore(release): v%s [skip ci]')
to ensure the commit message containing "chore(release): v%s [skip ci]" is
parsed correctly.
📥 Commits

Reviewing files that changed from the base of the PR and between 7a48868 and 2633289.

📒 Files selected for processing (3)
  • .github/workflows/manual-release.yaml
  • .github/workflows/release.yaml
  • CHANGELOG.md
💤 Files with no reviewable changes (1)
  • .github/workflows/manual-release.yaml

Comment on .github/workflows/release.yaml, lines 69 to 102 (outdated):
      - name: Push version commit and tag
        run: git push origin main --follow-tags

      - name: Install cosign
        uses: sigstore/cosign-installer@v3

      - name: Sign tag SHA with cosign (keyless)
        run: |
          TAG="${{ steps.version.outputs.tag }}"
          SHA=$(git rev-parse "${TAG}")
          printf '%s' "${SHA}" > "${TAG}.sha"
          cosign sign-blob --yes \
            --output-signature "${TAG}.sig" \
            --output-certificate "${TAG}.pem" \
            "${TAG}.sha"

      - name: Create GitHub Release
        run: |
          TAG="${{ steps.version.outputs.tag }}"
          VERSION="${{ steps.version.outputs.version }}"
          BODY=$(awk -v ver="$VERSION" '
            /^## \[/ { if (found) exit; if (index($0, "## [" ver "]")) found=1; next }
            found { print }
          ' CHANGELOG.md)
          if [ -z "$BODY" ]; then
            echo "::error::No CHANGELOG.md entry found for $TAG. Add a '## [${VERSION}] - YYYY-MM-DD' section before releasing."
            exit 1
          fi
          gh release create "$TAG" \
            --title "BMad Builder $TAG" \
            --notes "$BODY" \
            "${TAG}.sig" \
            "${TAG}.pem" \
            "${TAG}.sha"

coderabbitai Bot commented Apr 23, 2026

⚠️ Potential issue | 🟠 Major

Validate release notes before pushing the version commit and tag.

Right now, if the changelog entry is missing or malformed, Lines 93-96 fail only after Line 70 has already pushed main and the tag. Move release-note extraction before the push so failed validation does not leave a partial release state.

🛠️ Proposed fix
       - name: Capture new version
         id: version
         run: |
           VERSION=$(node -p "require('./package.json').version")
           echo "version=${VERSION}" >> $GITHUB_OUTPUT
           echo "tag=v${VERSION}" >> $GITHUB_OUTPUT
 
+      - name: Extract release notes
+        run: |
+          TAG="${{ steps.version.outputs.tag }}"
+          VERSION="${{ steps.version.outputs.version }}"
+          awk -v ver="$VERSION" '
+            /^## \[/ { if (found) exit; if (index($0, "## [" ver "]")) found=1; next }
+            found { print }
+          ' CHANGELOG.md > release-notes.md
+          if ! grep -q '[^[:space:]]' release-notes.md; then
+            echo "::error::No CHANGELOG.md entry found for $TAG. Add a '## [${VERSION}] - YYYY-MM-DD' section before releasing."
+            exit 1
+          fi
+
       - name: Push version commit and tag
         run: git push origin main --follow-tags
 
       - name: Install cosign
         uses: sigstore/cosign-installer@v3
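Review bot: the new "Extract release notes" step still interpolates `${{ steps.version.outputs.tag }}` and `${{ steps.version.outputs.version }}` directly into the shell script; the values come from package.json after `npm version`, so they are semver strings today, but the robust idiom is to pass them through `env:` (`env: VERSION: ${{ steps.version.outputs.version }}`) and read `"$VERSION"` in the script so the script text never changes with the data. The step also leaves `release-notes.md` untracked in the checkout; writing it under `$RUNNER_TEMP` keeps it away from any later step that globs the working tree. The `grep -q '[^[:space:]]'` test is the right emptiness check, since a `## [x.y.z]` heading followed only by whitespace lines would slip past a bare `[ -z "$BODY" ]`.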
@@
       - name: Create GitHub Release
         run: |
           TAG="${{ steps.version.outputs.tag }}"
-          VERSION="${{ steps.version.outputs.version }}"
-          BODY=$(awk -v ver="$VERSION" '
-            /^## \[/ { if (found) exit; if (index($0, "## [" ver "]")) found=1; next }
-            found { print }
-          ' CHANGELOG.md)
-          if [ -z "$BODY" ]; then
-            echo "::error::No CHANGELOG.md entry found for $TAG. Add a '## [${VERSION}] - YYYY-MM-DD' section before releasing."
-            exit 1
-          fi
           gh release create "$TAG" \
             --title "BMad Builder $TAG" \
-            --notes "$BODY" \
+            --notes-file release-notes.md \
             "${TAG}.sig" \
             "${TAG}.pem" \
             "${TAG}.sha"
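Review bot: `gh release create "$TAG"` creates the tag on the remote itself when no such tag exists, so if the earlier `git push origin main --follow-tags` did not carry the tag, this step would still succeed with a release bound to a tag cosign never signed; add `--verify-tag` so the command aborts unless `$TAG` is already on the remote. `--notes-file release-notes.md` relies on the extract step and this step sharing the job's working directory, which holds here but is worth a comment next to the path.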
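The keep-a-changelog extraction and the fail-early check discussed in this review, as an added shell example (not code from the PR): the awk block is the one the workflow uses, wrapped in a function and run against a constructed changelog to show the three cases that matter, a populated section, a heading with an empty body, and a version that is absent.

```shell
#!/bin/sh
# Added example (not from the PR): the release workflow's keep-a-changelog
# extraction wrapped in a function, with the review's non-blank check applied.
# extract_release_notes VERSION FILE prints the body under "## [VERSION]" up to
# the next "## [" heading and returns 1 when that body has no non-blank line.
extract_release_notes() {
  ver="$1"
  file="$2"
  body=$(awk -v ver="$ver" '
    /^## \[/ { if (found) exit; if (index($0, "## [" ver "]")) found=1; next }
    found { print }
  ' "$file")
  # A heading followed only by blank lines is treated as missing, so the
  # release workflow can stop before anything is pushed.
  if ! printf '%s\n' "$body" | grep -q '[^[:space:]]'; then
    return 1
  fi
  printf '%s\n' "$body"
}

# Constructed sample changelog; not the project's real CHANGELOG.md.
SAMPLE_CHANGELOG=$(mktemp)
cat > "$SAMPLE_CHANGELOG" <<'EOF'
# Changelog

## [Unreleased]

## [1.7.0] - 2026-04-23

### Changed

- Rewrote the release pipeline with App auth and cosign signing.

## [1.6.0] - 2026-04-01

### Changed

- Older entry that must not leak into the 1.7.0 notes.
EOF

# Number of non-blank lines in the extracted notes (0 when extraction fails).
notes_line_count() {
  extract_release_notes "$1" "$SAMPLE_CHANGELOG" | grep -c '[^[:space:]]'
}
```

Because the match is the literal substring `## [VERSION]`, `1.7` does not match `## [1.7.0]` and a `## [1.7.0-rc1]` heading does not match `1.7.0`, so the bracket format is what makes the lookup exact.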

@bmadcode bmadcode merged commit 7a03614 into main Apr 23, 2026
4 checks passed