Skip to content

chore(release): adopt new release pipeline (App auth + CHANGELOG extract) #31

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
bmadcode merged 1 commit into from
Apr 23, 2026
Merged

chore(release): adopt new release pipeline (App auth + CHANGELOG extract) #31

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
169 changes: 0 additions & 169 deletions .github/workflows/manual-release.yaml
View file
Open in desktop

This file was deleted.

112 changes: 112 additions & 0 deletions .github/workflows/release.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,112 @@
name: Release

on:
workflow_dispatch:
inputs:
bump:
description: "Version bump type"
required: true
default: "patch"
type: choice
options:
- patch
Copy link
Copy Markdown

@augmentcode augmentcode Bot Apr 23, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In .github/workflows/release.yaml:11-14, the dispatch bump options only allow patch|minor|major, whereas the removed workflow (and package.json scripts) previously supported prerelease bumps. Confirm this restriction is intentional so you don’t lose the ability to cut alpha/beta-style releases if you still need them.

Severity: low

Fix This in Augment

🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.

- minor
- major

concurrency:
group: release
cancel-in-progress: false

permissions:
id-token: write
contents: write

jobs:
release:
if: github.repository == 'bmad-code-org/bmad-module-creative-intelligence-suite' && github.ref == 'refs/heads/main'
runs-on: ubuntu-latest
steps:
- name: Generate GitHub App token
id: app-token
uses: actions/create-github-app-token@v2
with:
app-id: ${{ secrets.RELEASE_APP_ID }}
private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}

- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
token: ${{ steps.app-token.outputs.token }}

- name: Setup Node
uses: actions/setup-node@v4
with:
node-version-file: ".nvmrc"
cache: "npm"

- name: Configure git user
run: |
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"

- name: Install dependencies
run: npm ci

- name: Run validation
run: npm test

- name: Bump version
run: |
npm version ${{ inputs.bump }} -m "chore(release): v%s [skip ci]"

- name: Capture new version
id: version
run: |
VERSION=$(node -p "require('./package.json').version")
echo "version=${VERSION}" >> $GITHUB_OUTPUT
echo "tag=v${VERSION}" >> $GITHUB_OUTPUT

- name: Push version commit and tag
run: git push origin main --follow-tags
Copy link
Copy Markdown

@augmentcode augmentcode Bot Apr 23, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In .github/workflows/release.yaml:71, git push origin main --follow-tags may fail to push the version tag created by npm version if it is lightweight, leaving the tag only local. That can make the subsequent gh release create "$TAG" operate on a missing/mismatched remote tag and potentially release the wrong commit.

Severity: medium

Fix This in Augment

🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.


- name: Create GitHub Release
run: |
TAG="${{ steps.version.outputs.tag }}"
VERSION="${{ steps.version.outputs.version }}"
BODY=$(awk -v ver="$VERSION" '
/^## v/ { if (found) exit; if (index($0, "## v" ver)) found=1; next }
Copy link
Copy Markdown

@augmentcode augmentcode Bot Apr 23, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In .github/workflows/release.yaml:78, the index($0, "## v" ver) check can match version prefixes (e.g., 1.2.3 would also match a ## v1.2.30 ... heading), which could extract the wrong CHANGELOG section. That would publish incorrect release notes for the tag.

Severity: low

Fix This in Augment

🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.

found { print }
' CHANGELOG.md)
Comment on lines +77 to +80
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Apr 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

index() match on the version header is a loose substring match.

index($0, "## v" ver) will match any header whose version starts with ver — e.g., with ver=0.2.0 it would also match ## v0.2.00 - ... or ## v0.2.0-rc1 - .... npm version <bump> produces exact semver so this is unlikely to bite today, but a trivial tighter anchor avoids future surprises:

🛠️ Suggested tighter match 
-          BODY=$(awk -v ver="$VERSION" '
-            /^## v/ { if (found) exit; if (index($0, "## v" ver)) found=1; next }
-            found { print }
-          ' CHANGELOG.md)
+          BODY=$(awk -v ver="$VERSION" '
+            /^## v/ { if (found) exit; if ($0 ~ "^## v" ver "([^0-9].*)?$") found=1; next }
+            found { print }
+          ' CHANGELOG.md)

This requires the character after the version to be non-numeric (space, dash, end-of-line), preventing v0.2.0 from matching v0.2.00.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yaml around lines 77 - 80, The awk index(...)
check is too loose and can match prefixes like "v0.2.00"; update the header
check to a strict anchored regex instead of index: build a pattern such as "^##
v" ver "([[:space:]]|-|$)" and replace the index($0, "## v" ver) condition with
a regex match ($0 ~ pattern or match($0, pattern)) so only exact semver headers
(followed by space, dash, or EOL) are accepted; adjust the awk snippet that
defines BODY accordingly.

if [ -z "$BODY" ]; then
echo "::error::No CHANGELOG.md entry found for $TAG. Add a '## v${VERSION} - DATE' section before releasing."
exit 1
fi
gh release create "$TAG" \
--title "Creative Intelligence Suite $TAG" \
--notes "$BODY"
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Comment on lines +59 to +89
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Apr 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

CHANGELOG validation runs after the tag is pushed — failure leaves an orphan tag on main.

The npm version commit + tag are pushed to origin main at line 71, but the CHANGELOG section check (lines 77–84) happens afterward. If ## v<version> - DATE is missing from CHANGELOG.md, the workflow exits 1 after the commit/tag are already on the remote, leaving a version bump commit and vX.Y.Z tag with no corresponding GitHub Release. Recovery requires a manual tag/commit revert.

Validate the CHANGELOG entry before mutating state — ideally before npm version, or at minimum before git push.

🛠️ Suggested reordering

Move the CHANGELOG extraction to run after Capture new version and before Push version commit and tag:

       - name: Capture new version
         id: version
         run: |
           VERSION=$(node -p "require('./package.json').version")
           echo "version=${VERSION}" >> $GITHUB_OUTPUT
           echo "tag=v${VERSION}" >> $GITHUB_OUTPUT

+      - name: Extract release notes from CHANGELOG
+        id: notes
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+          TAG="${{ steps.version.outputs.tag }}"
+          BODY=$(awk -v ver="$VERSION" '
+            /^## v/ { if (found) exit; if (index($0, "## v" ver)) found=1; next }
+            found { print }
+          ' CHANGELOG.md)
+          if [ -z "$BODY" ]; then
+            echo "::error::No CHANGELOG.md entry found for $TAG. Add a '## v${VERSION} - DATE' section before releasing."
+            exit 1
+          fi
+          {
+            echo 'body<<EOF_NOTES'
+            printf '%s\n' "$BODY"
+            echo 'EOF_NOTES'
+          } >> $GITHUB_OUTPUT

       - name: Push version commit and tag
         run: git push origin main --follow-tags

Then consume ${{ steps.notes.outputs.body }} in the Create GitHub Release step.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yaml around lines 59 - 89, The workflow currently
pushes the npm version commit/tag in the "Push version commit and tag" step
before validating CHANGELOG.md, causing orphan tags if validation fails; move
the CHANGELOG extraction/validation (the awk logic that builds BODY and checks
for a v${VERSION} section) into a new step placed after "Capture new version"
(steps: "Capture new version" -> new "Generate release notes" step that sets an
output like notes.body) and before "Push version commit and tag", fail the
workflow there if the notes.body is empty, then update "Create GitHub Release"
to consume steps.notes.outputs.body (instead of re-running awk) and keep the
actual git push in "Push version commit and tag" so no commit/tag is pushed
unless CHANGELOG validation succeeded.


- name: Notify Discord
if: success()
continue-on-error: true
run: |
set -o pipefail
source .github/scripts/discord-helpers.sh
[ -z "$WEBHOOK" ] && exit 0
TAG="${{ steps.version.outputs.tag }}"
RELEASE_URL="${{ github.server_url }}/${{ github.repository }}/releases/tag/${TAG}"
MSG=$(printf '🎨 **[Creative Intelligence Suite %s released](<%s>)**' "$TAG" "$RELEASE_URL" | esc)
jq -n --arg content "$MSG" '{content: $content}' | curl -sf --retry 2 -X POST "$WEBHOOK" -H "Content-Type: application/json" -d @-
Comment on lines +95 to +101
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Apr 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# Check the discord-helpers.sh file
cat -n .github/scripts/discord-helpers.sh | head -30

Repository: bmad-code-org/bmad-module-creative-intelligence-suite

Length of output: 1295

🏁 Script executed:

# Also look for bmad-builder reference
grep -r "bmad-builder" . --max-count=5

Repository: bmad-code-org/bmad-module-creative-intelligence-suite

Length of output: 528

🏁 Script executed:

# Get full context of the release workflow
sed -n '85,110p' .github/workflows/release.yaml

Repository: bmad-code-org/bmad-module-creative-intelligence-suite

Length of output: 1107

Discord message markdown is broken by piping the template through esc.

The esc function (line 14 of .github/scripts/discord-helpers.sh) escapes markdown syntax characters including *, [, ], (, ) to safe Discord display — but it skips content inside <URL> wrappers. The template **[Creative Intelligence Suite %s released](<%s>)** has all its markdown syntax outside the <URL> wrapper. After piping through esc, it becomes \*\*\[Creative Intelligence Suite vX.Y.Z released\](<URL>)\*\*, which Discord renders as plain text with visible backslashes instead of bold and a clickable link.

Since $TAG (semantic version) and $RELEASE_URL (GitHub-generated URL) contain no markdown-significant characters, remove the | esc pipe:

🛠️ Proposed fix 
-          MSG=$(printf '🎨 **[Creative Intelligence Suite %s released](<%s>)**' "$TAG" "$RELEASE_URL" | esc)
+          MSG=$(printf '🎨 **[Creative Intelligence Suite %s released](<%s>)**' "$TAG" "$RELEASE_URL")
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yaml around lines 95 - 101, The Discord message
string is being escaped by the esc function causing markdown (bold + link) to be
rendered as literal text; update the MSG construction so the printf template
'**[Creative Intelligence Suite %s released](<%s>)**' is not piped through esc —
remove the `| esc` usage when building MSG (the variable and pipeline that calls
esc) and leave the rest of the pipeline (jq ... | curl ...) intact so TAG and
RELEASE_URL are inserted raw and the message renders with bold and a clickable
link; reference the MSG assignment and the esc helper in discord-helpers.sh when
making this change.

env:
WEBHOOK: ${{ secrets.DISCORD_WEBHOOK }}

- name: Summary
run: |
TAG="${{ steps.version.outputs.tag }}"
{
echo "## Released ${TAG}"
echo ""
echo "- **GitHub Release:** https://github.com/${{ github.repository }}/releases/tag/${TAG}"
} >> $GITHUB_STEP_SUMMARY
Loading