ci(release): tighten release workflow hygiene #463

Merged: dc-tec merged 3 commits into main from ci/release-workflow-hygiene, May 19, 2026

@dc-tec dc-tec commented May 19, 2026

Owner

Summary

  • switch release GitHub App token creation from deprecated app-id inputs to client-id secrets
  • add hack/ci/verify-post-release.sh for post-release tag, asset, signature, chart, and release-please cleanup checks
  • clarify patch release-note sources, release-please branch cleanup, and current release GitHub App secret names in release-management docs

Related Issues

None.

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Refactor (code improvement/cleanup)
  • CI, release, or build tooling
  • Other maintenance

Risk and Compatibility

No API, CRD, Helm, RBAC, security, or upgrade compatibility impact. Release automation now requires OPENBAO_OPERATOR_RELEASE_PR_CLIENT_ID and OPENBAO_OPERATOR_RELEASE_TAG_CLIENT_ID; the matching secrets have been added before this PR.

Verification

  • bash -n hack/ci/verify-post-release.sh
  • hack/ci/verify-post-release.sh --help
  • go run github.com/rhysd/actionlint/cmd/actionlint@v1.7.11 .github/workflows/release-please.yml .github/workflows/release-tag.yml .github/workflows/prepare-release-as-pr.yml
  • make docs-build
  • git diff --check
  • pre-push hook: make lint-ci

Reviewer Notes

The full post-release helper is intended to run after a release has published. I validated syntax/help locally; full execution would currently fail by design while #395 and release-please--branches--main are still active.

Checklist

  • My code follows the project style guide.
  • I have performed a self-review of my own code.
  • I have added or updated tests, or explained why tests are not needed.
  • I have updated documentation, or explained why docs are not needed.
  • I have updated generated artifacts, or confirmed none are affected.
  • I have checked that this change does not log or expose secrets, tokens, credentials, keys, or raw Secret data.
  • I have run the relevant local checks, or documented why they were not run.
  • Any dependent changes have been merged, published, or clearly called out.

dc-tec added 2 commits May 19, 2026 23:44
Signed-off-by: Roel de Cort <roel.decort@adfinis.com>
Signed-off-by: Roel de Cort <roel.decort@adfinis.com>
@github-actions github-actions Bot added devops, documentation, tests, size/M labels May 19, 2026
@dc-tec dc-tec self-assigned this May 19, 2026
@dc-tec dc-tec merged commit 2996f1a into main May 19, 2026
45 checks passed
@dc-tec dc-tec deleted the ci/release-workflow-hygiene branch May 26, 2026 15:53