[codex] Link release workflow to compliance tests #5334
Draft
parithosh wants to merge 1 commit into
Summary
This links the release workflow to the long-running compliance test workflow without merging the two workflows together.
- release.yml now dispatches comptests.yml after the release publish job succeeds.
- comptests.yml accepts an optional release_tag input, uses it in the workflow run name, and renames final tarballs as <release-tag>-compliance-<config>.tar.gz.
- release_tag is not provided.
Why this matters
Reference release artifacts and compliance test artifacts are currently produced independently, even though downstream consumers need to know which compliance tests correspond to which consensus-specs release. The compliance tests take long enough that they should remain in their own workflow, but the release process should still produce an explicit, discoverable link to the matching compliance tarballs.
With this change, a release can finish on its normal timeline while the compliance tests continue asynchronously. When the compliance workflow completes, its output is clearly tagged with the release version and attached to the same release page.
Security notes
The compliance workflow keeps a read-only default token and only grants write permissions to the packaging job that needs to delete intermediate artifacts and upload release assets.
For release-tagged runs, the workflow rejects configurations where:
- repo is not the current repository
- ref does not exactly match release_tag
The generation checkout also disables persisted credentials, and release asset upload does not use --clobber, so existing release assets are not silently overwritten.
Validation
actionlint -shellcheck= .github/workflows/release.yml .github/workflows/comptests.yml
git diff --check -- .github/workflows/release.yml .github/workflows/comptests.yml
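The release-tagged guard and tarball naming from the description above, sketched as shell functions. This is an added example, not the PR's workflow code: the function names, argument order, sample values and the tag character check are assumptions.

```shell
#!/bin/sh
# Added illustration; not the PR's workflow code. All names are hypothetical.

# check_release_inputs RELEASE_TAG REPO REF CURRENT_REPO
# Returns 0 when the run may proceed, 1 when it must be rejected.
check_release_inputs() {
    cri_tag=$1 cri_repo=$2 cri_ref=$3 cri_current=$4

    # No release tag: an ordinary run, so the release checks do not apply.
    if [ -z "$cri_tag" ]; then
        return 0
    fi

    # Assumption (not stated in the PR): the tag ends up in a file name,
    # so only a conservative character set is accepted.
    case "$cri_tag" in
        *[!A-Za-z0-9._-]*)
            echo "reject: release_tag contains unexpected characters" >&2
            return 1 ;;
    esac

    # Release assets must be built from this repository, not a fork.
    if [ "$cri_repo" != "$cri_current" ]; then
        echo "reject: repo '$cri_repo' is not '$cri_current'" >&2
        return 1
    fi

    # The tested ref must be exactly the release tag (no prefix, no branch).
    if [ "$cri_ref" != "$cri_tag" ]; then
        echo "reject: ref '$cri_ref' does not match release_tag '$cri_tag'" >&2
        return 1
    fi
    return 0
}

# tarball_name RELEASE_TAG CONFIG
# Prints <release-tag>-compliance-<config>.tar.gz
tarball_name() {
    printf '%s-compliance-%s.tar.gz\n' "$1" "$2"
}

# Constructed sample values, for demonstration only.
DEMO_REPO="example-org/example-specs"
if check_release_inputs "v0.0.0-example" "$DEMO_REPO" "v0.0.0-example" "$DEMO_REPO"; then
    tarball_name "v0.0.0-example" "mainnet"
fi
```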