
ci: adopt consolidated ospo-reusable-workflows release.yaml #496

Merged
jmeridth merged 1 commit into main from ci/consolidated-release-workflow on May 10, 2026

Conversation

@jmeridth
Collaborator

Pull Request

Proposed Changes

Collapse the three legacy release / release_image / release_discussion job calls plus the bespoke update_major_tag job into a single call to the consolidated release.yaml reusable workflow at v1.0.0 (592067a6...). The new workflow handles GitHub release creation, container image build/push to GHCR, build provenance attestation, the announcement discussion, and pushing the major-version moving tag, in one draft-first pipeline.

Also add a "💥 Breaking Changes" category to release-drafter.yml, matching the upstream release-drafter template (github-community-projects/ospo-reusable-workflows#134). The breaking label was already wired up under version-resolver.major, so this just surfaces those PRs in their own changelog section.

Notes for reviewers

  • The reusable workflow's create_release tags both the full version (e.g. v1.2.3) and the short/major moving tag (e.g. v1) and force-pushes both. The deleted update_major_tag job did exactly that for the major tag, so behavior is preserved — but worth a careful look at the next release to confirm the major tag does move as expected.
  • image-name is preserved as ${{ github.repository_owner }}/stale_repos (underscore form) so the published image at ghcr.io/github-community-projects/stale_repos stays at the exact same path as before.
  • The job-level permission block now lists the union of what the called workflow's internal jobs need. A uses: caller can only grant — never expand — what the reusable workflow requests, so missing perms here silently disable features instead of erroring.
  • image-registry / image-registry-username moved from secrets: to inputs in v1.0.0 and default to ghcr.io / github.actor. Both defaults match the previous values, so the inputs are omitted.
  • image-registry-password stays a secret and continues using GITHUB_TOKEN for GHCR pushes.

Readiness Checklist

Author/Contributor

  • If documentation is needed for this change, has that been included in this pull request?
  • Run make lint and fix any issues that you have introduced.
  • Run make test and ensure you have test coverage for the lines you are introducing.

Testing

  • make lint — clean (mypy 0 issues across 10 source files, black 10 files unchanged).
  • make test — 41 tests + 6 subtests pass, coverage 89.81%.
  • npx prettier --check .github/workflows/release.yml .github/release-drafter.yml — clean (super-linter runs prettier on YAML).
  • End-to-end release flow is not exercised locally; first real validation will be the next merged PR carrying a feature / fix / breaking / vuln / release label that fires pull_request_target: closed. Watch for: draft release created by release-drafter, full + short tags both pushed by create_release, container image published to ghcr.io/$OWNER/stale_repos, build provenance attestation succeeding, release announcement discussion created (if RELEASE_DISCUSSION_* secrets are set), then publish_release flipping the draft to published.

## What

Collapse the three legacy `release` / `release_image` / `release_discussion` job calls plus the bespoke `update_major_tag` job into a single call to the consolidated `release.yaml` reusable workflow at v1.0.0 (`592067a6...`). Pass `image-name`, `create-attestation: true`, and `create-discussion: true` so the workflow handles GitHub release, container image build/push to GHCR (preserving the underscore form `stale_repos`), build provenance attestation, announcement discussion, and major-tag pushing in one draft-first pipeline. Also add a "💥 Breaking Changes" category to `release-drafter.yml`.

## Why

The legacy three-workflow setup forced callers to wire up the same job chain by hand in every repo and made it easy for permissions, secrets, and ordering to drift. v1.0.0 of ospo-reusable-workflows owns the chain internally (including pushing the major-version moving tag in `create_release`, so the standalone `update_major_tag` job is now redundant) and exposes a single entry point. The "Breaking Changes" category matches the upstream release-drafter template (github-community-projects/ospo-reusable-workflows#134); the `breaking` label already maps to a major bump in `version-resolver`, so this just surfaces those PRs in their own changelog section.

## Notes

- The reusable workflow's `create_release` job tags both the full version (e.g. `v1.2.3`) and the short/major moving tag (e.g. `v1`) and force-pushes both. The deleted `update_major_tag` job did exactly that for the major tag, so behavior is preserved.
- `image-name` keeps the existing underscore form `${{ github.repository_owner }}/stale_repos` so the published image at `ghcr.io/github-community-projects/stale_repos` stays at the same path.
- The job-level permission block now lists the union of what the called workflow's internal jobs need (contents/pull-requests/packages/id-token/attestations/discussions). A `uses:` caller can only grant — never expand — what the reusable workflow requests, so missing perms here silently disable features instead of erroring.
- `image-registry` and `image-registry-username` moved from `secrets:` to inputs in v1.0.0 (defaults to `ghcr.io` and `github.actor`). Both defaults match the previous explicit values, so they're omitted.
- Comment alignment uses single-space-before-`#` to satisfy prettier (the repo's super-linter runs prettier on YAML).

Signed-off-by: jmeridth <jmeridth@gmail.com>
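The notes above ask reviewers to confirm at the next release that the major moving tag actually follows the full version tag, that the image lands at ghcr.io/$OWNER/stale_repos, that the provenance attestation verifies, and that the draft is flipped to published. The script below is an added post-release check written for this page; it is not code from the stale_repos repository, the PR, or ospo-reusable-workflows. It assumes the vX.Y.Z plus vX tag scheme the PR notes describe, that the container image is tagged with the version number without the leading "v" (an assumption; the image tag scheme is not shown on this page), and an authenticated gh CLI for the live checks. The offline part parses constructed `git ls-remote --tags` output and handles the annotated-tag case, where the tag object and the peeled commit appear as two lines.

```shell
#!/usr/bin/env bash
# Post-release verification for the consolidated release.yaml pipeline.
# Added example, not part of stale_repos or ospo-reusable-workflows.
set -eu

# Resolve a tag to the commit it points at, given `git ls-remote --tags` output
# (one "<sha>\t<ref>" per line). An annotated tag is listed twice: "refs/tags/v1"
# (the tag object) and "refs/tags/v1^{}" (the peeled commit). Prefer the peeled
# line so an annotated v1 and a lightweight v1.2.3 still compare equal.
tag_commit() {
  local ls_remote_output="$1" tag="$2"
  local peeled direct
  peeled=$(printf '%s\n' "$ls_remote_output" | awk -v r="refs/tags/${tag}^{}" '$2 == r {print $1}')
  direct=$(printf '%s\n' "$ls_remote_output" | awk -v r="refs/tags/${tag}" '$2 == r {print $1}')
  printf '%s' "${peeled:-$direct}"
}

# Major moving tag for a full version tag: v1.2.3 -> v1. Fails on anything else.
major_tag() {
  case "$1" in
    v[0-9]*.[0-9]*.[0-9]*) printf '%s' "${1%%.*}" ;;
    *) return 1 ;;
  esac
}

# Succeeds only if both the full tag and its major tag exist and point at the
# same commit, i.e. create_release force-pushed the moving tag as expected.
major_tag_moved() {
  local ls_remote_output="$1" version="$2"
  local major full short
  major=$(major_tag "$version") || return 1
  full=$(tag_commit "$ls_remote_output" "$version")
  short=$(tag_commit "$ls_remote_output" "$major")
  [ -n "$full" ] && [ "$full" = "$short" ]
}

# Live check against a real repository (network and gh auth required).
# Usage: verify_release <owner> <repo> <image-name> <version>
# e.g.   verify_release github-community-projects <repo> stale_repos v1.2.3
verify_release() {
  local owner="$1" repo="$2" image="$3" version="$4"
  local refs is_draft
  refs=$(git ls-remote --tags "https://github.com/${owner}/${repo}.git")
  major_tag_moved "$refs" "$version" || { echo "major tag did not move to ${version}" >&2; return 1; }
  # publish_release should have flipped the release-drafter draft to published.
  is_draft=$(gh release view "$version" --repo "${owner}/${repo}" --json isDraft --jq .isDraft)
  [ "$is_draft" = false ] || { echo "release ${version} is still a draft" >&2; return 1; }
  # Build provenance attestation for the published image (image tag scheme assumed).
  gh attestation verify "oci://ghcr.io/${owner}/${image}:${version#v}" --owner "$owner"
}

# Constructed sample data (not real SHAs). Case 1: v1 is an annotated tag whose
# peeled commit equals the lightweight v1.2.3. Case 2: v1 was left behind.
SAMPLE_MOVED=$(printf '%s\t%s\n' \
  aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa refs/tags/v1 \
  bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb 'refs/tags/v1^{}' \
  bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb refs/tags/v1.2.3)
SAMPLE_STALE=$(printf '%s\t%s\n' \
  cccccccccccccccccccccccccccccccccccccccc refs/tags/v1 \
  bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb refs/tags/v1.2.3)

if major_tag_moved "$SAMPLE_MOVED" v1.2.3; then echo "sample 1: v1 follows v1.2.3"; fi
if ! major_tag_moved "$SAMPLE_STALE" v1.2.3; then echo "sample 2: v1 is stale"; fi
```

Run `verify_release` once after the first release produced by the new workflow; the offline functions can also be pointed at saved `git ls-remote` output when auditing older releases.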
jmeridth added the Mark Ready When Ready label (Automatically mark draft PR ready when checks pass) on May 10, 2026
jmeridth self-assigned this on May 10, 2026
jmeridth added the Mark Ready When Ready label (Automatically mark draft PR ready when checks pass) on May 10, 2026
github-actions (bot) added the automation label on May 10, 2026
github-actions (bot) marked this pull request as ready for review on May 10, 2026 at 23:36
github-actions (bot) requested a review from zkoppert as a code owner on May 10, 2026 at 23:36
github-actions (bot) removed the Mark Ready When Ready label (Automatically mark draft PR ready when checks pass) on May 10, 2026
@jmeridth jmeridth merged commit c6216f6 into main May 10, 2026
37 of 38 checks passed
@jmeridth jmeridth deleted the ci/consolidated-release-workflow branch May 10, 2026 23:41