ci: use draft releases to support immutable GitHub releases #516
Merged
kinyoklion approved these changes (Apr 9, 2026)
…table-releases
# Conflicts:
#	.github/workflows/manual-sdk-release-artifacts.yml
#	.github/workflows/release-please.yml
Cursor Bugbot has reviewed your changes using default effort and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 79db44b.
This reverts commit 79db44b.
## Summary

Wires `libs/server-sdk-dynamodb-source` into the release-please draft + publish flow so its releases cut and un-draft automatically, same as client/server/redis.

- `"draft": true` in `release-please-config.json` for dynamodb.
- `release-server-dynamodb` (matrix) + `-mac-arm64` + `publish-release-server-dynamodb` jobs in `release-please.yml`. Mirrors the redis pattern.
- `sdk-release` action passes `CURL_ROOT` and `CMAKE_PREFIX_PATH` to its Linux and macOS Boost.Beast build steps. aws-sdk-cpp calls `find_package(CURL)` on Linux/macOS regardless of `LD_CURL_NETWORKING`; on macOS the hint is needed because homebrew's curl isn't in cmake's default search path. Windows uses WinHTTP, so aws-sdk-cpp doesn't need libcurl there and the env isn't passed.

The dynamodb release path has never been cut end-to-end. Per-package CI builds dynamodb daily, but the `sdk-release` composite action hasn't been run against it -- the first real release may surface latent issues.
beekld approved these changes (Jun 29, 2026)

## Summary
Migrates the release workflow to support GitHub's immutable releases feature. Once a release is published it can no longer be modified, so we now create releases in draft state, upload all artifacts, and only then publish.
Changes across three files:
- `release-please-config.json` — Added top-level `"draft": true` so release-please creates draft releases for all packages. Added `"force-tag-creation": true` to every package (not yet supported by release-please, but included for forward compatibility).
- `release-please.yml` — Split release-please pattern — release-please is now invoked twice within the same job:
  - `skip-github-pull-request: true` — only creates releases (no PRs).
  - `skip-github-release: true` — only creates/updates PRs, and only runs if no releases were created. This ordering ensures tags exist before release-please checks whether a release PR is still needed.
  - Build jobs (`release-client`, `release-server`, etc.) now depend only on `release-please` (the former separate `create-tags` job has been removed).
  - Pinned to `googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38` (v4.4.0).
- `actions/attest@v4` — Removed all 7 SLSA provenance jobs (`release-{client,server,server-redis}-provenance`, `release-{client,server,server-redis}-mac-arm64-provenance`, plus 2 in the manual workflow). Replaced with inline `actions/attest@v4` steps in each build job that decode the base64 hashes into a checksums file and attest in-place.
- `publish-release-*` jobs — Three new jobs (`publish-release-client`, `publish-release-server`, `publish-release-server-redis`) that un-draft their respective release only after all artifact jobs complete.
- `manual-sdk-release-artifacts.yml` — `publish_release` input — Added a `publish_release` boolean input (default: `true`) and a `publish-release` job gated on it, so operators can optionally keep the release in draft after manual artifact uploads.

## Review & Testing Checklist for Human

- Verify the `if` condition on the second call correctly uses `!= 'true'` with `&&` across all 4 packages.
- `needs` arrays in `publish-release-*` jobs: Verify each publish job waits on ALL artifact-uploading jobs for that package before un-drafting. A missing dependency means the release gets published before all artifacts are uploaded — the exact problem we're solving. For example, `publish-release-client` needs both `release-client` (3-OS matrix) and `release-client-mac-arm64`.
- `release-please` creates a tag for server-otel if released, and `"draft": true` means release-please creates a draft release, but there is no `publish-release-server-otel` job to un-draft it. If server-otel has no artifact uploads this is fine — but confirm the draft release won't stay stuck.
- `actions/attest@v4` (unpinned): The attest action is referenced by major version tag, not a pinned SHA. Verify this aligns with the repo's policy on action pinning (other actions like checkout are SHA-pinned).
- Run the manual workflow with `publish_release: false` to verify the release stays in draft.

## Notes

- Follows the approach used in `ld-relay` (commit 1581de9). The key insight is that release-please depends on the tag existing when determining if a release PR is still needed — so tags must be created between the release step and the PR step.
- The `${{ github.repository }}` expression appears in `run:` blocks (tag creation and publish-release jobs). This value is GitHub-controlled (not user input) so script injection risk is negligible, but worth noting since tag names are deliberately routed through env vars.
- `force-tag-creation` has no effect with the current release-please version — it is a forward-compatibility placeholder that will take effect once release-please supports it, at which point the inline tag creation steps can be removed.
- `manual-sdk-release-artifacts.yml`'s `publish_release` defaults to `true` for `workflow_dispatch`, matching the expectation that manual runs typically want to finalize the release.

Link to Devin session: https://app.devin.ai/sessions/7d5bda4d9dbe4ae0b950b30a50485e60
Requested by: @keelerm84
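One way to mechanise the `needs` check from the checklist above, written here as an added example rather than code from this PR or the repository: a constructed stand-in for the `jobs:` map of `release-please.yml` is checked so that every `publish-release-<pkg>` job transitively waits on that package's artifact jobs (the `release-<pkg>` matrix job and `release-<pkg>-mac-arm64`) and every drafted package has a job to un-draft it. In the sample data `publish-release-server` deliberately omits its mac-arm64 job and server-otel has no publish job; the job map, package list and function names are assumptions, not the repo's real workflow.

```python
# Constructed stand-in for the `jobs:` map of release-please.yml and the
# drafted packages from release-please-config.json (not the real files).
# Only `needs` edges matter here.
WORKFLOW_JOBS = {
    "release-please": {"needs": []},
    "release-client": {"needs": ["release-please"]},
    "release-client-mac-arm64": {"needs": ["release-please"]},
    "publish-release-client": {
        "needs": ["release-client", "release-client-mac-arm64"]},
    "release-server": {"needs": ["release-please"]},
    "release-server-mac-arm64": {"needs": ["release-please"]},
    "publish-release-server": {"needs": ["release-server"]},  # mac-arm64 missing
    "release-server-redis": {"needs": ["release-please"]},
    "release-server-redis-mac-arm64": {"needs": ["release-please"]},
    "publish-release-server-redis": {
        "needs": ["release-server-redis", "release-server-redis-mac-arm64"]},
    "release-server-otel": {"needs": ["release-please"]},  # no publish job
}
DRAFTED_PACKAGES = ["client", "server", "server-redis", "server-otel"]


def transitive_needs(jobs, job):
    """Every job that must finish before `job` runs, following `needs` edges."""
    seen, stack = set(), list(jobs[job].get("needs", []))
    while stack:
        dep = stack.pop()
        if dep not in seen:
            seen.add(dep)
            stack.extend(jobs.get(dep, {}).get("needs", []))
    return seen


def artifact_jobs(jobs, pkg):
    """Artifact-uploading jobs for a package: its OS matrix job and mac-arm64 job."""
    return {j for j in (f"release-{pkg}", f"release-{pkg}-mac-arm64") if j in jobs}


def missing_publish_deps(jobs, packages):
    """publish job -> artifact jobs it could un-draft ahead of (empty set = OK)."""
    report = {}
    for pkg in packages:
        pub = f"publish-release-{pkg}"
        if pub in jobs:
            report[pub] = artifact_jobs(jobs, pkg) - transitive_needs(jobs, pub)
    return report


def drafts_without_publish(jobs, packages):
    """Drafted packages with no publish-release job, so their release stays draft."""
    return [p for p in packages if f"publish-release-{p}" not in jobs]
```

Running both checks over the sample data flags `publish-release-server` (it would un-draft before `release-server-mac-arm64` uploads) and `server-otel` (drafted, never published); the same logic can be pointed at the real `jobs:` map once parsed.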
Note: Medium Risk

Changes release publishing order and provenance model; mis-timed publish jobs could finalize releases before all artifacts upload, and otel publish runs without waiting on artifact jobs.

Overview

Supports immutable GitHub releases by having release-please create draft releases (`draft` + `force-tag-creation` in `release-please-config.json`), uploading artifacts while still draft, then `gh release edit --draft=false` only after all build jobs finish (`publish-release-*` in `release-please.yml`, optional `publish_release` on the manual workflow).

Provenance moves from separate SLSA jobs to per-platform `actions/attest` steps that decode base64 artifact hashes into `checksums.txt` (with macOS vs GNU `base64` handling). Build jobs gain `attestations`/`id-token` permissions; matrix jobs no longer export hash outputs for downstream SLSA.

release-please is bumped to v5.0.0 (single run; tags for drafts via `force-tag-creation`). server-sdk-dynamodb is wired through automated release (outputs, matrix + arm64 jobs, publish job) and the manual artifact workflow target list.

sdk-release sets `CURL_ROOT`/`CMAKE_PREFIX_PATH` on Linux/macOS non-CURL builds so aws-sdk-cpp (dynamodb) can satisfy `find_package(CURL)` during CMake configure.

Reviewed by Cursor Bugbot for commit 722ee53.