feat(release): add ship-release workflow to merge three release PRs in order (#712)

Closes #705.

## Summary

Adds a manually-triggered workflow (`ship-release.yml`) that
orchestrates merging the three sibling release PRs in strict order —
infra (`openemr-devops`) → conductor (`openemr/openemr`) → docs
(`website-openemr`) — with mergeability gates on each step. Replaces
three browser tabs and three required-checks waits with one button
press, and removes the partial-merge risk documented in
`openemr/openemr` `docs/RELEASE_PROCESS.md`.

## What's in the box

- **`.github/workflows/ship-release.yml`** — `workflow_dispatch` with
`version`, `rel_branch`, `dry_run`, `timeout_seconds` inputs. Mints one
App token scoped to all three repos; `permissions: {}`; `concurrency:
ship-release`.
- **`tools/release/src/ShipReleaseOrchestrator.php`** — strict-order
merge, skip-if-merged (so the same trigger handles partial-merge
recovery), blocked-stops-the-line (no partial merges originate here),
`release/ship-approved` commit status posted before each merge,
conductor→docs head-SHA polling with timeout, docs-first detection.
- **`tools/release/src/PullRequestApi.php`** +
**`GhPullRequestApi.php`** — narrow cross-repo PR interface (findByHead
/ getReadiness / postCommitStatus / squashMerge with
`--match-head-commit`) over the `gh` CLI; kept separate from
`GitHubApi.php` to stay testable and focused.
- **`tools/release/bin/ship-release.php`** — Symfony Console CLI
(matches existing `bin/` shape), wired through Taskfile as
`release:ship`.
- **Result/value objects + `Clock` test seam** — `PullRequestTarget`,
`PullRequestSnapshot`, `PullRequestReadiness`,
`ShipReleaseStepResult`/`Status`, `ShipReleaseResult`,
`ShipReleaseRenderer`.
- **Tests** — `FakePullRequestApi` + `FakeClock`; covers happy path,
infra-already-merged skip, conductor-blocked-stops-docs, docs-first
fatal (refuses to merge anything), dry-run, downstream-wait timeout. 12
new tests, 62 total.

## Recovery behavior

Re-running the workflow handles partial-merge recovery automatically
because every merged step is detected as `SKIPPED_ALREADY_MERGED` and
the run continues with whatever's left. The one case that can't be
recovered automatically — docs merged before conductor — is detected up
front and the workflow refuses to do anything, matching what issue #705
calls out as the manual reconciliation case.

## Test plan

- [x] `composer test` (62 tests, 171 assertions)
- [x] `composer phpstan` (level 10 + strict-rules, no errors)
- [x] `composer phpcs` (clean)
- [x] `composer rector-check` (clean)
- [x] `actionlint .github/workflows/ship-release.yml` (clean)
- [ ] First real use: dry-run against the next live release-prep PRs to
confirm readiness reporting matches reality before doing a real merge.

## Out of scope (per #705)

- Configuring branch protection on the three base branches to require
`release/ship-approved` (separate repo-admin step; this PR only emits
the status so admins *can* enable it).
- Docs-side reconciliation for the docs-first-merged case.
- Auto-rollback on partial failure.

Author: kojiromike

.github/workflows/ship-release.yml

@@ -0,0 +1,85 @@
+name: Ship Release
+
+# Manually-triggered orchestration for the three-PR release flow (#705):
+# merges infra → conductor → docs in strict order, skipping any already merged
+# (so the same trigger handles partial-merge recovery), and refusing to merge
+# anything if any unmerged PR is not ready. Mints one App token with PR-write
+# on all three repos and posts a release/ship-approved commit status on each
+# PR head before merging it (so branch protection can require it later).
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Release version (e.g. 8.1.0) — picks website-openemr branch release-docs/<version>'
+        required: true
+        type: string
+      rel_branch:
+        description: 'Release branch (e.g. rel-810) — picks openemr/openemr branch release-prep/<rel_branch>'
+        required: true
+        type: string
+      dry_run:
+        description: 'Check readiness only — do not merge or post statuses'
+        required: false
+        type: boolean
+        default: false
+      timeout_seconds:
+        description: 'Max seconds to wait for docs PR to update after conductor merge'
+        required: false
+        type: string
+        default: '600'
+
+permissions: {}
+
+concurrency:
+  group: ship-release
+  cancel-in-progress: false
+
+jobs:
+  ship:
+    name: Merge release PRs in order
+    runs-on: ubuntu-24.04
+    env:
+      RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+    steps:
+      - name: Mint release App token
+        id: app-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.RELEASE_APP_ID }}
+          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
+          owner: openemr
+          repositories: |
+            openemr
+            openemr-devops
+            website-openemr
+
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: '8.5'
+
+      - name: Install Task
+        uses: arduino/setup-task@v2
+
+      - name: Ship release
+        working-directory: tools/release
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+          VERSION: ${{ inputs.version }}
+          REL_BRANCH: ${{ inputs.rel_branch }}
+          TIMEOUT_SECONDS: ${{ inputs.timeout_seconds }}
+          DRY_RUN: ${{ inputs.dry_run && '1' || '0' }}
+          STATUS_TARGET_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+        run: >-
+          task release:ship
+          VERSION="${VERSION}"
+          REL_BRANCH="${REL_BRANCH}"
+          TIMEOUT_SECONDS="${TIMEOUT_SECONDS}"
+          STATUS_TARGET_URL="${STATUS_TARGET_URL}"
+          DRY_RUN="${DRY_RUN}"

tools/release/README.md

@@ -0,0 +1,70 @@
+# `tools/release/`
+
+PHP foundation for OpenEMR's release tooling. Used by the workflows in
+`.github/workflows/release-*.yml` and `ship-release.yml`, plus called locally
+during release prep.
+
+## Layout
+
+```
+tools/release/
+├── bin/         CLI entrypoints (one Symfony Console SingleCommandApplication per file)
+├── src/         Service classes + value objects (PSR-4: OpenEMR\Release\)
+├── tests/       PHPUnit tests + in-memory fakes (PSR-4: OpenEMR\Release\Tests\)
+├── contracts/   JSON schemas vendored across consumer repos
+├── scripts/     Operational shell probes (App-token sanity checks etc.)
+├── templates/   PR body / changelog Twig templates
+├── Taskfile.yml Glue between workflows and the PHP CLIs (`task release:*`)
+└── versions.yml The 3-slot rotation registry (current/next/dev)
+```
+
+Workflow steps in `.github/workflows/` are deliberately thin: mint App token,
+checkout, run `task release:<name>`. All decision logic lives in PHP so it can
+be unit-tested.
+
+## Conventions
+
+- **PHP 8.5**, `declare(strict_types=1)`, **PHPStan level 10 + strict-rules**, PSR12, license-header docblock on every file.
+- **Service classes** are `final readonly class` with constructor-promoted DI. They shell out via `Symfony\Component\Process\Process::mustRun()` and throw `\RuntimeException` on failure.
+- **Result objects** are `final readonly class` value objects exposing public promoted properties + a small predicate (`isValid()`, `isReady()`, `wasSuccessful()`). Methods return result objects rather than associative arrays so the call site is type-safe and tests can assert on shape.
+- **gh as the network layer.** Network calls go through the `gh` CLI, which uses the ambient `GH_TOKEN` env var. Workflows mint a release App token via `actions/create-github-app-token@v1` and export it as `GH_TOKEN`. CLI authors don't handle auth themselves.
+- **Pure helpers stay static.** Methods that don't need shell or network (string builders, predicate logic, JSON shape interpretation) are kept `static` so unit tests can exercise them directly.
+- **Tests** live in `tests/` mirroring `src/` flat. HTTP-dependent classes are not unit-tested — pure helpers and orchestrators (with fake collaborators) are. See `tests/Fakes/` for the in-memory test doubles.
+
+## Why are some of these classes so verbose?
+
+A "wrap `gh` and merge a few PRs" service can read as ~600 lines of PHP before any meaningful logic shows up. That's not accidental:
+
+- Every file pays a ~13-line tax for the license-header docblock + `declare(strict_types=1)` + namespace + class declaration.
+- Each gh response gets a typed PHPDoc shape (`array{...}`) so PHPStan level 10 can verify field access. That's 5–15 lines per response shape, not per call.
+- We use one **value object per result** (`PullRequestSnapshot`, `PullRequestReadiness`, `ShipReleaseStepResult`, etc.) instead of returning arrays. Roughly 30 lines per object — the price of keeping the type system honest at every layer boundary.
+- Service classes that touch `gh` get an **interface + concrete impl + in-memory fake** (`PullRequestApi` / `GhPullRequestApi` / `FakePullRequestApi`). The interface seam roughly doubles the API-facing line count but is what makes the orchestrator unit-testable without a real GitHub.
+- Defensive logic (preflight, ordering enforcement, downstream-wait, status retraction, base validation, exception handling per step) accumulates over review iterations. Each piece is small and justified individually; together they dominate the orchestrator file.
+
+The smaller alternatives:
+- A bash script invoking `gh pr view --json … | jq` would be ~200 lines, ship the happy path, and be brittle on every edge case the orchestrator now defends against. No tests.
+- A single PHP file with no value objects, no interface, no fakes would land near 350 lines but cap at "trust live runs to verify."
+
+The current shape is the cost of **PHPStan level 10 + strict tests + structured failure reporting**. Worth knowing before adding the next CLI.
+
+## Adding a new CLI
+
+1. Add `src/<Service>.php` (`final readonly class`, ctor-promoted DI). If it touches the network, define an interface and a concrete `Gh*` impl so tests can substitute a fake.
+2. Add `src/<Service>Result.php` if it returns more than a primitive.
+3. Add `bin/<command>.php` (Symfony Console `SingleCommandApplication`). Keep all logic in the service class; the bin file is just option parsing + result rendering.
+4. Add a `release:<command>` entry in `Taskfile.yml` with `requires.vars` and `{{shellQuote .VAR}}` for every parameter.
+5. Add tests in `tests/` — pure helpers tested directly, services tested via fake collaborators.
+6. Add a workflow step that mints the App token and runs `task release:<command>`.
+7. After merge, append the corresponding `Bash(task -d ~/dev/oce/...)` permission to `~/.claude/settings.json` (alphabetical).
+
+## Running checks locally
+
+```sh
+composer test            # PHPUnit
+composer phpstan         # level 10 + strict-rules
+composer phpcs           # PSR12 + line-length
+composer rector-check    # dry-run modernization checks
+composer require-checker # composer.json declares every used symbol
+composer check           # all five
+composer fix             # phpcbf + rector-fix
+```

tools/release/Taskfile.yml

@@ -222,6 +222,20 @@ tasks:
       - git commit -m {{shellQuote .COMMIT_MESSAGE}}
       - git push --force-with-lease origin {{shellQuote .ROTATION_BRANCH}}
 
+  release:ship:
+    desc: Merge the three release PRs (infra → conductor → docs) in order (issue #705)
+    requires:
+      vars: [VERSION, REL_BRANCH]
+    deps: [setup]
+    cmds:
+      - >-
+        php bin/ship-release.php
+        --version={{shellQuote .VERSION}}
+        --rel-branch={{shellQuote .REL_BRANCH}}
+        {{if .TIMEOUT_SECONDS}}--timeout-seconds={{shellQuote .TIMEOUT_SECONDS}}{{end}}
+        {{if .STATUS_TARGET_URL}}--status-target-url={{shellQuote .STATUS_TARGET_URL}}{{end}}
+        {{if eq .DRY_RUN "1"}}--dry-run{{end}}
+
   release:probe-app-installation:
     desc: Verify the release App is installed on $OWNER/$REPO_NAME
     cmds:

tools/release/bin/ship-release.php

@@ -0,0 +1,70 @@
+#!/usr/bin/env php
+<?php
+
+/**
+ * Merge the three release PRs (infra → conductor → docs) in order.
+ *
+ * Authenticates via the ambient GH_TOKEN env var. The workflow mints a release
+ * App token with PR-write on all three repos and exports it before invoking.
+ *
+ * @package   openemr-devops
+ * @link      https://www.open-emr.org
+ * @author    Michael A. Smith <michael@opencoreemr.com>
+ * @copyright Copyright (c) 2026 OpenCoreEMR Inc.
+ * @license   https://github.com/openemr/openemr-devops/blob/master/LICENSE GNU General Public License 3
+ */
+
+declare(strict_types=1);
+
+require dirname(__DIR__) . '/vendor/autoload.php';
+
+use OpenEMR\Release\GhPullRequestApi;
+use OpenEMR\Release\PullRequestTarget;
+use OpenEMR\Release\ShipReleaseOptions;
+use OpenEMR\Release\ShipReleaseOrchestrator;
+use OpenEMR\Release\ShipReleaseRenderer;
+use OpenEMR\Release\SystemClock;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Input\InputOption;
+use Symfony\Component\Console\Output\OutputInterface;
+use Symfony\Component\Console\SingleCommandApplication;
+
+(new SingleCommandApplication())
+    ->setName('ship-release')
+    ->setDescription('Merge the three release PRs in order (issue #705)')
+    ->addOption('version', null, InputOption::VALUE_REQUIRED, 'Release version (e.g. 8.1.0)')
+    ->addOption('rel-branch', null, InputOption::VALUE_REQUIRED, 'Release branch name (e.g. rel-810)')
+    ->addOption('dry-run', null, InputOption::VALUE_NONE, 'Check readiness without merging or posting status')
+    ->addOption(
+        'timeout-seconds',
+        null,
+        InputOption::VALUE_REQUIRED,
+        'Max seconds to wait for docs PR to update after conductor merges',
+        '600',
+    )
+    ->addOption('status-target-url', null, InputOption::VALUE_REQUIRED, 'target_url for the ship-approved status', '')
+    ->setCode(function (InputInterface $input, OutputInterface $output): int {
+        $version = ShipReleaseOptions::asString($input, 'version');
+        $relBranch = ShipReleaseOptions::asString($input, 'rel-branch');
+        if ($version === '' || $relBranch === '') {
+            $output->writeln('<error>--version and --rel-branch are required</error>');
+            return 1;
+        }
+        $timeoutRaw = ShipReleaseOptions::asString($input, 'timeout-seconds');
+        if (!ctype_digit($timeoutRaw) || (int) $timeoutRaw < 1) {
+            $output->writeln('<error>--timeout-seconds must be a positive integer</error>');
+            return 1;
+        }
+
+        $orchestrator = new ShipReleaseOrchestrator(
+            new GhPullRequestApi(),
+            new SystemClock(),
+            (int) $timeoutRaw,
+            (bool) $input->getOption('dry-run'),
+            ShipReleaseOptions::asString($input, 'status-target-url'),
+        );
+        $result = $orchestrator->ship(PullRequestTarget::forRelease($version, $relBranch));
+        ShipReleaseRenderer::render($output, $result);
+        return $result->wasSuccessful() ? 0 : 1;
+    })
+    ->run();

tools/release/composer.json

@@ -5,6 +5,7 @@
     "license": "GPL-2.0-or-later",
     "require": {
         "php": "^8.5",
+        "ext-mbstring": "*",
         "nikic/php-parser": "^5.0",
         "symfony/console": "^7.0",
         "symfony/process": "^7.0",
@@ -42,6 +43,7 @@
             "@phpcs",
             "@phpstan",
             "@rector-check",
+            "@require-checker",
             "@test"
         ],
         "fix": [

tools/release/composer.lock

@@ -0,0 +1,22 @@
+<?php
+
+/**
+ * Test seam for the orchestrator's downstream-effect polling loop.
+ *
+ * @package   openemr-devops
+ * @link      https://www.open-emr.org
+ * @author    Michael A. Smith <michael@opencoreemr.com>
+ * @copyright Copyright (c) 2026 OpenCoreEMR Inc.
+ * @license   https://github.com/openemr/openemr-devops/blob/master/LICENSE GNU General Public License 3
+ */
+
+declare(strict_types=1);
+
+namespace OpenEMR\Release;
+
+interface Clock
+{
+    public function now(): \DateTimeImmutable;
+
+    public function sleep(int $seconds): void;
+}

tools/release/src/Clock.php

@@ -0,0 +1,51 @@
+<?php
+
+/**
+ * Outcome of refreshing the docs PR snapshot + readiness right before merge.
+ *
+ * Replaces an earlier 4-tuple with overloaded null semantics. Only one of the
+ * three static factories produces a usable instance; the type system enforces
+ * which fields are populated.
+ *
+ * @package   openemr-devops
+ * @link      https://www.open-emr.org
+ * @author    Michael A. Smith <michael@opencoreemr.com>
+ * @copyright Copyright (c) 2026 OpenCoreEMR Inc.
+ * @license   https://github.com/openemr/openemr-devops/blob/master/LICENSE GNU General Public License 3
+ */
+
+declare(strict_types=1);
+
+namespace OpenEMR\Release;
+
+final readonly class DocsRefreshResult
+{
+    /**
+     * @param list<string> $blockingReasons
+     */
+    private function __construct(
+        public ?PullRequestSnapshot $snapshot,
+        public ?PullRequestReadiness $readiness,
+        public ?string $stopReason,
+        public array $blockingReasons,
+    ) {
+    }
+
+    public static function success(PullRequestSnapshot $snapshot, PullRequestReadiness $readiness): self
+    {
+        return new self($snapshot, $readiness, null, []);
+    }
+
+    /**
+     * @param list<string> $reasons
+     */
+    public static function blocked(?PullRequestSnapshot $snapshot, string $stopReason, array $reasons): self
+    {
+        return new self($snapshot, null, $stopReason, $reasons);
+    }
+
+    public function isSuccess(): bool
+    {
+        return $this->stopReason === null;
+    }
+}