Skip to content

chore(ci): match bulletin-deploy's manual-release flow#123

Closed
UtkarshBhardwaj007 wants to merge 2 commits into
mainfrom
chore/release-via-changesets-action
Closed

chore(ci): match bulletin-deploy's manual-release flow#123
UtkarshBhardwaj007 wants to merge 2 commits into
mainfrom
chore/release-via-changesets-action

Conversation

@UtkarshBhardwaj007

@UtkarshBhardwaj007 UtkarshBhardwaj007 commented May 5, 2026

Copy link
Copy Markdown
Member

What & why

The release workflow has failed on the last three pushes to main (PRs #120, #121, #122). Branch protection on main requires:

  1. Verified signatures on every commit
  2. 6 of 6 status checks to pass
  3. No direct pushes (PR-only)

The old release.yml ignored all three — it committed locally as github-actions[bot] and ran git push origin main. Failed runs:

This PR mirrors the release flow that paritytech/bulletin-deploy already runs successfully under the same protection rules.

History note: an earlier commit on this branch tried changesets/action, which would also have worked — but only with the org-level setting "Allow GitHub Actions to create and approve pull requests" enabled, and we don't control that. The current commit is the version that works without any org-level toggle.

How the new flow works

[ PRs land on main with .changeset/*.md files — accumulate ]
                          │
                          ▼
[ Maintainer cuts a release: ]
  1. release branch: pnpm changeset version && pnpm format
  2. PR the bumped package.json + CHANGELOG (signed, reviewed, status-checked)
  3. After merge: gh release create vX.Y.Z --generate-notes  (or via UI)
                          │
                          ▼
[ release.yml fires on the `release: created` event ]
  4. Checks out the tagged commit
  5. Builds dot-{linux,darwin}-{x64,arm64} via `bun build --compile`
  6. `gh release upload` --clobber attaches them as Release assets

No automation pushes to main. Ever. The workflow only reads the tagged commit and writes to the Release object — both of which live entirely outside branch protection.

Files changed

  • .github/workflows/release.yml — replaced push: branches: [main] trigger with release: types: [created]. ~30 lines.
  • CLAUDE.md — updated "Repo conventions" → release section to document the new manual flow.

What happens after this PR merges

  1. This PR merges — nothing else fires automatically (the new workflow only triggers on release: created).
  2. Maintainer cuts the release manually:
    git checkout -b chore/version-packages
    pnpm changeset version && pnpm format
    git commit -am "chore: version packages"
    gh pr create --title "chore: version packages 0.16.18"
    # ...review & merge...
    git checkout main && git pull
    gh release create v0.16.18 --generate-notes
  3. The Release event fires release.yml. Binaries get built and attached.
  4. All accumulated changes from PRs ci: use parity-default runners in paritytech org #120, fix(mod): silence false origin warning and verify repo before download #121, feat: harden cli against github api rate limits #122 ship in v0.16.18.

Test plan

  • release.yml syntax valid
  • gh release upload is the same call bulletin-deploy effectively uses (via npm publish in their case — same idea: workflow writes to a Release/registry artefact, never to main)
  • After merge: cut a real release and confirm the four binaries land on the GH Release page

Trade-offs

  • Each release is a few manual maintainer steps instead of "merge a changeset PR and watch the release happen." Same trade-off bulletin-deploy accepts.
  • No bypass tokens, no GitHub App, no force-pushed bot commits, no org-level toggles. Works under the strictest branch protection.

The previous release workflow committed `chore: version packages`
locally as `github-actions[bot]` and pushed straight to main. That path
breaks under branch protection that requires (a) verified signatures,
(b) required status checks, and (c) PR review for any change to main —
so the workflow has been failing on every push for the last three
releases (PRs #120 / #121 / #122).

Switch to the canonical changesets/action two-mode flow:

  - On a push to main while pending changesets exist, the action opens
    or updates a "Version Packages" PR. The PR carries the version
    bump and the regenerated CHANGELOG, and goes through the normal
    protected-branch flow — same review, same checks, same signed
    commit policy as any human PR. No direct push to main.

  - Once that PR merges, the workflow re-runs and the action sees no
    pending changesets, so it invokes the new `scripts/release.sh`.
    The script tags the release, builds the four SEA binaries, and
    creates the GitHub Release via `gh release create`. Idempotent:
    every other push-to-main where no changesets exist is a fast no-op
    because the tag already exists.

Trade-off: each release now requires merging one auto-PR. That doubles
as a release approval gate — releases stop being a side-effect of any
arbitrary changeset PR landing.

Caveat for the org: this needs `Settings → Actions → General → Allow
GitHub Actions to create and approve pull requests` enabled. If the
paritytech org has it disabled, the action's PR open call will 403 and
we'll need a GitHub App token instead. Calling that out in the PR body
so we can flip the setting before merge if needed.
@github-actions

github-actions Bot commented May 5, 2026

Copy link
Copy Markdown
Contributor

Dev build ready — try this branch:

curl -fsSL https://raw.githubusercontent.com/paritytech/playground-cli/main/install.sh | VERSION=dev/chore/release-via-changesets-action bash

@github-actions

github-actions Bot commented May 5, 2026

Copy link
Copy Markdown
Contributor

E2E Test Pass · ✅ PASS

Tag: e2e-ci-pr · Branch: chore/release-via-changesets-action · Commit: 38906cc · Run logs

Cell Result Time
pr-preflight ✅ PASS 2m16s
pr-deploy-foundry ✅ PASS 1m38s
pr-mod ✅ PASS 1m28s
pr-init-session ✅ PASS 1m27s
pr-install ✅ PASS 0m53s
pr-deploy-frontend ✅ PASS 5m36s
${{ matrix.cell }} ⏭️ SKIP 0m00s
${{ matrix.cell }} ⏭️ SKIP 0m00s

Sentry traces: view spans for this run

Replaces the changesets/action approach from the previous commit on
this branch. The org-level setting "Allow GitHub Actions to create and
approve pull requests" is not under our control, and without it
changesets/action's PR-mode 403s when trying to open the Version
Packages PR.

Mirror `paritytech/bulletin-deploy` exactly: no automation pushes to
`main`. The maintainer drives the version bump as a normal PR and
creates the GitHub Release manually. The workflow only fires on
`release: created`, builds the four SEA binaries from the tagged
commit, and `gh release upload`s them as Release assets.

This bypasses every branch protection rule because the workflow no
longer touches `main` — only the tagged commit (read-only) and the
Release object (write via `gh`). No `--force` push, no signed-commit
workaround, no bypass token.

Trade-off vs the previous PR commit: each release is a few manual
steps for the maintainer instead of "merge a PR with a changeset and
watch it ship." Same trade-off bulletin-deploy already accepted — and
the only one that works without org-level settings access.

Updated CLAUDE.md "Repo conventions" so contributors know what to do
with their changesets and how releases happen.
@UtkarshBhardwaj007 UtkarshBhardwaj007 changed the title chore(ci): use changesets/action so release respects branch protection chore(ci): match bulletin-deploy's manual-release flow May 5, 2026
@UtkarshBhardwaj007

Copy link
Copy Markdown
Member Author

Closing — going with the simpler short-term path: temporarily relax the three blocking branch-protection rules (signed commits / status checks / push restriction), re-run the failed workflow on PR #122's run to ship the accumulated changesets, then re-enable the rules. No workflow change needed; the existing release.yml on main works once the rules don't block the bot's push.

1 similar comment
@UtkarshBhardwaj007

Copy link
Copy Markdown
Member Author

Closing — going with the simpler short-term path: temporarily relax the three blocking branch-protection rules (signed commits / status checks / push restriction), re-run the failed workflow on PR #122's run to ship the accumulated changesets, then re-enable the rules. No workflow change needed; the existing release.yml on main works once the rules don't block the bot's push.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant