Skip to content

release: publish version manifest + shockwave fan-out on tag#151

Closed
TeoSlayer wants to merge 2 commits into
mainfrom
actions-org-secrets-todo
Closed

release: publish version manifest + shockwave fan-out on tag#151
TeoSlayer wants to merge 2 commits into
mainfrom
actions-org-secrets-todo

Conversation

@TeoSlayer

@TeoSlayer TeoSlayer commented May 28, 2026

Copy link
Copy Markdown
Collaborator

Summary

Two new jobs run after the existing `release` job to make every install surface react to a new tag:

  • publish-manifest builds `public/.well-known/latest.json` from this release's `checksums.txt` and `repository_dispatch`es it to `pilot-protocol/website`. The website commits the merged manifest to main, which triggers the Cloudflare deploy. Result: `pilotprotocol.network/install.sh` and `pilotprotocol.network/.well-known/latest.json` reflect the new version within ~1 minute of the release going live.
  • shockwave fan-outs `repository_dispatch` (event_type=`upstream-release`) to `homebrew-pilot`, `sdk-node`, `sdk-python`, `sdk-swift`. Each consumer runs its own bump workflow on receipt.

Per-target dispatch is soft-fail — a missing token on one repo emits a `::warning::` and does not block the others. The job summary lists which targets succeeded so a missed dispatch is visible without grepping logs.

Required setup

  • `SHOCKWAVE_DISPATCH_TOKEN` secret with `repository_dispatch` scope on each downstream repo. Prefer a GitHub App token (`actions/create-github-app-token@v1`) over a PAT.
  • When the secret is unset, both jobs print a clear `::warning::` and exit 0 — existing release flow is preserved.

Receivers in flight

  • `pilot-protocol/website` PR — adds the `publish-manifest.yml` receiver
  • `TeoSlayer/homebrew-pilot` PR — adds the `bump-formula.yml` receiver
  • sdk-{node,python,swift}: receivers not yet written; dispatch is sent but ignored (no harm, just inert)

Test plan

  • Tag a test pre-release (`v1.10.6-rc1`) and verify:
    • publish-manifest job runs and the website commit lands
    • shockwave job runs and emits `::warning::` for the unwritten receivers
    • homebrew-pilot logs `::notice::skipping prerelease` (RC policy gate)
  • Tag a real release (`v1.10.6`) and verify the homebrew formula bumps to it.

🤖 Generated with Claude Code

teovl added 2 commits May 28, 2026 12:50
@teovl
ci: document pending org-move secret migration in release.yml header
4f68df7 
Drop a TODO at the top of release.yml enumerating which secrets need to
be re-created on `pilot-protocol/` before the repo transfer, since
GitHub secrets do not survive a repo transfer.

Currently the only expected secret is GITHUB_TOKEN (auto-issued).
HOMEBREW_TAP_TOKEN was removed in #122 when update-homebrew.yml was
dropped, and NPM_TOKEN / PYPI_TOKEN / COSIGN_KEY are placeholders for
the auto-publish (PILOT-203) and binary-signing (PILOT-114) work that
hasn't landed yet.

This is documentation only — no behavior change. The comment block is
load-bearing for the org migration; deleting it before the new org has
its secrets configured will silently break the next release.
@teovl
release: publish manifest + shockwave fan-out on tag
c755a07 
Two new jobs run after the existing release job:

publish-manifest builds public/.well-known/latest.json from the tag's
checksums.txt, then repository_dispatches it to pilot-protocol/website,
which commits the JSON to main and triggers the Cloudflare deploy. The
single canonical manifest at pilotprotocol.network/.well-known/latest.json
is consumed by install.sh, the Homebrew formula bump workflow, and the
SDK release helpers — one shockwave per release.

shockwave fans out repository_dispatch(event_type=upstream-release)
to homebrew-pilot, sdk-node, sdk-python, and sdk-swift so each consumer
can run its own bump workflow. Per-target dispatch is soft-fail with a
summary so a missing token on one repo does not block the others.

Both jobs require a new SHOCKWAVE_DISPATCH_TOKEN secret with
repository_dispatch scope on each downstream repo (prefer a GitHub App
token over a PAT). When the secret is absent the steps emit a clear
::warning:: and exit 0 so existing release flow is not broken.
@TeoSlayer TeoSlayer requested a review from Alexgodoroja as a code owner May 28, 2026 22:29
@TeoSlayer TeoSlayer mentioned this pull request May 28, 2026
Closed
3 tasks
@TeoSlayer

TeoSlayer commented May 28, 2026

Copy link
Copy Markdown
Collaborator Author

Superseded by #154 which replaces the hardcoded shockwave fan-out with the central orchestrator. The orchestrator subsumes everything #151 was trying to do, plus auto-generates the dependency graph from real go.mod files so it cannot silently drift.

@TeoSlayer TeoSlayer closed this May 28, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Alexgodoroja Alexgodoroja Awaiting requested review from Alexgodoroja

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@TeoSlayer @teovl