Automate upstream release docs PRs via Renovate

[rdimitrov]

Closes #749

Summary

• Adds a Renovate custom manager that watches the four tracked upstream ToolHive projects via .github/upstream-projects.yaml and opens a version-bump PR whenever any of them releases.
• Adds .github/workflows/upstream-release-docs.yml that reacts to Renovate's PRs to produce source-verified content edits using the upstream-release-docs skill (run three times with docs-review), assigns reviewers from non-bot release contributors, and augments the PR body in a marker-delimited section.
• Replaces the @latest CDN reference for the Registry Server Swagger with a version pinned in the source-of-truth YAML.

See the full design in /Users/dimitrovr/.claude/plans/i-want-to-make-synchronous-axolotl.md (local plan file).

What's tracked

Four projects in .github/upstream-projects.yaml:

id	repo	pinned at
toolhive	stacklok/toolhive	v0.22.0
toolhive-registry-server	stacklok/toolhive-registry-server	v1.2.1
toolhive-studio	stacklok/toolhive-studio	v0.30.0
toolhive-cloud-ui	stacklok/toolhive-cloud-ui	v0.5.1

Architecture

There are two trigger paths, both producing a single PR per upstream release.

Path A: stacklok/toolhive releases (unified via update-toolhive-reference.yml)

1. ToolHive's release CI dispatches repository_dispatch: published-release to this repo (or someone invokes workflow_dispatch manually with a version).
2. update-toolhive-reference.yml:
   • Regenerates reference assets (CLI help, Swagger, CRD schemas)
   • Bumps version: for toolhive in .github/upstream-projects.yaml
   • Applies pin_files substitutions
   • Opens one PR on branch docs/upstream-toolhive-<version> with labels autogen-docs + upstream-content
3. upstream-release-docs.yml fires on the opened PR (gated to bot authors + upstream-content label), shallow-clones the upstream, runs the multi-pass skill, assigns reviewers, pushes content commits, and augments the PR body between <!-- upstream-release-docs:start --> markers.
4. Renovate is explicitly disabled for stacklok/toolhive in renovate.json so it doesn't race.

Path B: the other three projects

1. Renovate detects version: drift for toolhive-registry-server, toolhive-studio, or toolhive-cloud-ui and opens a PR with the upstream-content label.
2. upstream-release-docs.yml fires on that PR and does the same augmentation as Path A step 3.

**Path C: workflow_dispatch (manual)**accepts a pr_number input for manual retry if any step fails.

Security posture

• Double gate: Renovate-bot user identity (GitHub App, can't be impersonated) + required label
• No use of pull_request_target
• detect-change.mjs refuses to proceed if a PR tries to change repo: alongside version:
• All step-outputs and PR-derived values passed through env: vars in run: blocks (no direct \${{ }} shell interpolation); actionlint clean
• prev_tag existence is verified upstream before the skill runs
• Failure path labels the PR upstream-docs-failed and comments a retry pointer

Trade-offs intentionally chosen

• Unsigned commits: the workflow pushes with plain git push as github-actions[bot]. If branch protection rejects unsigned bot commits on Renovate branches, will fix-forward with a GitHub App token rather than migrate to peter-evans speculatively.
• External-contributor reviewers: added without filtering against repo collaborators. If that causes notification etiquette issues, will add a filter step.
• No groupName: each upstream release gets its own PR even when two release in the same Renovate cycle.

Upstream dependencies

This PR's code is written assuming stacklok/toolhive#4982 is merged. That PR:

• Adds thv-crds.tar.gz as a release asset (13 CRD YAMLs)
• Adds four re-exported toolhive-core schema JSONs as release assets
• Deletes the repository_dispatch: published-release chain that previously triggered reference-doc regeneration on this repo

All three are purely additive on toolhive's side except the dispatch retirement, which is safe in either merge order (this repo already deleted the receiver workflow earlier in this PR).

Impact of #4982 being merged, reflected in the latest commit here

• .github/upstream-projects.yaml — toolhive gains five new release_asset: entries; no more source: reliance on a clone for its reference artifacts
• .github/workflows/upstream-release-docs.yml — the toolhive-specific step downloads thv-crds.tar.gz, extracts to a temp dir, and runs extract-crd-schemas.mjs + generate-crd-pages.mjs + bundle-upstream-schema.mjs inline. No shell-script wrapper.
• scripts/update-toolhive-reference.sh — deleted entirely

A new "Commit regenerated reference assets" step commits the regen output as a distinct commit before the skill runs, so the autogen-touch detection below only sees skill-introduced changes (fixes a false-positive that would have fired on every toolhive run).

Merge ordering

Either order is safe:

• #4982 merges first → this PR's workflow works on next toolhive release immediately, pulling the new assets
• Automate upstream release docs PRs via Renovate #748 merges first → the workflow exists on main but the first toolhive release after merge would fail the CRD-tarball download until #4982 lands. workflow_dispatch retry covers the gap.

Recommend: merge #4982 first if it's ready; otherwise merge #748 and coordinate the #4982 merge before the next toolhive release.

Asks dropped

Two upstream asks were explored and dropped:

• Pre-generated CRD JSON schemas upstream (would have eliminated extract-crd-schemas.mjs) — rejected because it would add a Node toolchain to an otherwise-pure-Go repo
• Pre-bundled upstream-registry.schema.json in toolhive-core (would have eliminated bundle-upstream-schema.mjs) — rejected because it introduces a URL reference to maintain upstream; bundling stays colocated with the docs renderer that needs it

Test plan

• Merge this PR
• Wait for Renovate's next scan (could take a few hours; the repo's global schedule is Mondays 0-7 NY but this packageRule overrides to at any time)
• First validation option (fast): after merge, manually backdate one version: in .github/upstream-projects.yaml on a throwaway PR (e.g., bump toolhive-registry-server from v1.2.1 back to v1.2.0). On next Renovate scan it should open a bump PR; confirm the workflow fires and produces expected output.
• First validation option (organic): wait for any upstream repo to ship a real release; confirm Renovate opens the PR and the workflow augments it end-to-end
• For the first real run, watch for:
  • Workflow completes within the 60-minute action timeout (skill is multi-pass)
  • The anthropics/claude-code-action@v1 honors the "do not ask questions" directive
  • PR body has the marker-delimited content section inserted (not appended infinitely)
  • Reviewers are assigned (check gh pr view --json reviewRequests)
  • pin_files substitution in docusaurus.config.ts rewrites the Swagger @v1.2.1 to the new tag
  • Content commits pushed by github-actions[bot] are accepted by branch protection (signed-commits check)
  • GAPS.md / NO_CHANGES.md are captured into the PR body and not committed
• Failure-path smoke: if a real run fails, confirm the upstream-docs-failed label + retry comment appear and workflow_dispatch with pr_number=<n> reruns augmentation idempotently
• No collision with update-toolhive-reference.yml: for the next ToolHive release, both workflows fire; confirm branches and labels are disjoint and both PRs open cleanly

Manual validation via workflow_dispatch bootstrap

After this PR merges, you can exercise the full end-to-end flow without waiting for Renovate:

Actions → Upstream Release Docs → Run workflow, then either:

• Bootstrap a new PR: leave pr_number blank, fill project_id (e.g. toolhive-registry-server) and new_tag (e.g. v1.3.0). The workflow creates manual/upstream-<id>-<new_tag>, bumps the YAML, opens a PR with the right labels, and runs the full augmentation in the same run.
• Retry an existing Renovate PR: fill pr_number, leave the others blank.

Bootstrap mode is gated the same way as Renovate PRs (must supply both project_id and new_tag; collisions with an existing branch fail fast).

🤖 Generated with Claude Code

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
docs-website	Ready	Preview, Comment	Apr 21, 2026 7:09pm

[Copilot]

Pull request overview

Automates creation and augmentation of upstream-release documentation PRs by having Renovate bump pinned upstream versions and a workflow generate source-verified doc updates and PR metadata.

Changes:

• Add Renovate custom manager + rules to monitor .github/upstream-projects.yaml and open version-bump PRs for tracked upstream repos.
• Add Upstream Release Docs workflow to detect the changed project, run the multi-pass upstream-release-docs + docs-review process, push commits, and update PR body/reviewers.
• Pin the Registry Server Swagger CDN URL to a specific tag and add tooling (pin_files) to keep it updated.

Reviewed changes

Copilot reviewed 6 out of 7 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
scripts/upstream-release/detect-change.mjs	Detects which upstream project version changed vs origin/main and emits outputs for the workflow.
scripts/upstream-release/apply-pin-files.mjs	Applies per-project pin_files substitutions after version bumps (e.g., replacing @latest/old tags).
renovate.json	Adds a custom regex manager and packageRule to open/label upstream-content PRs on releases.
docusaurus.config.ts	Pins Swagger spec URL from @latest to a concrete upstream tag.
.gitignore	Ignores workflow signal files GAPS.md and NO_CHANGES.md.
.github/workflows/upstream-release-docs.yml	Implements the automation workflow that augments Renovate PRs with generated docs updates and PR body edits.
.github/upstream-projects.yaml	Adds the source-of-truth config for tracked upstream repos, pinned versions, docs hints, and pin substitutions.

[rdimitrov]

Both of Dan's points addressed in ef49684:

1. Terminology

You were right — "regenerate" was overloaded. The language now distinguishes:

• sync — for release-asset downloads / file copies (swagger, CLI docs tarball, 4 core schemas). Nothing is recreated; we're just placing files.
• regenerate — reserved for the toolhive CRD MDX step which truly transforms upstream manifests into our opinionated docs layout via extract-crd-schemas.mjs + generate-crd-pages.mjs.
• refresh — for the combined commit that may do both.

Concretely, the auto-commit message is now Refresh reference assets for <project> <tag> and the step/body text reads "synced or regenerated from release assets" where both apply.

2. Gap attribution to PR authors

Good catch. The prompt to the skill now requires each gap bullet in GAPS.md to reference the PR number and @-mention the PR author (bots filtered out). Format:

- Feature X (PR #123 by @alice): needs a user story explaining who this is for and the expected consumer workflow.

So when a gap lands in the PR body, the engineer who built Feature X gets directly tagged rather than "someone from the reviewer pool." The skill already deep-dives PRs in Phase 2, so it has the attribution info at hand — no additional lookups needed.

Thanks for the review!

[danbarr]

One remaining instance of "regenerates" (others were addressed), but non-blocking.

[danbarr]

Just noticed this...introducing a +24-hour drift off the bat seems undesirable. Can we drop to 0, or a few hours at most, 1-4 would still allow for a smoke-test window?

A delay is sensible for third-party libraries but these are first-party Stacklok releases. The cost of "docs PR opens for a release we later yanked" is just closing the PR, or a single revert PR if already merged.