Auto-publish releases at the end of the release workflow #61

Merged
jssblck merged 2 commits into main from jssblck/magical-vaughan-dab391
Jul 1, 2026


jssblck (Owner) commented Jul 1, 2026

Why

The release workflow built the platform matrix, created a draft GitHub Release, and then left publishing to a human. That manual step is the only thing standing between pushing a vX.Y.Z tag and a live release, so it may as well be automated.

What changed

  • Added a final Publish GitHub release step to `.github/workflows/release.yml` that runs `gh release edit "$TAG" --draft=false`, flipping the release live at the end of the workflow.
  • Kept the existing draft-creation step unchanged, so the release is still created as a draft first: GitHub generates the changelog notes and attaches every asset (the `.tar.gz` archives plus `checksums.txt`) to a fully-formed release before it is visible. Only then does the publish step flip it, so a consumer never catches a release with missing notes or half its assets.
  • The new step reuses the same `if: ${{ !inputs.dry_run }}` guard, so a `workflow_dispatch` dry run still builds and packages without publishing.
  • Rewrote the Write release summary step to report the release as published and link to the release tag, dropping the old "review the draft, publish when ready" next-steps list.
  • Updated the release runbooks in AGENTS.md and CONTRIBUTING.md to describe the release as auto-published rather than a draft awaiting a human.

The `--prerelease`/`--latest` selection is unchanged, so a pre-release tag (`v0.2.0-rc.1`) still publishes as a prerelease. The release job already carries `permissions: contents: write` and `GH_TOKEN: ${{ github.token }}`, which covers `gh release edit`, so no permissions change was needed.

Testing

  • nudge check (clean: 64 files, no Unicode dashes).
  • `actionlint` is not installed on this machine, so the workflow YAML was not machine-linted. The change is an added step plus a `--draft` to `--draft=false` edit mirroring the existing `gh` usage in the same job.

This only touches the release workflow and its docs, which are not a downstream user surface, so per AGENTS.md the blast radius is limited to Bastion's own CI.

Schema or governance impact

None. No changes to the reviewer schema, the verdict/event schema, local/GitHub surface parity, or the governance model.

The release workflow created a draft GitHub Release and left publishing
to a human. Add a final step that flips the draft to published so a
tagged release goes live without manual intervention.

The release is still created as a draft first, so GitHub generates its
notes and attaches every asset to a fully-formed release before it is
visible; the new `gh release edit --draft=false` step then publishes it.
A consumer never sees a release with missing notes or half its assets,
and a `workflow_dispatch` dry run still skips publishing.

Update the release summary and the AGENTS.md and CONTRIBUTING.md runbooks
to describe the release as auto-published rather than a draft awaiting a
human.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
jssblck enabled auto-merge (squash) July 1, 2026 16:47

github-actions Bot commented Jul 1, 2026

Bastion review

Passed. All 3 gate(s) passed. 4 reviewer(s) ran, 75s, 696065 in / 10240 out / 511360 cached tokens.

| Reviewer | Mode | Verdict | Summary |
| --- | --- | --- | --- |
| release-surface-robustness | gate | pass | No robustness issues found in the release publishing change. |
| shell-script-footguns | advisor | advisory | No shell or PowerShell portability issues found in the changed code. |
| contributor-docs-in-sync | gate | pass | Release workflow changes and contributor docs agree; no stale release-runbook claims found. |
| prose-anti-slop | gate | pass | Changed prose is clean. |

Posted by Bastion. Full transcripts are attached to the workflow run as an artifact. These checks were posted under the shared GitHub Actions app, so with other workflows on the commit they can cluster under one of those; set up a dedicated app to give them their own group.

Address the Bastion review on the release-workflow change:

- prose-anti-slop (blocking): recast the literal `--` dashes in the edited
  header comment as a parenthetical aside, matching the repo's no-dash prose
  rule.
- shell-script-footguns (advisory): give the new Publish step and the
  rewritten release-summary step an explicit `shell: bash` with
  `set -euo pipefail`, so they fail closed rather than relying on the
  runner's implicit `-e`-only bash.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
jssblck merged commit e436771 into main Jul 1, 2026
12 checks passed
jssblck deleted the jssblck/magical-vaughan-dab391 branch July 1, 2026 16:52
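
What the follow-up commit's `set -euo pipefail` change guards against, as an added example that is not part of the pull request or the project's workflow. Here `bash -e` stands in for the implicit `-e`-only shell the commit message mentions; the two step bodies, the `step_status` helper, and the use of `false` as a failing release command are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not the project's workflow). Both step bodies are constructed;
# `false` stands in for a release command that fails.

# Case 1: the failing command is not the last one in its pipeline.
PIPE_BODY='false | cat
echo "next command still ran"'

# Case 2: the tag variable was never set, so it expands to an empty string.
UNSET_BODY='unset TAG
echo "publishing release \"$TAG\""'

# step_status MODE BODY
# Runs BODY in a child bash and prints that shell's exit status.
#   implicit: `bash -e` only
#   strict:   the step body starts with `set -euo pipefail`
step_status() {
  rc=0
  case "$1" in
    implicit) bash -e -c "$2" >/dev/null 2>&1 || rc=$? ;;
    strict)   bash -c "set -euo pipefail
$2" >/dev/null 2>&1 || rc=$? ;;
    *)        echo "unknown mode: $1" >&2; return 2 ;;
  esac
  echo "$rc"
}

# Print one line per case: a 0 under "implicit" means the step would have
# carried on to its next command despite the failure.
for body_name in PIPE_BODY UNSET_BODY; do
  eval "body=\$$body_name"
  printf '%-10s implicit=%s strict=%s\n' "$body_name" \
    "$(step_status implicit "$body")" "$(step_status strict "$body")"
done
```

Under `-e` alone both bodies exit 0: the pipeline reports only its last command's status, and the unset variable silently becomes an empty string. With `-u` and `pipefail` added, each body stops at the faulty line with a non-zero status.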