Skip to content

ci: register release-alpha coordinator on main (dispatchable)#371

Closed
coderdan wants to merge 1 commit into
mainfrom
ci/dispatchable-release-alpha
Closed

ci: register release-alpha coordinator on main (dispatchable)#371
coderdan wants to merge 1 commit into
mainfrom
ci/dispatchable-release-alpha

Conversation

@coderdan

@coderdan coderdan commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Unblocks cutting a v3 alpha before #314 (eql_v3 → main) merges.

Problem

mise run release:eql dispatches the release-alpha.yml coordinator with --ref eql_v3, but it fails:

HTTP 404: workflow release-alpha.yml not found on the default branch

GitHub only lets you dispatch a workflow_dispatch workflow that is registered on the default branch. release-alpha.yml (and its reusable _build-sql.yml / _build-docs.yml) currently live only on eql_v3, so there's nothing to dispatch from main.

Fix

Add the three workflow files to main, verbatim from eql_v3:

  • .github/workflows/release-alpha.yml — the coordinator (registered so it's dispatchable)
  • .github/workflows/_build-sql.yml — reusable, workflow_call
  • .github/workflows/_build-docs.yml — reusable, workflow_call (runs docs:generate:json, so the docs tarball carries json/eql-manifest.json)

All three are workflow_dispatch / workflow_call only — inert on main until invoked.

Why this is safe / correct

When dispatched with --ref eql_v3, the run executes at that ref: the checkout, the .github/scripts/release-alpha-*.sh scripts, the mise tasks (types:check, codegen:parity, docs:generate:json), and the uses: ./_build-*.yml reusable workflows all resolve from eql_v3. main only needs the top-level workflow registered for the dispatch to be accepted. The two reusables are carried along so uses: ./ resolves regardless of how GitHub picks the ref for the run.

The reusable builds check out their ref input (the dispatch SHA / tag), so even their copy on main executes eql_v3 code — nothing v2-era on main is used.

Scope

  • No trigger runs on push/PR to main (dispatch/call only).
  • target=eql (what mise run release:eql uses) does not dispatch release-plz.yml, so it isn't needed here.
  • Temporary: superseded when EQL v3 #314 merges and promotes these files to main as part of the v3 line. If they've drifted on eql_v3 by then, the merge reconciles them.

After merge

mise run release:eql --ref eql_v3 --dry-run   # resolves eql-3.0.0-alpha.3, verifies drift gates
mise run release:eql --ref eql_v3             # cuts it; attaches eql-docs-* with json/eql-manifest.json

https://claude.ai/code/session_01CqDNqLSEEkCi7xAJFq7HJA

Summary by CodeRabbit

  • New Features
    • Added reusable workflows for building documentation and SQL artifacts, including support for attaching outputs to releases or publishing prereleases.
    • Added a new alpha release workflow with manual triggering, dry-run support, and selectable targets for SQL, bindings, or both.
    • Improved release coordination by generating a release plan, running validation checks, and publishing a consolidated summary of each run.

GitHub only lets you dispatch a workflow_dispatch workflow that exists on
the default branch. The v3 alpha coordinator (release-alpha.yml) and its
reusable build workflows currently live only on eql_v3, so
`mise run release:eql --ref eql_v3` fails with 'workflow not found on the
default branch'.

Add the three files to main, verbatim from eql_v3, so the coordinator is
dispatchable. They are workflow_dispatch / workflow_call only — inert on
main until invoked. When dispatched with --ref eql_v3, the run's scripts
(.github/scripts/release-alpha-*.sh), mise tasks, and reusable-workflow
(uses: ./) resolution all come from eql_v3, so the actual build uses v3
code; main just needs the top-level workflow registered. The two reusables
are carried too so `uses: ./_build-*.yml` resolves regardless of how the
dispatch resolves the ref.

Temporary: superseded when #314 (eql_v3 -> main) merges and brings these
files to main as part of the v3 promotion.

Claude-Session: https://claude.ai/code/session_01CqDNqLSEEkCi7xAJFq7HJA
@coderdan coderdan self-assigned this Jul 6, 2026
@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Adds three new GitHub Actions workflow files implementing a CI-native alpha release pipeline: two reusable workflows for building SQL artifacts and documentation, and a coordinator workflow that resolves release identity, pins bindings versions, invokes the reusable build workflows, dispatches crate publishing, and reports a summary.

Changes

Alpha Release CI Workflows

Layer / File(s) Summary
Reusable SQL build workflow
.github/workflows/_build-sql.yml
New workflow_call workflow builds EQL SQL via mise, uploads artifacts, optionally attaches to an existing release or creates a prerelease, and notifies an external service on release events.
Reusable docs build workflow
.github/workflows/_build-docs.yml
New workflow_call workflow installs Doxygen, generates docs in multiple formats via mise, packages and uploads artifacts, and optionally publishes to a GitHub release.
Coordinator inputs and resolve job
.github/workflows/release-alpha.yml
New manually-dispatched workflow with target/version/channel/pre/dry_run inputs; resolve job checks out the repo, derives release identity/tags via script, and runs mise verification checks.
Bindings pin job
.github/workflows/release-alpha.yml
pin job imports a GPG key, pins the bindings crate version, pushes a signed commit, and verifies the commit signature.
Build-sql/build-docs job wiring
.github/workflows/release-alpha.yml
Conditional build-sql and build-docs jobs call the reusable workflows with derived tags, refs, and attach options.
Crate publish dispatch and summary
.github/workflows/release-alpha.yml
crate-publish job dispatches release-plz.yml via gh workflow run; summary job always runs and emits a consolidated report of job results.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Possibly related PRs

Suggested reviewers: freshtonic, auxesis

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: adding the dispatchable release-alpha coordinator workflow on main.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch ci/dispatchable-release-alpha

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
.github/workflows/_build-sql.yml (1)

57-104: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Consider pinning third-party actions to a commit SHA.

actions/checkout@v4, jdx/mise-action@v3, actions/upload-artifact@v4, and softprops/action-gh-release@v2 are all pinned to a mutable major-version tag rather than a full commit SHA. This is a supply-chain hardening best practice, especially relevant here since the workflow holds contents: write and a secret token.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/_build-sql.yml around lines 57 - 104, Pin the third-party
workflow actions in this job to full commit SHAs instead of mutable version
tags. Update the uses entries for actions/checkout, jdx/mise-action,
actions/upload-artifact, and softprops/action-gh-release to immutable revisions
so the build and release flow stays locked down, especially in the workflow that
runs with write access and token-based release permissions.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/workflows/_build-sql.yml:
- Around line 57-104: Pin the third-party workflow actions in this job to full
commit SHAs instead of mutable version tags. Update the uses entries for
actions/checkout, jdx/mise-action, actions/upload-artifact, and
softprops/action-gh-release to immutable revisions so the build and release flow
stays locked down, especially in the workflow that runs with write access and
token-based release permissions.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d386d995-bdaf-4432-9c9e-42ee238dabda

📥 Commits

Reviewing files that changed from the base of the PR and between 80a7a2b and b4c48af.

📒 Files selected for processing (3)
  • .github/workflows/_build-docs.yml
  • .github/workflows/_build-sql.yml
  • .github/workflows/release-alpha.yml

@coderdan coderdan closed this Jul 6, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant