ci: register release-alpha coordinator on main (dispatchable)#371
ci: register release-alpha coordinator on main (dispatchable)#371coderdan wants to merge 1 commit into
Conversation
GitHub only lets you dispatch a workflow_dispatch workflow that exists on the default branch. The v3 alpha coordinator (release-alpha.yml) and its reusable build workflows currently live only on eql_v3, so `mise run release:eql --ref eql_v3` fails with 'workflow not found on the default branch'. Add the three files to main, verbatim from eql_v3, so the coordinator is dispatchable. They are workflow_dispatch / workflow_call only — inert on main until invoked. When dispatched with --ref eql_v3, the run's scripts (.github/scripts/release-alpha-*.sh), mise tasks, and reusable-workflow (uses: ./) resolution all come from eql_v3, so the actual build uses v3 code; main just needs the top-level workflow registered. The two reusables are carried too so `uses: ./_build-*.yml` resolves regardless of how the dispatch resolves the ref. Temporary: superseded when #314 (eql_v3 -> main) merges and brings these files to main as part of the v3 promotion. Claude-Session: https://claude.ai/code/session_01CqDNqLSEEkCi7xAJFq7HJA
📝 WalkthroughWalkthroughAdds three new GitHub Actions workflow files implementing a CI-native alpha release pipeline: two reusable workflows for building SQL artifacts and documentation, and a coordinator workflow that resolves release identity, pins bindings versions, invokes the reusable build workflows, dispatches crate publishing, and reports a summary. ChangesAlpha Release CI Workflows
Estimated code review effort: 3 (Moderate) | ~25 minutes Possibly related PRs
Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
🧹 Nitpick comments (1)
.github/workflows/_build-sql.yml (1)
57-104: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winConsider pinning third-party actions to a commit SHA.
actions/checkout@v4,jdx/mise-action@v3,actions/upload-artifact@v4, andsoftprops/action-gh-release@v2are all pinned to a mutable major-version tag rather than a full commit SHA. This is a supply-chain hardening best practice, especially relevant here since the workflow holdscontents: writeand a secret token.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/_build-sql.yml around lines 57 - 104, Pin the third-party workflow actions in this job to full commit SHAs instead of mutable version tags. Update the uses entries for actions/checkout, jdx/mise-action, actions/upload-artifact, and softprops/action-gh-release to immutable revisions so the build and release flow stays locked down, especially in the workflow that runs with write access and token-based release permissions.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In @.github/workflows/_build-sql.yml:
- Around line 57-104: Pin the third-party workflow actions in this job to full
commit SHAs instead of mutable version tags. Update the uses entries for
actions/checkout, jdx/mise-action, actions/upload-artifact, and
softprops/action-gh-release to immutable revisions so the build and release flow
stays locked down, especially in the workflow that runs with write access and
token-based release permissions.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: d386d995-bdaf-4432-9c9e-42ee238dabda
📒 Files selected for processing (3)
.github/workflows/_build-docs.yml.github/workflows/_build-sql.yml.github/workflows/release-alpha.yml
Unblocks cutting a v3 alpha before #314 (
eql_v3 → main) merges.Problem
mise run release:eqldispatches therelease-alpha.ymlcoordinator with--ref eql_v3, but it fails:GitHub only lets you dispatch a
workflow_dispatchworkflow that is registered on the default branch.release-alpha.yml(and its reusable_build-sql.yml/_build-docs.yml) currently live only oneql_v3, so there's nothing to dispatch frommain.Fix
Add the three workflow files to
main, verbatim fromeql_v3:.github/workflows/release-alpha.yml— the coordinator (registered so it's dispatchable).github/workflows/_build-sql.yml— reusable,workflow_call.github/workflows/_build-docs.yml— reusable,workflow_call(runsdocs:generate:json, so the docs tarball carriesjson/eql-manifest.json)All three are
workflow_dispatch/workflow_callonly — inert onmainuntil invoked.Why this is safe / correct
When dispatched with
--ref eql_v3, the run executes at that ref: the checkout, the.github/scripts/release-alpha-*.shscripts, the mise tasks (types:check,codegen:parity,docs:generate:json), and theuses: ./_build-*.ymlreusable workflows all resolve fromeql_v3.mainonly needs the top-level workflow registered for the dispatch to be accepted. The two reusables are carried along souses: ./resolves regardless of how GitHub picks the ref for the run.The reusable builds check out their
refinput (the dispatch SHA / tag), so even their copy onmainexecuteseql_v3code — nothing v2-era onmainis used.Scope
main(dispatch/call only).target=eql(whatmise run release:eqluses) does not dispatchrelease-plz.yml, so it isn't needed here.mainas part of the v3 line. If they've drifted oneql_v3by then, the merge reconciles them.After merge
https://claude.ai/code/session_01CqDNqLSEEkCi7xAJFq7HJA
Summary by CodeRabbit