chore: add CI preflight gate to release workflow#69
Conversation
9523bf1 to
23a3941
Compare
23a3941 to
bfb315b
Compare
em-redhat
left a comment
There was a problem hiding this comment.
PR Review: #69 — chore: add CI preflight gate to release workflow
CI Status
| Check | Status | Classification |
|---|---|---|
| build-and-test | PASS | N/A |
| MegaLinter | PASS | N/A |
Walkthrough
| File | Change | Focus |
|---|---|---|
.github/workflows/release.yml |
Replace push-tag trigger with workflow_dispatch + preflight job (7 validation steps), per-job permissions, concurrency control, RELEASE_TAG env var | ci-cd |
AGENTS.md |
Update CI/CD section to reflect new release trigger and preflight gate | documentation |
openspec/changes/release-ci-gate/.openspec.yaml |
Add OpenSpec metadata | documentation |
openspec/changes/release-ci-gate/proposal.md |
Add change proposal | documentation |
openspec/changes/release-ci-gate/design.md |
Add design document with decisions and risk analysis | documentation |
openspec/changes/release-ci-gate/specs/release-preflight.md |
Add detailed spec with Given/When/Then scenarios | documentation |
openspec/changes/release-ci-gate/tasks.md |
Add task breakdown (all completed) | documentation |
Summary
Well-structured PR that replaces the fire-and-forget push.tags release trigger with a gated workflow_dispatch flow. The preflight job adds 7 validation steps (branch, tag format, uniqueness, semver ordering, CI status, unreleased commits, tag creation) before GoReleaser runs. The implementation follows the proven pattern from unbound-force/unbound-force and properly handles idempotent re-runs. OpenSpec artifacts are thorough with clear design decisions and risk analysis. All GITHUB_REF_NAME references have been correctly replaced with the RELEASE_TAG env var.
Alignment
- No issues found. The implementation precisely matches the spec requirements, the linked issue #65, and the stated design decisions.
Security
- [LOW]
RELEASE_TAGis derived from${{ inputs.tag }}and used in shell contexts, but the tag format validation step (^v[0-9]+\.[0-9]+\.[0-9]+$) effectively sanitizes the input before downstream steps. No action needed. - Actions are pinned to full commit SHAs with version comments. Secrets accessed via
${{ secrets.* }}only. No hardcoded credentials.
Constitution Compliance
- I. Composability First: PASS
- II. Autonomous Collaboration: N/A
- III. Observable Quality: PASS — preflight produces auditable output at each step
- IV. Testability: N/A — CI-only change, no new Go packages
- Spec-First Development: PASS — OpenSpec artifacts present and thorough
- Documentation Gate: PASS — AGENTS.md updated
Verdict
COMMENT — No blocking findings. This PR is ready to be approved once the branch is updated with the base branch (main). Rebase or merge main into the PR branch so CI runs against the latest base, then this can be approved.
This review was generated by /review-pr (AI-assisted).
- Replace push.tags trigger with workflow_dispatch for manual release - Add preflight job: branch validation, tag format, uniqueness, semver ordering, CI status via Checks API, unreleased commits check - Use per-job permissions (least privilege) instead of workflow-level - Support idempotent re-runs for partial failure recovery - Update AGENTS.md CI/CD section to reflect new release process - Add OpenSpec artifacts (proposal, design, specs, tasks) Closes unbound-force#65
bfb315b to
4ef534b
Compare
Summary
Adds a CI preflight gate to the release workflow, preventing publication of release binaries from commits that haven't passed CI checks.
Closes #65
Changes
push.tags: v*withworkflow_dispatch(manual trigger withtaginput)vMAJOR.MINOR.PATCH)build-and-test+MegaLinter)permissions(least privilege) instead of workflow-levelHow to Release (after merge)
Or use the GitHub Actions "Run workflow" UI button.
Reference
unbound-force/unbound-forceopenspec/changes/release-ci-gate/