ci: package and app versioning and release cycles#426
…dated concerns Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Entire-Checkpoint: c49b84391852
…t-flag management Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Release Preview: No version bumps detected. All changes are in unversioned paths or use exempt commit types.
Codecov Report: ✅ All modified and coverable lines are covered by tests.

Additional details and impacted files:

@@            Coverage Diff             @@
##             main     #426      +/-   ##
==========================================
+ Coverage   62.31%   71.80%   +9.48%
==========================================
  Files         134      113      -21
  Lines       10081     7164    -2917
  Branches     1052     1050       -2
==========================================
- Hits         6282     5144    -1138
+ Misses       3583     1804    -1779
  Partials      216      216

Flags with carried forward coverage won't be shown.
… STATE.md Root package.json has "type": "module" so .js files are treated as ESM. Rename to .cjs to ensure require() works on GitHub Actions runners. Also fix STATE.md: normalize metrics table, add missing plan entries, update progress counts, prune outdated open concerns. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
When commits change via force-push and the computed bump level increases for a component, replace the existing label instead of treating it as a manual override. Only preserve existing labels when they represent a higher or equal bump level. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Force-pushed from 228749b to 78e84f1.
@coderabbitai please review

Actions performed: Review triggered.
Add missing entries for phases 18, 21-P02, 24, 25, 28-32, 34-P04, 35-P01/P04/P06, 36, 37-P01, 38, 39. Sort all entries by phase/plan order. Mark missing data with - where older GSD versions didn't capture metrics in summaries. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Filter non-numeric tag suffixes in tag-staging.yml before sorting
- Guard post-merge commit with staged-diff check to avoid no-op failures
- Update desktop OTP debug doc with PR #425 resolution details
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Pull request overview
This PR overhauls CipherBox’s CI/CD release automation to support independent versioning across monorepo components, with PR-time impact analysis + labeling and post-merge release-as injection to drive Release Please. It also updates staging deployments to date-based tags and adds a dedicated multi-platform desktop release workflow compatible with the Tauri updater.
Changes:
- Reworked Release Please configuration/manifest for per-component versioning (including new app entries) and batched releases.
- Added PR-time release preview + labeling and post-merge release-as injection automation (scripts + workflows).
- Updated staging tag/deploy flows and introduced a tag-triggered desktop release workflow that publishes updater JSON and manages the GitHub "latest" flag.
Reviewed changes
Copilot reviewed 31 out of 33 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| release-please-config.json | Enables batched releases and adds per-app entries with component tags and desktop extra-files sync. |
| .release-please-manifest.json | Adds versions for new app package paths to match RP config. |
| apps/desktop/src-tauri/Cargo.toml | Aligns desktop Rust crate version with desktop app versioning strategy. |
| .github/scripts/release-constants.js | Centralizes shared label/path/versioning constants used by release automation scripts. |
| .github/scripts/pr-release-preview.js | Implements PR commit analysis, package mapping, cascade detection, and label/comment automation. |
| .github/scripts/post-merge-release.js | Implements post-merge release-as injection based on merged PR labels. |
| .github/workflows/pr-release-preview.yml | Runs PR-time analysis and applies release labels/comments. |
| .github/workflows/post-merge-release.yml | Serializes and commits release-as targets to main after merges. |
| .github/workflows/release-please.yml | Adds release summary output and "latest" flag management for desktop updater behavior. |
| .github/workflows/tag-staging.yml | Switches to date-based staging tags and deploy trigger wiring. |
| .github/workflows/deploy-staging.yml | Broadens staging tag trigger and adds triple-tag Docker image strategy + version recording. |
| .github/workflows/desktop-release.yml | Adds 3-platform desktop build/release pipeline for cipherbox-desktop-v* tags + mark-latest job. |
| Planning/docs files under .planning/ | Captures Phase 41 decisions, plans, verification, and roadmap/state updates. |
Actionable comments posted: 2
Prompt for all review comments with AI agents: Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/tag-staging.yml:

- Around line 63-65: The workflow is interpolating ${{ inputs.description }} directly into the inline shell, which can break the script if the description contains quotes or newlines; update the job/step to pass the input through an environment variable (e.g. set env: DESCRIPTION: ${{ inputs.description }} on the step that runs the shell) and then reference that variable inside the script using a safely quoted expansion ("$DESCRIPTION") when appending to GITHUB_STEP_SUMMARY so the runner receives the raw value instead of embedded shell syntax.
- Around line 20-27: Add a new upstream job (e.g., resolve-main) that checks out main and exposes its commit SHA as an output, then change web-e2e, desktop-e2e and tag-staging to consume that output instead of using ref: main or default checkout; specifically create a resolve-main job that runs actions/checkout to ref: main and sets an output like main_sha=$(git rev-parse HEAD), update web-e2e and desktop-e2e to use with: ref: ${{ needs.resolve-main.outputs.main_sha }} (instead of ref: main), and update tag-staging's actions/checkout to use ref: ${{ needs.resolve-main.outputs.main_sha }} so all jobs use the identical resolved SHA.
Review info

Configuration used: .coderabbit.yaml; review profile: CHILL; plan: Pro; run ID: 4576e4e5-46e7-423d-9ab8-eb6afad25e9b

Files selected for processing (3):
- .github/workflows/post-merge-release.yml
- .github/workflows/tag-staging.yml
- .planning/debug/resolved/desktop-email-otp-verification-failed.md

Files skipped from review due to trivial changes (1):
- .github/workflows/post-merge-release.yml

Files skipped from review as they are similar to previous changes (1):
- .planning/debug/resolved/desktop-email-otp-verification-failed.md
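Both findings above in one workflow fragment, written here as an added example rather than CipherBox's own tag-staging.yml: a resolve-main job that pins a single SHA for every downstream job, and a summary step that takes inputs.description through an environment variable instead of expanding the expression inside the script. The trigger, job names, the E2E command and the summary wording are assumptions.

```yaml
name: tag-staging
on:
  workflow_dispatch:
    inputs:
      description:
        description: Free-text note for the run summary (untrusted input)

jobs:
  # Resolve main once; every later job checks out this exact SHA, so the
  # commit that passed E2E is the commit that gets tagged.
  resolve-main:
    runs-on: ubuntu-latest
    outputs:
      main_sha: ${{ steps.sha.outputs.main_sha }}
    steps:
      - uses: actions/checkout@v4
        with:
          ref: main
      - id: sha
        run: echo "main_sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"

  web-e2e:
    needs: resolve-main
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ needs.resolve-main.outputs.main_sha }}   # pinned, not "main"
      - run: npm ci && npm run test:e2e   # assumed E2E command

  tag-staging:
    needs: [resolve-main, web-e2e]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ needs.resolve-main.outputs.main_sha }}
      # UNSAFE (before): ${{ }} is expanded into the script text before bash
      # parses it, so a description containing a quote or newline is parsed
      # as shell syntax rather than written out as text.
      #   run: echo "Description: ${{ inputs.description }}" >> "$GITHUB_STEP_SUMMARY"
      # SAFE (after): the value reaches bash only as an environment variable,
      # and the quoted expansion keeps it as data.
      - name: Write run summary
        env:
          DESCRIPTION: ${{ inputs.description }}
        run: |
          printf 'Description: %s\n' "$DESCRIPTION" >> "$GITHUB_STEP_SUMMARY"
```

The same env-variable pattern applies to any other untrusted context (PR titles, branch names, issue bodies) that a run: step needs to read.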
- Add resolve-main job to tag-staging workflow to pin SHA across all jobs, preventing drift between E2E tests and the tagged commit
- Fix shell injection risk by passing inputs.description through env var
- Pin @actions/core@1.11.1 and @actions/github@6.0.0 in CI scripts
- Fix validation doc script filenames (.mjs → .js)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Entire-Checkpoint: 477a208a5d3e
Filter by author (github-actions[bot]) when searching for existing release preview comment to update, not just the HTML marker. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Entire-Checkpoint: 45e267fee322
Release Preview: No version bumps detected. All changes are in unversioned paths or use exempt commit types.
- Preserve manually-added release labels for non-computed components (D-18)
- Clear --latest=false on ALL manifest releases, not just root tag
- Update header comments to reflect runtime-installed deps
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Entire-Checkpoint: d1d44edfbdda
Manual override labels (D-18) still work but must be reapplied after the last commit. Auto-tracking of label provenance is deferred. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Entire-Checkpoint: 449f63212296
@coderabbitai please review

Actions performed: Review triggered.
Actionable comments posted: 2
Prompt for all review comments with AI agents: Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/scripts/pr-release-preview.js:

- Around line 524-532: The loop that unconditionally keeps labels for components missing from computedLabels should instead remove labels for components that no longer have a computed bump unless they were explicitly marked as manual; update the code in the block iterating existingByComponent.entries() to: check computedLabels.has(component) and if false, test for an explicit manual-override marker (e.g., a dedicated manual label or flag you already use) and only call core.info and keep the label when that manual marker is present, otherwise remove the stale label (and log that removal); adjust the conditional around existingByComponent, computedLabels.has(component) and the core.info message accordingly to reflect removal vs manual preservation.
- Around line 259-264: The code only reads commitDetail.data.files from the single getCommit response, which misses commits with >300 files; update the logic that calls octokit.rest.repos.getCommit (where commitDetail and changedFiles are created) to follow Link header pagination: inspect commitDetail.headers.link for a rel="next" URL, loop fetching each next page (use octokit.request with the full next URL or perform GET on that URL) and accumulate all files into changedFiles until no rel="next" remains, then dedupe/flatten the filenames before using them to compute release labels.
Review info

Configuration used: .coderabbit.yaml; review profile: CHILL; plan: Pro; run ID: f4e9f37d-57c4-435f-b7b5-492c33750957

Files selected for processing (7):
- .github/scripts/post-merge-release.js
- .github/scripts/pr-release-preview.js
- .github/workflows/post-merge-release.yml
- .github/workflows/pr-release-preview.yml
- .github/workflows/release-please.yml
- .github/workflows/tag-staging.yml
- .planning/phases/41-package-and-app-versioning-and-release-cycles/41-VALIDATION.md

Files skipped from review due to trivial changes (1):
- .github/scripts/post-merge-release.js

Files skipped from review as they are similar to previous changes (3):
- .github/workflows/pr-release-preview.yml
- .github/workflows/release-please.yml
- .github/workflows/post-merge-release.yml
Summary
- release-as overrides into Release Please config
- cipherbox-desktop-v* tags with Tauri auto-updater JSON

Key files
- .github/scripts/release-constants.cjs
- .github/scripts/pr-release-preview.js
- .github/scripts/post-merge-release.js
- .github/scripts/create-release-labels.sh
- .github/workflows/pr-release-preview.yml
- .github/workflows/post-merge-release.yml
- .github/workflows/desktop-release.yml
- .github/workflows/deploy-staging.yml
- .github/workflows/tag-staging.yml
- release-please-config.json

Test plan
- apps/api/ — verify release:api:feat label applied and preview comment posted
- release-as written to config and committed
- tag-staging workflow — verify date-based tag created and deploy succeeds
- cipherbox-desktop-v* tag — verify 3-platform builds and updater JSON published
- .github/scripts/create-release-labels.sh --dry-run — verify 61 labels listed

Generated with Claude Code