ci: add manual Tag Staging Release workflow #84
Adds a workflow_dispatch action that creates staging tags from existing release tags (e.g. v0.3.0 → v0.3.0-staging-rc-1). Auto-increments RC number. Uses staging-approval environment for reviewer gate, keeping deploy-staging prompt-free.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Walkthrough

Adds a new manual GitHub Actions workflow that validates a provided release tag, computes the next staging RC number, creates and pushes a staging tag (e.g., v1.2.3-staging-rc-1), and emits a notice to trigger the deploy-staging workflow.

Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant User as User
    participant GHWF as Tagging Workflow
    participant Git as Git Remote
    participant Deploy as deploy-staging Workflow
    User->>GHWF: workflow_dispatch(release_tag)
    GHWF->>Git: verify tag exists
    GHWF->>Git: list tags -> compute next RC N
    GHWF->>Git: create & push `<tag>-staging-rc-N`
    GHWF->>GHWF: set outputs & step summary
    GHWF->>Deploy: emit notice / trigger deploy-staging
    Deploy->>Git: (deploys using new staging tag)
```
Actionable comments posted: 1
In @.github/workflows/tag-staging.yml:
- Around line 23-50: The run blocks currently interpolate `${{ inputs.release_tag }}` directly into shell code, enabling script injection; instead export the input into a safe environment variable at the step level (e.g., `env: RELEASE_TAG: ${{ inputs.release_tag }}`) and reference it inside the scripts as `"$RELEASE_TAG"` (properly quoted) in the "Validate release tag exists", "Calculate next RC number" (id: rc, where you build STAGING_TAG and write to GITHUB_OUTPUT/GITHUB_STEP_SUMMARY), and "Create and push staging tag" steps; likewise set an env var for the produced staging tag (e.g., STAGING_TAG) before using it in the git tag/git push commands to ensure the shell treats values as data not code.
🧹 Nitpick comments (2)
.github/workflows/tag-staging.yml (2)
33-35: Minor: dots in `sed` pattern are treated as regex wildcards.

In `sed "s/${TAG}-staging-rc-//"`, the dots in `TAG` (e.g., `v0.3.0`) match any character. Unlikely to cause a real problem given typical tag naming, but you can escape them for correctness using `sed "s/$(echo "$TAG" | sed 's/[.]/\\./g')-staging-rc-//"` or simply use shell parameter expansion instead:

```diff
- LAST_RC=$(git tag -l "${TAG}-staging-rc-*" | sed "s/${TAG}-staging-rc-//" | sort -n | tail -1)
+ LAST_RC=$(git tag -l "${TAG}-staging-rc-*" | while read -r t; do echo "${t#"${TAG}-staging-rc-"}"; done | sort -n | tail -1)
```
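Review bot: the `+` line still builds the `git tag -l` pattern from `${TAG}`; that part is safe because `-l` takes a shell glob, where dots are literal, so the wildcard problem is confined to the `sed` regex. Once the env-var change from the actionable comment is applied, the variable should be `"$RELEASE_TAG"` in both the `-l` pattern and the `${t#...}` expansion so the two fixes do not diverge. The loop can also be avoided by anchoring `sed` to the suffix every listed tag shares, e.g. `sed 's/.*-staging-rc-//'`, which never interprets the tag's dots at all.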
5-9: Consider adding input format validation.

The tag existence check on line 25 is the primary guard, but adding a regex validation (e.g., `^v[0-9]+\.[0-9]+\.[0-9]+$`) early in the workflow would reject obviously malformed inputs before any git operations, providing defense-in-depth — especially relevant if the script injection fix hasn't been applied yet.
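As an added example that is not part of the PR or of the CodeRabbit review, the step logic the comments above ask for, written as POSIX sh functions: a format check on the release tag, and an RC calculation that uses parameter expansion so dots in the tag are literal and only exact `<tag>-staging-rc-<N>` tags count. It assumes the workflow step exports the input as `RELEASE_TAG` (the env-var approach from the actionable comment) and that tag listing comes from `git tag -l`, which is replaced here by a constructed list; `validate_tag`, `next_rc`, `staging_tag_for` and `EXISTING_TAGS` are names of this example, not of the workflow.

```shell
#!/bin/sh
# Added example, not the PR's code. In the workflow the step would set
#   env: RELEASE_TAG: ${{ inputs.release_tag }}
# and call staging_tag_for "$RELEASE_TAG", so the tag reaches the shell as
# data in a variable rather than as text spliced into the script.

# Reject anything that is not a plain vX.Y.Z release tag (the review's regex).
validate_tag() {
  printf '%s\n' "$1" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'
}

# Print the next RC number for tag $1, given existing tags on stdin (one per
# line, as `git tag -l` would print them). Prefix matching and suffix stripping
# use parameter expansion, so "." in the tag is never a regex wildcard, and
# non-numeric suffixes such as "-staging-rc-junk" are ignored.
next_rc() {
  tag=$1
  last=0
  while IFS= read -r t; do
    case "$t" in
      "$tag-staging-rc-"*) ;;   # same filter as the glob in `git tag -l`
      *) continue ;;
    esac
    n=${t#"$tag-staging-rc-"}
    case "$n" in
      ''|*[!0-9]*) continue ;;  # suffix is not a number: skip it
    esac
    [ "$n" -gt "$last" ] && last=$n
  done
  echo $((last + 1))
}

# Constructed tag list standing in for `git tag -l` output. It includes a
# lookalike tag (v0x3y0-...) that a dot-as-wildcard regex would have matched.
EXISTING_TAGS='v0.3.0
v0.3.0-staging-rc-1
v0.3.0-staging-rc-2
v0x3y0-staging-rc-9
v0.3.0-staging-rc-junk'

# Validate first, then compute the staging tag; fails before any git work on
# a malformed input, which is the defense-in-depth the second nitpick asks for.
staging_tag_for() {
  validate_tag "$1" || { echo "invalid release tag: $1" >&2; return 1; }
  printf '%s-staging-rc-%s\n' "$1" "$(printf '%s\n' "$EXISTING_TAGS" | next_rc "$1")"
}

# Stand-alone run: uses RELEASE_TAG from the environment, or v0.3.0 for the demo.
staging_tag_for "${RELEASE_TAG:-v0.3.0}"
```

With the constructed list, `staging_tag_for v0.3.0` yields `v0.3.0-staging-rc-3`: the two real RC tags are counted, the lookalike tag and the non-numeric suffix are not. A tag with shell metacharacters in it is rejected by `validate_tag` before it is ever used in a command.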
Pass workflow_dispatch inputs through env vars instead of interpolating directly into shell scripts. Prevents crafted tag names from executing arbitrary commands.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Summary

- `workflow_dispatch` action ("Tag Staging Release") that creates staging tags from existing release tags (e.g. `v0.3.0` → `v0.3.0-staging-rc-1`)
- `staging-approval` environment for reviewer gate, removing the need for double-approval prompts on the deploy workflow

Changes

- `.github/workflows/tag-staging.yml` — manual trigger, validates tag exists, calculates next RC, creates and pushes staging tag
- `staging-approval` environment created with required reviewers; `staging` environment reviewers removed (secrets/vars unchanged)

Test plan

- `v0.3.0` — verify approval prompt appears
- `v0.3.0-staging-rc-2` tag is created and deploy-staging triggers without additional prompts
- `v99.99.99` fails with clear error

🤖 Generated with Claude Code