Add auto-release-check workflow #546
The new workflow has several substantive issues that need to be resolved before it can work correctly: the most critical is that release.yml is not a callable workflow, which will cause a hard runtime failure; additionally, the unused cron-schedule input, unquoted shell variables, overly broad permissions, and the summary job's skipping behaviour all need to be addressed.
PR Bot Information
- Version: 1.20.33
- Correlation ID: 4feb0cbd-0c50-4461-9088-82f3db8081a4
- File Content Strategy: Full file content
- LLM: anthropic--claude-4.6-sonnet
- Event Trigger: pull_request.opened
| cron-schedule: | ||
| description: Cron schedule for periodic checks (default is daily at 2 AM UTC) | ||
| required: false | ||
| type: string | ||
| default: '0 2 * * *' |
Bug: workflow_call trigger's cron-schedule input is defined but never used
The cron-schedule input is declared under workflow_call inputs (line 8–12) but is never referenced anywhere in the workflow. The hardcoded schedule trigger (line 23–25) always runs at 0 2 * * * and ignores this input entirely. GitHub Actions does not support dynamically changing the schedule cron from a workflow_call input — schedules are static and cannot be parameterised at call time.
The cron-schedule input should be removed to avoid misleading callers who might believe they can override the schedule through it.
| cron-schedule: | |
| description: Cron schedule for periodic checks (default is daily at 2 AM UTC) | |
| required: false | |
| type: string | |
| default: '0 2 * * *' | |
| dry-run: | |
| description: Dry run mode for testing | |
| required: false | |
| type: boolean | |
| default: false |
| echo "latest-tag=$latest_tag" >> $GITHUB_OUTPUT | ||
|
|
||
| # Count commits since the latest tag | ||
| commits_count=$(git rev-list ${latest_tag}..HEAD --count) |
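Review bot: `commits_count=$(git rev-list ${latest_tag}..HEAD --count)` reports 0 whenever `latest_tag` is empty, because git reads a range with an empty left side (`..HEAD`) as `HEAD..HEAD`; how `latest_tag` is derived is outside this hunk, but if no matching tag exists the job would conclude there is nothing to release in a repository where every commit is unreleased. Branch on `[ -z "$latest_tag" ]` and use `git rev-list HEAD --count` in that case, and quote the expansions on both lines (`"${latest_tag}..HEAD"` and `>> "$GITHUB_OUTPUT"`).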
Bug: Unquoted variable ${latest_tag} in git rev-list is vulnerable to tag names with special characters
If latest_tag ever contains spaces or shell-special characters, the command will break or behave unexpectedly. The variable should be double-quoted.
Same issue also applies to line 84 (git log ${latest_tag}..HEAD --oneline).
| commits_count=$(git rev-list ${latest_tag}..HEAD --count) | |
| commits_count=$(git rev-list "${latest_tag}..HEAD" --count) |
|
|
||
| # Show the commits for logging | ||
| echo "Unreleased commits:" | ||
| git log ${latest_tag}..HEAD --oneline |
Bug: Unquoted variable ${latest_tag} in git log is vulnerable to word splitting / glob expansion
The variable should be double-quoted, consistent with the fix suggested for line 73.
| git log ${latest_tag}..HEAD --oneline | |
| git log "${latest_tag}..HEAD" --oneline |
| trigger-release: | ||
| needs: check-unreleased-changes | ||
| if: ${{ needs.check-unreleased-changes.outputs.has-unreleased-changes == 'true' }} | ||
| uses: ./.github/workflows/release.yml |
Logic Error: trigger-release job references release.yml via a relative path, but release.yml is not a reusable workflow
release.yml is triggered by push to main and workflow_dispatch; it does not declare an on: workflow_call trigger. Calling it with uses: ./.github/workflows/release.yml will therefore fail at runtime with an error like "workflow is not callable".
The referenced workflow must expose a workflow_call event before it can be used here. Either add workflow_call to release.yml, or call the underlying reusable workflow (cap-js/.github/.github/workflows/release.yml@main) directly from this job.
| permissions: | ||
| contents: write | ||
| id-token: write |
Security: Workflow-level contents: write and id-token: write permissions are broader than necessary
The check-unreleased-changes job only reads git history and requires no elevated permissions. Granting contents: write and id-token: write at the top level gives every job—including the read-only check-unreleased-changes and summary jobs—those permissions.
Consider scoping permissions per-job: give contents: read (and no id-token) to check-unreleased-changes and summary, and only grant the elevated permissions to trigger-release (or inherit them from the called workflow).
| permissions: | |
| contents: write | |
| id-token: write | |
| permissions: | |
| contents: read |
|
|
||
| summary: | ||
| runs-on: ubuntu-latest | ||
| needs: [check-unreleased-changes, trigger-release] |
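Review bot: `needs: [check-unreleased-changes, trigger-release]` should stay as is and be paired with `if: ${{ always() }}` on the summary job: GitHub Actions skips a job whose `needs` entry was skipped unless the job's own `if` uses a status check function such as `always()`, and with that condition in place `needs.trigger-release.result` evaluates to `skipped` when no release ran. Dropping trigger-release from `needs` would remove it from the `needs` context, so its result could no longer be read in the summary.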
Logic Error: summary job will be skipped whenever trigger-release is skipped
needs: [check-unreleased-changes, trigger-release] causes GitHub Actions to mark the summary job as skipped when trigger-release is skipped (i.e. when there are no unreleased changes), even though if: always() is set. The always() condition overrides failure/cancellation but not skipping induced by a skipped dependency.
To always run the summary regardless of whether trigger-release ran, remove trigger-release from the needs list and read its result via needs.trigger-release.result only when needed (it will be 'skipped' rather than causing the job itself to be skipped).
| needs: [check-unreleased-changes, trigger-release] | |
| needs: [check-unreleased-changes, trigger-release] | |
| if: ${{ always() }} |
Add Auto Release Check Workflow

New Feature

✨ Introduces a new reusable GitHub Actions workflow (auto-release-check.yml) that periodically checks for unreleased changes and automatically triggers a release when needed.

Changes

.github/workflows/auto-release-check.yml: New workflow file that:
- Supports workflow_dispatch for manual triggers, and can be called as a reusable workflow (workflow_call)
- Inputs: cron-schedule, dry-run, and tag (latest or next)
- check-unreleased-changes job: Fetches the full git history, finds the latest vX.Y.Z tag, counts commits since that tag, and outputs whether unreleased changes exist
- trigger-release job: Conditionally calls .github/workflows/release.yml when unreleased commits are detected, passing through dry-run and tag inputs
- summary job: Generates a GitHub Step Summary reporting the latest tag, unreleased commit count, and whether a release was triggered
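The check-unreleased-changes job described above, rewritten here as a stand-alone POSIX shell script. This is an added example, not the PR's workflow file (whose full contents are not shown in this thread): it keeps every variable expansion quoted and handles a repository that has no release tag yet, the two points the review raises against the shell steps. The vX.Y.Z tag pattern comes from the PR description; the function names, the script name `check-unreleased.sh` and the `--run` switch are this example's own.

```shell
#!/bin/sh
# Added example, not the PR's workflow code: the check-unreleased-changes logic
# as a stand-alone POSIX shell script. Assumes release tags look like vX.Y.Z
# (as the PR description states) and that git is on PATH when run with --run.

# Pick the highest vX.Y.Z tag from a newline-separated tag list (what
# `git tag --list` prints). Tags that do not match the release pattern
# (v1.2, v1.2.3-rc1, release-1) are ignored. Prints nothing when none match.
latest_release_tag() {
  grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' \
    | sed 's/^v//' \
    | sort -t . -k1,1n -k2,2n -k3,3n \
    | tail -n 1 \
    | sed 's/^/v/'
}

# Produce the key=value lines the job appends to $GITHUB_OUTPUT.
# $1 = latest tag (may be empty), $2 = number of commits since that tag.
release_outputs() {
  tag=$1
  count=$2
  if [ "$count" -gt 0 ]; then
    has=true
  else
    has=false
  fi
  printf 'latest-tag=%s\n' "${tag:-none}"
  printf 'commits-count=%s\n' "$count"
  printf 'has-unreleased-changes=%s\n' "$has"
}

# Commits since the tag. With no tag at all, count every commit: the range
# "..HEAD" would be read by git as HEAD..HEAD and silently report 0.
count_unreleased_commits() {
  tag=$1
  if [ -z "$tag" ]; then
    git rev-list HEAD --count
  else
    git rev-list "${tag}..HEAD" --count
  fi
}

# Wire it up against a real checkout (fetched with full history and tags):
#   sh check-unreleased.sh --run
if [ "${1:-}" = "--run" ]; then
  latest_tag=$(git tag --list | latest_release_tag)
  count=$(count_unreleased_commits "$latest_tag")
  release_outputs "$latest_tag" "$count" >> "${GITHUB_OUTPUT:-/dev/stdout}"
fi
```

The tag selection sorts numerically on each of the three version fields rather than lexically, so v1.10.0 is correctly ranked above v1.9.9; `git describe --tags --abbrev=0` would instead return whichever matching tag is nearest in history, which differs on branches with backported tags.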