Skip to content

feat: automate releases with Pipelines-as-Code#2795

Open
vdemeester wants to merge 3 commits into
tektoncd:mainfrom
vdemeester:pac-release-automation
Open

feat: automate releases with Pipelines-as-Code#2795
vdemeester wants to merge 3 commits into
tektoncd:mainfrom
vdemeester:pac-release-automation

Conversation

@vdemeester

Copy link
Copy Markdown
Member

Changes

Automate CLI releases using Pipelines-as-Code (PAC), following the same
pattern established for tektoncd/pipeline and tektoncd/operator.

What's added

.tekton/release.yaml

PAC PipelineRun triggered via incoming webhooks. References the existing
tekton/release-pipeline.yml and catalog tasks (git-clone, golangci-lint,
golang-test, golang-build, goreleaser). The version tag is passed as the
revision so goreleaser can detect it.

.github/workflows/patch-release.yaml

GitHub Actions workflow with two trigger modes:

  • Scheduled (weekly Thursday 10:00 UTC): scans all release-v* branches
    for unreleased commits since the last tag, creates version tags, and
    triggers PAC incoming webhooks
  • Manual (workflow_dispatch): release a specific version on a specific
    branch

The workflow creates the git tag and pushes it before triggering PAC, since
goreleaser requires a tag on HEAD.

Dependencies

/kind feature

Submitter Checklist

  • Includes tests (if functionality changed/added)
  • Run the code checkers with make check
  • Regenerate the manpages, docs and go formatting with make generated
  • Commit messages follow commit message best practices

Release Notes

NONE

@tekton-robot tekton-robot added kind/feature Categorizes issue or PR as related to a new feature. release-note-none Denotes a PR that doesnt merit a release note. labels Apr 7, 2026
@tekton-robot tekton-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Apr 7, 2026
PAC_CONTROLLER_URL: "https://pac.infra.tekton.dev"
PAC_REPOSITORY_NAME: "tektoncd-cli"
# Ignore release branches older than this (major.minor)
MIN_RELEASE_VERSION: "0.40"

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@vdemeester we may want to include v0.37.x as well?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ah yeah initially I set this high enough to not be flooded by the pipelineruns.. but we can definitely lower this

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's add that later.

Comment thread .tekton/release.yaml Outdated
@tekton-robot tekton-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 13, 2026
@tekton-robot

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please ask for approval from vdemeester after the PR has been reviewed.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

vdemeester and others added 3 commits July 13, 2026 21:46
- Add PAC PipelineRun definition for incoming webhook-triggered releases
  using goreleaser to build binaries and create GitHub releases
- Add patch-release GHA workflow with weekly branch scanning and manual
  dispatch to create tags and trigger PAC releases

Signed-off-by: Vincent Demeester <vdemeest@redhat.com>
The wait-for-chains task needs to list/get TaskRuns to check Tekton
Chains signing status. The default SA lacks these RBAC permissions,
causing wait-for-chains to return signed='error' and skipping the
create-draft-release task.

Use the 'release' SA provisioned in tektoncd/plumbing#3335 with the
required RBAC permissions.
- Fix branch scan regex to match release-vX.Y.x branches (the
  canonical naming convention), skipping old-style release-vX.Y.Z
- Rename PipelineRun to release-patch and .tekton file to
  release-patch.yaml matching tektoncd/pipeline and tektoncd/operator
- Rename tekton/release-pipeline.yml to .yaml for consistency
- Bump actions/checkout from v6.0.2 to v7.0.0
- Update branch validation in manual trigger to expect release-vX.Y.x

Signed-off-by: divyansh42 <diagrawa@redhat.com>
Assisted-by: Claude Opus 4.6 (via Cursor)
@divyansh42 divyansh42 force-pushed the pac-release-automation branch from a731b34 to 2246012 Compare July 13, 2026 16:17
@tekton-robot tekton-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 13, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

kind/feature Categorizes issue or PR as related to a new feature. release-note-none Denotes a PR that doesnt merit a release note. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants