Skip to content

refactor: consolidate release pipeline with draft-first pattern #124

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
jmeridth wants to merge 5 commits into
base: main
Choose a base branch
from
Open

refactor: consolidate release pipeline with draft-first pattern #124

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
07e4d4c
refactor: consolidate release pipeline into single reusable workflow
jmeridth Apr 6, 2026
76f2801
feat: add draft-first release pattern with GoReleaser and publish jobs
jmeridth Apr 6, 2026
828fa55
fix: address review findings for release workflow correctness
jmeridth Apr 6, 2026
8905ed5
docs: add deprecation stubs for release-image and release-discussion …
jmeridth Apr 6, 2026
70267ba
fix: force-tag full release and gate discussion on publish
jmeridth Apr 6, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
40 changes: 10 additions & 30 deletions .github/workflows/release-discussion.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
---
name: "Release Discussion"
name: "Release Discussion (Deprecated)"
on:
workflow_call:
inputs:
Expand All @@ -16,37 +16,17 @@ on:
required: true
discussion-category-id:
required: true
permissions:
contents: read

permissions: {}

jobs:
create_discussion:
deprecated:
runs-on: ubuntu-latest
permissions:
contents: read
discussions: write
env:
DISCUSSION_REPOSITORY_ID: ${{ secrets.discussion-repository-id }}
DISCUSSION_CATEGORY_ID: ${{ secrets.discussion-category-id }}
permissions: {}
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
with:
egress-policy: audit
- name: Check for Discussion Repository ID
if: ${{ env.DISCUSSION_REPOSITORY_ID == '' }}
- name: Deprecation notice
run: |
echo "discussion-repository-id secret is not set"
echo "::error::This workflow (release-discussion.yaml) has been deprecated and consolidated into release.yaml."
echo "::error::Migrate to the consolidated release workflow by setting the 'discussion-category-id' and 'discussion-repository-id' secrets on release.yaml instead."
echo "::error::See migration guide: https://github.com/github-community-projects/ospo-reusable-workflows/blob/main/docs/release-discussion.md"
exit 1
- name: Check for Discussion Category ID
if: ${{ env.DISCUSSION_CATEGORY_ID == '' }}
run: |
echo "discussion-category-id secret is not set"
exit 1
- name: Create an Announcement Discussion for Release
uses: abirismyname/create-discussion@c2b7c825241769dda523865ae444a879f6bbd0e0
with:
title: ${{ inputs.full-tag }}
body: ${{ inputs.body }}
repository-id: ${{ env.DISCUSSION_REPOSITORY_ID }}
category-id: ${{ env.DISCUSSION_CATEGORY_ID }}
github-token: ${{ secrets.github-token }}
63 changes: 12 additions & 51 deletions .github/workflows/release-image.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
---
name: "Release Image"
name: "Release Image (Deprecated)"
on:
workflow_call:
inputs:
Expand All @@ -25,56 +25,17 @@ on:
required: true
image-registry-password:
required: true
permissions:
contents: read

permissions: {}

jobs:
create_action_images:
deprecated:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write
attestations: write
env:
IMAGE_REGISTRY: ${{ secrets.image-registry }}
IMAGE_REGISTRY_USERNAME: ${{ secrets.image-registry-username }}
IMAGE_REGISTRY_PASSWORD: ${{ secrets.image-registry-password }}
permissions: {}
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
with:
egress-policy: audit
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd
- name: Log in to the Container registry
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121
with:
registry: ${{ env.IMAGE_REGISTRY }}
username: ${{ env.IMAGE_REGISTRY_USERNAME }}
password: ${{ env.IMAGE_REGISTRY_PASSWORD}}
- name: Push Docker Image
if: ${{ success() }}
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294
id: push
with:
context: .
file: ./Dockerfile
push: true
tags: |
${{ env.IMAGE_REGISTRY }}/${{ inputs.image-name }}:latest
${{ env.IMAGE_REGISTRY }}/${{ inputs.image-name }}:${{ inputs.full-tag }}
${{ env.IMAGE_REGISTRY }}/${{ inputs.image-name }}:${{ inputs.short-tag }}
platforms: linux/amd64,linux/arm64
provenance: false
sbom: false
- name: Generate artifact attestation
if: ${{ inputs.create-attestation }}
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
with:
subject-name: ${{ env.IMAGE_REGISTRY }}/${{ inputs.image-name}}
subject-digest: ${{ steps.push.outputs.digest }}
push-to-registry: true
github-token: ${{ secrets.github-token }}
- name: Deprecation notice
run: |
echo "::error::This workflow (release-image.yaml) has been deprecated and consolidated into release.yaml."
echo "::error::Migrate to the consolidated release workflow by setting the 'image-name' input on release.yaml instead."
echo "::error::See migration guide: https://github.com/github-community-projects/ospo-reusable-workflows/blob/main/docs/release-image.md"
exit 1
Loading
Loading