Skip to content

[codex] Trigger release builds from GitHub Releases#65

Merged
archae0pteryx merged 2 commits into
mainfrom
codex/release-event-flow
May 19, 2026
Merged

[codex] Trigger release builds from GitHub Releases#65
archae0pteryx merged 2 commits into
mainfrom
codex/release-event-flow

Conversation

@archae0pteryx

@archae0pteryx archae0pteryx commented May 19, 2026

Copy link
Copy Markdown
Contributor

Summary by CodeRabbit

  • Documentation

    • Clarified release process documentation with separate instructions for standard releases and manual recovery workflow.
  • Chores

    • Enhanced release workflow configuration to improve release metadata handling and build triggering logic.

Review Change Stack

@coderabbitai

coderabbitai Bot commented May 19, 2026

Copy link
Copy Markdown

Warning

Rate limit exceeded

@archae0pteryx has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 55 minutes and 33 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: d98be4be-0467-4009-a521-2ac1605d1925

📥 Commits

Reviewing files that changed from the base of the PR and between 203e330 and b79da08.

📒 Files selected for processing (1)
  • .github/workflows/release.yml
📝 Walkthrough

Walkthrough

The release workflow is restructured to handle GitHub Release publication events directly instead of relying on tag pushes. Trigger conditions, permissions, concurrency configuration, and release metadata extraction are updated. Documentation clarifies two release paths for users: standard GitHub Release publishing or manual workflow dispatch.

Changes

Release workflow event handling and documentation

Layer / File(s) Summary
Workflow trigger and runtime configuration
.github/workflows/release.yml
Workflow triggers only on release (published) and workflow_dispatch events, removing the push tag trigger. Run-name is derived from the published release tag, manual version input (prefixed with v), or ref name. Workflow-level permissions are added for repository contents, OIDC token, attestations, and artifact metadata. Concurrency group keying is updated to prefer release tag, then manual version, then ref name.
Release event metadata extraction
.github/workflows/release.yml
The release event metadata resolution now sources tag, draft, and prerelease directly from github.event.release.* and derives version from the tag by stripping the leading v.
Release documentation
README.md
Release instructions are clarified into two explicit paths: a normal GitHub Release flow that creates and publishes a release with a v* tag (triggering cross-platform builds), and a manual repair path that runs the release workflow and provides a SemVer version without the leading v.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

  • killallgit/adhd-ranch#63: Both PRs modify release event handling in .github/workflows/release.yml, including how tag, version, draft, and prerelease are sourced, and how workflow permissions and concurrency are configured.

Poem

🐰 A workflow once triggered by tags in the night,
Now springs to life when releases shine bright—
Permissions granted, concurrency keyed,
Metadata flows from the event that's freed.
Two paths for release, both crystal and clear:
Publish with grace, or repair from here! 🎉

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: the pull request modifies the release workflow to trigger from GitHub Releases instead of just manual triggers.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch codex/release-event-flow

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release.yml:
- Around line 23-27: The workflow-level permissions block currently grants broad
write scopes; change it to least-privilege (e.g., set contents: read and only
keep id-token: write if OIDC is used globally) and remove other write
permissions from the global permissions block. Then grant the specific write
permissions (artifact-metadata: write, attestations: write, contents: write,
etc.) only on the jobs that actually need them by adding a permissions:
subsection to those job definitions (for example add the required write rights
to the publish/release job), and ensure the prepare job does not receive
unnecessary write permissions (leave prepare with read-only permissions or
none). Locate the global permissions block (permissions:) and the job named
prepare to apply these changes.
- Line 30: Normalize the concurrency group by computing a single normalized
version value and using it in the concurrency/group expression instead of mixing
raw sources; update the workflow to derive a normalized variable (e.g., strip a
leading "v" from github.event.release.tag_name, inputs.version, or
github.ref_name) and replace the existing group: release-${{
github.event.release.tag_name || inputs.version || github.ref_name }} with
group: release-${{ env.NORMALIZED_VERSION }} (or equivalent using
set-output/expression) so both release and manual runs resolve to the same key;
refer to the group line and the sources github.event.release.tag_name,
inputs.version, and github.ref_name to implement the normalization.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 5496066f-f5d4-4be7-88bf-50d8498edc8f

📥 Commits

Reviewing files that changed from the base of the PR and between 45f72e9 and 203e330.

📒 Files selected for processing (2)
  • .github/workflows/release.yml
  • README.md

Comment thread .github/workflows/release.yml Outdated
Comment thread .github/workflows/release.yml Outdated

concurrency:
group: release-${{ github.event_name == 'workflow_dispatch' && inputs.version || github.ref_name }}
group: release-${{ github.event.release.tag_name || inputs.version || github.ref_name }}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Normalize concurrency key across release and manual paths.

Line 30 uses inputs.version directly for manual runs, while release runs use tag_name (typically vX.Y.Z). This can create different groups for the same release and allow concurrent runs to race while uploading assets.

Suggested fix
-concurrency:
-  group: release-${{ github.event.release.tag_name || inputs.version || github.ref_name }}
+concurrency:
+  group: release-${{ github.event.release.tag_name || (startsWith(inputs.version, 'v') && inputs.version || format('v{0}', inputs.version)) || github.ref_name }}
   cancel-in-progress: false
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
group: release-${{ github.event.release.tag_name || inputs.version || github.ref_name }}
concurrency:
group: release-${{ github.event.release.tag_name || (startsWith(inputs.version, 'v') && inputs.version || format('v{0}', inputs.version)) || github.ref_name }}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml at line 30, Normalize the concurrency group by
computing a single normalized version value and using it in the
concurrency/group expression instead of mixing raw sources; update the workflow
to derive a normalized variable (e.g., strip a leading "v" from
github.event.release.tag_name, inputs.version, or github.ref_name) and replace
the existing group: release-${{ github.event.release.tag_name || inputs.version
|| github.ref_name }} with group: release-${{ env.NORMALIZED_VERSION }} (or
equivalent using set-output/expression) so both release and manual runs resolve
to the same key; refer to the group line and the sources
github.event.release.tag_name, inputs.version, and github.ref_name to implement
the normalization.

@archae0pteryx archae0pteryx merged commit b8a67c2 into main May 19, 2026
1 check was pending
@archae0pteryx archae0pteryx deleted the codex/release-event-flow branch May 19, 2026 14:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant