Add tag-based, per-action releases (closes #1007)#1032
Open
potiuk wants to merge 1 commit into
Open
Conversation
This repo serves several independently-consumed actions from one repo, but consumers could only track `@main`, which drifts from any pinned SHA and which Dependabot cannot bump. Introduce path-prefixed, per-action releases: each action is tagged under its leaf-directory prefix (allowlist-check/vX.Y.Z, pelican/vX.Y.Z, save/vX.Y.Z, restore/vX.Y.Z) with a moving major tag. This is the monorepo scheme Dependabot's github_actions ecosystem understands (dependabot/dependabot-core#11286, contributed for this repo), so downstream projects can pin a SHA with a '# <prefix>/vX.Y.Z' comment and get automatic bump PRs. - scripts/release_actions.py: pure version/bump/changed-action logic plus a thin git/gh layer; auto-detects affected actions (a stash/shared change releases both stash actions), seeds first release at v1.0.0. - scripts/test_release_actions.py: 25 unit tests for the pure logic. - .github/workflows/release-actions.yml: on push to main, cut releases for changed actions; bump defaults to patch, raised via release:minor / release:major labels (or [minor]/[major] tokens) and suppressed with release:skip. workflow_dispatch allows manual/seed releases. - README.md + RELEASING.md: pinning guidance and the release process. Generated-by: Claude Opus 4.8 (1M context) via Claude Code
Member
Author
|
Hey: @dfoulks1 @ppkarwasz @dave2wave @gopidesupavan -> proposed solution to the issue we had whether to host actions in separate repos - because of dependabot release handling. Since Pavan implemented feature in dependabot o handle prefixed version - it's now entirely doable to do the prefix/vX.Y.Z The solution proposed in this PR is largely self-maintainable:
I think it's pretty good solution for zizmor/dependabot combo. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Consumers of this repo's actions could previously only track
@main, which drifts from any pinned SHA and which Dependabot cannot bump (#1007). This adds path-prefixed, per-action releases.Since it's a monorepo of actions, each action is tagged under its leaf-directory prefix with a moving major tag:
allowlist-checkallowlist-check/vX.Y.Z.../allowlist-check@<sha> # allowlist-check/v1.2.3pelicanpelican/vX.Y.Z.../pelican@<sha> # pelican/v1.2.3stash/savesave/vX.Y.Z.../stash/save@<sha> # save/v1.2.3stash/restorerestore/vX.Y.Z.../stash/restore@<sha> # restore/v1.2.3This leaf-prefix scheme is exactly what Dependabot's
github_actionsecosystem learned to support in dependabot/dependabot-core#11286, contributed for this repo, so downstream projects pin a SHA with a# <prefix>/vX.Y.Zcomment and receive automatic bump PRs.How it works
.github/workflows/release-actions.ymlruns on push tomain;scripts/release_actions.pymaps changed files to the affected action(s), computes the next version from the newest<prefix>/vX.Y.Ztag (first release seedsv1.0.0), creates the tag, moves the major tag, and publishes a GitHub Release.release:minor/release:majorlabel (or[minor]/[major]in the PR) and suppress withrelease:skip. Astash/shared/change releases both stash actions.workflow_dispatchcuts a manual/seed release.scripts/test_release_actions.py, 25 tests); seeRELEASING.md.Merging this PR cuts no release (it touches no action directory); the first tags come from the next action change or a manual
workflow_dispatchseed.🤖 Generated with Claude Code