Skip to content

ci: restore auto-bump release (revert tag-only #8)#12

Merged
akshaylive merged 1 commit into
mainfrom
akshaya/revert_tag_only_release
Jul 9, 2026
Merged

ci: restore auto-bump release (revert tag-only #8)#12
akshaylive merged 1 commit into
mainfrom
akshaya/revert_tag_only_release

Conversation

@akshaylive

Copy link
Copy Markdown
Collaborator

Summary

Restores the auto-bump release behavior (the model still live in coder_eval.bak), effectively reverting #8. The release GitHub App has been re-added with a ruleset bypass, which removes the reason #8 dropped auto-bump in the first place (GH013 — plain GITHUB_TOKEN can't push the bump commit to ruleset-protected main).

What changes

  • bump dispatch input is back (patch / minor / major, default patch).
  • App-token push: mint a GitHub App installation token (RELEASE_APP_ID / RELEASE_APP_PRIVATE_KEY), checkout + push as the app so the bump commit + tag land on protected main via the app's ruleset bypass.
  • semantic-release writes the new version to pyproject.toml + __init__.py, tags v<version>, regenerates the changelog; we then regenerate uv.lock, amend, and push commit + tag.
  • Removed the manual-bump re-release guard and the separate tag-release job — the tag now travels with the bump commit.

Kept

  • Public PyPI publishing via the dedicated OIDC Trusted-Publishing publish-pypi job.
  • Best-effort GHCR versioned agent image.

Release flow after this

Actions → Release → pick bump level → workflow bumps + tags + pushes to main, builds, publishes to PyPI, pushes the GHCR image. No more manual "bump version via PR first" step.

Requires the RELEASE_APP_ID / RELEASE_APP_PRIVATE_KEY secrets to be present and the app granted a bypass on the "Protect main" ruleset (confirmed re-added).

🤖 Generated with Claude Code

Effectively reverts #8 (tag-only, manual-bump release). The release app has
been re-added with a ruleset bypass, so the workflow can once again push the
version-bump commit + tag directly to protected main.

- Restore the `bump` dispatch input (patch/minor/major, default patch).
- Mint a GitHub App installation token and checkout/push as the app (bypasses
  the "Protect main" ruleset that GITHUB_TOKEN cannot).
- semantic-release writes the new version to pyproject.toml + __init__.py,
  tags v<version>, regenerates the changelog, then we regenerate uv.lock,
  amend, and push commit + tag to main.
- Drop the manual-bump re-release guard and the separate tag-release job
  (the tag now travels with the bump commit).

Public PyPI publishing (OIDC Trusted Publishing) and the best-effort GHCR
image are kept.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

Claude finished @akshaylive's task in 1m 17s —— View job


Code Review in Progress

Todo List:

  • Read .github/code_review.md for review standards
  • Read CLAUDE.md for project conventions
  • Analyze the full diff (git diff origin/main...HEAD)
  • Read the complete release.yml file for context
  • Perform security and correctness analysis
  • Check for consistency and completeness
  • Post comprehensive review feedback

Starting code review...

@akshaylive akshaylive merged commit 0b9d378 into main Jul 9, 2026
14 checks passed
@akshaylive akshaylive deleted the akshaya/revert_tag_only_release branch July 9, 2026 23:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants