Skip to content

chore: improve various gha pipeline#8076

Merged
olblak merged 5 commits intoupdatecli:mainfrom
olblak:gha_workflows
Mar 25, 2026
Merged

chore: improve various gha pipeline#8076
olblak merged 5 commits intoupdatecli:mainfrom
olblak:gha_workflows

Conversation

@olblak
Copy link
Copy Markdown
Member

@olblak olblak commented Mar 24, 2026
edited
Loading

Various GitHub action improvements

  • Update release pipeline to announce new releases on social media
  • Update release pipeline to be trigger on tag creation starting with v*
  • Update updatecli manifest with label monitor:active
  • Remove github action permission from updatecli gha pipeline

Test

Untested 🤷🏾

Additional Information

Checklist

  • I have updated the documentation via pull request in website repository.

Tradeoff

Potential improvement

olblak added 4 commits March 24, 2026 20:37
@olblak
chore: update release description template
d3f0544 
Signed-off-by: Olblak <[email protected]>
@olblak
chore: unset github workflow permission in updatecli pipeline
51fae5c 
Signed-off-by: Olblak <[email protected]>
@olblak
chore: improve release pipeline
004d714 
* Notify new release on OpenCollective, Mastodon, and Blueskey
* Trigger goreleaser on release tag

Signed-off-by: Olblak <[email protected]>
@olblak
chore: rename updatecli label
c10aead
@olblak olblak added the chore label Mar 24, 2026
@olblak olblak requested a review from Copilot March 24, 2026 19:55
Copilot AI reviewed Mar 24, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the repository’s release and automation configuration, primarily to improve GitHub Actions hygiene and extend the release process with social media announcements.

Changes:

  • Adds GoReleaser announce configuration to publish release announcements (Bluesky, Mastodon, OpenCollective).
  • Updates Updatecli pipeline labeling and adjusts the Updatecli workflow label filter accordingly.
  • Cleans up and modernizes GitHub Actions workflows (permissions tightening, runner version bumps, release workflow trigger adjustments, and attestation step).

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
updatecli/updatecli.d/updatecli.yaml Updates Updatecli pipeline labels (monitor: active, release: updatecli).
.goreleaser.yml Adds social announcements configuration under announce.
.github/workflows/updatecli_update.yaml Tightens workflow token permissions and updates label filter to monitor:active.
.github/workflows/updatecli.yaml Tightens workflow token permissions (currently impacts checkout).
.github/workflows/release.yaml Moves release trigger to tag pushes, bumps runner, adds attestation, and wires announcement secrets.
.github/workflows/release-drafter.yml Adds explicit workflow permissions and bumps runner version.
.github/release-drafter.yaml Normalizes YAML quoting and adds a “Sponsors” section to the release notes template.
Comments suppressed due to low confidence (2)

.github/workflows/updatecli_update.yaml:17

  • With permissions: {} at the workflow level and no job-level permissions override, the default GITHUB_TOKEN has no contents: read access. actions/checkout typically requires contents: read to clone the repo, so this workflow may fail at checkout. Add permissions: { contents: read } (workflow or job level), or configure checkout to avoid using GITHUB_TOKEN (e.g., persist-credentials: false and an alternate token).
permissions: {}

jobs:
  updatecli:
    runs-on: ubuntu-latest
    steps:
      - name: "Checkout"
        uses: "actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3" # v6.0.0

.github/workflows/updatecli.yaml:16

  • With permissions: {} at the workflow level and no job-level permissions override, the default GITHUB_TOKEN has no contents: read access. actions/checkout generally needs contents: read to fetch the repository, so this workflow may fail at the checkout step. Add permissions: { contents: read } (workflow or job), or adjust checkout to avoid relying on GITHUB_TOKEN.
permissions: {}

jobs:
  updatecli:
    runs-on: ubuntu-latest
    steps:
      - name: "Checkout"
        uses: "actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3" # v6.0.0

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@olblak olblak changed the title chore: various github action cleanup chore: improve various gha pipeline Mar 24, 2026
@olblak olblak enabled auto-merge (squash) March 25, 2026 05:44
@olblak olblak merged commit 9b2e87c into updatecli:main Mar 25, 2026
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

chore

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@olblak