ci(release): jans-style bump-and-tag for flex, pulling from the mapped jans tag#2892
Conversation
…ajor) The +4-major flex->jans tag mapping (v6.2.0 -> jans v2.2.0) only ran on tag-push; workflow_dispatch used the required jans_branch input (default 'main'), so a dispatched release couldn't pull from the matching jans release. Make jans_branch/jans_setup_branch optional and derive the jans tag from the resolved tag for both events, honoring a non-empty jans_branch as an explicit override. This lets us cut or replay a flex release for any tag and have it pull jans artifacts from the mapped jans release - without committing any version to main (the version is still derived from the tag at build time). Signed-off-by: moauto <54212639+mo-auto@users.noreply.github.com>
|
Caution Review failedThe pull request is closed. ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (3)
📝 WalkthroughWalkthroughThe PR updates build-packages branch resolution, adds a manual release workflow, and introduces a script that rewrites Flex-owned release versions, verifies remaining sentinels, and supports release tagging. ChangesRelease automation updates
Estimated code review effort🎯 4 (Complex) | ⏱️ ~60 minutes Suggested reviewers
Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/build-packages.yml:
- Line 25: The `jans_setup_branch` override is only honored inside the
`jans_branch` override path, so a standalone `jans_setup_branch` input gets
ignored and later reset to `JANS_BRANCH`. Update the workflow logic around the
dispatch inputs and the branch resolution block so `jans_setup_branch` is
applied independently of `jans_branch`, and only falls back to `JANS_BRANCH`
when it is truly unset; check the input handling near the
`jans_branch`/`jans_setup_branch` assignments and the final defaulting logic
that currently forces `JANS_BRANCH`.
- Around line 137-140: The workflow dispatch inputs are being expanded directly
into the shell in the branch override logic, which can allow shell or GITHUB_ENV
injection. Update the build-packages workflow around the
JANS_BRANCH/JANS_SETUP_BRANCH handling and the later similar input usage to
avoid inline `${{ inputs.* }}` inside `run:`; pass values through the step env
or another safe mechanism, and write to env files with strict quoting/encoding
so newlines and quotes cannot break assignments.
- Around line 149-155: The Jans tag mapping logic in the workflow can generate
invalid version strings for non-semver tags or majors below 4, so tighten the
guard around the JANS_BRANCH assignment. Update the tag parsing in the shell
block that derives VERSION_ONLY, MAJOR, and REST_OF_VERSION so it only maps
valid semver tags with a sufficiently large numeric major, and otherwise skips
or fails safely before setting JANS_BRANCH. Use the existing variables and
branch-mapping condition in this section to prevent outputs like negative majors
or incomplete tags.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 18784b7e-d0db-4bdf-9b82-4929d0749d75
📒 Files selected for processing (1)
.github/workflows/build-packages.yml
Add release-trigger.yml + automation/release/version_bump.py and remove release.yml (release-please) and the broken activate-release.yml, mirroring jans's release model: a manual workflow bumps every flex-owned version in the working tree on a detached HEAD, verifies it, commits, and pushes ONLY the tag - main stays at nightly, nothing is committed. The tag push triggers build-packages.yml, which pulls jans artifacts from the +4-mapped jans tag. version_bump.py is dual-versioned: flex images/charts/installers take the flex version (6.2.0) while upstream janssenproject/jans images take the +4-mapped jans version (2.2.0). A --verify pass aborts the release if any dev-version sentinel was missed. Signed-off-by: moauto <54212639+mo-auto@users.noreply.github.com>
There was a problem hiding this comment.
Actionable comments posted: 5
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/release-trigger.yml:
- Around line 25-27: The `dry_run` input in the release workflow currently only
skips pushing, but the `bump version` step still performs the local commit and
annotated tag. Update the logic in the release job around `dry_run` so the `git
commit` and `git tag` actions are also bypassed when `dry_run` is true, keeping
the behavior consistent with the `dry_run` description and the existing release
steps that handle version bumping.
- Around line 115-132: The tag push and release creation flow in the release
trigger job is not recoverable because the tag can already exist before the
release is created, blocking reruns and downstream uploads. Update the release
path around the tag push and gh release create steps so it is idempotent: either
create or verify the GitHub Release before any asset-uploading build runs, or
make the downstream build/upload steps wait and retry until the release exists.
Use the existing release-trigger steps and the release creation command as the
main points to adjust.
- Around line 51-67: The Summary step is still interpolating the unvalidated ref
directly into a shell command, which leaves command substitution exposed. Update
the workflow section that builds the summary to pass ref through env first, then
consume it safely in the shell using a validated value and printf instead of
inline interpolation. Reuse the same pattern already used in Validate version
input, and apply it in the Summary step handling around the release-trigger
workflow.
- Around line 70-75: The checkout step is persisting MOWORKFLOWTOKEN into the
local git config before executing untrusted code from the selected ref, so
harden the workflow by updating the Checkout source ref step to use
persist-credentials: false and remove credential persistence from the
actions/checkout setup. Then ensure MOWORKFLOWTOKEN is only provided to the
specific tag-push/release steps that need it, including the later
release-related steps associated with the workflow’s push/release logic, so
checked-out code runs before any PAT is injected.
In `@automation/release/version_bump.py`:
- Around line 398-403: Validate the --docker-suffix argument in version_bump.py
before it reaches bump(), since args.docker_suffix is currently passed through
unchecked and can produce invalid image tags when the script is run directly.
Add a parse-time validation alongside the existing args.version check in
main/argument parsing, and reject nonconforming suffix values with ap.error
before calling bump().
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 4da9de57-56ae-4d06-a998-be57af3a32ff
📒 Files selected for processing (4)
.github/workflows/activate-release.yml.github/workflows/release-trigger.yml.github/workflows/release.ymlautomation/release/version_bump.py
💤 Files with no reviewable changes (2)
- .github/workflows/activate-release.yml
- .github/workflows/release.yml
- Resolve jans_setup_branch independently of jans_branch (a standalone setup-branch input was
ignored and reset to JANS_BRANCH).
- Pass workflow_dispatch inputs through env instead of inlining ${{ inputs.* }} into run blocks,
validate override refs against a plain-ref charset, and write GITHUB_ENV via printf, so a crafted
value can't inject shell or env assignments.
- Map the jans tag only for a full vX.Y.Z with major >= 4; non-semver tags or majors below 4 now fail
safely before producing a negative/garbage branch (was: any numeric major -> v$((MAJOR-4)).rest).
Signed-off-by: moauto <54212639+mo-auto@users.noreply.github.com>
…ew follow-up) release-trigger.yml: - dry_run now also skips the commit + tag (was: only the push), matching the input's description. - Checkout no longer persists the PAT (persist-credentials: false); the bump runs ref code before any push, so the tag push supplies MOWORKFLOWTOKEN via a one-off authenticated URL instead. - Summary passes the unvalidated ref through env and emits with printf, closing the command- substitution exposure. build-packages.yml: - The upload step ensures the release exists (idempotent 'gh release view || create', push-event only, tolerant of parallel matrix legs) before uploading, so a tag-push race or a re-run self-heals. version_bump.py: - Validate --docker-suffix at parse time (alphanumerics + dots) so direct invocation can't produce invalid image tags. Signed-off-by: moauto <54212639+mo-auto@users.noreply.github.com>
|



Summary
Aligns flex's release flow to jans's (jenkins-offboarding follow-up). flex is always +4 major ahead of jans (flex
v6.2.0↔ jansv2.2.0); main stays at nightly and the real version is materialized only at tag time, never committed.Changes
1.
build-packages.yml— derive the jans tag on dispatch too. The +4-major flex→jans mapping ran only on tag-push;jans_branch/jans_setup_branchare now optional (empty = auto-derive from the tag for both push and dispatch; non-empty = explicit override). Any flex tag pulls jans artifacts from the matching jans release.2.
release-trigger.yml(new) — jans-style "bump & tag". Dispatch a version → checkout main → detached HEAD → bump the working tree →--verify→ commit → push only the tag → create the release.mainis byte-for-byte untouched; the tag push triggersbuild-packages.yml.3.
automation/release/version_bump.py(new) — dual-versioned bump + verify. Rewrites every flex-owned0.0.0-nightly/0.0.0sentinel:ghcr.io/gluufederation/flex/*), chartversion/dep pins,version.py,admin-ui/package.json,CN_VERSION→ flex version;ghcr.io/janssenproject/jans/*) and a chartappVersiondeploying a jans image → the +4-mapped jans version;6.2.0-1/2.2.0-1).--verifyaborts the release if any sentinel was missed.4. Removed
release.yml(release-please) +activate-release.yml— replaced by the above (jans uses neither).Notes
Summary by CodeRabbit
v<version>tag, and publish GitHub release notes.