Skip to content

ci(release): jans-style bump-and-tag for flex, pulling from the mapped jans tag#2892

Merged
moabu merged 5 commits into
mainfrom
ci/release-align-jans-tag
Jun 24, 2026
Merged

ci(release): jans-style bump-and-tag for flex, pulling from the mapped jans tag#2892
moabu merged 5 commits into
mainfrom
ci/release-align-jans-tag

Conversation

@mo-auto

@mo-auto mo-auto commented Jun 24, 2026

Copy link
Copy Markdown
Member

Summary

Aligns flex's release flow to jans's (jenkins-offboarding follow-up). flex is always +4 major ahead of jans (flex v6.2.0 ↔ jans v2.2.0); main stays at nightly and the real version is materialized only at tag time, never committed.

Changes

1. build-packages.yml — derive the jans tag on dispatch too. The +4-major flex→jans mapping ran only on tag-push; jans_branch/jans_setup_branch are now optional (empty = auto-derive from the tag for both push and dispatch; non-empty = explicit override). Any flex tag pulls jans artifacts from the matching jans release.

2. release-trigger.yml (new) — jans-style "bump & tag". Dispatch a version → checkout main → detached HEAD → bump the working tree → --verify → commit → push only the tag → create the release. main is byte-for-byte untouched; the tag push triggers build-packages.yml.

3. automation/release/version_bump.py (new) — dual-versioned bump + verify. Rewrites every flex-owned 0.0.0-nightly/0.0.0 sentinel:

  • flex images (ghcr.io/gluufederation/flex/*), chart version/dep pins, version.py, admin-ui/package.json, CN_VERSIONflex version;
  • jans images (ghcr.io/janssenproject/jans/*) and a chart appVersion deploying a jans image → the +4-mapped jans version;
  • image tags take the docker suffix (6.2.0-1 / 2.2.0-1).
    --verify aborts the release if any sentinel was missed.

4. Removed release.yml (release-please) + activate-release.yml — replaced by the above (jans uses neither).

Notes

  • Auto-triggering a flex release after a jans release is a deliberate follow-up (not in this PR).
  • A few helm-docs-generated README/version tables and one system-requirements prose line take the flex version on otherwise-jans references — cosmetic + regenerated; happy to EXCLUDE them if preferred.

Summary by CodeRabbit

  • New Features
    • Added a manually triggered “Release: bump & tag” workflow to validate versions, bump Flex versions, create an annotated v<version> tag, and publish GitHub release notes.
    • Added an automation script that updates Flex/Jans versions and associated image/download references across the repo.
    • Enhanced the package build workflow with optional manual inputs to override Jans branch parameters during dispatch runs.
  • Bug Fixes
    • Made release creation/upload more reliable by ensuring the GitHub release exists before uploading assets.
  • Chores
    • Removed older release/activation workflows that previously handled prerelease creation and manual release bumping.

…ajor)

The +4-major flex->jans tag mapping (v6.2.0 -> jans v2.2.0) only ran on tag-push; workflow_dispatch
used the required jans_branch input (default 'main'), so a dispatched release couldn't pull from the
matching jans release. Make jans_branch/jans_setup_branch optional and derive the jans tag from the
resolved tag for both events, honoring a non-empty jans_branch as an explicit override. This lets us
cut or replay a flex release for any tag and have it pull jans artifacts from the mapped jans release
- without committing any version to main (the version is still derived from the tag at build time).

Signed-off-by: moauto <54212639+mo-auto@users.noreply.github.com>
@mo-auto mo-auto requested review from iromli and moabu as code owners June 24, 2026 09:18
@coderabbitai

coderabbitai Bot commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 58872719-4fe7-41e8-b199-3d0f7c97b63b

📥 Commits

Reviewing files that changed from the base of the PR and between 4323471 and bd8521b.

📒 Files selected for processing (3)
  • .github/workflows/build-packages.yml
  • .github/workflows/release-trigger.yml
  • automation/release/version_bump.py

📝 Walkthrough

Walkthrough

The PR updates build-packages branch resolution, adds a manual release workflow, and introduces a script that rewrites Flex-owned release versions, verifies remaining sentinels, and supports release tagging.

Changes

Release automation updates

Layer / File(s) Summary
Branch inputs and derivation
.github/workflows/build-packages.yml
Adds optional Jans branch override inputs and rewrites branch resolution to apply manual overrides or derive Jans values from the resolved Flex tag.
Release existence check
.github/workflows/build-packages.yml
Creates the GitHub Release on push when it is missing before asset upload.
Manual release workflow
.github/workflows/release-trigger.yml
Adds a manually triggered release workflow with validation, detached-head release preparation, version bumping, tag push, GitHub Release creation, and summary output.
Version helpers and file utilities
automation/release/version_bump.py
Adds nightly/version helpers, file utilities, and release-version mapping logic.
Bump rewrite logic
automation/release/version_bump.py
Rewrites charts, values, Dockerfiles, URLs, and version fields for the release bump.
Verification and CLI entrypoint
automation/release/version_bump.py
Verifies remaining sentinels and exposes the CLI for bump or verify runs.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Suggested reviewers

  • iromli

Poem

🐇 I hop by tags with steady feet,
Through nightly fields and versioned wheat.
Branches bend, then releases sing,
A tidy bump for every spring.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 43.75% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly captures the main release-flow change: flex bump-and-tag logic using the mapped Jans tag.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch ci/release-align-jans-tag

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@mo-auto mo-auto added the area-CI Indicates work required in automatic builds or CI infrastructure label Jun 24, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/build-packages.yml:
- Line 25: The `jans_setup_branch` override is only honored inside the
`jans_branch` override path, so a standalone `jans_setup_branch` input gets
ignored and later reset to `JANS_BRANCH`. Update the workflow logic around the
dispatch inputs and the branch resolution block so `jans_setup_branch` is
applied independently of `jans_branch`, and only falls back to `JANS_BRANCH`
when it is truly unset; check the input handling near the
`jans_branch`/`jans_setup_branch` assignments and the final defaulting logic
that currently forces `JANS_BRANCH`.
- Around line 137-140: The workflow dispatch inputs are being expanded directly
into the shell in the branch override logic, which can allow shell or GITHUB_ENV
injection. Update the build-packages workflow around the
JANS_BRANCH/JANS_SETUP_BRANCH handling and the later similar input usage to
avoid inline `${{ inputs.* }}` inside `run:`; pass values through the step env
or another safe mechanism, and write to env files with strict quoting/encoding
so newlines and quotes cannot break assignments.
- Around line 149-155: The Jans tag mapping logic in the workflow can generate
invalid version strings for non-semver tags or majors below 4, so tighten the
guard around the JANS_BRANCH assignment. Update the tag parsing in the shell
block that derives VERSION_ONLY, MAJOR, and REST_OF_VERSION so it only maps
valid semver tags with a sufficiently large numeric major, and otherwise skips
or fails safely before setting JANS_BRANCH. Use the existing variables and
branch-mapping condition in this section to prevent outputs like negative majors
or incomplete tags.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 18784b7e-d0db-4bdf-9b82-4929d0749d75

📥 Commits

Reviewing files that changed from the base of the PR and between e5f82d7 and 41ee0b3.

📒 Files selected for processing (1)
  • .github/workflows/build-packages.yml

Comment thread .github/workflows/build-packages.yml
Comment thread .github/workflows/build-packages.yml Outdated
Comment thread .github/workflows/build-packages.yml Outdated
Add release-trigger.yml + automation/release/version_bump.py and remove release.yml
(release-please) and the broken activate-release.yml, mirroring jans's release model: a manual
workflow bumps every flex-owned version in the working tree on a detached HEAD, verifies it, commits,
and pushes ONLY the tag - main stays at nightly, nothing is committed. The tag push triggers
build-packages.yml, which pulls jans artifacts from the +4-mapped jans tag.

version_bump.py is dual-versioned: flex images/charts/installers take the flex version (6.2.0)
while upstream janssenproject/jans images take the +4-mapped jans version (2.2.0). A --verify pass
aborts the release if any dev-version sentinel was missed.

Signed-off-by: moauto <54212639+mo-auto@users.noreply.github.com>
@mo-auto mo-auto changed the title ci(release): build any flex tag against the +4-major-mapped jans tag ci(release): jans-style bump-and-tag for flex, pulling from the mapped jans tag Jun 24, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 5

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release-trigger.yml:
- Around line 25-27: The `dry_run` input in the release workflow currently only
skips pushing, but the `bump version` step still performs the local commit and
annotated tag. Update the logic in the release job around `dry_run` so the `git
commit` and `git tag` actions are also bypassed when `dry_run` is true, keeping
the behavior consistent with the `dry_run` description and the existing release
steps that handle version bumping.
- Around line 115-132: The tag push and release creation flow in the release
trigger job is not recoverable because the tag can already exist before the
release is created, blocking reruns and downstream uploads. Update the release
path around the tag push and gh release create steps so it is idempotent: either
create or verify the GitHub Release before any asset-uploading build runs, or
make the downstream build/upload steps wait and retry until the release exists.
Use the existing release-trigger steps and the release creation command as the
main points to adjust.
- Around line 51-67: The Summary step is still interpolating the unvalidated ref
directly into a shell command, which leaves command substitution exposed. Update
the workflow section that builds the summary to pass ref through env first, then
consume it safely in the shell using a validated value and printf instead of
inline interpolation. Reuse the same pattern already used in Validate version
input, and apply it in the Summary step handling around the release-trigger
workflow.
- Around line 70-75: The checkout step is persisting MOWORKFLOWTOKEN into the
local git config before executing untrusted code from the selected ref, so
harden the workflow by updating the Checkout source ref step to use
persist-credentials: false and remove credential persistence from the
actions/checkout setup. Then ensure MOWORKFLOWTOKEN is only provided to the
specific tag-push/release steps that need it, including the later
release-related steps associated with the workflow’s push/release logic, so
checked-out code runs before any PAT is injected.

In `@automation/release/version_bump.py`:
- Around line 398-403: Validate the --docker-suffix argument in version_bump.py
before it reaches bump(), since args.docker_suffix is currently passed through
unchecked and can produce invalid image tags when the script is run directly.
Add a parse-time validation alongside the existing args.version check in
main/argument parsing, and reject nonconforming suffix values with ap.error
before calling bump().
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 4da9de57-56ae-4d06-a998-be57af3a32ff

📥 Commits

Reviewing files that changed from the base of the PR and between 41ee0b3 and 4323471.

📒 Files selected for processing (4)
  • .github/workflows/activate-release.yml
  • .github/workflows/release-trigger.yml
  • .github/workflows/release.yml
  • automation/release/version_bump.py
💤 Files with no reviewable changes (2)
  • .github/workflows/activate-release.yml
  • .github/workflows/release.yml

Comment thread .github/workflows/release-trigger.yml
Comment thread .github/workflows/release-trigger.yml
Comment thread .github/workflows/release-trigger.yml Outdated
Comment thread .github/workflows/release-trigger.yml
Comment thread automation/release/version_bump.py
mo-auto and others added 3 commits June 24, 2026 17:27
- Resolve jans_setup_branch independently of jans_branch (a standalone setup-branch input was
  ignored and reset to JANS_BRANCH).
- Pass workflow_dispatch inputs through env instead of inlining ${{ inputs.* }} into run blocks,
  validate override refs against a plain-ref charset, and write GITHUB_ENV via printf, so a crafted
  value can't inject shell or env assignments.
- Map the jans tag only for a full vX.Y.Z with major >= 4; non-semver tags or majors below 4 now fail
  safely before producing a negative/garbage branch (was: any numeric major -> v$((MAJOR-4)).rest).

Signed-off-by: moauto <54212639+mo-auto@users.noreply.github.com>
…ew follow-up)

release-trigger.yml:
- dry_run now also skips the commit + tag (was: only the push), matching the input's description.
- Checkout no longer persists the PAT (persist-credentials: false); the bump runs ref code before any
  push, so the tag push supplies MOWORKFLOWTOKEN via a one-off authenticated URL instead.
- Summary passes the unvalidated ref through env and emits with printf, closing the command-
  substitution exposure.

build-packages.yml:
- The upload step ensures the release exists (idempotent 'gh release view || create', push-event only,
  tolerant of parallel matrix legs) before uploading, so a tag-push race or a re-run self-heals.

version_bump.py:
- Validate --docker-suffix at parse time (alphanumerics + dots) so direct invocation can't produce
  invalid image tags.

Signed-off-by: moauto <54212639+mo-auto@users.noreply.github.com>
@moabu moabu merged commit fe348f1 into main Jun 24, 2026
4 of 5 checks passed
@moabu moabu deleted the ci/release-align-jans-tag branch June 24, 2026 14:47
@sonarqubecloud

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area-CI Indicates work required in automatic builds or CI infrastructure

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants