chore: add initial scaffold for labs release check orchestration (#2919)

harbournick · web-flow · commit c1f616e45c48 · 2026-04-22T17:47:45.000-07:00
* chore: add initial scaffold for labs release check orchestration

* chore: tweak gha
diff --git a/.github/workflows/release-qualification-dispatch.yml b/.github/workflows/release-qualification-dispatch.yml
@@ -0,0 +1,124 @@
+name: 🧪 Dispatch Release Qualification
+
+on:
+  pull_request:
+    branches:
+      - stable
+    types:
+      - opened
+      - ready_for_review
+      - reopened
+      - synchronize
+
+permissions:
+  contents: read
+  pull-requests: read
+
+concurrency:
+  group: release-qualification-dispatch-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+jobs:
+  dispatch-release-qualification:
+    if: github.event.pull_request.head.repo.full_name == github.repository
+    runs-on: ubuntu-latest
+    steps:
+      - name: Build dispatch payload
+        env:
+          PR_TITLE: ${{ github.event.pull_request.title }}
+        run: |
+          set -euo pipefail
+
+          MERGE_PREPARATION_STATUS="unknown"
+          if [[ "${PR_TITLE}" == *"conflicts need resolution"* ]]; then
+            MERGE_PREPARATION_STATUS="conflicts"
+          fi
+
+          cat <<EOF > release-qualification-payload.json
+          {
+            "repositoryOwner": "${{ github.repository_owner }}",
+            "repositoryName": "${GITHUB_REPOSITORY#*/}",
+            "repositoryFullName": "${{ github.repository }}",
+            "pullRequestNumber": ${{ github.event.pull_request.number }},
+            "pullRequestUrl": "${{ github.event.pull_request.html_url }}",
+            "baseRef": "${{ github.event.pull_request.base.ref }}",
+            "headRef": "${{ github.event.pull_request.head.ref }}",
+            "headSha": "${{ github.event.pull_request.head.sha }}",
+            "mergePreparationStatus": "${MERGE_PREPARATION_STATUS}",
+            "triggerEvent": "${{ github.event.action }}"
+          }
+          EOF
+
+      - name: Dispatch to Labs release orchestrator
+        id: dispatch
+        env:
+          LABS_RELEASE_QUALIFICATION_TOKEN: ${{ secrets.LABS_RELEASE_QUALIFICATION_TOKEN }}
+          LABS_RELEASE_QUALIFICATION_URL: ${{ vars.LABS_RELEASE_QUALIFICATION_URL }}
+        run: |
+          set -euo pipefail
+
+          if [[ -z "${LABS_RELEASE_QUALIFICATION_URL}" ]]; then
+            echo "LABS_RELEASE_QUALIFICATION_URL is required." >&2
+            exit 1
+          fi
+
+          if [[ -z "${LABS_RELEASE_QUALIFICATION_TOKEN}" ]]; then
+            echo "LABS_RELEASE_QUALIFICATION_TOKEN is required." >&2
+            exit 1
+          fi
+
+          RESPONSE_FILE="$(mktemp)"
+          set +e
+          HTTP_STATUS="$(curl \
+            --fail-with-body \
+            --silent \
+            --show-error \
+            --output "${RESPONSE_FILE}" \
+            --write-out '%{http_code}' \
+            -X POST \
+            -H 'content-type: application/json' \
+            -H "x-labs-internal-token: ${LABS_RELEASE_QUALIFICATION_TOKEN}" \
+            --data @release-qualification-payload.json \
+            "${LABS_RELEASE_QUALIFICATION_URL}")"
+          CURL_EXIT=$?
+          set -e
+
+          if [[ "${CURL_EXIT}" -ne 0 ]]; then
+            cat "${RESPONSE_FILE}"
+            exit "${CURL_EXIT}"
+          fi
+
+          if [[ "${HTTP_STATUS}" -lt 200 || "${HTTP_STATUS}" -ge 300 ]]; then
+            cat "${RESPONSE_FILE}"
+            exit 1
+          fi
+
+          RUN_ID="$(jq -r '.run.runId // empty' "${RESPONSE_FILE}")"
+          RUN_STATUS="$(jq -r '.run.status // empty' "${RESPONSE_FILE}")"
+          CREATED="$(jq -r '.created // false' "${RESPONSE_FILE}")"
+
+          if [[ -z "${RUN_ID}" || -z "${RUN_STATUS}" ]]; then
+            cat "${RESPONSE_FILE}"
+            echo "Labs response did not include the expected run metadata." >&2
+            exit 1
+          fi
+
+          echo "run_id=${RUN_ID}" >> "${GITHUB_OUTPUT}"
+          echo "run_status=${RUN_STATUS}" >> "${GITHUB_OUTPUT}"
+          echo "created=${CREATED}" >> "${GITHUB_OUTPUT}"
+
+      - name: Write workflow summary
+        run: |
+          {
+            echo "### Release Qualification Dispatch"
+            echo
+            echo "| Field | Value |"
+            echo "| --- | --- |"
+            echo "| PR | #${{ github.event.pull_request.number }} |"
+            echo "| Base branch | \`${{ github.event.pull_request.base.ref }}\` |"
+            echo "| Head branch | \`${{ github.event.pull_request.head.ref }}\` |"
+            echo "| Head SHA | \`${{ github.event.pull_request.head.sha }}\` |"
+            echo "| Labs run | \`${{ steps.dispatch.outputs.run_id }}\` |"
+            echo "| Labs status | \`${{ steps.dispatch.outputs.run_status }}\` |"
+            echo "| New run created | \`${{ steps.dispatch.outputs.created }}\` |"
+          } >> "${GITHUB_STEP_SUMMARY}"
diff --git a/cicd.md b/cicd.md
@@ -81,7 +81,25 @@ main (next) → stable (latest) → X.x (maintenance)
 - If the merge conflicts, commits the conflicted merge to the branch so a human can resolve it there
 - Merging that PR triggers the automatic stable release workflow
 
-#### 4. Create Patch Branch (`create-patch.yml`)
+#### 4. Release Qualification Dispatch (`release-qualification-dispatch.yml`)
+
+**Trigger**: Pull requests targeting `stable` (`opened`, `reopened`, `synchronize`, `ready_for_review`)
+
+**Actions**:
+
+- Sends the PR head SHA and branch metadata to the Labs release-orchestrator service
+- Lets Labs create a generic GitHub check run on that SHA
+- Does not wait on or expose any private Labs details in the repository
+- Re-triggers automatically when new commits are pushed to the PR branch
+
+Only same-repository PRs dispatch to Labs. Forked PRs are intentionally skipped so private Labs credentials are never exposed to untrusted branches.
+
+**Required configuration**:
+
+- variable: `LABS_RELEASE_QUALIFICATION_URL`
+- secret: `LABS_RELEASE_QUALIFICATION_TOKEN`
+
+#### 5. Create Patch Branch (`create-patch.yml`)
 
 **Trigger**: Manual workflow dispatch
 
@@ -92,7 +110,7 @@ main (next) → stable (latest) → X.x (maintenance)
 - Creates `X.x` branch from last stable tag
 - Enables patching of old versions
 
-#### 5. Forward Port (`forward-port.yml`)
+#### 6. Forward Port (`forward-port.yml`)
 
 **Triggers**:
 
@@ -107,7 +125,7 @@ main (next) → stable (latest) → X.x (maintenance)
 
 ### Support Workflows
 
-#### 6. Test Suite (`test-suite.yml`)
+#### 7. Test Suite (`test-suite.yml`)
 
 **Type**: Reusable workflow
 
@@ -118,7 +136,7 @@ main (next) → stable (latest) → X.x (maintenance)
 - Visual regression tests (Playwright)
 - E2E tests (external service)
 
-#### 7. Visual Tests (`test-example-apps.yml`)
+#### 8. Visual Tests (`test-example-apps.yml`)
 
 **Triggers**:
 
@@ -211,10 +229,12 @@ These skip semantic-release entirely — useful for re-publishing a failed platf
 
 1. Run "Promote to Stable" workflow
 2. Review the generated PR from the candidate branch into `stable`
-3. If needed, resolve merge conflicts on the candidate branch
-4. Merge the PR into `stable`
-5. Automatically publishes `1.1.0` as @latest
-6. Syncs back to main with version bump
+3. Labs receives the PR head SHA and creates the `Release Qualification` GitHub check run
+4. If needed, resolve merge conflicts on the candidate branch and push fixes
+5. Re-run or wait for qualification on the new PR head SHA
+6. Merge the PR into `stable`
+7. Automatically publishes `1.1.0` as @latest
+8. Syncs back to main with version bump
 
 ### Scenario 3: Hotfix to Current Stable
 
