ci: branch-protection-friendly release flow + unblock Dependabot PR #2#3
Merged
Branch protection on main requires every change to land via a PR with all 16 required checks passing. The previous Publish Release workflow did `git push origin main` directly, so it now hits GH013 "Repository rule violations found for refs/heads/main".

Replacing the single-shot release.yml with two workflows that respect branch protection AND keep zero-touch releases:

release-prepare.yml (manual workflow_dispatch)
- Computes new version, creates `release/vX.Y.Z` branch
- Bumps info.xml + CHANGELOG (same Keep-a-Changelog logic as before)
- Pushes the release branch (release/* is not a protected ref)
- Opens a PR labeled `release` with a body that encodes the prerelease flag in stable HTML-comment markers
- Manually fires ci.yml + integration.yml on the release branch via `gh workflow run` — workflow_dispatch is the documented exception to GITHUB_TOKEN's anti-loop rule (https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow), so the PR's required-checks gate gets satisfied without a PAT

release-publish.yml (auto on PR merge with `release` label, or manual workflow_dispatch for retry)
- Reads the now-bumped version from main's info.xml
- Verifies tag does not exist
- Creates + pushes annotated tag (tags are not under branch rules)
- Builds release notes
- Builds the App Store tarball (same allowlist as the tarball dry-run job in integration.yml — they're meant to stay in sync)
- Publishes the GitHub Release
- Polls GitHub's CDN until gzip-valid + tar-valid + SHA-256 matches
- Signs the CDN-verified tarball and posts to the Nextcloud App Store

Supporting changes:
- ci.yml + integration.yml gain a `workflow_dispatch:` trigger so release-prepare can fire them on release/* branches
- The label `release` is created idempotently by release-prepare
- No new secrets needed; everything works with the built-in GITHUB_TOKEN

User flow per release:
1. Click "Run workflow" on Release — Prepare PR
2. Review and merge the PR (CI runs as on any PR)
3. release-publish fires on merge — tag, tarball, GH release, CDN verify, App Store upload happen automatically

Validated locally: actionlint exit 0, REUSE 26/26 compliant.

Signed-off-by: Git'Fellow <12234510+solracsf@users.noreply.github.com>
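The step the commit message describes as "polls GitHub's CDN until gzip-valid + tar-valid + SHA-256 matches" is the control that keeps the workflow from signing a half-propagated or substituted asset. The script below is an added example, not code from this PR or from release-publish.yml: the function names, the fetch-command interface and the attempt budget are assumptions, and the tarball plus the "CDN" (a stand-in that serves a truncated copy on the first fetch and the complete file afterwards) are constructed inline so it runs offline.

```shell
#!/usr/bin/env bash
# Added example (not the project's release-publish.yml): verify a published
# tarball the way the commit message describes (gzip-valid, tar-valid,
# SHA-256 matches the locally built artifact) and re-poll until it passes.
# Function names and the fetch interface are assumptions for illustration.
set -u

# SHA-256 of a file; sha256sum on coreutils, shasum on macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# All three checks from the workflow step. Returns non-zero on the first
# failure so a partially propagated or swapped asset is never signed.
verify_tarball() {
  local file="$1" expected="$2" actual
  [ -s "$file" ] || { echo "verify: $file missing or empty" >&2; return 1; }
  gzip -t "$file" 2>/dev/null || { echo "verify: gzip integrity check failed" >&2; return 1; }
  tar -tzf "$file" >/dev/null 2>&1 || { echo "verify: tar listing failed" >&2; return 1; }
  actual=$(sha256_of "$file")
  [ "$actual" = "$expected" ] || { echo "verify: sha256 mismatch $actual != $expected" >&2; return 1; }
}

# Re-fetch and re-verify until success or the attempt budget is spent.
# $1 fetch command (writes the asset to $2), $2 destination path,
# $3 expected sha256 of the locally built tarball, $4 max attempts.
poll_until_verified() {
  local fetch="$1" dest="$2" expected="$3" max="${4:-5}" attempt=1
  while [ "$attempt" -le "$max" ]; do
    "$fetch" "$dest" || true
    if verify_tarball "$dest" "$expected" 2>/dev/null; then
      echo "verified after $attempt attempt(s)"
      return 0
    fi
    attempt=$((attempt + 1))
    # A real workflow sleeps between attempts (e.g. 15 s); omitted here.
  done
  echo "asset never verified after $max attempts" >&2
  return 1
}

# Constructed input: a tiny app tarball standing in for the App Store build.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/src/myapp/appinfo"
printf '<info><id>myapp</id><version>1.2.3</version></info>\n' \
  > "$WORK/src/myapp/appinfo/info.xml"
tar -C "$WORK/src" -czf "$WORK/myapp-1.2.3.tar.gz" myapp
EXPECTED_SHA=$(sha256_of "$WORK/myapp-1.2.3.tar.gz")

# Constructed stand-in for the CDN: the first fetch returns a truncated,
# still-propagating copy; every later fetch returns the complete asset.
CDN_CALLS=0
fake_cdn_fetch() {
  CDN_CALLS=$((CDN_CALLS + 1))
  if [ "$CDN_CALLS" -eq 1 ]; then
    head -c 20 "$WORK/myapp-1.2.3.tar.gz" > "$1"
  else
    cp "$WORK/myapp-1.2.3.tar.gz" "$1"
  fi
}

# Stand-alone run: first attempt fails the gzip check, second one verifies.
poll_until_verified fake_cdn_fetch "$WORK/download.tar.gz" "$EXPECTED_SHA" 5
```

The expected digest comes from the tarball the workflow itself built, never from anything downloaded, so the comparison anchors on the build output rather than on whatever the CDN currently serves; the gzip and tar checks in front of it turn a truncated download into a retry instead of a confusing hash mismatch.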
markdownlint v0.40.0 (shipped by markdownlint-cli2-action v21, which Dependabot is bumping to in PR #2) introduces MD060 "table-column-style" — pads pipe characters with spaces to visually align tables in source. This fires 16 times across README.md and .github/SECURITY.md against tables that render identically with or without padding.

Disabling the rule because:
- The rule is purely cosmetic; rendered tables look the same
- Auto-formatting every table in the repo to satisfy MD060 is significant churn for zero functional gain
- This unblocks Dependabot's PR #2 once main updates and the bot rebases

Signed-off-by: Git'Fellow <12234510+solracsf@users.noreply.github.com>
## Summary

Two commits, each independently reviewable:

1. **ci: split release flow into prepare-PR + publish-on-merge** — fixes the Publish Release workflow run that errored with `GH013: Repository rule violations` on `git push origin main`. Replaces the single-shot `release.yml` with a two-phase flow that respects the new branch ruleset (PR + 16/16 checks required) without introducing any new secret.
2. **ci: disable MD060 in markdownlint** — unblocks Dependabot PR #2: markdownlint v0.40.0 (shipped by markdownlint-cli2-action v21) introduces MD060 table-column-style which fires 16 times against perfectly-rendered tables in `README.md` and `.github/SECURITY.md`. Disabling.

## New release flow

- `release-prepare.yml`: `workflow_dispatch` (manual). Bumps `info.xml` + CHANGELOG on `release/vX.Y.Z` branch, opens labeled PR, fires CI on the branch
- `release-publish.yml`: `pull_request: closed` (auto on PR merge with label `release`) or `workflow_dispatch` (recovery)

**Why no PAT needed:** GITHUB_TOKEN-pushed commits don't trigger downstream workflows (anti-loop), but `workflow_dispatch` is the documented exception. Phase 1 calls `gh workflow run ci.yml --ref release/vX.Y.Z` to fire CI on the prep PR's branch — the required-checks gate gets satisfied without a long-lived token.

Tag pushes are not covered by branch rulesets (which gate only `refs/heads/*`), so Phase 2 can `git push origin vX.Y.Z` directly.

## User flow per release

`bump_type` and `prerelease`

## Local validation

- `actionlint -shellcheck="shellcheck -e SC2129,SC2002"`
- `reuse lint`

## Test plan

- `release/vX.Y.Y+1` PR opens with CI running