feat(release): bootstrap release-please self-management for org-defaults repo #35

Merged: brodkin merged 1 commit into main from chore/release-please-self-bootstrap on May 9, 2026

@brodkin (Contributor) commented May 9, 2026

Summary

Bootstraps release-please self-management for SpiceLabsHQ/.github. Going forward this repo gets versioned point releases (v0.1.0, v0.1.1, …) authored by Rosemary Releaser, instead of the current rolling-v1-tag manual moves.

This is the DEV-225 Phase 5 smoke test PR — also the permanent self-release setup for this repo. Two birds.

Files added

| File | Purpose |
| --- | --- |
| .github/workflows/release-please-self.yml | Caller workflow on push: main invoking release-please.yml@v1 with the Rosemary Releaser App secrets |
| .github/workflows/release-cascade-check.yml | No-op tag-push workflow that emits a ::notice:: with the actor identity — proves tag-cascade auth chain is healthy |
| release-please-config.json | release-type: simple, single package at root, bootstrap-sha pinned to bce3abd (PR #34's merge) so the first release window starts here, not since the beginning of time |
| .release-please-manifest.json | {".": "0.0.0"} |
| version.txt | Placeholder 0.0.0 — release-please bumps it on each release (release-type: simple convention) |

Smoke-test sequence after merge

  1. push:main fires release-please-self.yml.
  2. release-please scans commits since bootstrap-sha (just this PR's feat: squash commit) → proposes release PR for v0.1.0.
  3. Proof point #1: the release PR's author should be rosemary-releaser[bot] (not the human who merged or github-actions[bot]). Confirm via PR's author chip on GitHub.
  4. Merge the release PR → tag v0.1.0 created on main.
  5. Proof point #2: release-cascade-check.yml fires on the v0.1.0 tag push. If GITHUB_TOKEN had leaked into the path, GitHub would suppress this trigger (recursion safety) and the workflow would stay silent.
  6. The cascade check emits ::notice:: with actor=rosemary-releaser[bot] (or similar App identity). Visible in the workflow run summary.

Why bootstrap-sha and not "scan all history"

This repo has a substantial pre-DEV-214 history (Pepper rename, prompt iterations, etc.). Without bootstrap-sha, the first release PR would scan it all and produce an unmanageable changelog. Pinning to bce3abd (the secret-rename merge from earlier today) means the first changelog covers only this PR's changes — clean smoke-test signal. bootstrap-sha is ignored after the first release; subsequent runs use the previous tag as the lower bound.

Why release-type: simple

The repo isn't a code package — it's a collection of reusable workflows. simple tracks version in version.txt only, no language-specific package-file hooks. If we ever want version markers in README badges or workflow header comments, we add them via extra-files later.

Coexistence with the rolling v1 tag

release-please will create v1.0.0, v1.0.1, etc. — different tags from the existing rolling v1. The rolling v1 continues to point at "latest released v1.x.y", advanced manually after each release-please-cut release (or via a separate workflow we can add later). For now, the rolling v1 is unaffected.

Test plan

Refs: DEV-225

…lts repo

Adds release-please self-management to SpiceLabsHQ/.github so this repo
gets versioned point releases (v0.1.0, v0.1.1, etc.) instead of the
current rolling-v1-tag manual moves.

What this adds
--------------
- .github/workflows/release-please-self.yml — caller workflow on push:main
  invoking SpiceLabsHQ/.github/.github/workflows/release-please.yml@v1 with
  the Rosemary Releaser App secrets. The App identity ensures the release
  PR is authored by rosemary-releaser[bot] AND that tag pushes from the
  release PR merge can fire downstream workflows.
- .github/workflows/release-cascade-check.yml — no-op smoke test that fires
  on tag push and emits a notice with the actor identity. Lets us confirm
  end-to-end that tag-cascade auth chain is healthy.
- release-please-config.json — release-type: simple, single package at
  repo root, bootstrap-sha pinned to bce3abd so the first release window
  starts after PR #34 (the secret-rename) instead of scanning all history.
- .release-please-manifest.json — initial state {".": "0.0.0"}.
- version.txt — initial 0.0.0 placeholder that release-please will bump
  on each release (release-type: simple convention).

Smoke-test sequence after merge
-------------------------------
1. push:main fires release-please-self.yml
2. release-please scans commits since bootstrap-sha → finds this feat:
   commit → proposes a release PR for v0.1.0
3. The release PR is authored by rosemary-releaser[bot] (proof point #1)
4. Merging the release PR creates tag v0.1.0
5. The tag push fires release-cascade-check.yml (proof point #2)
6. Cascade check's notice should show actor=rosemary-releaser[bot]

Refs: DEV-225
@brodkin merged commit 9cb5103 into main May 9, 2026
1 check passed
@brodkin deleted the chore/release-please-self-bootstrap branch May 9, 2026 02:48

@pepper-pr-review (Bot) left a comment

Verified against DEV-225 (Linear) — aligned. This PR implements Phase 5 (smoke test) of the release-please provisioning work, bootstrapping self-management for the .github repo.

Test coverage is appropriate for workflow infrastructure: the workflows themselves are the executable behavior, and the release-cascade-check.yml is the regression test that will prove tag-cascade auth works after merge. The PR body documents the complete smoke-test sequence with proof points.

Configuration is sound: release-type: simple matches the README's documented pattern for non-code-package repos; bootstrap-sha correctly pins to PR #34's merge (bce3abd) to avoid scanning pre-release-please history; manifest and version.txt follow conventions; caller workflow properly references the reusable workflow at @v1 and passes both App secrets with correct permissions.

Security: no hardcoded credentials, no command injection, no workflow-level write permissions, appropriate use of pull_request trigger (not pull_request_target), and the cascade-check workflow safely echoes environment variables without execution risk.

Nicely documented — the inline comments in both workflows explain the why, and the PR body provides the complete smoke-test runbook. Once merged, watch for the release PR to open authored by rosemary-releaser[bot], which will be proof-point #1 that the App auth chain is healthy. 🌿

— Pepper
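
The two proof points from the smoke-test sequence can be checked mechanically. The following is an added example, not part of this PR or of either comment above. It evaluates a pull-request object and a list of workflow-run objects shaped like GitHub REST API responses. The payloads are constructed, the function names are hypothetical, and the strict match on the App login and the use of `head_branch` to carry the tag name are assumptions.

```python
EXPECTED_APP = "rosemary-releaser[bot]"  # App identity named in the PR
TOKEN_BOT = "github-actions[bot]"        # identity behind the default GITHUB_TOKEN
CASCADE_PATH = ".github/workflows/release-cascade-check.yml"

def check_release_pr(pr):
    """Proof point #1: the release PR is authored by the App."""
    login = pr.get("user", {}).get("login", "")
    if login == EXPECTED_APP:
        return "ok"
    if login == TOKEN_BOT:
        return "fail: release PR was opened with GITHUB_TOKEN"
    return "fail: unexpected author " + repr(login)

def check_cascade(runs, tag):
    """Proof point #2: the tag push started the cascade-check workflow."""
    hits = [r for r in runs
            if r.get("event") == "push"
            and r.get("head_branch") == tag   # assumed: holds the tag name on tag pushes
            and r.get("path") == CASCADE_PATH]
    if not hits:
        # Silence is the failure signal: a tag created with GITHUB_TOKEN
        # starts no workflow run, so there is nothing to inspect.
        return "fail: no cascade run for " + tag
    actor = hits[0].get("actor", {}).get("login", "")
    if actor == EXPECTED_APP:
        return "ok"
    return "fail: unexpected actor " + repr(actor)

# Constructed sample payloads, trimmed to the fields the checks read.
SAMPLE_PR = {"user": {"login": "rosemary-releaser[bot]", "type": "Bot"}}
SAMPLE_RUNS = [
    {"event": "push", "head_branch": "main",
     "path": ".github/workflows/release-please-self.yml",
     "actor": {"login": "brodkin"}},
    {"event": "push", "head_branch": "v0.1.0",
     "path": CASCADE_PATH,
     "actor": {"login": "rosemary-releaser[bot]"}},
]

if __name__ == "__main__":
    print("proof point #1:", check_release_pr(SAMPLE_PR))
    print("proof point #2:", check_cascade(SAMPLE_RUNS, "v0.1.0"))
```

A missing run is reported as a failure rather than skipped, because the suppressed-trigger case described in step 5 leaves no run to examine.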


Labels

pepper-approved Pepper approved this PR
