Skip to content

ci(release): require protected manual publishing#83

Open
100yenadmin wants to merge 4 commits into
reconcile/r19a-vector-delete-reopenfrom
reconcile/r22-release-governance
Open

ci(release): require protected manual publishing#83
100yenadmin wants to merge 4 commits into
reconcile/r19a-vector-delete-reopenfrom
reconcile/r22-release-governance

Conversation

@100yenadmin

Copy link
Copy Markdown
Member

Closes #61

Summary

  • remove automatic RC publication from ordinary main pushes while retaining manual RC and stable-tag routes
  • require the protected internal-release environment before the artifact-producing job
  • add a parser-backed policy check that rejects branch-push publication, missing release approval, and required workflows hidden by path filters
  • make required CI, CodeQL, and workflow-lint gates appear on every main PR
  • apply the six mechanical Prettier fixes already identified by remote CI

GitHub governance applied

  • main requires a current-head aggregate CI gate, both CodeQL languages, Gitleaks, Dependency Review, actionlint, and zizmor
  • one fresh review and resolved conversations are required; admin enforcement is enabled; force pushes and deletion are disabled
  • internal-release requires administrator approval and permits only branch main or tags v*

Validation

  • red/green npm run check:release-governance
  • actionlint on all changed and required workflows
  • npx prettier --check .
  • focused ESLint: zero errors (existing warnings only)
  • git diff --check

Boundaries

This PR does not publish, tag, merge, deploy, roll out runtime changes, or touch a live index. It is based temporarily on the proven R19a P0 head and will be retargeted behind R19 scale evidence before promotion.

@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, add credits to your account and enable them for code reviews in your settings.

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 96043b3e-5f2f-4c04-91a5-e8bee6cc94b5

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch reconcile/r22-release-governance

Comment @coderabbitai help to get the list of available commands.

@evaos-code-review-bot

evaos-code-review-bot Bot commented Jul 13, 2026

Copy link
Copy Markdown

evaOS review status: stale head

PR: #83 - ci(release): require protected manual publishing
Head: 51ca6f8c6d1d0293595ad3bf5261cfdadb95cb0b
Updated: 2026-07-13T19:20:58.992Z

evaOS review stopped because this queued head is no longer the live PR head.

Automation note: agents should wait for this comment to reach completed, stale_head, closed_or_merged_before_review, skipped, or failed before treating evaOS review as settled for this head. provider_deferred means evaOS still intends to retry.

PR URL: #83

Details: live=5a617ad3a5f91b3f3ae91dd7d6e88fe65c147e01

@github-actions

github-actions Bot commented Jul 13, 2026

Copy link
Copy Markdown

CI Report

All checks passed

Pipeline Status

Stage Status Details
✅ Typecheck success tsc --noEmit
✅ Tests success unit tests, 3 platforms
✅ E2E success gitnexus-web changes only

Test Results

Tests Passed Failed Skipped Duration
14685 14623 0 62 19s

✅ All 14623 tests passed

62 test(s) skipped — expand for details

Code Coverage

Tests

Metric Coverage Covered Base Delta Status
Statements 80.9% 54658/67561 N/A% 🟢 ████████████████░░░░
Branches 68.03% 33571/49345 N/A% 🟢 █████████████░░░░░░░
Functions 87.04% 6344/7288 N/A% 🟢 █████████████████░░░
Lines 84.41% 48770/57771 N/A% 🟢 ████████████████░░░░

📋 View full run · Generated by CI

@evaos-code-review-bot

evaos-code-review-bot Bot commented Jul 13, 2026

Copy link
Copy Markdown

evaOS review status: stale head

PR: #83 - ci(release): require protected manual publishing
Head: cb498715c40606ebfc4eb5575050e2eb82e9d22b
Updated: 2026-07-13T19:31:30.902Z

evaOS review stopped because this queued head is no longer the live PR head.

Automation note: agents should wait for this comment to reach completed, stale_head, closed_or_merged_before_review, skipped, or failed before treating evaOS review as settled for this head. provider_deferred means evaOS still intends to retry.

PR URL: #83

Details: Superseded by a newer PR head.

@evaos-code-review-bot

evaos-code-review-bot Bot commented Jul 13, 2026

Copy link
Copy Markdown

evaOS review status: completed

PR: #83 - ci(release): require protected manual publishing
Head: bb307bd17d4384e7abe811e41d3a01dfc2716afe
Updated: 2026-07-13T20:17:00.996Z

evaOS review completed for this PR head.

Automation note: agents should wait for this comment to reach completed, stale_head, closed_or_merged_before_review, skipped, or failed before treating evaOS review as settled for this head. provider_deferred means evaOS still intends to retry.

PR URL: #83

Review URL: #83 (review)

@evaos-code-review-bot evaos-code-review-bot Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Walkthrough

PR: #83 - ci(release): require protected manual publishing
Head: bb307bd17d4384e7abe811e41d3a01dfc2716afe into reconcile/r19a-vector-delete-reopen. Review event: COMMENT.
Provider: GLM/Z.ai through ZCode (zcode-glm, zcode, model GLM-5.2).

Estimated review effort: 3/5 (~46 min)

Changed Files

File Status Churn Purpose Risk
.github/scripts/check-release-governance.mjs added +75/-0 Changed file Moderate: validated P3 finding
.github/workflows/ci-quality.yml modified +1/-0 Changed file Low
.github/workflows/ci.yml modified +3/-4 Changed file Low
.github/workflows/codeql.yml modified +2/-3 Changed file Low
.github/workflows/publish.yml modified +6/-12 Changed file Low
.github/workflows/workflow-lint.yml modified +2/-4 Changed file Low
package-lock.json modified +2/-1 Configuration Low
package.json modified +3/-1 Configuration Low

Review Signal

Validated inline findings: 1 (P0: 0, P1: 0, P2: 0, P3: 1).
Dropped findings before posting: 0. High-severity findings: 0.

Risk Taxonomy

  • Runtime correctness: 1

Validation and Proof

2 required validation/proof recommendation(s) selected from changed files.

  • required: TypeScript/web build or CI proof - Runtime TypeScript/web files or package/config files changed. Proof: npm run build; typecheck; focused Vitest; green GitHub check.
  • required: CI/release smoke proof - CI, release, launchd, or package metadata changed. Proof: green GitHub check; release-status; coverage-audit; rollback note.
    Proof status: missing - 2 required validation/proof recommendation(s) missing from PR metadata.
    Profile validation hints: Call out stale index, wrong repo identity, memory growth, and destructive analyze behavior.
    Profile proof expectations: Look for focused CLI, index, query, or migration proof.

Related Context

Related issues/PRs: #61.
Suggested labels: none.
Suggested reviewers: none from current metadata.

Review Settings Preview

  • Profile: assertive
  • Enabled sections: Review summary (inline_review); Walkthrough (inline_review); Changed-files table (walkthrough); Effort estimate (walkthrough); Related issues/PRs (walkthrough); Suggested labels (suggestion_only); Review status comment (sticky_status)
  • Path instructions: none
  • Label suggestions: gitnexus, code-intelligence, backend
  • Reviewer suggestions: none
  • Suggestion behavior: suggestions only; labels and reviewers are not auto-applied.
  • Roadmap-only settings: auto-apply labels; auto-request reviewers; required status checks

Pre-merge checklist

  • Inline comments target current RIGHT-side diff lines.
  • No secret-like content survived into posted inline comments.
  • REQUEST_CHANGES is only used when eligible P0/P1 findings survive validation.
  • Required behavior proof is present or not applicable.
  • Labels and reviewers are suggestions only; the bot did not auto-apply them.

'dependency-review.yml',
'workflow-lint.yml',
]) {
const candidate = readWorkflow(filename);

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P3: Missing workflow file crashes script instead of failing gracefully

readWorkflow() (line 9-10) calls fs.readFileSync without a try/catch. In the loop at line 51-71, if any of ci.yml, codeql.yml, gitleaks.yml, dependency-review.yml, or workflow-lint.yml is absent on a branch (e.g. a long-lived branch predating one of these workflows, or a fork that removed one), the script throws an uncaught ENOENT with a stack trace rather than emitting a governance 'fail()' message and exitCode=1. The effect is still a CI failure, so this is cosmetic, but wrapping readWorkflow in a try/catch that calls fail(${filename} could not be read: ...) would produce a legible governance error consistent with the script's own messaging contract.

Category: Runtime correctness

Why this matters: A stack trace from a missing-file ENOENT is a confusing CI signal for a governance check; the script already has a fail() channel designed exactly for this. Low impact because all five files exist on main and this branch.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant