ci(release): enable meta self-release (all task + self-caller)#242
Merged
Conversation
meta has no `mise run all` (config repo), so the auto-release driver couldn't validate it. Add an `all` task (actionlint + ci scans; the driver runs the secret/license scans separately) and a Self-Release workflow_dispatch caller of the reusable auto-release.yml@main, so meta can dogfood its own release driver. Refs TMDs#239.
Contributor
Pull request overview
This PR lets the meta repo dogfood its own reusable auto-release driver: it adds the `mise run all` entry task and a new workflow_dispatch Self-Release caller that invokes auto-release.yml@main, so the config repo can follow the same release flow as the consumer repos.
Changes:
- Add `[tasks.all]` to `mise.toml` as the validation entry point for the auto-release driver (actionlint + CI scans).
- Add `.github/workflows/self-release.yml`, a manually triggered Self-Release workflow that calls the reusable `auto-release.yml@main` and forwards the required secrets.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| mise.toml | Adds the `all` task as the validation-gate entry point for the release driver (used by `mise run all`). |
| .github/workflows/self-release.yml | Adds a manually triggered caller workflow that invokes the reusable auto-release driver and forwards inputs/secrets. |
…lease The auto-release driver runs ci:trivy-license / betterleaks / trufflehog as separate steps after `mise run all`, so keeping ci:trivy-license inside [tasks.ci] (which [tasks.all] depends on) double-scanned it in the meta self-release pipeline. Drop it from [tasks.ci] so meta matches the consumer pattern, where license/secret scans live only in the driver. iac:trivy (config scan) and ci:semgrep are NOT run separately by the driver, so they correctly stay in ci. The [tasks.all] non-duplication comment is now accurate.
Move contents:write from the workflow level down to jobs.self-release, and keep the workflow-level default at contents:read. Matches the repo's other self-* callers (self-dependency-review, self-supply-chain), which run minimal workflow perms and elevate per job. Functionally identical for the reusable auto-release.yml call (the caller job's permissions govern the reused workflow's GITHUB_TOKEN), while tightening the default token scope.
Summary
meta couldn't use its own auto-release driver because the driver runs `mise run all` and meta (a config repo) had no `all` task. This enables meta to dogfood the driver:

- `[tasks.all]` = `iac:actionlint` + `ci` (trivy + semgrep). Read-only, no working-tree drift. The license/secret scans (trivy-license/betterleaks/trufflehog) are run by the driver itself as separate steps, so they are deliberately kept OUT of `all`/`ci` to avoid double-scanning — matching the 13 consumer repos' pattern.
- `.github/workflows/self-release.yml` = `workflow_dispatch` caller (version + dry_run) of `auto-release.yml@main`, forwarding the ci-read + pre-release App secrets — same pattern as the 13 consumer callers.

Follow-up (after merge)

Cut meta patch release via Self-Release (dry_run first, then v0.2.5.5). Real release needs the pre-release App in meta's main/dev ruleset `bypass_actors`. Refs TMDs#239.
Closes #243
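The caller pattern the commits describe (read-only token scope at the workflow level, `contents: write` elevated only on the calling job, inputs and secrets forwarded explicitly to the reusable driver), written out as an added illustration rather than the PR's actual self-release.yml; the `OWNER` org, the secret names and the input descriptions are placeholders, not values taken from the repository.

```yaml
# Added illustration of the self-release caller pattern discussed in this PR.
# Not the repository's own file: OWNER, the secret names and the input
# descriptions are placeholders/assumptions.
name: Self-Release

on:
  workflow_dispatch:
    inputs:
      version:
        description: "Release version to cut (assumed format, e.g. v0.2.5.5)"
        required: true
        type: string
      dry_run:
        description: "Validate only; do not tag or publish"
        required: false
        type: boolean
        default: true

# Default GITHUB_TOKEN scope for every job in this workflow stays read-only.
permissions:
  contents: read

jobs:
  self-release:
    # The calling job's permissions govern the token the reused workflow
    # receives, so write access is granted here and nowhere else.
    permissions:
      contents: write
    uses: OWNER/meta/.github/workflows/auto-release.yml@main
    with:
      version: ${{ inputs.version }}
      dry_run: ${{ inputs.dry_run }}
    # Forward only the secrets the driver needs (secret names are assumptions).
    secrets:
      CI_READ_APP_ID: ${{ secrets.CI_READ_APP_ID }}
      CI_READ_APP_PRIVATE_KEY: ${{ secrets.CI_READ_APP_PRIVATE_KEY }}
      PRE_RELEASE_APP_ID: ${{ secrets.PRE_RELEASE_APP_ID }}
      PRE_RELEASE_APP_PRIVATE_KEY: ${{ secrets.PRE_RELEASE_APP_PRIVATE_KEY }}
```

The weaker shape the second commit moved away from declares `contents: write` in the top-level `permissions:` block, which hands write scope to every job by default instead of only the one that calls the driver.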