feat(APP-963): modular release system — design + modules #5
Open
tyhonchik wants to merge 1 commit into
…flows)
Design-first deliverable for APP-963: standardise releases across repos around the
Build → Test → Release → Deploy spine, with loadable modules in github-templates.
- docs/release-design.md: scenarios A–D, the 4-step spine, module catalog, the
explicit-paths credential model + security contract, distribution/versioning.
- steps/: composite actions (setup, compute-version[changesets|semantic-release],
slack-notify, extract-slack-ts, read-changelog, build-release-notes,
generate-release-summary, parse-playwright-results, gh-ensure-{pr,tag,release},
git-ensure-branch). Scripts co-located + referenced via $GITHUB_ACTION_PATH so the
actions are self-contained across repos; generateReleaseSummary genericised (no
hardcoded repo).
- .github/workflows/: reusable workflows (release-start, release-finalize,
deploy-vercel, deploy-docker, e2e, release-self). VERCEL_TOKEN resolved only inside
deploy-vercel. op:// inputs validated; no secrets: inherit; third-party actions
SHA-pinned.
- examples/: per-scenario caller workflows. .github/dependabot.yml + _selftest.yml.
Additive only: steps/credential-retrieval (v0.4, live) is untouched, so existing SHA
pins keep working. Consumer migrations are downstream (SREDO-695/697/698).
What & why
APP-963 (SEAL best-practices; blocks SREDO-695/697/698). Every Aragon repo re-implements a near-identical release pipeline. This design-first PR standardises them into loadable modules here, so secrets are handled the same way, the broad-permission Vercel token has one place it can be read, and a fix patches everywhere via one bump.
Deliverables
- docs/release-design.md — the study/design: scenarios A–D (app / library / backend / indexer), the Build → Test → Release → Deploy spine, the module catalog, the explicit-paths credential model, the security contract, and distribution/versioning. (primary deliverable)
- steps/ — 12 new composite actions incl. compute-version (the pluggable changesets | semantic-release seam). Scripts are co-located and called via $GITHUB_ACTION_PATH so the actions work cross-repo; generateReleaseSummary no longer hardcodes a repo.
- .github/workflows/ — reusable workflows: release-start, release-finalize, deploy-vercel, deploy-docker, e2e, release-self.
- examples/ — per-scenario caller workflows. Plus .github/dependabot.yml and a _selftest smoke workflow.

Key decisions
- op:// paths; one scoped OP_SERVICE_ACCOUNT_TOKEN; no secrets: inherit; inputs validated; third-party actions SHA-pinned.
- release-self); consumers pin SHAs + Dependabot.

Safety
Additive only — steps/credential-retrieval (v0.4, in use by app / app-backend / gov-ui-kit) is untouched, so existing @v0.4 SHA pins keep working. Migrating consumers is downstream (SREDO tickets).

Validation
- actionlint clean; all workflow/action YAML parses; node --check on all scripts.
- _selftest.yml (manual dispatch) smoke-tests the leaf actions in-repo.

Reviewer notes
- aragon/github-templates/steps/*@main during bootstrap (relative ./steps/* would resolve against the caller repo). Pin these to the cut tag/SHA when releasing v0.5.
- v0.5/v1 is for the DevOps owner (CODEOWNER).
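
A check for three of the rules this PR lists (third-party actions SHA-pinned, no secrets: inherit, op:// inputs validated), as an added example that is not code from the PR or the repository. The op:// allowlist pattern, the token-path input name and the sample workflow are assumptions constructed for illustration.

```javascript
// Added example: audits workflow YAML text against three rules named in the PR.
// Line-based on purpose (no YAML parser dependency); the rule details are assumptions.
const FULL_SHA = /^[0-9a-f]{40}$/;
// Conservative allowlist for op://vault/item[/section]/field (assumption, not the repo's rule).
const OP_REF = /^op:\/\/[A-Za-z0-9._-]+(\/[A-Za-z0-9._-]+){2,3}$/;

function isPinned(ref) {
  if (ref.startsWith('./')) return true; // local action, versioned with the repo itself
  if (ref.startsWith('docker://')) return /@sha256:[0-9a-f]{64}$/.test(ref);
  const at = ref.lastIndexOf('@');
  return at > 0 && FULL_SHA.test(ref.slice(at + 1)); // tags and branches are mutable
}

function auditWorkflow(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.replace(/\s+#.*$/, '').trimEnd(); // drop trailing "# v4.1.1" comments
    let m;
    if ((m = line.match(/^\s*(?:-\s+)?uses:\s*["']?([^"'\s]+)/)) && !isPinned(m[1])) {
      findings.push({ line: i + 1, rule: 'unpinned-action', value: m[1] });
    }
    if (/^\s*secrets:\s*inherit$/.test(line)) {
      findings.push({ line: i + 1, rule: 'secrets-inherit', value: 'inherit' });
    }
    if ((m = line.match(/^\s*[\w-]+:\s*["']?(op:\/\/[^"']*)["']?$/)) && !OP_REF.test(m[1])) {
      findings.push({ line: i + 1, rule: 'bad-op-ref', value: m[1] });
    }
  });
  return findings;
}

// Constructed sample caller workflow (not from the PR); token-path is a hypothetical input.
const SAMPLE = [
  'jobs:',
  '  deploy:',
  '    uses: aragon/github-templates/.github/workflows/deploy-vercel.yml@main',
  '    secrets: inherit',
  '    with:',
  '      token-path: "op://vault/item"',
  '  build:',
  '    steps:',
  '      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # constructed SHA',
  '      - uses: ./steps/setup',
].join('\n');

console.log(auditWorkflow(SAMPLE));
```

Run over every file in .github/workflows/ and examples/, a non-empty result can fail the job so an unpinned reference or an inherited secret set does not reach a release tag.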