
ci(release): notes via workflow input, attached as CHANGELOG.md asset (no repo maintenance) #54

Merged
aksOps merged 3 commits into main from fix-release-no-autopush
Apr 23, 2026
Conversation

Contributor

@aksOps aksOps commented Apr 23, 2026

Revised approach

After the initial "extract from CHANGELOG.md" design, the user requested zero in-repo overhead:

create a changelog.md file in release itself with the content same as release note. no overhead

So this PR flips the flow again — release notes come from a `notes` workflow input, not from a CHANGELOG.md section.

New release procedure

```sh
gh workflow run release.yml --ref main \
-f bump=patch \
-f notes=$'### Changed\n\n- Describe changes here...\n\n### Upgrade impact\n\nDrop-in replacement.'
```

That's the entire release flow. One CLI command.

What happens

  1. Workflow takes the `notes` input as the source of truth.
  2. Writes the notes to `dist/CHANGELOG.md`.
  3. Uses the notes as the GitHub release body (with the cosign verify footer appended).
  4. Uploads `dist/CHANGELOG.md` as a release asset alongside binaries / sigs / SHA256SUMS / provenance.

What's removed

  • The auto-rename + `git push origin HEAD:main` step (was rejected by branch protection).
  • The `extract from CHANGELOG.md` logic (required maintaining a live `[Unreleased]` section or pre-release PR).
  • The per-version sections in in-repo `CHANGELOG.md` — that file is now a thin static pointer to the Releases page.

What stays

  • ✅ Signed binaries (cosign keyless, Rekor-anchored)
  • ✅ Signed SHA256SUMS
  • ✅ SLSA build provenance
  • ✅ BestPractices `release_notes` Met — release body is curated human-readable notes, CHANGELOG.md asset attached to every release

Files

  • `.github/workflows/release.yml` — adds `notes` input, replaces extract step with prepare-notes step, adds `dist/CHANGELOG.md` to release assets.
  • `CHANGELOG.md` — reduced to a static pointer file explaining the release procedure. No per-version entries to maintain.

Net: -117 / +41 lines.

Test plan (for v0.0.4)

  • Merge this PR

  • Run:

    ```sh
    gh workflow run release.yml --ref main \
      -f bump=patch \
      -f notes=$'### Changed\n\n- Drop auto-push from release workflow — notes now come from workflow input and are attached as CHANGELOG.md asset.\n- Thin in-repo CHANGELOG.md.\n\n### Upgrade impact\n\nDrop-in replacement.'
    ```

  • Confirm release v0.0.4 on GitHub:

    • Body has the curated notes + cosign verify footer
    • Assets include `CHANGELOG.md` with the same notes
    • Assets include signed binaries + SHA256SUMS
    • `.intoto.jsonl` provenance bundle uploaded

🤖 Generated with Claude Code

aksOps and others added 2 commits April 23, 2026 08:00
The previous design had release.yml auto-rename [Unreleased] → [X.Y.Z]
and push the rename commit back to main as github-actions[bot]. That
collided with branch protection on main:

    remote: error: GH013: Repository rule violations found for refs/heads/main.
    - Changes must be made through a pull request.
    - 3 of 3 required status checks are expected.
    - Commits must have verified signatures.

Rather than weakening branch protection or adding a bypass token, flip
the flow: the release workflow now ONLY reads from CHANGELOG.md. It
extracts `## [vX.Y.Z]` (or `## [X.Y.Z]`) and fails loudly if the section
is absent, instructing the maintainer to open a PR first.

Release procedure:

    1. Open PR: add `## [X.Y.Z] — YYYY-MM-DD` with curated bullets to
       CHANGELOG.md (or rename [Unreleased] to [X.Y.Z]).
    2. Merge it.
    3. `gh workflow run release.yml --ref main -f bump=patch`.

Benefits:
- CHANGELOG.md is only ever modified via normal PR review.
- Branch protection stays intact, no bot bypass needed.
- Release notes are reviewable before the release fires.
- Workflow has no `contents: write` side-effects to the source tree.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@aksOps aksOps enabled auto-merge (squash) April 23, 2026 08:02
…sset

Previous design required maintaining a ## [vX.Y.Z] section in CHANGELOG.md
via a pre-release PR. User feedback: "no overhead" — don't make me
maintain CHANGELOG.md in-repo.

New design:

  1. release.yml accepts a `notes` input (Markdown). The maintainer
     provides the release notes at release time:

         gh workflow run release.yml --ref main \
           -f bump=patch \
           -f notes=$'### Changed\n\n- ...'

  2. The workflow uses `notes` verbatim as the GitHub release body,
     AND writes the same content to dist/CHANGELOG.md, uploaded as a
     release asset.

  3. In-repo CHANGELOG.md is now a thin static pointer to the Releases
     page. Zero per-release maintenance. No auto-commits. No pre-release
     PR.

This matches the user's "create a changelog.md file in release itself
with the content same as release note. no overhead" directive.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
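The flow described in the PR description's "What happens" list and in the second commit's "New design" section, as an added example that is not the project's release.yml: a `workflow_dispatch` job that takes `notes` as an input, writes it to `dist/CHANGELOG.md`, uses it as the release body and uploads it as an asset. Step names, the footer text and the earlier version-bump step that sets `steps.version.outputs.tag` are assumptions; the input is read through `env` rather than expanded inline so that Markdown in the notes is treated as data by the shell.

```yaml
# Added example, not the project's release.yml. Assumed: step names, the
# footer text, and an earlier step that sets steps.version.outputs.tag.
name: release

on:
  workflow_dispatch:
    inputs:
      bump:
        description: "Version bump: patch, minor or major"
        required: true
        default: patch
      notes:
        description: "Release notes (Markdown); becomes the release body"
        required: true

permissions:
  contents: write   # create the release and upload assets; nothing is pushed to main
  id-token: write   # cosign keyless signing

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # ... version bump, build, cosign signing of binaries and SHA256SUMS,
      #     SLSA provenance, all written into dist/ (assumed, omitted) ...

      - name: Prepare release notes
        # Pass the input through the environment instead of expanding
        # ${{ inputs.notes }} inside the script: Markdown containing
        # quotes, backticks or $(...) then stays data rather than shell.
        env:
          NOTES: ${{ inputs.notes }}
        run: |
          mkdir -p dist
          printf '%s\n' "$NOTES" > dist/CHANGELOG.md
          cp dist/CHANGELOG.md release-body.md
          printf '\n---\nVerify the assets with cosign before use.\n' >> release-body.md

      - name: Create release with CHANGELOG.md asset
        env:
          GH_TOKEN: ${{ github.token }}
          TAG: ${{ steps.version.outputs.tag }}
        run: |
          # dist/ holds binaries, .sig files, SHA256SUMS, provenance and CHANGELOG.md
          gh release create "$TAG" --title "$TAG" --notes-file release-body.md dist/*
```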
@aksOps aksOps changed the title from "ci(release): drop auto-push to main; require pre-release CHANGELOG PR" to "ci(release): notes via workflow input, attached as CHANGELOG.md asset (no repo maintenance)" Apr 23, 2026
@aksOps aksOps merged commit 8e9809f into main Apr 23, 2026
11 checks passed
@aksOps aksOps deleted the fix-release-no-autopush branch April 23, 2026 08:08