Split-job release workflow + --mode assertion flag#91
Open
theoephraim wants to merge 1 commit into
Open
Conversation
Add a `--mode <version-pr|publish>` flag to `bumpy ci release` so each job in a split-job release workflow can assert its expected runtime state and fail loudly on drift instead of silently routing. Updates the project's own release.yaml to use the recommended pattern: a `plan` job (no write perms) gates a `version-pr` job (PR-only creds) and a `publish` job (scoped to a new `publish` GitHub Environment with id-token: write), so npm trusted-publisher OIDC can be pinned to the environment and NPM_TOKEN exposure can be scoped via env secrets. Internal: ReleaseOptions field `mode: 'auto-publish' | 'version-pr'` renamed to `autoPublish: boolean` for clarity; new `assertMode` field carries the assertion. `--mode` + `--auto-publish` together is rejected at the CLI level. Docs: github-actions.md restructured to lead with the split-job workflow + environment setup, with the single-job version kept as a simplified alternative. Auto-publish flagged as not recommended.
|
The changes in this PR will be included in the next version bump.
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
--mode <version-pr|publish>tobumpy ci releasefor asserting the detected release mode (errors instead of silently smart-routing when the runtime state doesn't match what the job expects). Cannot be combined with--auto-publish.planjob gating aversion-prjob (PR-write creds only) and apublishjob (environment: publish,id-token: writefor npm trusted publishing).Why
Without a split, every push to main runs a job with
id-token: write(orNPM_TOKENin env) — even when the workflow is only updating the Version Packages PR. The split scopes those credentials to the publish job only and lets the npm trusted publisher be pinned to a specific GitHub Environment so rogue workflow files in the repo can't request a valid OIDC token.The
--modeflag turns the split's implicitif:gate into an explicit runtime assertion: if the publish job somehow runs while bump files are still present (a race, weird merge, or someone manually re-triggers it), it fails fast instead of silently falling into the version-pr code path.Notable internals
ReleaseOptions.mode: 'auto-publish' | 'version-pr'renamed toautoPublish: boolean— cleaner CLI-flag-to-internal mapping. The only caller is packages/bumpy/src/cli.ts.ciReleaseCommandnow computesdetectedModeonce and consolidates the two near-identical "fall through to publish" branches.Test plan
bun run check— typecheck + format cleanbun run test— 225 tests passplan→version-prpath here, since this PR itself ships with a bump file)publishenvironment in repo settings + pin the npm trusted publisher to it before the next publish run🤖 Generated with Claude Code