Skip to content

feat: add release announcement discussion to release-labeler#23

Merged
CybotTM merged 2 commits into
mainfrom
feat/release-announcements
Feb 22, 2026
Merged

feat: add release announcement discussion to release-labeler#23
CybotTM merged 2 commits into
mainfrom
feat/release-announcements

Conversation

@CybotTM

@CybotTM CybotTM commented Feb 22, 2026

Copy link
Copy Markdown
Member

Summary

  • Add announce-release job to release-labeler.yml.template that creates a GitHub Discussion in the Announcements category on each release publish
  • Category ID resolved dynamically via GraphQL query by name (portable across repos without hardcoded IDs)
  • Duplicate detection checks first 100 discussions by title before creating
  • Discussion body passed via file (-F body=@file) to avoid shell expansion issues with release notes
  • Top-level permissions reduced to contents: read only; each job declares its own permissions (discussions: write for announce-release, issues: write + pull-requests: write for label-release)
  • Uses step-security/harden-runner@v2.14.2 for egress auditing
  • Updated release-labeling.md reference docs with new "Release Announcements" section and setup instructions

Test plan

  • Verify YAML syntax is valid
  • Adopt template in a test repository with Discussions enabled and publish a release
  • Confirm discussion is created in Announcements category
  • Confirm duplicate detection skips on re-publish
  • Confirm graceful skip when Announcements category does not exist

Add announce-release job that creates a GitHub Discussion in the
Announcements category when a release is published. Category ID is
resolved dynamically via GraphQL (portable across repos), duplicates
are checked against the first 100 discussions, and the body is passed
via file to avoid shell expansion issues with release notes.

Top-level permissions reduced to contents:read only, with job-level
permissions for each job (discussions:write for announce-release,
issues:write + pull-requests:write for label-release).

Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
@gemini-code-assist

Copy link
Copy Markdown
Contributor

Summary of Changes

Hello @CybotTM, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the release-labeler workflow by introducing automated release announcements. It streamlines the communication process for new software versions by publishing them directly to GitHub Discussions, thereby increasing visibility and engagement with the community without requiring manual intervention.

Highlights

  • New Release Announcement Job: Added an announce-release job to the release-labeler.yml.template workflow to automate the creation of GitHub Discussions.
  • Automated Discussion Creation: Implemented automatic creation of GitHub Discussions in the 'Announcements' category upon each release publication.
  • Dynamic Category Resolution: Enabled dynamic resolution of the 'Announcements' category ID using GraphQL, ensuring the workflow is portable across repositories.
  • Duplicate Discussion Detection: Incorporated logic to check for existing discussions by release tag, preventing the creation of duplicate announcements.
  • Secure Discussion Body Handling: Ensured safe construction of discussion bodies by passing content via a temporary file, avoiding shell expansion issues with release notes.
  • Refined Workflow Permissions: Refactored workflow permissions to use minimal top-level contents: read and job-specific permissions (discussions: write for announcements, issues: write and pull-requests: write for labeling).
  • Security Hardening: Integrated step-security/harden-runner for enhanced security through egress auditing in the announcement job.
  • Updated Documentation: Updated the release-labeling.md documentation with a new 'Release Announcements' section and detailed setup instructions.
Changelog
  • skills/github-project/assets/release-labeler.yml.template
    • Introduced a new announce-release job responsible for creating GitHub Discussion announcements.
    • Updated workflow comments and usage instructions to reflect the new announcement feature and required permissions.
    • Adjusted top-level workflow permissions to contents: read and defined specific permissions for each job (discussions: write for announce-release, issues: write and pull-requests: write for label-release).
    • Added a step to dynamically resolve the 'Announcements' discussion category ID using a GraphQL query.
    • Implemented logic to check for existing discussions by release tag to prevent duplicates.
    • Ensured the discussion body is safely constructed and passed to the GraphQL mutation.
    • Integrated step-security/harden-runner for security hardening.
  • skills/github-project/references/release-labeling.md
    • Revised the workflow overview to include the new discussion announcement step.
    • Added a dedicated 'Release Announcements' section detailing its functionality, implementation, and setup requirements.
    • Updated the 'Ensure permissions' section to include the discussions: write permission.
    • Modified the setup instructions to guide users on enabling GitHub Discussions.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces a new feature to automatically create release announcement discussions in the repository's 'Announcements' category. However, a high-severity command injection vulnerability was identified in the label-release job due to unquoted shell variables in a gh api call, which could lead to arbitrary command execution from malicious tag names. This should be addressed by properly quoting the variables. Additionally, a few improvements have been suggested to ensure security consistency across jobs and enhance the robustness of the shell scripts.

Comment thread skills/github-project/assets/release-labeler.yml.template Outdated
Comment thread skills/github-project/assets/release-labeler.yml.template
- Use env vars instead of GitHub expressions in duplicate check query
- Add -- to grep to handle tags starting with hyphen
- Add harden-runner to label-release job for consistent security

Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
@CybotTM CybotTM merged commit 8ac095e into main Feb 22, 2026
6 checks passed
@CybotTM CybotTM deleted the feat/release-announcements branch February 22, 2026 12:38
CybotTM added a commit that referenced this pull request Mar 30, 2026
… guide

Add GH-23 through GH-29 checkpoints covering auto-merge workflow trigger,
bot detection, merge flags, and strategy detection. Extend SKILL.md with
a new-repo checklist and pitfalls table. Add canonical workflow template
to auto-merge-guide.md with design decision rationale.
CybotTM added a commit that referenced this pull request Apr 24, 2026
Two review-driven fixes addressing 12 inline comments from
copilot-pull-request-reviewer and gemini-code-assist:

1. **Optional quoting after uses:** YAML allows uses: foo,
   uses: 'foo', and uses: "foo". The previous regex only matched the
   unquoted form, so a perfectly-correct quoted reusable-workflow
   delegation would fail. Pattern updated to allow optional ' or "
   after the colon+whitespace.

2. **auto-merge.yml as alternate filename**: GH-23 already accepts
   either auto-merge-deps.yml or auto-merge.yml, but GH-24..27
   targeted only auto-merge-deps.yml. Repos using auto-merge.yml
   would error on missing-target. Switched target to glob
   .github/workflows/auto-merge*.yml so both filenames work.

Verified against:
- netresearch/t3x-nr-llm (auto-merge-deps.yml, unquoted uses): pass
- fabricated auto-merge.yml fixture with quoted uses: pass

Signed-off-by: Sebastian Mendel <sebastian.mendel@netresearch.de>
CybotTM added a commit that referenced this pull request May 4, 2026
…allowlist

The automated-assessment runner enforces a command allowlist that rejects
command-chaining metacharacters (; && || backticks $()) and only accepts
specific base commands. Four checkpoints failed allowlist validation and
were never actually evaluated against target projects.

GH-6 and GH-23 used `test -f X || test -f Y` chains to test for any of
several files. Rewritten as `type: file_exists` with brace expansion,
which is the runner's first-class idiom for "any of these files".

GH-30 and GH-31 used multi-line YAML literal-block scalars (`target: |`)
to invoke `gh api` for branch protection audits. The runner's simple
line parser sees the literal-block indicator as the first token and
rejects with "'|' not in allowed command whitelist". Even with the
allowlist passing, these cannot be executed mechanically — they require
GitHub API auth context. Converted to `type: gh_api`, which the runner
recognises and skips with a clear evidence string. The semantically
equivalent audit is preserved in GH-32 (llm_reviews).
CybotTM added a commit that referenced this pull request May 4, 2026
…ert GH-5 demotion

Addresses PR #69 review feedback:

GH-2 (Copilot, Gemini): added missing license filenames the skill itself
documents — COPYING, COPYING.md, COPYING.txt, LICENSE-BSD-2-Clause,
LICENSE-BSD-3-Clause, LICENSE-GPL-2.0, LICENSE-GPL-3.0, LICENSE-LGPL,
LICENSE-LGPL-3.0, LICENSE-AGPL-3.0, LICENSE-MPL-2.0.

GH-5 (Copilot): reverted demotion to info — CODEOWNERS must exist in the
repository itself on the default branch (.github/, root, or docs/), and
the org-wide .github mechanism explicitly does NOT cover it (that
mechanism only provides templates and community-health files, never
review-routing rules). Severity restored to warning; description
corrected to remove the misleading org-wide claim.

GH-6 (Gemini): added .github/dependabot.yaml, renovate.json5, renovate
config variants, and the .json5 form for Renovate.

GH-13/14 (Gemini follow-on): brace-expanded targets to also accept
.github/dependabot.yaml.

GH-19/20/21 (Gemini): glob target now `.github/workflows/*.{yml,yaml}`
to match either extension.

GH-24..27 (Gemini): glob target now
`.github/workflows/auto-merge*.{yml,yaml}`.

Push-back on Copilot 'auto-merge.yml weakens GH-23' comment: GH-24..27
already use a glob (auto-merge*.yml — now expanded to *.{yml,yaml})
that matches both filenames, so adding auto-merge.yml to GH-23 does
not produce false failures downstream.

GH-30/31 desc: wrapped long lines as YAML folded scalars (no impact on
runner — these are gh_api types, the desc field is human-readable).

.yamllint.yml: line-length bumped 160 → 360 to accommodate single-line
brace-expansion targets that the runner cannot read as folded scalars
(the runner's parser is bash regex, not a YAML library).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant