feat: add release announcement discussion to release-labeler#23
Add announce-release job that creates a GitHub Discussion in the Announcements category when a release is published. Category ID is resolved dynamically via GraphQL (portable across repos), duplicates are checked against the first 100 discussions, and the body is passed via file to avoid shell expansion issues with release notes. Top-level permissions reduced to `contents: read` only, with job-level permissions for each job (`discussions: write` for announce-release, `issues: write` + `pull-requests: write` for label-release).

Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
Summary of Changes (Gemini Code Assist)

This pull request significantly enhances the release-labeler workflow by introducing automated release announcements. It streamlines the communication process for new software versions by publishing them directly to GitHub Discussions, thereby increasing visibility and engagement with the community without requiring manual intervention.
Code Review
This pull request introduces a new feature to automatically create release announcement discussions in the repository's 'Announcements' category. However, a high-severity command injection vulnerability was identified in the `label-release` job due to unquoted shell variables in a `gh api` call, which could lead to arbitrary command execution from malicious tag names. This should be addressed by properly quoting the variables. Additionally, a few improvements have been suggested to ensure security consistency across jobs and enhance the robustness of the shell scripts.
- Use env vars instead of GitHub expressions in duplicate check query
- Add `--` to grep to handle tags starting with hyphen
- Add harden-runner to label-release job for consistent security

Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
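As an added example (not code from this PR or its template), the duplicate check, tag validation and release-body hand-off written the way this commit describes: release data arrives through environment variables rather than inline `${{ }}` expressions, grep gets `--`, and the body goes to a file for `-F body=@file`. The `Release <tag>` title format and the tag-character allowlist are this example's assumptions, not rules from the PR.

```shell
#!/usr/bin/env bash
# Added example, not code from the PR: the pieces of the announce-release
# step that handle untrusted release data. Values arrive as environment
# variables (what a workflow `env:` block provides) and are only ever used
# quoted, never spliced into the script through ${{ }} expressions that
# the shell would re-parse as commands.
set -eu

# valid_tag_name TAG
#   Defence in depth before the tag reaches any gh/git call: accept only
#   characters a release tag legitimately uses. The allowlist is this
#   example's assumption, not a rule from the PR.
valid_tag_name() {
  case "$1" in
    ''|*[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# discussion_exists TAG TITLES
#   TITLES is a newline-separated list of existing discussion titles (in
#   the workflow: the first 100 discussions returned by the GraphQL
#   query). Succeeds if one of them equals the assumed "Release TAG" title.
discussion_exists() {
  # -F fixed string, -x whole line, -q no output; `--` ends option
  # parsing so a tag such as "-rc1" cannot be read as a grep flag.
  printf '%s\n' "$2" | grep -Fxq -- "Release $1"
}

# write_body_file BODY PATH
#   Writes the release notes verbatim so the workflow can hand them to
#   `gh api ... -F body=@PATH`; nothing in the notes is shell-expanded.
write_body_file() {
  printf '%s' "$1" > "$2"
}

# Stand-alone demo with constructed inputs (in the workflow they come from
# an env: block, e.g. RELEASE_TAG: ${{ github.event.release.tag_name }}).
demo_tag="-rc1"
demo_titles="$(printf 'Release v1.0.0\nRelease -rc1')"
if valid_tag_name "$demo_tag" && discussion_exists "$demo_tag" "$demo_titles"; then
  echo "announcement for $demo_tag already exists, skipping"
else
  echo "would create discussion: Release $demo_tag"
fi
```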
Two review-driven fixes addressing 12 inline comments from copilot-pull-request-reviewer and gemini-code-assist:

1. **Optional quoting after `uses:`**: YAML allows `uses: foo`, `uses: 'foo'`, and `uses: "foo"`. The previous regex only matched the unquoted form, so a perfectly-correct quoted reusable-workflow delegation would fail. Pattern updated to allow optional `'` or `"` after the colon+whitespace.
2. **auto-merge.yml as alternate filename**: GH-23 already accepts either auto-merge-deps.yml or auto-merge.yml, but GH-24..27 targeted only auto-merge-deps.yml. Repos using auto-merge.yml would error on missing-target. Switched target to glob `.github/workflows/auto-merge*.yml` so both filenames work.

Verified against:
- netresearch/t3x-nr-llm (auto-merge-deps.yml, unquoted uses): pass
- fabricated auto-merge.yml fixture with quoted uses: pass

Signed-off-by: Sebastian Mendel <sebastian.mendel@netresearch.de>
…allowlist

The automated-assessment runner enforces a command allowlist that rejects command-chaining metacharacters (`;`, `&&`, `||`, backticks, `$()`) and only accepts specific base commands. Four checkpoints failed allowlist validation and were never actually evaluated against target projects.

GH-6 and GH-23 used `test -f X || test -f Y` chains to test for any of several files. Rewritten as `type: file_exists` with brace expansion, which is the runner's first-class idiom for "any of these files".

GH-30 and GH-31 used multi-line YAML literal-block scalars (`target: |`) to invoke `gh api` for branch protection audits. The runner's simple line parser sees the literal-block indicator as the first token and rejects with "'|' not in allowed command whitelist". Even with the allowlist passing, these cannot be executed mechanically; they require GitHub API auth context. Converted to `type: gh_api`, which the runner recognises and skips with a clear evidence string. The semantically equivalent audit is preserved in GH-32 (llm_reviews).
…ert GH-5 demotion

Addresses PR #69 review feedback:

- GH-2 (Copilot, Gemini): added missing license filenames the skill itself documents: COPYING, COPYING.md, COPYING.txt, LICENSE-BSD-2-Clause, LICENSE-BSD-3-Clause, LICENSE-GPL-2.0, LICENSE-GPL-3.0, LICENSE-LGPL, LICENSE-LGPL-3.0, LICENSE-AGPL-3.0, LICENSE-MPL-2.0.
- GH-5 (Copilot): reverted demotion to info. CODEOWNERS must exist in the repository itself on the default branch (.github/, root, or docs/), and the org-wide .github mechanism explicitly does NOT cover it (that mechanism only provides templates and community-health files, never review-routing rules). Severity restored to warning; description corrected to remove the misleading org-wide claim.
- GH-6 (Gemini): added .github/dependabot.yaml, renovate.json5, renovate config variants, and the .json5 form for Renovate.
- GH-13/14 (Gemini follow-on): brace-expanded targets to also accept .github/dependabot.yaml.
- GH-19/20/21 (Gemini): glob target now `.github/workflows/*.{yml,yaml}` to match either extension.
- GH-24..27 (Gemini): glob target now `.github/workflows/auto-merge*.{yml,yaml}`.
- Push-back on Copilot 'auto-merge.yml weakens GH-23' comment: GH-24..27 already use a glob (auto-merge*.yml, now expanded to *.{yml,yaml}) that matches both filenames, so adding auto-merge.yml to GH-23 does not produce false failures downstream.
- GH-30/31 desc: wrapped long lines as YAML folded scalars (no impact on runner; these are gh_api types, the desc field is human-readable).
- .yamllint.yml: line-length bumped 160 → 360 to accommodate single-line brace-expansion targets that the runner cannot read as folded scalars (the runner's parser is bash regex, not a YAML library).
Summary
- `announce-release` job in `release-labeler.yml.template` that creates a GitHub Discussion in the Announcements category on each release publish
- Release body passed via file (`-F body=@file`) to avoid shell expansion issues with release notes
- Top-level permissions: `contents: read` only; each job declares its own permissions (`discussions: write` for announce-release, `issues: write` + `pull-requests: write` for label-release)
- `step-security/harden-runner@v2.14.2` for egress auditing
- `release-labeling.md` reference docs: new "Release Announcements" section and setup instructions

Test plan