Skip to content

chore(release): drop deprecated with: block and workflow_dispatch.bump#66

Merged
CybotTM merged 1 commit into
mainfrom
chore/drop-deprecated-release-inputs
Apr 30, 2026
Merged

chore(release): drop deprecated with: block and workflow_dispatch.bump#66
CybotTM merged 1 commit into
mainfrom
chore/drop-deprecated-release-inputs

Conversation

@CybotTM

@CybotTM CybotTM commented Apr 30, 2026

Copy link
Copy Markdown
Member

Summary

Drops the now-deprecated bits from this caller's release workflow:

  • The workflow_dispatch: trigger and its bump input. The upstream reusable workflow's bump input has been documented DEPRECATED — ignored since the auto-bump job was removed; clicking "Run workflow" in the GitHub UI was a no-op.
  • The with: block (bump: only, or bump: + attest: for matrix-skill). attest was deprecated in netresearch/skill-repo-skill#79 when SLSA build provenance flipped from opt-in to always-on; bump has been deprecated for longer.
  • Stale comments on the id-token/attestations permission lines that referenced the old "when attest: true" phrasing.
 on:
   push:
     tags:
       - 'v*'
-  workflow_dispatch:
-    inputs:
-      bump:
-        description: 'Version bump type'
-        required: true
-        type: choice
-        options:
-          - patch
-          - minor
-          - major

 jobs:
   release:
     uses: netresearch/skill-repo-skill/.github/workflows/release.yml@main
-    with:
-      bump: ${{ inputs.bump }}
     permissions:
       contents: write          # release upload
-      id-token: write          # OIDC for sigstore (required when attest: true)
-      attestations: write      # GitHub native attestation API (required when attest: true)
+      id-token: write          # OIDC for sigstore (required by the attest job)
+      attestations: write      # GitHub native attestation API (required by the attest job)

Behaviour change

None. Releases still trigger on signed tag-push and produce SLSA-attested archives. The workflow_dispatch UI button did nothing functional already; this just removes the dead button.

Test plan

  • CI green on this PR
  • Next release of this repo continues to publish to the GitHub releases page with SLSA attestation, verifiable via gh attestation verify <archive>.zip --owner netresearch

Both inputs that this caller used to pass to the upstream reusable
release workflow are now deprecated/ignored:

  - `bump` was deprecated when the auto-bump job was removed from
    skill-repo-skill (releases now happen via signed tag-push only).
  - `attest` (matrix-skill only) was deprecated when SLSA build
    provenance flipped from opt-in to always-on in
    netresearch/skill-repo-skill#79.

Removing them keeps release.yml honest. Also drops the
workflow_dispatch trigger entirely — clicking "Run workflow" did
nothing useful since the upstream only acts on tag-push. Comments on
the id-token/attestations grants are normalized away from
"required when attest: true" to "required by the attest job".

Net effect: zero behaviour change. Releases continue to ship via
signed tag-push and produce SLSA-attested archives.
Copilot AI review requested due to automatic review settings April 30, 2026 09:03
@gemini-code-assist

Copy link
Copy Markdown
Contributor

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@github-actions

Copy link
Copy Markdown
Contributor

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@CybotTM CybotTM merged commit 285c6a3 into main Apr 30, 2026
13 checks passed
@CybotTM CybotTM deleted the chore/drop-deprecated-release-inputs branch April 30, 2026 09:09

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Removes deprecated/unused inputs and configuration from the repository’s release workflow caller, aligning it with the current behavior of the upstream reusable release workflow (netresearch/skill-repo-skill) and cleaning up permissions comments.

Changes:

  • Removed the workflow_dispatch trigger (and its unused bump input).
  • Dropped the deprecated with: bump: ... input passed to the reusable workflow.
  • Updated permission-line comments to reflect current attestation requirements.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@CybotTM CybotTM mentioned this pull request May 15, 2026
CybotTM added a commit that referenced this pull request May 15, 2026
## Release v2.14.0

Minor release. `.claude-plugin/plugin.json` and
`skills/github-project/SKILL.md` frontmatter `metadata.version` were
already synced to `2.14.0` on `main` via
[#74](#74) —
this PR is the empty release marker that closes the v2.13.1 → v2.14.0
window and triggers the signed-tag release.

### Highlights since v2.13.1

- **`agentic-workflows` reference** documenting `gh-aw` and `awf`
workflow-as-prompt tooling for autonomous GitHub Actions — new patterns
for running AI agents on PRs/issues without bespoke wiring
([#75](#75)).
- **AI reviewer pushback patterns** — handling Copilot/Sourcery review
comments that disagree with the codebase intent, including when to defer
and when to push back
([#66](#66),
[#74](#74)).
- **PR-merge / branch-protection / CodeQL gotchas** documented, plus
auto-detection of allowed merge strategy in the `--delete-branch`
snippet so the recipe doesn't break on repos with merge-commit-only
policies
([#69](#69),
[#71](#71),
[#72](#72)).
- **GraphQL `Repository.mergeQueue`** for queue detection — replaces a
brittle REST probe
([#70](#70)).
- **Assessment checkpoints overhaul**: new GH-34/GH-35/GH-36,
follow_uses delegation for CodeQL/Scorecard, org_provides for
community-health files, broader licence/Dependabot/workflow targets,
plus reusable-workflow-pitfalls reference. Multiple false-positive
findings demoted to `info` to reduce assessment noise
([#56](#56),
[#57](#57),
[#58](#58),
[#59](#59),
[#60](#60),
[#61](#61),
[#62](#62),
[#63](#63),
[#64](#64),
[#65](#65),
[#73](#73)).
- **npm distribution** — the skill now also ships via
`@netresearch/agent-skill-coordinator`
([#54](#54),
[#55](#55)).
- **Release pipeline hardening** — dropped the deprecated `with: bump:`
block + `workflow_dispatch.bump` input so releases happen exclusively
via locally-signed tags, plus SLSA-provenance permissions on the caller
([#52](#52),
[#53](#53)).

### Release plan

After merge: tag main with a signed annotated tag, push, the
`skill-repo-skill` reusable workflow publishes archives + SHA256SUMS
with cosign + SLSA attestation, then narrative notes get applied via `gh
release edit ... --notes-file`.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants