
Support immutable releases #374

Merged: martincostello merged 6 commits into main from gh-366 on Dec 17, 2025

@martincostello (Member) commented Dec 9, 2025

Changes

Refactor CI/CD processes to support using immutable releases.

The process is now:

  1. Run publish-release.yml, which creates a tag
  2. ci.yml runs, attaching the NuGet packages and SBOM to a draft release for the tag, which have their checksums computed
  3. The release is published by someone after human review
  4. publish-packages.yml runs and the NuGet packages are published to NuGet.org

TODO

  • Add secrets to Vault
  • Update GitHub token broker configuration
  • Verify generating GitHub tokens in ci.yml and publish-release.yml

Merge requirement checklist

  • Unit tests added/updated
  • CHANGELOG.md updated
  • Changes in public API reviewed (if applicable)

Run for all PR branches, not just main.
Refactor the release workflow to support immutable releases by adding a workflow to create a new tag, build that tag, create a release draft for it, then when undrafted publish the NuGet packages.

Resolves #366.
Copilot AI review requested due to automatic review settings December 9, 2025 10:33
@martincostello changed the title from "Gh 366" to "Support immutable releases" Dec 9, 2025
Allow AGPL for the create-github-app-token action.
Copilot AI left a comment

Pull request overview

This PR refactors the CI/CD processes to support immutable releases through a three-step workflow: creating a release tag, building and drafting a release, then publishing packages after human review.

Key changes:

  • Introduces new publish-release.yml workflow to create release tags
  • Adds publish-packages.yml workflow to publish NuGet packages after release approval
  • Refactors ci.yml to create draft releases with checksums and attached artifacts
  • Removes branch restrictions from workflow triggers to support multiple branches
  • Adds comprehensive release documentation in RELEASING.md

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 13 comments.

| File | Description |
| --- | --- |
| RELEASING.md | New documentation describing the immutable release process with step-by-step instructions |
| .github/workflows/publish-release.yml | New workflow that creates release tags, auto-incrementing versions if needed |
| .github/workflows/publish-packages.yml | New workflow that downloads, verifies, and publishes NuGet packages from releases |
| .github/workflows/ci.yml | Refactored to create draft releases with checksums and attach artifacts instead of directly publishing |
| .github/workflows/oats.yml | Removed branch restriction to allow PRs from any branch |
| .github/workflows/lint.yml | Removed branch restriction to allow PRs from any branch |
| .github/workflows/dotnet-format.yml | Removed branch restriction to allow PRs from any branch |
| .github/workflows/dependency-review.yml | Removed branch restriction to allow PRs from any branch |
| .github/workflows/codeql.yml | Removed branch restriction to allow PRs from any branch |
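
The checksum handling this pull request describes (computed when ci.yml drafts the release, verified before publish-packages.yml publishes), sketched as an added example that is not the project's workflow code. The function names and the `checksums.txt` manifest are assumptions, and GNU `sha256sum` is assumed.

```bash
#!/usr/bin/env bash
# Added example: write_checksums, verify_release_assets and checksums.txt
# are hypothetical names, not taken from the repository's workflows.

# Build side: record a SHA-256 for every package before it is attached
# to the draft release.
write_checksums() {
  local dir="$1"
  ( cd "$dir" && sha256sum -- *.nupkg > checksums.txt )
}

# Publish side: refuse to continue unless every listed package matches
# the manifest and every package present is listed in it.
verify_release_assets() {
  local dir="$1" pkg name
  [ -s "$dir/checksums.txt" ] || { echo "missing checksums.txt" >&2; return 1; }

  # A modified or missing package, or a malformed manifest line, fails here.
  ( cd "$dir" && sha256sum --check --strict --quiet checksums.txt ) >&2 || return 1

  # sha256sum only checks listed files, so a package added to the directory
  # without a manifest entry has to be caught separately.
  for pkg in "$dir"/*.nupkg; do
    [ -e "$pkg" ] || continue
    name="$(basename "$pkg")"
    awk -v f="$name" '{ sub(/^[0-9a-f]+ [ *]/, ""); if ($0 == f) found = 1 }
                      END { exit !found }' "$dir/checksums.txt" \
      || { echo "unlisted asset: $name" >&2; return 1; }
  done
  return 0
}

# Demo on a constructed file (not a real NuGet package).
demo_dir="$(mktemp -d)"
printf 'constructed package bytes' > "$demo_dir/Example.1.0.0.nupkg"
write_checksums "$demo_dir" && verify_release_assets "$demo_dir" && echo "assets verified"
rm -rf "$demo_dir"
```
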

- Fix link.
- Update wording.
- Explicitly set `GH_TOKEN`.
Test the GitHub app's permissions are set up correctly to generate a GitHub token.
Copilot AI review requested due to automatic review settings December 15, 2025 14:56
@martincostello marked this pull request as ready for review December 15, 2025 15:05
@martincostello requested a review from a team as a code owner December 15, 2025 15:05

Copilot AI left a comment

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.
