fix(release): enforce binary-only release artifacts #246

Merged
jwilger merged 6 commits from issue-220-binary-only-release-artifacts into main 2026-05-18 10:09:59 -07:00
Owner

Why this change

  • See issue #220.
  • The branch also needed process/doc changes so PR and commit narratives remain complete across multi-commit work and to prevent future loss of review context.

What changed

  • Keep release behavior from issue #220 intact:
    • binary-only Linux release publication and publish-permission hardening remain unchanged.
  • Add and test Forgejo PR creation guardrails for issue-based branches:
    • .opencode/plugins/auto-review-forgejo.ts now requires a closure trailer in PR description/body only (Closes/Fixes/Resolves #<issue>).
    • .opencode/plugins/auto-review-forgejo.test.ts covers issue-branch trailer enforcement (including rejection when missing and title-only trailer usage).
  • Align Forgejo workflow guidance and command documentation to MCP-first usage and description-trailer policy:
    • AGENTS.md
    • .opencode/rules/forgejo.md
    • .opencode/agents/build.md
    • .opencode/commands/prepare-forgejo-pr.md
  • Improve commit and PR narrative standards so bodies explain why and include all branch work:
    • CONTRIBUTING.md
    • AGENTS.md commit-body guidance
    • .forgejo/pull_request_template.md
    • .opencode/commands/prepare-forgejo-pr.md
  • Clarify PR “Why” policy to allow concise issue-referencing rationale (See issue #<N>) while still requiring scope-complete PR bodies.

Scope of this PR

  • Code+tests: .opencode/plugins/auto-review-forgejo.ts, .opencode/plugins/auto-review-forgejo.test.ts
  • Workflow/docs/rules: AGENTS.md, CONTRIBUTING.md, .forgejo/pull_request_template.md, .opencode/commands/prepare-forgejo-pr.md, .opencode/rules/forgejo.md, .opencode/agents/build.md
  • Existing release behavior updates from issue #220 remain included in earlier commits.

Validation

  • node --test --experimental-strip-types .opencode/plugins/auto-review-forgejo.test.ts
  • cargo fmt --all -- --check
  • cargo clippy --workspace --all-targets -- -D warnings
  • cargo nextest run --workspace --no-tests=pass
  • cargo deny check licenses bans sources
  • cargo build --workspace

Closes #220

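The description-trailer guard summarised above, as an added example rather than the project's own `.opencode/plugins/auto-review-forgejo.ts`: derive the issue number from an `issue-<N>-...` branch, accept the PR only when the description itself carries `Closes/Fixes/Resolves #<N>`, and reject the two cases the PR's tests name (no trailer at all, and a trailer present only in the title). The branch convention, the function names and the decision to flag a description that closes a different issue are assumptions, not the plugin's behaviour.

```typescript
// Added example (not the project's auto-review-forgejo.ts plugin): a
// pre-creation guard for PRs opened from issue-based branches.
// Assumptions: branches are named "issue-<N>-...", and trailers take the
// form "Closes #N", "Fixes: #N" or "Resolves #N" (case-insensitive).

export interface PrDraft {
  head: string;  // source branch, e.g. "issue-220-binary-only-release-artifacts"
  title: string;
  body: string;  // PR description as it will be submitted
}

export interface GuardResult {
  ok: boolean;
  issue: number | null;  // issue number derived from the branch name
  reason: string;
}

const ISSUE_BRANCH = /^issue-(\d+)(?:-|$)/;
const CLOSURE_TRAILER = /\b(?:closes|fixes|resolves):?\s+#(\d+)\b/gi;

// Returns the issue number an "issue-<N>-..." branch refers to, else null.
export function issueFromBranch(head: string): number | null {
  const m = ISSUE_BRANCH.exec(head);
  return m ? Number(m[1]) : null;
}

// Every issue number referenced by a closure trailer in the given text.
export function closureTrailers(text: string): number[] {
  const found: number[] = [];
  for (const m of text.matchAll(CLOSURE_TRAILER)) found.push(Number(m[1]));
  return found;
}

export function checkClosureTrailer(pr: PrDraft): GuardResult {
  const issue = issueFromBranch(pr.head);
  if (issue === null) {
    return { ok: true, issue, reason: "not an issue-based branch; no trailer required" };
  }
  const inBody = closureTrailers(pr.body);
  if (inBody.includes(issue)) {
    return { ok: true, issue, reason: `description closes #${issue}` };
  }
  // Title-only trailers are rejected: the policy wants the trailer in the description.
  if (closureTrailers(pr.title).includes(issue)) {
    return {
      ok: false,
      issue,
      reason: `"Closes #${issue}" appears only in the title; move it into the PR description`,
    };
  }
  if (inBody.length > 0) {
    // Assumption: closing a different issue does not satisfy the branch's own issue.
    return {
      ok: false,
      issue,
      reason: `description closes #${inBody.join(", #")} but the branch is for #${issue}`,
    };
  }
  return {
    ok: false,
    issue,
    reason: `missing closure trailer; add "Closes #${issue}" to the PR description`,
  };
}

// Constructed sample: the shape of this very PR, which should pass.
export const samplePr: PrDraft = {
  head: "issue-220-binary-only-release-artifacts",
  title: "fix(release): enforce binary-only release artifacts",
  body: "Why this change\n\n- See issue #220.\n\nCloses #220\n",
};
```

Run the guard before the create-PR call and again on every description edit, since the trailer can be removed after creation. The regex only matches same-repository references (`#N`); cross-repository forms such as `owner/repo#N` are not handled here.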
fix(release): enforce binary-only release artifacts
All checks were successful
CI / Format check (pull_request) Successful in 6s
CI / Dependency policy (pull_request) Successful in 12s
CI / Build (pull_request) Successful in 33s
CI / Request auto_review semantic review (pull_request) Successful in 1s
CI / Build PR artifacts (no token) (pull_request) Successful in 2s
auto_review auto_review: no findings
CI / Clippy (pull_request) Successful in 40s
CI / Test (pull_request) Successful in 53s
aaf4423622
Require release publish workflow to keep token-bearing guard to release metadata only and publish Linux archive/checksum/signature/SBOM/provenance assets. Update workflow contract tests and operations/threat docs to match binary-only posture.
auto-review approved these changes 2026-05-18 09:48:39 -07:00
Dismissed
auto-review left a comment

The PR enforces a binary-only release process, updating workflows and documentation to reflect this change. It removes legacy Docker references and ensures only specific release metadata files are allowed for token-bearing publish operations. The changes appear safe to merge.

Walkthrough

  • release-prepare.yml: Updated wording to specify Linux release-candidate tarball artifacts.
  • release-publish.yml: Restricted token-bearing publish operations to specific release metadata files.
  • ci_workflow_contract.rs: Added tests to ensure only binary release assets are created and non-release metadata file diffs are rejected.
  • OPERATIONS.md & THREAT-MODEL.md: Updated documentation to reflect the binary-only release process and the scope of release publishing credentials.
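The contract the commit and review describe, as an added example that is not the project's `release-publish.yml` or `ci_workflow_contract.rs`: the token-bearing publish step may upload only a Linux archive together with its checksum, signature, SBOM and provenance, and may change only release metadata files. Asset naming, the metadata allowlist and the requirement that each archive have a same-named `.sha256` and `.sig` companion are assumptions made for the illustration.

```typescript
// Added example (not the project's workflow or contract tests): a checker for
// a binary-only, least-privilege publish step. Assumptions: archives are named
// "*-linux-<arch>.tar.gz", checksums/signatures are "<archive>.sha256" and
// "<archive>.sig", SBOMs are SPDX or CycloneDX JSON, provenance is in-toto JSONL,
// and the token-bearing step may only touch the metadata files listed below.

export type AssetKind = "archive" | "checksum" | "signature" | "sbom" | "provenance";

const ASSET_PATTERNS: ReadonlyArray<[AssetKind, RegExp]> = [
  ["provenance", /\.intoto\.jsonl$/],
  ["sbom", /\.(?:spdx|cdx)\.json$/],
  ["signature", /\.sig$/],
  ["checksum", /\.sha256$/],
  ["archive", /-linux-[a-z0-9_]+\.tar\.gz$/],
];

const METADATA_ALLOWLIST: ReadonlySet<string> = new Set(["CHANGELOG.md", "Cargo.toml", "Cargo.lock"]);

// Classifies a release asset by name; anything unrecognised (a Docker image
// tarball, a stray log, a source bundle) is not a binary release artifact.
export function classifyAsset(name: string): AssetKind | null {
  for (const [kind, re] of ASSET_PATTERNS) if (re.test(name)) return kind;
  return null;
}

// Returns a list of policy violations; empty means the publish step is in scope.
export function checkPublishScope(assets: string[], changedPaths: string[]): string[] {
  const problems: string[] = [];
  const byKind = new Map<AssetKind, string[]>();

  for (const asset of assets) {
    const kind = classifyAsset(asset);
    if (kind === null) {
      problems.push(`asset "${asset}" is not a binary release artifact`);
      continue;
    }
    byKind.set(kind, [...(byKind.get(kind) ?? []), asset]);
  }

  const archives = byKind.get("archive") ?? [];
  if (archives.length === 0) problems.push("no Linux archive among the assets");
  // Each archive needs its own checksum and signature alongside it.
  for (const archive of archives) {
    for (const suffix of [".sha256", ".sig"]) {
      if (!assets.includes(archive + suffix)) problems.push(`missing ${archive + suffix}`);
    }
  }
  for (const kind of ["sbom", "provenance"] as const) {
    if (!byKind.has(kind)) problems.push(`missing ${kind} for the release`);
  }

  // The step that holds the publish token may not rewrite anything but metadata.
  for (const path of changedPaths) {
    if (!METADATA_ALLOWLIST.has(path)) problems.push(`token-bearing step may not modify "${path}"`);
  }
  return problems;
}

// Constructed sample release that satisfies the posture.
export const sampleAssets: string[] = [
  "app-v1.2.3-linux-x86_64.tar.gz",
  "app-v1.2.3-linux-x86_64.tar.gz.sha256",
  "app-v1.2.3-linux-x86_64.tar.gz.sig",
  "app-v1.2.3.spdx.json",
  "app-v1.2.3.intoto.jsonl",
];
```

The checker is meant to run inside the workflow before the upload step, with `changedPaths` taken from the diff the publish job intends to commit; a non-empty result should fail the job so the token is never used outside its intended scope.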
docs: align Forgejo workflow guidance
All checks were successful
CI / Format check (pull_request) Successful in 5s
CI / Clippy (pull_request) Successful in 39s
CI / Request auto_review semantic review (pull_request) Successful in 1s
CI / Dependency policy (pull_request) Successful in 10s
CI / Test (pull_request) Successful in 53s
CI / Build (pull_request) Successful in 34s
CI / Build PR artifacts (no token) (pull_request) Successful in 2s
auto_review auto_review: no findings
c13e0e8026
jwilger dismissed auto-review's review 2026-05-18 09:59:33 -07:00
Reason:

New commits pushed, approval review dismissed automatically according to repository settings

auto-review approved these changes 2026-05-18 10:01:09 -07:00
Dismissed
auto-review left a comment

The PR introduces a policy to enforce closure trailers in PR descriptions for issue-based branches, with corresponding tests and documentation updates. The changes appear well-structured and safe to merge.

Walkthrough

Δ since aaf4423:

  • Policy Enforcement: .opencode/plugins/auto-review-forgejo.ts now enforces that PRs from issue-based branches include a closure trailer in the description.
  • Testing: New tests in .opencode/plugins/auto-review-forgejo.test.ts ensure the policy is correctly enforced.
  • Documentation: Updated several markdown files to reflect the new policy and preferred usage of Forgejo MCP tools over tea for PR creation.
docs: require why in commit and PR bodies
All checks were successful
CI / Dependency policy (pull_request) Successful in 11s
CI / Test (pull_request) Successful in 51s
CI / Build PR artifacts (no token) (pull_request) Successful in 2s
auto_review auto_review: no findings
CI / Format check (pull_request) Successful in 5s
CI / Clippy (pull_request) Successful in 39s
CI / Build (pull_request) Successful in 33s
CI / Request auto_review semantic review (pull_request) Successful in 1s
1250ca102e
Why:
- PR and commit histories were not consistently recording rationale, making review context and future audits harder to follow.

What:
- Codified a why-first message format in AGENTS.md and CONTRIBUTING.md.
- Updated PR template to require Why/What/Consequences sections.
- Updated the PR-prep command checklist to check message-body rationale before gates.

Validation:
- docs-only change (no runtime checks run).
jwilger dismissed auto-review's review 2026-05-18 10:02:44 -07:00
Reason:

New commits pushed, approval review dismissed automatically according to repository settings

auto-review approved these changes 2026-05-18 10:04:22 -07:00
Dismissed
auto-review left a comment

This PR updates documentation and templates to enforce a 'Why' / 'What' / 'Validation' format for PR and commit messages, improving clarity and context for future reviews. The changes appear safe to merge.

Walkthrough

  • .forgejo/pull_request_template.md: Updated to include 'Why this change', 'What changed', and 'Consequences' sections, emphasizing the importance of context in PR descriptions.
  • .opencode/commands/prepare-forgejo-pr.md: Introduced a structured format for commit messages, ensuring contributors provide context and validation for their changes.
  • AGENTS.md: Added a template for commit messages that includes 'Why', 'What', and 'Validation' sections, promoting better documentation of changes.
  • CONTRIBUTING.md: Reinforced the structured commit message format, aiding in the documentation of the rationale behind changes.
docs: require PR body to cover branch scope
All checks were successful
CI / Format check (pull_request) Successful in 6s
CI / Clippy (pull_request) Successful in 39s
CI / Test (pull_request) Successful in 52s
CI / Build (pull_request) Successful in 32s
CI / Dependency policy (pull_request) Successful in 10s
CI / Request auto_review semantic review (pull_request) Successful in 1s
CI / Build PR artifacts (no token) (pull_request) Successful in 2s
auto_review auto_review: no findings
4205ed6586
Why:
- Branch-level PR descriptions were missing requirements to account for all committed work, creating incomplete review context when multiple commits land together.

What:
- Clarified commit/PR body rules to require PR titles stay concise and branch-level bodies list all changes.
- Added branch-scope check guidance to the PR body template and PR prep command.
- Updated release/Forgejo workflow docs to reinforce the new conventions.

Validation:
- docs-only change (no runtime tests run).
jwilger dismissed auto-review's review 2026-05-18 10:04:41 -07:00
Reason:

New commits pushed, approval review dismissed automatically according to repository settings

auto-review approved these changes 2026-05-18 10:06:18 -07:00
Dismissed
auto-review left a comment

This PR enhances the documentation and templates to ensure that PR descriptions capture the full scope of changes in a branch, not just the latest commit. It aligns the contribution guidelines and templates with this approach, promoting comprehensive documentation for reviewers.

docs: clarify PR why requirements
All checks were successful
CI / Format check (pull_request) Successful in 6s
CI / Test (pull_request) Successful in 54s
CI / Build (pull_request) Successful in 33s
CI / Clippy (pull_request) Successful in 41s
CI / Dependency policy (pull_request) Successful in 13s
CI / Request auto_review semantic review (pull_request) Successful in 1s
CI / Build PR artifacts (no token) (pull_request) Successful in 2s
auto_review auto_review: no findings
d9000b89b3
Why:
- PR rationale was still ambiguous in practice, especially for issue-linked work, and rule text did not consistently permit concise issue-based Why statements.

What:
- Clarified AGENTS/CONTRIBUTING and PR workflow command templates so Why sections may legitimately be .
- Updated the PR template to enforce complete Why coverage for all-branch work while allowing issue-referencing Why lines.
- Kept PR-body-scope guidance explicit for branch-wide changes.

Validation:
- docs-only update (no runtime validation run).
jwilger dismissed auto-review's review 2026-05-18 10:07:09 -07:00
Reason:

New commits pushed, approval review dismissed automatically according to repository settings

auto-review left a comment

The PR introduces changes to enforce binary-only release artifacts and adds guardrails for Forgejo PR creation, requiring issue closure trailers in PR descriptions. Documentation and templates have been updated to reflect these changes. The updates appear safe to merge.

Walkthrough

Δ since 4205ed6:

  • Documentation and Templates:
    • Updated .forgejo/pull_request_template.md, .opencode/commands/prepare-forgejo-pr.md, AGENTS.md, and CONTRIBUTING.md to allow concise issue-referencing rationale in PR descriptions.
    • Emphasized the importance of including a closure trailer in PR descriptions to ensure issues are automatically closed upon merging.
Reference
Slipstream/auto_review!246