fix(release): use bot login for registry auth #112

Merged
jwilger merged 3 commits from fix/release-prepare-image-build into main 2026-05-06 10:19:14 -07:00
Owner

Summary

  • Use a dedicated RELEASE_BOT_LOGIN variable for skopeo registry authentication in release prepare and publish workflows.
  • Keep RELEASE_BOT_NAME for signed git commit attribution while documenting the separate registry login requirement.
  • Add release tooling contract coverage for the login split.

Verification

  • nix develop --command bash tests/release_tooling_test.sh

Fixes the release-prepare candidate image publish failure from run 218.

fix(release): use bot login for registry auth
Some checks failed
CI / auto_review semantic review (pull_request) Blocked by required conditions
CI / Nix flake check (pull_request) Has been cancelled
d08e82a586
fix(release): keep bot identity variable names
All checks were successful
CI / Nix flake check (pull_request) Successful in 2m49s
CI / auto_review semantic review (pull_request) Successful in 1s
auto_review auto_review: 2 warnings
c4e80f6a29
auto-review approved these changes 2026-05-06 10:06:34 -07:00
Dismissed
auto-review left a comment

The PR introduces checks for the presence of RELEASE_CANDIDATE_TOKEN and RELEASE_PUBLISH_TOKEN in the release workflows to prevent failures due to missing tokens. The changes appear safe to merge, ensuring better error handling and documentation for required environment variables.

Walkthrough

  • .forgejo/workflows/release-prepare.yml

    • Added a check to ensure RELEASE_CANDIDATE_TOKEN is set, preventing silent failures when the token is missing.
    • This change improves error handling by providing a clear error message if the token is not set.
  • .forgejo/workflows/release-publish.yml

    • Added a check to ensure RELEASE_PUBLISH_TOKEN is set, similar to the prepare workflow.
    • This ensures that the publish workflow does not proceed without the necessary authentication token.
  • tests/release_tooling_test.sh

    • Updated tests to verify that the workflows fail clearly when the required tokens are missing, ensuring that the new checks are effective.
Owner

🟡 Warning: Lines 7–10: Ensure that the RELEASE_CANDIDATE_TOKEN is set in the environment or documented as a required variable for the release-prepare workflow.

jwilger marked this conversation as resolved
Owner

🟡 Warning: Lines 7–10: Ensure that the RELEASE_PUBLISH_TOKEN is set in the environment or documented as a required variable for the release-publish workflow.

jwilger marked this conversation as resolved
fix(release): reuse publish token for candidates
All checks were successful
CI / Nix flake check (pull_request) Successful in 2m46s
CI / auto_review semantic review (pull_request) Successful in 2s
auto_review auto_review: 1 warning
Publish release / release-publish (pull_request) Has been skipped
14ad533d4e
jwilger dismissed auto-review's review 2026-05-06 10:10:58 -07:00
Reason:

New commits pushed, approval review dismissed automatically according to repository settings

auto-review left a comment

This PR updates the release workflows to use a single RELEASE_PUBLISH_TOKEN for both candidate and final image publication, simplifying the credential management. The changes appear safe to merge, but ensure that the new token setup is correctly configured in the environment.

Walkthrough

Δ since c4e80f6:

  • Workflow Changes:
    • .forgejo/workflows/release-prepare.yml: Updated to use RELEASE_PUBLISH_TOKEN instead of RELEASE_CANDIDATE_TOKEN for Docker image publication.
  • Documentation Updates:
    • docs/OPERATIONS.md and docs/THREAT-MODEL.md: Updated to reflect the new token usage and removed references to the candidate token.
  • Test Adjustments:
    • tests/release_tooling_test.sh: Adjusted to test for the presence of RELEASE_PUBLISH_TOKEN instead of RELEASE_CANDIDATE_TOKEN. Removed checks related to the candidate token.
Owner

🟡 Warning: Ensure that the RELEASE_PUBLISH_TOKEN is correctly set in the secrets and that it has the appropriate permissions for publishing to the registry.

jwilger marked this conversation as resolved
jwilger deleted branch fix/release-prepare-image-build 2026-05-06 10:19:14 -07:00
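
A contract check in the spirit of the login split and token checks discussed in this thread, as an added example; it is not the project's tests/release_tooling_test.sh. The workflow step, the `--dest-creds` invocation and the registry host are constructed assumptions.

```shell
# Added example: contract check for the registry-login split (not project code).
# All workflow text below is a constructed sample.

# Reads workflow text on stdin; exit status 0 only when:
#   1. no skopeo command references RELEASE_BOT_NAME (git attribution only),
#   2. a skopeo command references RELEASE_BOT_LOGIN,
#   3. RELEASE_PUBLISH_TOKEN is guarded (":?" expansion or -z test)
#      on or before the first skopeo command.
check_registry_auth_contract() {
  awk '
    { line = pending $0; pending = "" }
    # Join backslash-continued lines so a multi-line skopeo call is one unit.
    line ~ /\\$/ { sub(/\\$/, " ", line); pending = line; next }
    line ~ /RELEASE_PUBLISH_TOKEN:[?]/ ||
      line ~ /-z +"?[$][{]?RELEASE_PUBLISH_TOKEN/ { guard = 1 }
    line ~ /skopeo/ {
      if (!seen) { seen = 1; guarded = guard }
      if (line ~ /RELEASE_BOT_NAME/) bad = 1
      if (line ~ /RELEASE_BOT_LOGIN/) login = 1
    }
    END { exit (bad || !login || !guarded) }
  '
}

# Constructed step that honours the contract.
sample_workflow_ok() {
  cat <<'EOF'
      - name: Publish candidate image
        env:
          RELEASE_BOT_LOGIN: ${{ vars.RELEASE_BOT_LOGIN }}
          RELEASE_PUBLISH_TOKEN: ${{ secrets.RELEASE_PUBLISH_TOKEN }}
        run: |
          : "${RELEASE_PUBLISH_TOKEN:?RELEASE_PUBLISH_TOKEN is not set}"
          skopeo copy \
            --dest-creds "${RELEASE_BOT_LOGIN}:${RELEASE_PUBLISH_TOKEN}" \
            docker-archive:image.tar docker://registry.example/app:candidate
EOF
}

# Same step with the display name used as the registry user (the regression).
sample_workflow_bad() {
  sample_workflow_ok | sed 's/{RELEASE_BOT_LOGIN}/{RELEASE_BOT_NAME}/'
}

sample_workflow_ok | check_registry_auth_contract && echo "ok sample: contract holds"
sample_workflow_bad | check_registry_auth_contract || echo "bad sample: contract violated"
```

The check is purely textual: it confirms which variables the workflow references, not that the token stored in the forge has the registry permissions the last review warning asks about.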
Reference
Slipstream/auto_review!112