fix(release): keep release jobs containerized #159

Merged
jwilger merged 2 commits from fix/release-publish-native-nix-path into main 2026-05-07 23:09:47 -07:00
Owner

Summary

  • Move release-publish back to the Docker runner and use the same container-local Nix install/cache path as CI.
  • Move semantic review requests back to the Docker runner; host service access should be provided by runner/container networking rather than native host execution.
  • Defer Linux aarch64 binary release archives until a dedicated Linux aarch64 build runner is available; final release assets now publish the x86_64 archive plus checksums, signature, SBOM, and provenance.
  • Update release tooling tests, operations docs, and threat model to match the containerized release boundary.

Runner-side follow-up

  • Fix the Forgejo runner Docker configuration/NixOS networking so job containers can reach host services on ports 8080 and 8090.
  • Fix the Docker credential helper configuration for the runner service so public image pulls do not try to call docker-credential-osxkeychain.

Validation

  • bash -n on extracted release-publish and semantic-review shell blocks
  • git diff --check -- changed workflow/docs/test files
  • nix build .#checks.x86_64-linux.release-tooling --print-build-logs
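The first validation step above ("bash -n on extracted ... shell blocks") is a small procedure worth having as a reusable script rather than something done by hand: pull every `run:` block out of the workflow YAML, dedent it, and hand each one to `bash -n`. The Python below is an added example, not a script from this repository; the workflow text it checks is constructed for the demo and is not the project's real release-publish workflow. It uses only the standard library (no PyYAML) and a deliberately small indentation-based scanner, which is enough for hand-written workflows but is not a general YAML parser.

```python
"""Syntax-check the shell blocks embedded in a Forgejo/GitHub-style workflow.

Added example: mirrors the "bash -n on extracted shell blocks" validation
step. SAMPLE_WORKFLOW is constructed for this demo; it is not the project's
real workflow file.
"""
import os
import re
import shutil
import subprocess
import tempfile

# Constructed sample: one well-formed step and one with an unterminated `if`.
SAMPLE_WORKFLOW = """\
jobs:
  release-publish:
    runs-on: docker
    steps:
      - name: Install Nix in the container
        run: |
          set -euo pipefail
          if [ ! -x /nix/var/nix/profiles/default/bin/nix ]; then
            echo "nix missing"
          fi
      - name: Broken step (constructed to fail bash -n)
        run: |
          if [ -d /nix ]; then
            echo "unterminated"
"""

# `run: |` / `run: >` block scalars, or a single-line `run: <command>`.
# Folded (`>`) scalars are treated like literal ones here; good enough for
# syntax checking, but folding would join lines if done properly.
RUN_BLOCK = re.compile(r"^(\s*)run:\s*(\|[-+]?|>[-+]?)?\s*(.*)$")
STEP_NAME = re.compile(r"^\s*-\s*name:\s*(.+?)\s*$")


def extract_run_blocks(workflow_text):
    """Return [(step_name, script)] for every `run:` key in the workflow."""
    lines = workflow_text.splitlines()
    blocks = []
    current_name = "<unnamed step>"
    i = 0
    while i < len(lines):
        line = lines[i]
        m_name = STEP_NAME.match(line)
        if m_name:
            current_name = m_name.group(1)
        m_run = RUN_BLOCK.match(line)
        if not m_run:
            i += 1
            continue
        key_indent = len(m_run.group(1))
        style, inline = m_run.group(2), m_run.group(3)
        if style is None:
            # single-line form, e.g. `run: echo hello`
            blocks.append((current_name, inline + "\n"))
            i += 1
            continue
        # block scalar: gather lines indented deeper than the `run:` key
        body = []
        i += 1
        while i < len(lines):
            nxt = lines[i]
            if nxt.strip() == "":
                body.append("")
                i += 1
                continue
            if len(nxt) - len(nxt.lstrip(" ")) <= key_indent:
                break
            body.append(nxt)
            i += 1
        # dedent by the first non-blank line's indentation
        first = next((b for b in body if b.strip()), "")
        strip = len(first) - len(first.lstrip(" "))
        script = "\n".join(b[strip:] if b.strip() else "" for b in body) + "\n"
        blocks.append((current_name, script))
    return blocks


def syntax_check(script):
    """Run `bash -n` (falling back to `sh -n`) on one script -> (ok, stderr)."""
    shell = shutil.which("bash") or shutil.which("sh")
    if shell is None:
        raise RuntimeError("no bash or sh available for syntax checking")
    with tempfile.NamedTemporaryFile("w", suffix=".sh", delete=False) as fh:
        fh.write(script)
        path = fh.name
    try:
        proc = subprocess.run([shell, "-n", path], capture_output=True, text=True)
    finally:
        os.unlink(path)
    return proc.returncode == 0, proc.stderr.strip()


def check_workflow(workflow_text):
    """Syntax-check every run: block -> [(step_name, ok, message)]."""
    return [(name, *syntax_check(script))
            for name, script in extract_run_blocks(workflow_text)]


if __name__ == "__main__":
    for name, ok, msg in check_workflow(SAMPLE_WORKFLOW):
        print(("OK  " if ok else "ERR ") + name + (f": {msg}" if msg else ""))
```

Note what `bash -n` does and does not cover: it parses the script and reports only syntax errors (an unterminated `if`, a stray `fi`, unbalanced quotes), so it is a cheap gate to run on every workflow change, but it says nothing about unset variables, failing commands, or missing tools inside the container; those only surface when the job actually runs, which is why the `nix build ... --print-build-logs` step is still listed alongside it.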
fix(release): find nix on native runner
All checks were successful
CI / Nix flake check (pull_request) Successful in 3m23s
CI / auto_review semantic review (pull_request) Successful in 0s
auto_review auto_review: no findings
915e793f32
auto-review approved these changes 2026-05-07 22:52:32 -07:00
Dismissed
auto-review left a comment

The PR updates the release-publish workflow to locate Nix through the NixOS system profile when the native runner's PATH is minimal, ensuring the workflow does not attempt to install Nix or use sudo. The changes appear safe to merge.

fix(release): keep release jobs containerized
All checks were successful
CI / Nix flake check (pull_request) Successful in 3m25s
CI / auto_review semantic review (pull_request) Successful in 0s
auto_review auto_review: no findings
Publish release / release-publish (pull_request) Has been skipped
b1f7f5edc8
jwilger dismissed auto-review's review 2026-05-07 22:58:19 -07:00
Reason:

New commits pushed, approval review dismissed automatically according to repository settings

jwilger changed title from fix(release): find nix on native runner to fix(release): keep release jobs containerized 2026-05-07 22:58:26 -07:00
auto-review left a comment

This PR transitions the release and semantic review jobs to run in Docker containers, simplifying the setup and aligning with CI practices. The aarch64 binary release is deferred, focusing on x86_64 for now. The changes appear safe to merge, but ensure Docker runner configurations are complete.

Walkthrough

Δ since 915e793:

  • CI Workflow Changes:
    • Semantic review jobs now run in Docker, simplifying network access and configuration.
    • Release-publish jobs also transition to Docker, with Nix installation handled within the container.
  • Release Process Adjustments:
    • Deferred aarch64 binary releases until a dedicated runner is available.
    • Updated documentation and tests to reflect the focus on x86_64 binaries.
  • Documentation Updates:
    • Operations and threat model documents updated to align with the new release process and architecture support.
jwilger deleted branch fix/release-publish-native-nix-path 2026-05-07 23:09:47 -07:00
Reference: Slipstream/auto_review!159