ci: add secure release pipeline (prepare-release workflows)#259
Merged
Conversation
Add two-stage release pipeline where appkit prepares artifacts and a private secure repo handles npm publishing via OIDC Trusted Publishing.
Changes:
- Update .release-it.json configs to disable git/github/npm operations, used for version calculation and changelog generation only
- Add prepare-release.yml workflow (push to main): builds, packs, and uploads artifacts with SHA256 digests for the secure repo to consume
- Add prepare-release-lakebase.yml for independent lakebase releases
- Add template dependency pinning lint step to CI (tools/check-template-deps.js)
- Remove old release.yml and release-lakebase.yml workflows
- Remove unused release and release:ci package.json scripts
- Update CLAUDE.md releasing section with new architecture
Signed-off-by: Pawel Kosiec <[email protected]>
- Remove stale -c .release-it.prepare.json from workflow version checks
- Add pull_request trigger to prepare-release for PR testing
- Split VERSION into separate meta artifact for faster poll reads
- Refactor check-template-deps.js to TypeScript
- Add secure repo usage comment to sync-versions.ts
Signed-off-by: Pawel Kosiec <[email protected]>
Project-level .npmrc caused E401 in nested npm install (dev-playground client postinstall). Match CI workflow pattern: use default ~/.npmrc. Signed-off-by: Pawel Kosiec <[email protected]>
Bare tsx isn't on PATH in CI runners — use pnpm exec tsx like all other workflow steps. Signed-off-by: Pawel Kosiec <[email protected]>
Add PR trigger to prepare-release-lakebase workflow and trivial changes to packages/appkit and packages/lakebase to produce releasable commits for version detection. TODO: revert before merging Signed-off-by: Pawel Kosiec <[email protected]>
release-it uses git describe by default, which only finds tags reachable from the current commit. On PR checkouts (merge commit), tags may not be reachable. Setting getLatestTagFromAllRefs: true considers all tags regardless of reachability. Also remove 2>/dev/null from version check to show release-it errors. Signed-off-by: Pawel Kosiec <[email protected]>
release-it fails with "ref HEAD is not a symbolic ref" on PR merge commit checkouts. Use github.head_ref to checkout the actual branch. Also revert trivial test changes in package source files — existing conventional commits from main are sufficient for version detection. Signed-off-by: Pawel Kosiec <[email protected]>
- Fix .release-it.prepare.json reference to .release-it.json in CLAUDE.md
- Add check-template-deps.ts to tools list in CLAUDE.md
- Add missing paths filter on pull_request trigger in prepare-release-lakebase so it only runs when lakebase files change (matching the push trigger)
Signed-off-by: Pawel Kosiec <[email protected]>
- New tools/finalize-release.ts: handles changelog splicing, version bumps, NOTICE copy, and git commit/tag for the secure release pipeline
- Updated tools/publish-template-tag.ts: added lockfile diff check to verify only @databricks/appkit* packages change during template sync
Signed-off-by: Pawel Kosiec <[email protected]>
… sync
- Add @databricks/appkit-ui to ALLOWED_PACKAGES so the lockfile diff check explicitly permits it (previously passed accidentally via substring match on @databricks/appkit)
- Add -s flag to template sync git commit for DCO compliance
Signed-off-by: Pawel Kosiec <[email protected]>
…sting) Signed-off-by: Pawel Kosiec <[email protected]>
…refs from prepare-release
- publish-template-tag.ts: push to HEAD instead of hardcoded main (HEAD == main in production, more flexible)
- Remove pull_request triggers from prepare-release workflows — these should only run on push to main
- Remove temporary ref override used for PR testing
Signed-off-by: Pawel Kosiec <[email protected]>
The check verified that only @databricks/* packages changed in the lockfile after npm install. In practice, bumping appkit legitimately changes transitive dependencies (tanstack, hookform, etc.), causing the check to block valid releases. Security is already covered by the scan step on the secure release repo. Signed-off-by: Pawel Kosiec <[email protected]>
MarioCadenas reviewed on Apr 9, 2026
- Replace blocklist regex with allowlist in check-template-deps.ts to reject file:, git:, latest, and other non-pinned specifiers while allowing exact semver, pre-release tags, and npm aliases
- Find first version heading (## [) instead of assuming 3-line header in finalize-release.ts changelog insertion
- Document finalize-release.ts in CLAUDE.md tools list
Signed-off-by: Pawel Kosiec <[email protected]>
Route changelog diff to packages/lakebase/CHANGELOG.md when stream=lakebase instead of always writing to root CHANGELOG.md. Signed-off-by: Pawel Kosiec <[email protected]>
MarioCadenas approved these changes on Apr 9, 2026
Summary
Adds a two-stage release pipeline where appkit prepares artifacts and a private secure repo handles npm publishing via OIDC Trusted Publishing.
What changed
- .release-it.json configs updated to disable git/github/npm operations — now used only for version calculation and changelog generation
- prepare-release.yml workflow (push to main): determines version via release-it, generates changelog, builds, packs, and uploads artifacts (.tgz, SHA256 digests, changelog diff, NOTICE.md) for the secure repo to consume
- prepare-release-lakebase.yml for independent lakebase releases (triggered by packages/lakebase/** changes)
- tools/check-template-deps.js + CI lint step: validates template/package.json uses exact versions (no ^, ~, >=, *)
- Removed: release.yml, release-lakebase.yml, and unused release / release:ci scripts
What stays the same
- pnpm release:dry still works for local previews
Secure repo (separate PR)
A companion workflow on the private secure repo polls for new prepare-release artifacts every 15 minutes, then: download → verify SHA256 → security scan → npm publish via OIDC → changelog + version bump + commit + tag + push → GitHub Release → template sync.
Test plan
- pnpm release:dry still works locally
- prepare-release workflow runs on push to main and uploads artifacts
- prepare-release-lakebase triggers only on lakebase path changes
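The template dependency pinning lint described in the summary and in the "Replace blocklist regex with allowlist" commit, as an added example that is not the project's own tools/check-template-deps.ts: an allowlist that accepts only exact semver (including pre-release suffixes) and npm aliases that resolve to an exact version, and reports ranges, dist-tags, file:, git:, workspace: and everything else. The manifest shape, field names and sample package.json below are assumptions.

```typescript
// Added example, not the project's tools/check-template-deps.ts. Allowlist
// check: a specifier passes only if it is a known pinned form; anything not
// matched (ranges, tags, file:, git:, workspace:, malformed) is reported.

type DepField = "dependencies" | "devDependencies" | "optionalDependencies";
type Manifest = Partial<Record<DepField, Record<string, string>>>;

const DEP_FIELDS: DepField[] = ["dependencies", "devDependencies", "optionalDependencies"];

// Exact semver: MAJOR.MINOR.PATCH with optional -prerelease and +build suffix.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
// npm alias: npm:[@scope/]name@<spec>; the inner spec must itself be exact.
const NPM_ALIAS = /^npm:(?:@[a-z0-9._~-]+\/)?[a-z0-9._~-]+@(.+)$/;

// Allowlist: true only for specifier forms known to resolve to one version.
function isPinned(spec: string): boolean {
  const alias = NPM_ALIAS.exec(spec);
  if (alias) return EXACT_SEMVER.test(alias[1]);
  return EXACT_SEMVER.test(spec);
}

// Walk every dependency field and report each unpinned entry as
// '<field>.<name>: "<spec>"' so the CI log points at the exact line to fix.
function findUnpinned(manifest: Manifest): string[] {
  const problems: string[] = [];
  for (const field of DEP_FIELDS) {
    const deps = manifest[field];
    if (!deps) continue;
    for (const [name, spec] of Object.entries(deps)) {
      if (!isPinned(spec)) problems.push(`${field}.${name}: "${spec}"`);
    }
  }
  return problems;
}

// Mirrors a CI lint step: exit code 1 when anything is unpinned, else 0.
function lintTemplate(manifest: Manifest): number {
  const problems = findUnpinned(manifest);
  for (const p of problems) console.error(`unpinned dependency: ${p}`);
  return problems.length === 0 ? 0 : 1;
}

// Constructed sample manifest (not the real template/package.json).
const SAMPLE_MANIFEST: Manifest = {
  dependencies: {
    "@databricks/appkit": "1.4.0",                        // exact: ok
    "legacy-lodash": "npm:lodash@4.17.21",                // alias to exact: ok
    react: "^18.3.1",                                     // caret range: rejected
    "local-tool": "file:../local-tool",                   // file: rejected
    "some-fork": "git+https://example.invalid/fork.git",  // git: rejected
  },
  devDependencies: { typescript: "5.6.3-rc", vitest: "latest", esbuild: "*" },
};
```

Run against SAMPLE_MANIFEST, lintTemplate reports five entries (react, local-tool, some-fork, vitest, esbuild) and returns 1; the pre-release and alias entries pass.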