Skip to content

ci(release): Switch from action-prepare-release to Craft #1858

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
BYK wants to merge 14 commits into
base: master
Choose a base branch
from
Open

ci(release): Switch from action-prepare-release to Craft #1858

Show file tree
Hide file tree
Changes from 10 commits
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
5b7c296
ci(release): Switch from action-prepare-release to Craft
BYK Jan 9, 2026
450f8a9
ci(release): Restore GitHub App token authentication
BYK Jan 9, 2026
403e8c2
fix: Pin actions to SHA and add permissions blocks
BYK Jan 10, 2026
e9a46ba
fix: Use correct action version SHAs (restore original versions)
BYK Jan 10, 2026
dc88a07
fix: Use correct action version SHAs (restore original versions)
BYK Jan 10, 2026
0ac249d
fix: Add permissions block to workflows
BYK Jan 10, 2026
c37fca0
fix: Clean up action version comments
BYK Jan 12, 2026
8676966
Update Craft SHA to 1c58bfd57bfd6a967b6f3fc92bead2c42ee698ce
BYK Jan 13, 2026
221609c
Add explicit permissions block to image.yml
BYK Jan 13, 2026
eb6ec6b
Revert permissions changes to image.yml
BYK Jan 13, 2026
fc8eb44
fix: revert extraneous changes to non-release workflow files
BYK Jan 14, 2026
1ec9171
fix: clean up release.yml formatting and version comments
BYK Jan 14, 2026
354af49
build(craft): Update Craft action to c6e2f04
BYK Jan 14, 2026
4ba8a0f
chore: add unlabeled trigger to changelog-preview
BYK Jan 14, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
91 changes: 47 additions & 44 deletions .craft.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,48 +2,51 @@ minVersion: "2.15.0"
changelog:
policy: auto
targets:
- name: github
- name: registry
apps:
app:symbolicator:
urlTemplate: https://downloads.sentry-cdn.com/symbolicator/{{version}}/{{file}}
includeNames: /^symbolicator-.*$/i
- name: gcs
bucket: sentry-sdk-assets
includeNames: /^symbolicator-.*$/
paths:
- path: /symbolicator/{{version}}/
metadata:
cacheControl: public, max-age=2592000
- path: /symbolicator/latest/
metadata:
cacheControl: public, max-age=600
- id: release
name: docker
source: ghcr.io/getsentry/symbolicator
target: ghcr.io/getsentry/symbolicator
- id: latest
name: docker
source: ghcr.io/getsentry/symbolicator
target: ghcr.io/getsentry/symbolicator
targetFormat: '{{{target}}}:latest'
- name: github
- name: registry
apps:
app:symbolicator:
urlTemplate:
https://downloads.sentry-cdn.com/symbolicator/{{version}}/{{file}}
includeNames: /^symbolicator-.*$/i
- name: gcs
bucket: sentry-sdk-assets
includeNames: /^symbolicator-.*$/
paths:
- path: /symbolicator/{{version}}/
metadata:
cacheControl: public, max-age=2592000
- path: /symbolicator/latest/
metadata:
cacheControl: public, max-age=600
- id: release
name: docker
source: ghcr.io/getsentry/symbolicator
target: ghcr.io/getsentry/symbolicator
- id: latest
name: docker
source: ghcr.io/getsentry/symbolicator
target: ghcr.io/getsentry/symbolicator
targetFormat: '{{{target}}}:latest'
requireNames:
- /^symbolicator-Darwin-universal$/
- /^symbolicator-Linux-x86_64$/
- /^symbolicator-Linux-aarch64$/
- /^symbolicator-Linux-x86_64-debug.zip$/
- /^symbolicator-Linux-aarch64-debug.zip$/
- /^symbolicator-aarch64-apple-darwin-debug.zip$/
- /^symbolicator-x86_64-apple-darwin-debug.zip$/
- /^symbolicli-Darwin-universal$/
- /^symbolicli-Linux-x86_64$/
- /^symbolicli-Linux-aarch64$/
- /^symbolicli-Windows-x86_64\.exe$/
- /^symsorter-Darwin-universal$/
- /^symsorter-Linux-x86_64$/
- /^symsorter-Linux-aarch64$/
- /^symsorter-Windows-x86_64\.exe$/
- /^wasm-split-Darwin-universal$/
- /^wasm-split-Linux-x86_64$/
- /^wasm-split-Linux-aarch64$/
- /^wasm-split-Windows-x86_64\.exe$/
- /^symbolicator-Darwin-universal$/
- /^symbolicator-Linux-x86_64$/
- /^symbolicator-Linux-aarch64$/
- /^symbolicator-Linux-x86_64-debug.zip$/
- /^symbolicator-Linux-aarch64-debug.zip$/
- /^symbolicator-aarch64-apple-darwin-debug.zip$/
- /^symbolicator-x86_64-apple-darwin-debug.zip$/
- /^symbolicli-Darwin-universal$/
- /^symbolicli-Linux-x86_64$/
- /^symbolicli-Linux-aarch64$/
- /^symbolicli-Windows-x86_64\.exe$/
- /^symsorter-Darwin-universal$/
- /^symsorter-Linux-x86_64$/
- /^symsorter-Linux-aarch64$/
- /^symsorter-Windows-x86_64\.exe$/
- /^wasm-split-Darwin-universal$/
- /^wasm-split-Linux-x86_64$/
- /^wasm-split-Linux-aarch64$/
- /^wasm-split-Windows-x86_64\.exe$/
versioning:
policy: calver
10 changes: 7 additions & 3 deletions .github/workflows/build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,10 @@ on:
branches:
- release/**


permissions:
contents: write
pull-requests: write
jobs:
linux:
name: Build Binary on Linux ${{ matrix.arch }}
Expand All @@ -19,7 +23,7 @@ jobs:

steps:
- name: Checkout sources
uses: actions/checkout@v6.0.1
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

- name: Install rust stable toolchain
run: rustup toolchain install stable --profile minimal --no-self-update
Expand Down Expand Up @@ -64,7 +68,7 @@ jobs:
runs-on: macos-14
steps:
- name: Checkout sources
uses: actions/checkout@v6.0.1
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

- name: Install rust stable toolchain
run: rustup toolchain install stable --profile minimal --target x86_64-apple-darwin --target aarch64-apple-darwin --no-self-update
Expand Down Expand Up @@ -122,7 +126,7 @@ jobs:
runs-on: windows-2022

steps:
- uses: actions/checkout@v6.0.1
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
submodules: recursive

Expand Down
17 changes: 17 additions & 0 deletions .github/workflows/changelog-preview.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
name: Changelog Preview
on:
pull_request:
types:
- opened
- synchronize
- reopened
- edited
- labeled
permissions:
contents: write
pull-requests: write

jobs:
changelog-preview:
uses: getsentry/craft/.github/workflows/changelog-preview.yml@v2
secrets: inherit
Comment thread Fixed
18 changes: 11 additions & 7 deletions .github/workflows/ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,10 @@ concurrency:
env:
RUSTFLAGS: -Dwarnings


permissions:
contents: write
pull-requests: write
jobs:
lints:
name: Lints
Expand All @@ -25,7 +29,7 @@ jobs:
sudo apt-get install -y libcurl4-openssl-dev

- name: Checkout sources
uses: actions/checkout@v6.0.1
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

- name: Install rust stable toolchain
run: rustup toolchain install stable --profile minimal --component rustfmt --component clippy --no-self-update
Expand All @@ -49,7 +53,7 @@ jobs:
sudo apt-get install -y libcurl4-openssl-dev

- name: Checkout sources
uses: actions/checkout@v6.0.1
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

- name: Install rust stable toolchain
run: rustup toolchain install stable --profile minimal --no-self-update
Expand Down Expand Up @@ -79,11 +83,11 @@ jobs:
sudo apt-get install -y libcurl4-openssl-dev

- name: Checkout Symbolicator
uses: actions/checkout@v6.0.1
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

# Checkout Sentry and run integration tests against latest Symbolicator
- name: Checkout sentry
uses: actions/checkout@v6.0.1
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
repository: getsentry/sentry
path: sentry
Expand Down Expand Up @@ -132,7 +136,7 @@ jobs:
sudo apt-get install -y libcurl4-openssl-dev

- name: Checkout sources
uses: actions/checkout@v6.0.1
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

- name: Install rust stable toolchain
run: rustup toolchain install stable --profile minimal --component rust-docs --no-self-update
Expand All @@ -147,7 +151,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout sources
uses: actions/checkout@v6.0.1
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

- uses: astral-sh/setup-uv@884ad927a57e558e7a70b92f2bccf9198a4be546 # v6

Expand All @@ -170,7 +174,7 @@ jobs:
sudo apt update
sudo apt-get install -y libcurl4-openssl-dev

- uses: actions/checkout@v6.0.1
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

- name: Install rust stable toolchain
run: rustup toolchain install stable --profile minimal --component llvm-tools-preview --no-self-update
Expand Down
6 changes: 5 additions & 1 deletion .github/workflows/docs.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,14 +5,18 @@ on:
branches:
- master


permissions:
contents: write
pull-requests: write
jobs:
docs:
name: Publish Docs
runs-on: ubuntu-latest

steps:
- name: Checkout sources
uses: actions/checkout@v6.0.1
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

- uses: astral-sh/setup-uv@884ad927a57e558e7a70b92f2bccf9198a4be546 # v6

Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/enforce-license-compliance.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,10 @@ on:
pull_request:
branches: [master]


permissions:
contents: write
pull-requests: write
jobs:
enforce-license-compliance:
runs-on: ubuntu-latest
Expand Down
6 changes: 5 additions & 1 deletion .github/workflows/pre-commit.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,12 +18,16 @@ defaults:
# bash --noprofile --norc -eo pipefail {0}
shell: bash --noprofile --norc -eo pipefail -ux {0}


permissions:
contents: write
pull-requests: write
jobs:
pre-commit:
name: pre-commit
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4.2.2
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.2.2

- name: Get changed files
id: changes
Expand Down
52 changes: 25 additions & 27 deletions .github/workflows/release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,38 +3,36 @@ on:
workflow_dispatch:
inputs:
version:
description: Version to release (optional)
description: Version to release (or "auto")
required: false
force:
description: Force a release even when there are release-blockers (optional)
description: Force a release even when there are release-blockers
required: false
schedule:
# We want the release to be at 9-10am Pacific Time
# We also want it to be 1 hour before the on-prem release
- cron: '0 17 15 * *' # 5pm UTC on the 15th of every month
- cron: '0 17 15 * *'
permissions:
contents: write
pull-requests: write

jobs:
release:
runs-on: ubuntu-latest
name: "Release a new Symbolicator version"

name: Release a new version
steps:
- name: Get auth token
id: token
uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
with:
app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }}
private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }}

- uses: actions/checkout@v6.0.1
with:
token: ${{ steps.token.outputs.token }}
fetch-depth: 0

- name: Prepare release
uses: getsentry/action-prepare-release@v1
env:
GITHUB_TOKEN: ${{ steps.token.outputs.token }}
with:
version: ${{ github.event.inputs.version }}
force: ${{ github.event.inputs.force }}
calver: true
- name: Get auth token
id: token
uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
with:
app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }}
private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }}
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
with:
token: ${{ steps.token.outputs.token }}
fetch-depth: 0
- name: Prepare release
uses: getsentry/craft@1c58bfd57bfd6a967b6f3fc92bead2c42ee698ce # v2
env:
GITHUB_TOKEN: ${{ steps.token.outputs.token }}
with:
version: ${{ inputs.version }}
force: ${{ inputs.force }}
Copy link
Copy Markdown

@sentry sentry Bot Jan 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug: The scheduled release workflow passes empty strings for inputs.version and inputs.force to the craft action, which may cause the run to fail.
Severity: HIGH

Suggested Fix

Conditionally provide a default value for the inputs when the workflow is triggered by a schedule. For example, you can use a ternary expression to default to 'auto' for the version: version: ${{ github.event_name == 'workflow_dispatch' && inputs.version || 'auto' }}. A similar approach can be used for the force input if needed.

Prompt for AI Agent 
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: .github/workflows/release.yml#L37-L38

Potential issue: The `release.yml` workflow is configured to run on both
`workflow_dispatch` and a `schedule`. When triggered by the schedule, the `inputs`
context is empty. Consequently, empty strings are passed for the `version` and `force`
parameters to the `getsentry/craft` action. It is unconfirmed how the `craft` action
handles empty string inputs for these parameters. This could potentially lead to a
failure during the automated, scheduled release process if the action does not have a
fallback or default behavior.

Did we get this right? 👍 / 👎 to inform future reviews.

38 changes: 21 additions & 17 deletions .github/workflows/update-deps.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,17 +1,21 @@
name: Update Dependencies

on:
# Run every Monday at 3am.
schedule:
- cron: '0 3 * * 1'
# Allow a manual trigger to be able to run the update when there are new dependencies or after a PR merge to resolve CHANGELOG conflicts.
workflow_dispatch:

jobs:
native:
uses: getsentry/github-workflows/.github/workflows/updater.yml@v3
with:
path: crates/symbolicator-crash/sentry-native
name: Native SDK
secrets:
api-token: ${{ secrets.CI_DEPLOY_KEY }}
name: Update Dependencies

on:
# Run every Monday at 3am.
schedule:
- cron: '0 3 * * 1'
# Allow a manual trigger to be able to run the update when there are new dependencies or after a PR merge to resolve CHANGELOG conflicts.
workflow_dispatch:


permissions:
contents: write
pull-requests: write
jobs:
native:
uses: getsentry/github-workflows/.github/workflows/updater.yml@v3
with:
path: crates/symbolicator-crash/sentry-native
name: Native SDK
secrets:
api-token: ${{ secrets.CI_DEPLOY_KEY }}
4 changes: 2 additions & 2 deletions .github/workflows/validate-pipelines.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ jobs:
outputs:
gocd: ${{ steps.changes.outputs.gocd }}
steps:
- uses: actions/checkout@v6.0.1
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- name: Check for relevant file changes
uses: getsentry/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
id: changes
Expand All @@ -39,7 +39,7 @@ jobs:
id-token: "write"

steps:
- uses: actions/checkout@v6.0.1
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- id: 'auth'
uses: google-github-actions/auth@v3
with:
Expand Down
Loading
Loading