Conversation
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/34c8400f-ce29-4429-a454-b91614f2473f Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@copilot name it "Release Punter"
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/796051fd-b3b7-46dd-87bf-884bfff4414e Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@copilot move inline variable expansions to env var references to avoid shell injection
…nt shell injection Agent-Logs-Url: https://github.com/github/gh-aw/sessions/d184af5e-c5bf-4c67-841a-0b13f898be1e Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Done in 19a81d0. All three injection points are now safe:
| echo "changed=true" >> "$GITHUB_OUTPUT" | ||
| fi | ||
| - name: Commit and push |
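Review bot: only the `changed=true` case is written to `$GITHUB_OUTPUT` in the branch of the conditional shown here; if the other branch does not write `changed=false`, a downstream `if: steps.<id>.outputs.changed == 'true'` still behaves correctly (an unset output is not `'true'`), but emitting an explicit `changed=false` makes the step output unambiguous in the run logs and in later `if:` expressions.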
@copilot add a JSON validation of releases.json to ensure it wasn't broken
Done in ea29e78 — added a "Validate releases.json" step between the update and the commit. It runs jq empty on the file and fails the workflow if the JSON is invalid, preventing a corrupt file from being committed.
Pull request overview
Adds a manually triggered GitHub Actions workflow (“Release Punter”) to update the stable alias in .github/aw/releases.json, with guardrails around who can run it and what release tags are allowed.
Changes:
- Introduces a `workflow_dispatch` workflow that resolves a target version (explicit input or latest release).
- Validates the triggering actor's repo role and validates the target tag corresponds to a published (non-draft) release.
- Updates `.aliases.stable` in `.github/aw/releases.json` and commits/pushes the change only when necessary.
| - name: Checkout repository | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
workflow_dispatch can be run against any branch/ref in the UI. With the default actions/checkout behavior and a plain git push, this workflow will modify and push to whichever ref was selected when dispatching (including feature branches), rather than reliably updating the repository’s default branch.
Consider explicitly checking out github.event.repository.default_branch (or failing early when github.ref is not the default branch) and pushing to that branch to ensure stable is always updated in the intended place.
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/fffd70fe-9740-4577-a96e-044a9248c748 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
💥 Automated smoke test review - all systems nominal!
💥 [THE END] — Illustrated by Smoke Claude
| update-stable: | ||
| name: Release Punter | ||
| runs-on: ubuntu-latest | ||
| # Never run on forks — they cannot push to the upstream repository |
The fork guard is a good safety measure! Consider also adding a check that `github.ref == refs/heads/main` (or `refs/heads/${{ github.event.repository.default_branch }}`) so this workflow only updates stable from the default branch, preventing accidental stable alias updates from feature branches dispatched in the UI.
| }); | ||
| version = release.tag_name; | ||
| core.info(`ℹ️ No version specified, resolved to latest: ${version}`); | ||
| } |
The pre-release warning via core.warning is good UX. Consider also surfacing this in the step summary (core.summary.addRaw(...)) so it's visible in the Actions UI without having to dig into logs — enterprise users monitoring releases will appreciate the extra visibility.
Summary
Adds a new standard GitHub Actions workflow (`.github/workflows/update-stable-release.yml`) named Release Punter to update the `stable` alias in `.github/aw/releases.json`.

Changes

`.github/workflows/update-stable-release.yml` (new file)

A `workflow_dispatch`-triggered workflow named "Release Punter" with the following behaviour:

- Input `version` (e.g. `v1.2.3`). Omit to use the latest published release.
- Fork guard (`!github.event.repository.fork`)
- Requires the `admin` or `maintain` role via `GET /repos/{owner}/{repo}/collaborators/{actor}/permission` → `role_name`
- If no `version` is given, resolves to `github.rest.repos.getLatestRelease`
- Validates the tag matches `vMAJOR.MINOR.PATCH`, exists as a published (non-draft) GitHub release, and warns if it is flagged as pre-release
- Updates `.aliases.stable` in `.github/aw/releases.json` using `jq`
- Checks `releases.json` is still valid JSON after the `jq` update before committing
- Commits as `github-actions[bot]` with message `chore: update stable release to vX.Y.Z`
- `cancel-in-progress: false` prevents two simultaneous runs from producing conflicting commits
- All `${{ }}` expression expansions are bound to `env:` variables and accessed via `process.env.*` (JS) or `$VAR` (shell)

The default path (no version input) moves `stable` to the latest release; providing an older version enables easy rollback.

✨ PR Review Safe Output Test - Run 23797519571
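The workflow this PR body describes, sketched as an added example. This is not the PR's `.github/workflows/update-stable-release.yml` and not the gh-aw project's code. It takes the file path, the pinned checkout action, the `jq` update, the `jq empty` validation, the fork guard and the commit message from the thread; the step names, the version regex, the `git diff --quiet` change detection and the default-branch `if:` / `ref:` guard are assumptions, and the latest-release resolution through `github-script` is left out, so `version` is required here. The commented-out step shows the inline-expansion pattern that the "move inline variable expansions to env var references" request removes, beside the env-bound form that replaces it.

```yaml
# Added example, not the PR's own workflow file. Sketches the hardening points
# discussed in this thread; step names, regex and branch guard are assumptions.
name: Release Punter (example)

on:
  workflow_dispatch:
    inputs:
      version:
        description: "Release tag to make stable (vMAJOR.MINOR.PATCH)"
        required: true   # latest-release resolution omitted in this example

concurrency:
  group: update-stable-release
  cancel-in-progress: false   # queue runs instead of cancelling, so two runs never race on the commit

permissions:
  contents: write

jobs:
  update-stable:
    name: Release Punter
    runs-on: ubuntu-latest
    # Never run on forks, and only from the default branch: the dispatch UI lets
    # the caller pick any ref, so the guard keeps stable from being updated on a
    # feature branch (the point raised in the review comments above).
    if: ${{ !github.event.repository.fork && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: ${{ github.event.repository.default_branch }}

      # WEAK (the pattern the "env var references" request removes): the
      # expression is expanded into the script text before the shell parses it,
      # so the input is treated as shell syntax, not as data.
      # - name: Update stable alias (unsafe)
      #   run: jq '.aliases.stable = "${{ inputs.version }}"' .github/aw/releases.json

      # HARDENED: the input reaches the shell only as an environment variable,
      # and jq receives it as a value through --arg, never as program text.
      - name: Validate version format
        env:
          VERSION: ${{ inputs.version }}
        run: |
          if ! printf '%s\n' "$VERSION" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'; then
            echo "::error::version must match vMAJOR.MINOR.PATCH, got: $VERSION"
            exit 1
          fi

      - name: Update stable alias
        id: update
        env:
          VERSION: ${{ inputs.version }}
        run: |
          jq --arg v "$VERSION" '.aliases.stable = $v' .github/aw/releases.json > releases.tmp
          mv releases.tmp .github/aw/releases.json
          # Report explicitly in both cases so the output is never unset.
          if git diff --quiet -- .github/aw/releases.json; then
            echo "changed=false" >> "$GITHUB_OUTPUT"
          else
            echo "changed=true" >> "$GITHUB_OUTPUT"
          fi

      - name: Validate releases.json
        # jq exits non-zero on malformed JSON, which fails the job before the commit step.
        run: jq empty .github/aw/releases.json

      - name: Commit and push
        if: steps.update.outputs.changed == 'true'
        env:
          VERSION: ${{ inputs.version }}
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add .github/aw/releases.json
          git commit -m "chore: update stable release to $VERSION"
          git push
```

Every `run:` step that needs the input reads it from `$VERSION`, so the value is quoted as a single argument by the shell, and `jq --arg` keeps it out of the jq program as well; the validation step runs on the rewritten file before anything is committed, so a malformed `releases.json` fails the job rather than landing on the default branch.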