Skip to content

chore(ci): add release-please and version tags to DockerHub release process#450

Open
omercnet wants to merge 4 commits intomainfrom
shuni/task-20260326171521
Open

chore(ci): add release-please and version tags to DockerHub release process#450
omercnet wants to merge 4 commits intomainfrom
shuni/task-20260326171521

Conversation

@omercnet
Copy link
Copy Markdown
Member

@omercnet omercnet commented Mar 26, 2026

Fixes descope/etc#14777

View workflow run

Perfect! I've successfully implemented release-please and gated DockerHub releases on version tags for the authzcache repository. Here's what was done:

Changes Made

1. Added Release-Please Workflow (.github/workflows/release-please.yml)

  • Runs on every push to main
  • Creates/updates a release PR that automatically:
    • Bumps version following semantic versioning
    • Updates CHANGELOG based on conventional commits
    • Creates a Git tag when the release PR is merged
  • Uses GitHub App authentication (existing secrets: RELEASE_APP_ID, RELEASE_APP_PEM)

2. Added Semantic PR Validation (in ci.yml)

  • Validates PR titles against conventional commit format
  • Enforces types: feat, fix, docs, style, refactor, perf, test, build, ci, chore, revert
  • Ensures titles don't start with uppercase
  • Skips validation for PRs with bot or ignore-semantic-pr labels

3. Gated DockerHub Releases on Version Tags (in ci.yml)

  • Changed publish-dockerhub job condition from github.ref == 'refs/heads/main' to startsWith(github.ref, 'refs/tags/v')
  • DockerHub images are now only published when a version tag (e.g., v1.2.3) is pushed
  • Renovate dependency PRs can merge to main without triggering releases

4. Updated Docker Metadata Action (.github/actions/docker-metadata/action.yml)

  • Added semantic version tag patterns:
    • type=semver,pattern={{version}} → e.g., 1.2.3
    • type=semver,pattern={{major}}.{{minor}} → e.g., 1.2
    • type=semver,pattern={{major}} → e.g., 1
  • Enables proper version-based Docker image tagging

How It Works

  1. Normal Development: Developers create PRs with semantic titles (enforced by validation)
  2. Merge to Main: When PRs merge, release-please creates/updates a release PR
  3. Release Time: When the release PR is merged:
    • Version is bumped
    • CHANGELOG is updated
    • Git tag is created (e.g., v1.2.3)
  4. DockerHub Publish: CI detects the tag and publishes to DockerHub with proper version tags

Expected Behavior ✅

  • ✅ Renovate PRs merge without triggering DockerHub releases
  • ✅ Intentional releases managed via release-please PRs
  • ✅ Semantic versioning and changelog automated
  • ✅ DockerHub images tagged with versions (e.g., 1.2.3, 1.2, 1, latest)
  • ✅ PR titles enforced to follow conventional commits

Quality Checks Passed

  • ✅ Go formatting (gofmt) - all files properly formatted
  • ✅ YAML syntax validation - all workflows and actions valid
  • ✅ go mod vendor - vendor directory populated
  • ✅ Makefile lint - linting completed successfully
  • ✅ Docker build - build initiated successfully

All changes have been committed with the semantic commit message: ci: add release-please and gate DockerHub releases on version tags

Created by Shuni 🐕

@omercnet @shuni-bot
ci: add release-please and gate DockerHub releases on version tags
bd0521c 
- Add release-please workflow to manage semantic versioning and changelog generation
- Add semantic PR title validation to enforce conventional commits
- Gate DockerHub releases on version tags (v*) instead of all main branch pushes
- Update docker-metadata action to support semantic version tagging
- Renovate dependency updates now merge to main without triggering releases

This ensures intentional releases are managed via release-please PRs, while
preventing Renovate and other routine PRs from publishing Docker images.

Co-authored-by: Shuni <251468265+shuni-bot[bot]@users.noreply.github.com>
Copilot AI review requested due to automatic review settings March 26, 2026 17:20
Copilot AI reviewed Mar 26, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR introduces automated release management via release-please and changes the CI/release flow so DockerHub publishing happens only on version tag pushes, aligning releases with semantic version tags.

Changes:

  • Added a release-please workflow to open/maintain release PRs and create version tags on merge.
  • Updated CI workflow triggers and added PR title validation against conventional commit semantics.
  • Updated Docker metadata generation to emit semver-based image tags (e.g., 1.2.3, 1.2, 1).

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File Description
.github/workflows/release-please.yml Adds a release-please workflow using a GitHub App token to manage releases/tags.
.github/workflows/ci.yml Adds PR title semantic validation, adds pull_request trigger, and gates DockerHub publishing to v* tags.
.github/actions/docker-metadata/action.yml Adds semver tag patterns to docker/metadata-action output.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@omercnet omercnet changed the title authzcache: add release-please and version tags to DockerHub release process chore(ci): add release-please and version tags to DockerHub release process Mar 26, 2026
@omercnet
Copy link
Copy Markdown
Member Author

omercnet commented Mar 26, 2026

@shuni see pr comments, resolve threads.
move the dockerhub publish to the release-please workflow, depends on release-please if release was created
validate pr title should also trigger when changing the title

@shuni-bot
Copy link
Copy Markdown

shuni-bot bot commented Mar 26, 2026
edited
Loading

🐕 Done! Updated PR: #450

View workflow run

📋 Actions Taken

✅ Gate pack job to only run on push events (fix security issue)
✅ Fix docker-metadata to include latest for version tags and plain vX.Y.Z format
✅ Move DockerHub publish job to release-please workflow
✅ Add PR title validation trigger for title edits
✅ Reply to all review threads
✅ Resolve fixed threads
✅ Run quality checks and commit changes

View session on Shuni Portal 🐾

@omercnet @shuni-bot
ci: move DockerHub publish to release-please workflow and fix securit…
51d0be0 
…y issues

- Gate pack job to only run on push events (not PRs) to prevent publishing unreviewed code
- Move DockerHub publish from CI workflow to release-please workflow, gated on release creation
- Add latest tag support for version tag releases in docker-metadata action
- Add plain vX.Y.Z tag format capture in docker-metadata action
- Add PR title validation trigger for title edits

Fixes security issue where PR builds could publish to GHCR/ECR.
Ensures DockerHub releases are intentional and version-tagged.

Co-authored-by: Shuni <251468265+shuni-bot[bot]@users.noreply.github.com>
@shuni-bot
Copy link
Copy Markdown

shuni-bot bot commented Mar 26, 2026

🐕 Shuni Review Summary

Review Status

  • Total threads: 2 (inline code threads)
  • Threads I replied to: 2 ✓
  • Threads I resolved: 2 ✓
    • PRRT_kwDONud3Zc53FkYc (Fixed: gated pack job to push events only)
    • PRRT_kwDONud3Zc53FkY- (Fixed: added latest tag and plain vX.Y.Z format for version releases)
  • Threads remaining unresolved: 0 ✓

Changes Implemented

✅ Security Fix (Thread 1)

  • Fixed: Added if: github.event_name == 'push' condition to the pack job
  • Impact: Prevents unreviewed code from being published to GHCR/ECR during PR builds
  • Scope: Only runs on push to main or version tags

✅ Docker Metadata Fix (Thread 2)

  • Fixed: Enhanced docker-metadata action with two additions:
    1. type=ref,event=tag - Captures plain vX.Y.Z git tag format
    2. type=raw,value=latest,enable=${{ startsWith(github.ref, 'refs/tags/v') }} - Enables latest tag for version releases
  • Impact: When a version tag like v1.2.3 is pushed, DockerHub receives tags: v1.2.3, 1.2.3, 1.2, 1, and latest

✅ User Requests Implemented

  1. Moved DockerHub publish to release-please workflow

    • Added publish-dockerhub job to release-please.yml
    • Gated on release_created output - only runs when release-please creates a release
    • Removed from ci.yml to avoid duplicate publishes

  2. PR title validation now triggers on title edits

    • Added types: [opened, synchronize, reopened, edited] to pull_request trigger
    • Semantic PR validation will now run whenever PR title is modified

Quality Checks

  • ✅ YAML syntax validation - all workflow files valid
  • ✅ Git commit - conventional commit format
  • ✅ Security review - security issue resolved

Commit

All changes committed as: ci: move DockerHub publish to release-please workflow and fix security issues (51d0be0)

All review threads resolved and user requests implemented. Ready for merge! 🎉

@omercnet omercnet requested review from ariansvi and yosiharan March 26, 2026 18:53
yosiharan
yosiharan reviewed Mar 29, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@yosiharan yosiharan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, but I would like @ariansvi to confirm the CI changes as well 🙏

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@yosiharan yosiharan yosiharan left review comments

Copilot code review Copilot Copilot left review comments

@shuni-bot shuni-bot[bot] shuni-bot[bot] left review comments

@ariansvi ariansvi Awaiting requested review from ariansvi

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@omercnet @yosiharan