## Reviewer's Guide

Bumps the project to version v2.8.2, updates docs/release notes accordingly, and introduces GitHub Actions workflows to build GitHub releases and publish the package to PyPI on tagged pushes.

### Sequence diagram for release workflow on tagged push

```mermaid
sequenceDiagram
    actor Developer
    participant GitHubRepo
    participant ReleaseWorkflow
    participant PresetReleaseRepo
    participant ReleaseNotes
    participant GitHubReleases
    Developer->>GitHubRepo: Push tag v2.8.2
    GitHubRepo-->>ReleaseWorkflow: Trigger on tag v*.*.*
    ReleaseWorkflow->>ReleaseWorkflow: Checkout code
    ReleaseWorkflow->>PresetReleaseRepo: Download CGS-macOS_preset.7z
    ReleaseWorkflow->>PresetReleaseRepo: Download CGS_preset.7z
    ReleaseWorkflow->>ReleaseWorkflow: Read docs/_github/release_notes.md
    ReleaseWorkflow->>ReleaseWorkflow: Detect tag name
    alt Tag name contains beta
        ReleaseWorkflow->>ReleaseWorkflow: Read preset_preview.md
        ReleaseWorkflow->>ReleaseWorkflow: Set is_beta = true
    else Stable tag
        ReleaseWorkflow->>ReleaseWorkflow: Read preset_stable.md
        ReleaseWorkflow->>ReleaseWorkflow: Set is_beta = false
    end
    ReleaseWorkflow->>ReleaseNotes: Write full_body.md
    ReleaseWorkflow->>GitHubReleases: Create release with assets and notes
```

### Sequence diagram for PyPI publish workflow on tagged push

```mermaid
sequenceDiagram
    actor Developer
    participant GitHubRepo
    participant PyPIWorkflow
    participant UvTool
    participant PyPIRegistry
    Developer->>GitHubRepo: Push tag v2.8.2
    GitHubRepo-->>PyPIWorkflow: Trigger on tag v*.*.*
    PyPIWorkflow->>PyPIWorkflow: Checkout code
    PyPIWorkflow->>UvTool: Install uv
    PyPIWorkflow->>UvTool: Build package (uv build)
    PyPIWorkflow->>UvTool: Publish package (uv publish)
    UvTool->>PyPIRegistry: Upload distribution artifacts
```
Hey - I've found 3 issues, and left some high level feedback:

- In the `Compose Release Notes` step, `echo "$base\n$extra" > /build/full_body.md` will write a literal `\n` rather than a newline; use `printf '%s\n%s\n' "$base" "$extra" > /build/full_body.md` to correctly concatenate the files.
- The `Release` workflow declares `pull-requests: write` permission but never interacts with PRs; consider dropping this permission to keep the token as narrow as possible.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- In the `Compose Release Notes` step, `echo "$base\n$extra" > /build/full_body.md` will write a literal `\n` rather than a newline; use `printf '%s\n%s\n' "$base" "$extra" > /build/full_body.md` to correctly concatenate the files.
- The `Release` workflow declares `pull-requests: write` permission but never interacts with PRs; consider dropping this permission to keep the token as narrow as possible.
## Individual Comments
### Comment 1
<location> `.github/workflows/release.yml:50` </location>
<code_context>
+ ;;
+ esac
+
+ echo "$base\n$extra" > /build/full_body.md
+
+ - name: Create Release
</code_context>
<issue_to_address>
**issue (bug_risk):** The newline between `base` and `extra` won’t actually be inserted with `echo` as written.
In POSIX sh, `echo` prints `\n` literally, so this won’t split `base` and `extra` onto separate lines. To ensure a real newline, use e.g.:
```sh
printf '%s\n%s\n' "$base" "$extra" > /build/full_body.md
```
(or a here‑doc) so the release body is formatted as intended.
</issue_to_address>
### Comment 2
<location> `.github/workflows/pypi.yml:2-5` </location>
<code_context>
+name: Publish
+permissions:
+ contents: write
+ pull-requests: read
+ id-token: write
+on:
+ push:
</code_context>
<issue_to_address>
**🚨 suggestion (security):** Workflow permissions are broader than necessary for a simple PyPI publish job.
For this publish-only job, `contents: read` should be enough, and `pull-requests: read` can likely be removed. Please restrict permissions to the minimum required (e.g., `contents: read`, `id-token: write`) to align with least-privilege practices.
```suggestion
permissions:
contents: read
id-token: write
```
</issue_to_address>
### Comment 3
<location> `docs/_github/release_notes.md:5` </location>
<code_context>
-❔ 修复内置重启卡死(难以复现,只能一点点试)
+同 `v2.8.1` , 见[参考](https://doc.comicguispider.nyc.mn/changelog/history)
+发现 tag 包替换无法打开所以转 pypi 发布 `2.8.2` ,后续应该恢复 pypi
</code_context>
<issue_to_address>
**suggestion (typo):** Consider correcting "pypi" to "PyPI" and slightly smoothing the sentence structure.
"pypi" should be capitalized as "PyPI" to match the official name. For smoother Chinese wording and readability, you could revise to: “发现 tag 包替换后无法打开,所以转 PyPI 发布 `2.8.2`,后续应该恢复 PyPI”。
</issue_to_address>
| ;; | ||
| esac | ||
|
|
||
| echo "$base\n$extra" > /build/full_body.md |
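Review bot: `echo "$base\n$extra"` relies on implementation-defined `echo` behaviour, so the release body will differ by shell: bash, which GitHub Actions uses for `run` steps on Linux runners when no `shell:` is set (`bash -e {0}`), writes the two characters `\n` literally, while dash-style `sh` expands the escape. `printf '%s\n%s\n' "$base" "$extra" > /build/full_body.md` behaves the same everywhere and is the safer choice here. It is also worth confirming that `/build` exists on the runner before this line writes into it, since nothing in the hunk creates that directory.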
issue (bug_risk): The newline between `base` and `extra` won’t actually be inserted with `echo` as written.
In POSIX sh, `echo` prints `\n` literally, so this won’t split `base` and `extra` onto separate lines. To ensure a real newline, use e.g.:
```sh
printf '%s\n%s\n' "$base" "$extra" > /build/full_body.md
```
(or a here‑doc) so the release body is formatted as intended.
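As an added example (not code from the PR or the project), here is a portable shell version of the Compose Release Notes step described in the reviewer's guide, with the `printf` join from the comment above in place of `echo`. The file names and the "tag contains beta" rule mirror the guide; the function names, the notes directory argument, the `is_beta` output and the sample note contents are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the PR's own workflow code: a portable version of the
# "Compose Release Notes" step from the reviewer's guide. The file names
# (release_notes.md, preset_preview.md, preset_stable.md, full_body.md) and
# the "tag contains beta" rule mirror the guide; the function names and the
# NOTES_DIR argument are assumptions made for this example.

# compose_release_notes TAG NOTES_DIR OUT_FILE
# Selects the preset section by tag name (any tag containing "beta" is a
# preview build), then joins release_notes.md and the preset file with a
# real newline between them. Prints "true" or "false" for is_beta.
compose_release_notes() {
  tag=$1
  notes_dir=$2
  out=$3
  case "$tag" in
    *beta*) extra_file="$notes_dir/preset_preview.md"; is_beta=true ;;
    *)      extra_file="$notes_dir/preset_stable.md";  is_beta=false ;;
  esac
  base=$(cat "$notes_dir/release_notes.md")
  extra=$(cat "$extra_file")
  # printf interprets the \n in its format string itself. echo's handling
  # of backslash escapes is implementation-defined (bash prints "\n"
  # literally by default, dash expands it), which is the bug the review
  # points out in `echo "$base\n$extra"`.
  printf '%s\n%s\n' "$base" "$extra" > "$out"
  echo "$is_beta"
}

# Check helpers: number of newline-terminated lines in a file, and whether
# the file still contains a literal backslash-n sequence.
count_lines() { wc -l < "$1" | tr -d ' '; }
has_literal_backslash_n() { grep -q '\\n' "$1"; }

# Constructed sample notes (not the project's real release notes).
make_sample_notes() {
  printf 'Same as v2.8.1, see the changelog\n' > "$1/release_notes.md"
  printf 'Preset: preview build\n' > "$1/preset_preview.md"
  printf 'Preset: stable build\n' > "$1/preset_stable.md"
}

# Demo run, writing into a temporary directory and showing the joined body.
demo_dir=$(mktemp -d)
make_sample_notes "$demo_dir"
compose_release_notes v2.8.2 "$demo_dir" "$demo_dir/full_body.md" > /dev/null
cat "$demo_dir/full_body.md"
rm -rf "$demo_dir"
```

Because `$(cat ...)` strips trailing newlines from each file, the explicit `\n` after each `%s` is what guarantees the preset section starts on its own line and the body ends with a newline, regardless of which shell the runner picks.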
| permissions: | ||
| contents: write | ||
| pull-requests: read | ||
| id-token: write |
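Review bot: the `permissions:` block sits at the top of the workflow, before `on:`, so every job in `Publish` inherits `contents: write`, `pull-requests: read` and `id-token: write`. A job that only checks out the tag, builds and uploads to PyPI needs `contents: read` plus `id-token: write` (the OIDC token for trusted publishing); moving the block under the publish job and dropping the two unused grants means a compromised build or publish step cannot push to the repository with the job token.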
🚨 suggestion (security): Workflow permissions are broader than necessary for a simple PyPI publish job.
For this publish-only job, `contents: read` should be enough, and `pull-requests: read` can likely be removed. Please restrict permissions to the minimum required (e.g., `contents: read`, `id-token: write`) to align with least-privilege practices.
| permissions: | |
| contents: write | |
| pull-requests: read | |
| id-token: write | |
| permissions: | |
| contents: read | |
| id-token: write |
|
|
||
| ❔ 修复内置重启卡死(难以复现,只能一点点试) | ||
| 同 `v2.8.1` , 见[参考](https://doc.comicguispider.nyc.mn/changelog/history) | ||
| 发现 tag 包替换无法打开所以转 pypi 发布 `2.8.2` ,后续应该恢复 pypi |
suggestion (typo): Consider correcting "pypi" to "PyPI" and slightly smoothing the sentence structure.
"pypi" should be capitalized as "PyPI" to match the official name. For smoother Chinese wording and readability, you could revise to: “发现 tag 包替换后无法打开,所以转 PyPI 发布 `2.8.2`,后续应该恢复 PyPI”。
Summary by Sourcery
Bump the project to version v2.8.2 and wire up automated release and PyPI publishing workflows.