From 96cda06624d5a0ddddf48da1b3fe08eea46a7ffa Mon Sep 17 00:00:00 2001
From: Robert Allen
Date: Mon, 9 Mar 2026 11:07:26 -0400
Subject: [PATCH 1/4] fix(ci): repair three release-triggered workflow failures
- signed-releases: trigger on workflow_run instead of release:published to avoid race condition where assets aren't uploaded yet
- sbom: add --clobber flag to avoid conflict with release.yml's sbom job
- changelog: create PR instead of direct commit to respect branch protection
---
 .github/workflows/changelog.yml | 54 ++++++++++----------
 .github/workflows/sbom.yml | 3 +-
 .github/workflows/signed-releases.yml | 72 +++++++++++++++++----------
 3 files changed, 74 insertions(+), 55 deletions(-)
diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml
index 3a38397..2d3205d 100644
--- a/.github/workflows/changelog.yml
+++ b/.github/workflows/changelog.yml
@@ -17,46 +17,44 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - # v6.0.2 + # yamllint disable-line rule:line-length uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - name: Generate changelog - # v4.5.0 - uses: orhun/git-cliff-action@c93ef52f3d0ddcdcc9bd5447d98d458a11cd4f72 + # yamllint disable-line rule:line-length + uses: orhun/git-cliff-action@c93ef52f3d0ddcdcc9bd5447d98d458a11cd4f72 # v4.5.0 with: config: cliff.toml args: --verbose env: OUTPUT: CHANGELOG.md - - name: Commit changelog - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - TAG_NAME: ${{ github.ref_name }} + - name: Check for changes + id: diff run: | if git diff --quiet CHANGELOG.md 2>/dev/null; then - echo "No changes to commit" - exit 0 - fi - - REPO="${{ github.repository }}" - API_PATH="repos/${REPO}/contents/CHANGELOG.md" - CONTENT=$(base64 -i CHANGELOG.md) - SHA=$(gh api "$API_PATH" \ - --jq '.sha' 2>/dev/null || echo "") - - MSG="docs: update CHANGELOG.md for ${TAG_NAME}" - ARGS=( - -f "message=${MSG}" - -f "content=${CONTENT}" - -f "branch=main" - ) - if [ -n "$SHA" ]; then - ARGS+=(-f "sha=${SHA}") + echo "changed=false" >> "$GITHUB_OUTPUT" + else + echo "changed=true" >> "$GITHUB_OUTPUT" fi - gh api "$API_PATH" \ - --method PUT "${ARGS[@]}" - echo "Changelog updated via GitHub API" + - name: Create pull request + if: steps.diff.outputs.changed == 'true' + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + TAG_NAME: ${{ github.ref_name }} + run: | + BRANCH="chore/changelog-${TAG_NAME}" + git checkout -b "${BRANCH}" + git add CHANGELOG.md + git config user.name "github-actions[bot]" + git config user.email "github-actions[bot]@users.noreply.github.com" + git commit -m "docs: update CHANGELOG.md for ${TAG_NAME}" + git push origin "${BRANCH}" + gh pr create \ + --title "docs: update CHANGELOG.md for ${TAG_NAME}" \ + --body "Auto-generated changelog update for ${TAG_NAME}." \ + --base main \ + --head "${BRANCH}" 
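Review bot: The `Check for changes` step relies on `git diff --quiet CHANGELOG.md`, which only reports modifications to a tracked file; if git-cliff creates CHANGELOG.md for the first time the file is untracked, the step emits `changed=false`, and the new changelog is never pushed. A check that covers both cases is `if [ -z "$(git status --porcelain -- CHANGELOG.md)" ]; then`. Separately, a pull request opened with `secrets.GITHUB_TOKEN` does not trigger other workflows, so no CI runs on the changelog PR, and the job needs `pull-requests: write` alongside `contents: write`; the permissions block sits above this hunk, so I cannot confirm it from here.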
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index 287c98c..7d5806d 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -48,4 +48,5 @@ jobs: GH_TOKEN: ${{ github.token }} TAG_NAME: ${{ github.event.release.tag_name }} run: | - gh release upload "${TAG_NAME}" nsip-sbom-spdx.json + gh release upload "${TAG_NAME}" nsip-sbom-spdx.json \ + --clobber diff --git a/.github/workflows/signed-releases.yml b/.github/workflows/signed-releases.yml index 9a65609..fbbd837 100644 --- a/.github/workflows/signed-releases.yml +++ b/.github/workflows/signed-releases.yml @@ -1,9 +1,10 @@ - +--- name: Signed Releases -on: - release: - types: [published] +"on": + workflow_run: + workflows: ["Release"] + types: [completed] permissions: contents: write @@ -13,17 +14,27 @@ jobs: sign-assets: name: Sign Release Assets runs-on: ubuntu-latest - + if: >- + github.event.workflow_run.conclusion == 'success' + && startsWith(github.event.workflow_run.head_branch, 'v') steps: + - name: Get tag name + id: tag + env: + TAG: ${{ github.event.workflow_run.head_branch }} + run: echo "tag=${TAG}" >> "$GITHUB_OUTPUT" + - name: Install Cosign - uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 + # yamllint disable-line rule:line-length + uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 - name: Download release assets env: GH_TOKEN: ${{ github.token }} + TAG: ${{ steps.tag.outputs.tag }} run: | - gh release download ${{ github.event.release.tag_name }} \ - --repo ${{ github.repository }} \ + gh release download "${TAG}" \ + --repo "${{ github.repository }}" \ --pattern '*' - name: Sign assets with Cosign 
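Review bot: `--clobber` makes this job silently overwrite `nsip-sbom-spdx.json` on the release, and if the signed-releases job has already run, the entry for that asset in SHA256SUMS and its `.sig` no longer match what is on the release. The two producers should agree on a single owner of this asset name (or use distinct names), or the signing job must be ordered after this upload; from this hunk alone I cannot tell which job wins, because the ordering between `release: published` here and the `workflow_run` trigger in signed-releases.yml is not fixed.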
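Review bot: The `if:` guard admits any successful `Release` run whose `head_branch` starts with `v`, and the `Download release assets` step then fetches `--pattern '*'`, so the workflow's signing identity is attached to every asset present on the release at that moment, including ones uploaded by other jobs or by hand, not only the artifacts the triggering run built. Consider also requiring `github.event.workflow_run.event == 'push'`, narrowing `--pattern` to the expected asset names, and recording `github.event.workflow_run.head_sha` so a verifier can tie signatures to the build. The `Sign assets with Cosign` step body lies below this hunk, so I cannot see what is signed there; this note assumes `head_branch` carries the tag name for tag-triggered runs, as the `Get tag name` step does.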
@@ -48,40 +59,49 @@ jobs: - name: Upload signatures env: GH_TOKEN: ${{ github.token }} + TAG: ${{ steps.tag.outputs.tag }} run: | - gh release upload ${{ github.event.release.tag_name }} \ - --repo ${{ github.repository }} \ + gh release upload "${TAG}" \ + --repo "${{ github.repository }}" \ --clobber \ *.sig SHA256SUMS SHA512SUMS - name: Update release notes env: GH_TOKEN: ${{ github.token }} + TAG: ${{ steps.tag.outputs.tag }} + # yamllint disable rule:line-length run: | - cat >> release_notes.md << 'NOTES' - + EXISTING=$(gh release view "${TAG}" \ + --repo "${{ github.repository }}" \ + --json body -q .body) + + cat > release_notes.md <.sig \ - --certificate-identity-regexp=".*" \ - --certificate-oidc-issuer-regexp=".*" \ + cosign verify-blob \\ + --signature .sig \\ + --certificate-identity-regexp=".*" \\ + --certificate-oidc-issuer-regexp=".*" \\ - + # Verify checksums sha256sum --check SHA256SUMS - ``` + \`\`\` NOTES - - gh release edit ${{ github.event.release.tag_name }} \ - --repo ${{ github.repository }} \ + + gh release edit "${TAG}" \ + --repo "${{ github.repository }}" \ --notes-file release_notes.md + # yamllint enable rule:line-length From e14df8234614d4843e5b8308cb35e144b438b6d9 Mon Sep 17 00:00:00 2001 From: Robert Allen Date: Mon, 9 Mar 2026 11:14:43 -0400 Subject: [PATCH 2/4] Update .github/workflows/changelog.yml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .github/workflows/changelog.yml | 47 +++++++++++++++++++++++++++------ 1 file changed, 39 insertions(+), 8 deletions(-) diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml index 2d3205d..6e7c0d0 100644 --- a/.github/workflows/changelog.yml +++ b/.github/workflows/changelog.yml 
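Review bot: The verification command the new notes publish still uses `--certificate-identity-regexp=".*"` and `--certificate-oidc-issuer-regexp=".*"`, which accepts a signature from any Sigstore identity on any issuer, so a user following these instructions learns nothing about who signed the asset; the commit only changes the backslash escaping around those lines. Pin them to this workflow, e.g. `--certificate-oidc-issuer="https://token.actions.githubusercontent.com"` and `--certificate-identity-regexp="^https://github.com/<OWNER>/<REPO>/\.github/workflows/signed-releases\.yml@refs/tags/v"` (owner and repo are placeholders for the real values). The `Upload signatures` step publishes only `*.sig`, SHA256SUMS and SHA512SUMS; if the signing step, whose body is outside this hunk, uses keyless signing, the certificate or a Sigstore bundle must be uploaded too, since `cosign verify-blob` cannot check identity from a bare `.sig`. Parts of the snippet are garbled in this view (the heredoc marker and the asset placeholders were lost), so check the surrounding lines in the file.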
@@ -47,14 +47,45 @@ jobs: TAG_NAME: ${{ github.ref_name }} run: | BRANCH="chore/changelog-${TAG_NAME}" - git checkout -b "${BRANCH}" + + # Reuse existing remote branch if it already exists; otherwise create it. + if git ls-remote --exit-code origin "${BRANCH}" >/dev/null 2>&1; then + echo "Branch ${BRANCH} already exists on origin; checking it out." + git fetch origin "${BRANCH}:${BRANCH}" + git checkout "${BRANCH}" + else + echo "Creating new branch ${BRANCH}." + git checkout -b "${BRANCH}" + fi + git add CHANGELOG.md git config user.name "github-actions[bot]" git config user.email "github-actions[bot]@users.noreply.github.com" - git commit -m "docs: update CHANGELOG.md for ${TAG_NAME}" - git push origin "${BRANCH}" - gh pr create \ - --title "docs: update CHANGELOG.md for ${TAG_NAME}" \ - --body "Auto-generated changelog update for ${TAG_NAME}." \ - --base main \ - --head "${BRANCH}" + + # Only commit and push if there are staged changes. + if git diff --cached --quiet; then + echo "No changes to commit on branch ${BRANCH}; skipping commit and push." + else + git commit -m "docs: update CHANGELOG.md for ${TAG_NAME}" + git push origin "${BRANCH}" + fi + + TITLE="docs: update CHANGELOG.md for ${TAG_NAME}" + BODY="Auto-generated changelog update for ${TAG_NAME}." + + # Reuse existing open PR for this branch if present; otherwise create a new one. + PR_NUMBER="$(gh pr list --head "${BRANCH}" --state open --json number --jq '.[0].number' || true)" + + if [ -z "${PR_NUMBER}" ]; then + echo "No existing pull request for ${BRANCH}; creating a new one." + gh pr create \ + --title "${TITLE}" \ + --body "${BODY}" \ + --base main \ + --head "${BRANCH}" + else + echo "Pull request #${PR_NUMBER} already exists for ${BRANCH}; updating title and body." + gh pr edit "${PR_NUMBER}" \ + --title "${TITLE}" \ + --body "${BODY}" + fi From b7846fb17fbb3473b1f6a90563bac8571b2e4686 Mon Sep 17 00:00:00 2001 
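Review bot: `gh pr list ... --jq '.[0].number'` evaluates to `null` when no open PR matches, and gh appears to print that literally, so `PR_NUMBER` becomes the string `null` rather than empty and the script runs `gh pr edit null` instead of creating the PR; use `--jq '.[0].number // empty'` so the `-z` test behaves. The `|| true` also turns an API failure into the create path, which is acceptable for idempotence but deserves a comment saying so. The `No changes to commit` branch skips the push yet still reaches `gh pr create --head "${BRANCH}"`, which fails when the branch was never pushed; guarding the PR step on the branch existing remotely (the `git ls-remote` result is already computed above) would close that gap.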
From: Robert Allen
Date: Mon, 9 Mar 2026 11:14:57 -0400
Subject: [PATCH 3/4] Update .github/workflows/signed-releases.yml
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 .github/workflows/signed-releases.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/signed-releases.yml b/.github/workflows/signed-releases.yml
index fbbd837..ae0a7e5 100644
--- a/.github/workflows/signed-releases.yml
+++ b/.github/workflows/signed-releases.yml
@@ -76,9 +76,9 @@ jobs:
 --repo "${{ github.repository }}" \
 --json body -q .body)
- cat > release_notes.md < release_notes.md
+ cat <<'NOTES' >> release_notes.md
 ## Verification
 All release assets are signed with [Sigstore Cosign](https://github.com/sigstore/cosign).
From 1a795702cd645e6ee39df68aa78b8fabb0de9975 Mon Sep 17 00:00:00 2001
From: Robert Allen
Date: Mon, 9 Mar 2026 11:32:24 -0400
Subject: [PATCH 4/4] fix: use Rng::fill instead of Rng::random for rand 0.9/0.10 compat
Rng::random() was removed in newer rand versions. Rng::fill() is stable across both 0.9 and 0.10.
---
 crates/mcp/oauth/token.rs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/crates/mcp/oauth/token.rs b/crates/mcp/oauth/token.rs
index ecfc8eb..c914768 100644
--- a/crates/mcp/oauth/token.rs
+++ b/crates/mcp/oauth/token.rs
@@ -57,8 +57,8 @@ pub struct TokenResponse {
 /// Generate an opaque refresh token.
 fn generate_refresh_token() -> String {
- use rand::Rng as _;
- let bytes: [u8; 32] = rand::rng().random();
+ let mut bytes = [0u8; 32];
+ rand::fill(&mut bytes);
 base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(bytes)
 }
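Review bot: `generate_refresh_token` now depends on `rand::fill` drawing from a cryptographically secure generator, and neither the function nor its doc comment says so; a reader who later swaps in a faster RNG would silently weaken every refresh token. Extend the doc comment to `/// Generate an opaque refresh token: 32 bytes (256 bits) from rand's default CSPRNG, base64url-encoded without padding. Must not be logged or persisted in plaintext.` Whether `rand::fill` is CSPRNG-backed in both rand 0.9 and 0.10 is a property of those crates rather than of this hunk, so confirm it against the crate docs for the pinned versions. How the token is compared or stored is outside this hunk.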