Skip to content

feat: auto-release on tracked upstream version bump#446

Open
fzipi wants to merge 1 commit into
mainfrom
feat/auto-release-on-upstream-bump
Open

feat: auto-release on tracked upstream version bump#446
fzipi wants to merge 1 commit into
mainfrom
feat/auto-release-on-upstream-bump

Conversation

@fzipi

@fzipi fzipi commented Jul 3, 2026

Copy link
Copy Markdown
Member

Summary

  • Adds .github/workflows/auto-release.yml, triggered on push to main when docker-bake.hcl changes
  • Compares the modsec2-version, modsec3-version, httpd-version, and nginx-version values before/after the push; if any changed, it creates a release/YYYYMMDD tag (with a numeric suffix on same-day collisions) and a GitHub release
  • Adds workflow_call (with explicit dockerhub_user/dockerhub_token secret inputs) to publish.yml so the new workflow can invoke the build-and-push job directly, without depending on GITHUB_TOKEN-created releases re-triggering the release: published event (which GitHub Actions does not do)

Test plan

  • actionlint / zizmor pass on both workflow files
  • Merge a PR that bumps one of the four tracked versions in docker-bake.hcl and confirm a release is tagged and images are published
  • Merge a PR that changes docker-bake.hcl without touching the tracked versions (e.g. a CRS bump) and confirm no release is created

AI Disclosure

Per the project's AI-Assisted Contribution Policy:

  1. AI tools used: Claude (Sonnet 5, via Claude Code)
  2. What was generated or assisted: Design and implementation of .github/workflows/auto-release.yml (diffing tracked version variables in docker-bake.hcl between pushes, tagging/creating the release with same-day collision handling) and the workflow_call addition to publish.yml with explicit secret inputs, needed because GitHub Actions doesn't let a GITHUB_TOKEN-created release re-trigger the release: published event.
  3. Review performed: actionlint and zizmor run against both workflow files (zero findings). I reviewed the job/permission structure and the version-diff logic myself before publishing; the actual tag-and-publish path is still marked as unverified in the test plan below pending a real merge that bumps one of the tracked versions.

Summary by CodeRabbit

  • New Features
    • Added an automated release workflow that detects version changes on main and creates a new release tag when upstream versions change.
    • Release notes are generated automatically and published artifacts/images are kicked off from the release process.
  • Chores
    • Updated the publishing workflow to require Docker Hub credentials when triggered by another workflow.

Adds a workflow that watches docker-bake.hcl for changes to
modsec2-version, modsec3-version, httpd-version, or nginx-version.
When one of these changes lands on main, it tags and creates a
GitHub release, then invokes the publish workflow directly as a
reusable workflow so the images build and push without waiting for
the next manual release.
@coderabbitai

coderabbitai Bot commented Jul 3, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Adds a new GitHub Actions workflow (auto-release.yml) that detects version bumps in docker-bake.hcl on pushes to main, creates a date-based release tag, and triggers the reusable publish.yml workflow. The publish.yml workflow now declares required dockerhub_user and dockerhub_token secrets.

Changes

Auto-release Workflow

Layer / File(s) Summary
Version bump detection
.github/workflows/auto-release.yml
Adds trigger on docker-bake.hcl changes to main and a check-version-bump job comparing version variables (modsec2/3, httpd, nginx) between commits via git/awk to set a bumped output.
Tagging, release, and publish wiring
.github/workflows/auto-release.yml, .github/workflows/publish.yml
Adds tag-and-release job creating a date-based release tag and GitHub release, and a publish job calling publish.yml with DockerHub secrets; publish.yml now requires dockerhub_user and dockerhub_token as workflow_call secrets.

Estimated code review effort: 2 (Simple) | ~10 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Push as Push to main
  participant CheckJob as check-version-bump
  participant TagJob as tag-and-release
  participant PublishJob as publish
  participant PublishWF as publish.yml

  Push->>CheckJob: trigger on docker-bake.hcl change
  CheckJob->>CheckJob: compare versions (before vs current SHA)
  CheckJob-->>TagJob: bumped=true
  TagJob->>TagJob: create release tag
  TagJob->>TagJob: gh release create
  TagJob-->>PublishJob: release created
  PublishJob->>PublishWF: call workflow with dockerhub_user, dockerhub_token
Loading

Related issues: None specified.

Related PRs: None specified.

Suggested labels: ci, github-actions

Suggested reviewers: None specified.

🐰 A hop, a bump, a version's shift,
New tags emerge, a release gift,
Workflows dance from push to pack,
DockerHub keys unlock the track,
The carrot's won—automation's lift!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: an automated release triggered by tracked upstream version bumps.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/auto-release-on-upstream-bump

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/auto-release.yml:
- Around line 66-82: Add workflow-level concurrency to the auto-release workflow
so only one release run on main can create tags at a time. The issue is in the
Create release tag and GitHub release step: the gh api loop in tag-and-release
is a non-atomic existence check, so overlapping runs can still pick the same tag
and collide. Fix it by adding a top-level concurrency group keyed to the
workflow/ref so runs serialize before reaching gh release create, and keep the
tag-generation logic in the tag-and-release job as the unique symbol to locate.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: ce7ea26f-1d71-47ed-b33d-760eddb544e7

📥 Commits

Reviewing files that changed from the base of the PR and between b015e92 and 81046cb.

📒 Files selected for processing (2)
  • .github/workflows/auto-release.yml
  • .github/workflows/publish.yml

Comment on lines +66 to +82
- name: Create release tag and GitHub release
env:
GH_TOKEN: ${{ github.token }}
run: |
set -euo pipefail
base="release/$(date -u +%Y%m%d)"
tag="$base"
suffix=1
while gh api "repos/${{ github.repository }}/git/ref/tags/$tag" >/dev/null 2>&1; do
tag="${base}-${suffix}"
suffix=$((suffix + 1))
done

gh release create "$tag" \
--target "${{ github.sha }}" \
--title "$tag" \
--generate-notes

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Race window in tag-existence check; no run-level concurrency control.

Two pushes to main touching docker-bake.hcl in quick succession can trigger overlapping workflow runs. Both tag-and-release jobs would independently loop-check git/ref/tags/$tag, and since the existence check and the gh release create call aren't atomic, both could pass the check for the same $tag before either creates it, causing one run to fail with a duplicate-tag error. Additionally, since only the gh api exit code is checked, a transient non-404 failure (auth hiccup, rate limit, network blip) would be indistinguishable from "tag not found" and cause the script to proceed as if the name were free.

Add a workflow-level concurrency group to serialize runs on main.

🔒 Suggested fix
 on:
   push:
     branches: [main]
     paths:
       - docker-bake.hcl
 
+concurrency:
+  group: auto-release-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false
+
 permissions: {}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/auto-release.yml around lines 66 - 82, Add workflow-level
concurrency to the auto-release workflow so only one release run on main can
create tags at a time. The issue is in the Create release tag and GitHub release
step: the gh api loop in tag-and-release is a non-atomic existence check, so
overlapping runs can still pick the same tag and collide. Fix it by adding a
top-level concurrency group keyed to the workflow/ref so runs serialize before
reaching gh release create, and keep the tag-generation logic in the
tag-and-release job as the unique symbol to locate.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant