Skip to content

feat(_release-rust): draft→upload→publish for immutable releases#110

Merged
emmanuelm41 merged 1 commit into
mainfrom
feat/release-immutable-draft-publish
Jul 1, 2026
Merged

feat(_release-rust): draft→upload→publish for immutable releases#110
emmanuelm41 merged 1 commit into
mainfrom
feat/release-immutable-draft-publish

Conversation

@emmanuelm41

@emmanuelm41 emmanuelm41 commented Jul 1, 2026

Copy link
Copy Markdown
Member

What

Change the reusable Rust release workflow's release job from create-published-then-upload to create-draft → upload assets → publish.

Why

GitHub immutable releases (GA) lock a release's git tag and assets at publish time — once published, assets can't be added, modified, or deleted. The prior flow published first (gh release create with no --draft) then uploaded assets, so with immutability enabled the post-publish gh release upload would be rejected and every release would break. GitHub's required flow is: create draft → attach all assets → publish. This PR implements exactly that.

Backward-compatible

The final state is an identical published release with all assets attached — repos without immutability enabled see no functional difference. Because of that, the plan is not to split old/new behavior across tags: after merge, both the v10 and v11 moving tags advance to this commit (they currently point at the same commit and stay in lockstep). Consumers on either tag get the new flow; nobody is left behind.

Details:

  • The publish transition (gh release edit --draft=false) still fires the release: published event downstream workflows trigger on — now at the end of the job rather than the start.
  • release_draft: true still works: the draft is left unpublished for manual review (auto-publish skipped). Description updated to match.
  • Pre-release / --latest=false attributes are set at create time and persist through the publish transition.

Context

Enables immutable releases for kunobi-ninja/kache — refs kunobi-ninja/kache#481 (kache-side doc PR: kunobi-ninja/kache#482).

GitHub immutable releases lock a release's tag and assets at publish
time — assets can no longer be added, modified, or deleted once
published. The prior flow created the release already-published and
uploaded assets afterward, which is incompatible: the post-publish
uploads would be rejected.

Always create the release as a draft, attach every asset, then flip it
to published as the final step (unless release_draft asks to stop at the
draft for manual review). The publish transition still fires the
`release: published` event downstream workflows depend on, and the
final state is identical for repos without immutability enabled, so this
is backward-compatible.

Refs kunobi-ninja/kache#481
emmanuelm41 added a commit to kunobi-ninja/kache that referenced this pull request Jul 1, 2026
This repo will have GitHub immutable releases enabled — publishing a
release locks its tag + assets. That requires the reusable release
workflow to create a draft, attach all assets, then publish (see
Zondax/_workflows#110), which the pinned @v10 tag now carries. Document
that constraint on the release job so the pin isn't rolled back to a
tag predating the draft→publish flow.

No functional change (pin stays @v10).

Closes #481
@emmanuelm41 emmanuelm41 merged commit f78aa3c into main Jul 1, 2026
1 check passed
@emmanuelm41 emmanuelm41 deleted the feat/release-immutable-draft-publish branch July 1, 2026 20:56
emmanuelm41 added a commit that referenced this pull request Jul 1, 2026
#111)

The draft→upload→publish change (#110) made the publish transition
(gh release edit --draft=false) run as GITHUB_TOKEN / github-actions[bot].
GitHub suppresses workflow triggers for events produced by GITHUB_TOKEN,
so the resulting release: published event was sterile — downstream
release-triggered workflows (crates publish, package publish) never ran.

Publish with the caller's release PAT (secrets.pgp_signer_token) when
provided, falling back to GITHUB_TOKEN. A PAT-authored publish cascades,
restoring the pre-#110 behavior where the direct create-publish (also
authored by the PAT) triggered downstream release workflows.

Refs kunobi-ninja/kache#481
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant