ci: restructure release workflow for atomic publish, hard-gate on signing #778
Merged
…ning

Reverses PR #776's soft-fail design and makes the GitHub Release the LAST thing that happens, gated on every prerequisite — including UPM signing.

What changed

- New `prepare-release-notes` job — generates `release.md` in parallel with tests/builds and uploads as `release-notes` artifact.
- New `build-signed-upm-package` job — runs in parallel with tests/builds. Verifies secrets, runs `upm pack`, verifies attestation + filename prefix, uploads `.tgz` as `signed-upm-package` artifact. NOT continue-on-error.
- `release-unity-plugin` is now the atomic publish point. `needs:` extended to include `prepare-release-notes` and `build-signed-upm-package`. Downloads all asset artifacts and creates the GitHub Release + tag with the full asset set in a single `softprops/action-gh-release@v2` call. Release notes read from artifact via `body_path:` and re-exposed as `release_notes` output for `publish_discord`.
- `publish-unity-installer`, `publish-mcp-server`, and `sign-and-publish-upm` jobs REMOVED — collapsed into `release-unity-plugin` so a failed upload cannot strand a release with incomplete assets.
- `publish_discord.needs` / `cleanup-artifacts.needs` re-pointed at `release-unity-plugin` (was: the three removed publish jobs).
- `cleanup-artifacts` extended to delete `signed-upm-package` and `release-notes` artifacts in addition to the existing two.

Hard-gate semantics

- Missing UPM signing secrets cause `build-signed-upm-package` to fail fast with a clear `::error::` message. The release pipeline fails as a whole; no GitHub Release is created.
- `docs/openupm-signing.md` rewritten: all soft-fail language removed; the doc now states signing is a hard gate and that "no GitHub Release is created" without it.

Validation

- `.github/workflows/release.yml` validated with PyYAML — well-formed YAML. Per-job `needs:` graph inspected; no references to removed jobs remain.

(Unity Editor / EditMode tests are not the gate for workflow-YAML diffs; CI on the PR is the authoritative signal, same coping strategy as #776.)

Closes #777
…ndomized heredoc delimiter, doc precision simplify-pass: 1
Contributor
Test Results: 12 files, 564 suites, 46m 30s ⏱️ Results for commit 561dac5.
Summary
- `.github/workflows/release.yml` so the GitHub Release is the last thing that happens, gated on every prerequisite (tests, builds, signed UPM tarball, release notes). All assets are uploaded in a single atomic `softprops/action-gh-release@v2` call.
- `build-signed-upm-package` (extracted from the old `sign-and-publish-upm`) is not `continue-on-error`. Missing UPM signing secrets fail fast and no GitHub Release is created.
- `prepare-release-notes` job decouples notes generation from release creation; release notes are produced in parallel with tests and consumed from an artifact by `release-unity-plugin`.
- `publish-unity-installer`, `publish-mcp-server`, and `sign-and-publish-upm` are removed — their uploads are folded into `release-unity-plugin` so a failed upload cannot strand the release with incomplete assets.
- `publish_discord.needs` and `cleanup-artifacts.needs` re-pointed at `release-unity-plugin` (was: the three removed publish jobs).
- `cleanup-artifacts` extended to delete the two new artifacts.
- `docs/openupm-signing.md` rewritten to remove all soft-fail language and document the hard-gate semantics.

Job graph (after)
Test plan
- `release.yml` validated as well-formed YAML with PyYAML.
- `needs:` graph inspected: no references to removed jobs (`publish-unity-installer`, `publish-mcp-server`, `sign-and-publish-upm`) remain in `publish_discord.needs` or `cleanup-artifacts.needs`.
- `build-signed-upm-package` and `prepare-release-notes` confirmed to run in parallel with tests (neither depends on `release-unity-plugin`).
- `release-unity-plugin.needs` includes both new jobs plus all existing test/build deps.
- `build-signed-upm-package` confirmed NOT `continue-on-error` (hard gate).
- `docs/openupm-signing.md` no longer contains soft-fail language; explicitly states "no GitHub Release is created" without signing.
- `release` workflow is `push: main`-only, so the canonical signal here is the existing `test-cli`/`test-pull-request` workflows running on the PR; the restructured release workflow runs end-to-end on the next merge to `main`).

Closes #777
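
The job-graph checks from the test plan, written as a script over the parsed `jobs:` mapping so they can run in CI instead of by inspection. This is an added example, not code from the PR or the project; the `test` and `build` job names and both sample graphs are constructed.

```python
# Job names are taken from the PR description; "test" and "build" are assumed.
REMOVED = {"publish-unity-installer", "publish-mcp-server", "sign-and-publish-upm"}
PUBLISH = "release-unity-plugin"
GATES = ["build-signed-upm-package", "prepare-release-notes"]

def needs_of(job):
    """Normalize `needs:`, which may be absent, a string, or a list."""
    needs = job.get("needs", [])
    return [needs] if isinstance(needs, str) else list(needs)

def upstream(jobs, name):
    """Every job that `name` transitively waits on."""
    seen, stack = set(), needs_of(jobs[name])
    while stack:
        dep = stack.pop()
        if dep not in seen:
            seen.add(dep)
            stack.extend(needs_of(jobs.get(dep, {})))
    return seen

def check_release_graph(jobs):
    """Return findings; an empty list means the hard gate holds."""
    findings = [f"removed job still defined: {n}" for n in jobs if n in REMOVED]
    for name, job in jobs.items():
        for dep in needs_of(job):
            if dep in REMOVED or dep not in jobs:
                findings.append(f"{name} needs missing job: {dep}")
    for gate in GATES:
        if gate not in jobs:
            findings.append(f"gate job not defined: {gate}")
            continue
        if gate not in needs_of(jobs.get(PUBLISH, {})):
            findings.append(f"{PUBLISH} does not need {gate}")
        if jobs[gate].get("continue-on-error"):
            findings.append(f"{gate} is continue-on-error (soft gate)")
        if PUBLISH in upstream(jobs, gate):
            findings.append(f"{gate} waits on {PUBLISH}, not parallel")
    return findings

# Constructed graphs, shaped like yaml.safe_load(workflow_text)["jobs"].
GOOD = {
    "test": {}, "build": {"needs": "test"},
    "prepare-release-notes": {}, "build-signed-upm-package": {},
    PUBLISH: {"needs": ["test", "build", *GATES]},
    "publish_discord": {"needs": PUBLISH},
    "cleanup-artifacts": {"needs": [PUBLISH, "publish_discord"]},
}
BAD = {**GOOD, "build-signed-upm-package": {"continue-on-error": True},
       "publish_discord": {"needs": "publish-mcp-server"}}
```

`check_release_graph(GOOD)` returns no findings; `BAD` reintroduces a soft-fail signing job and a dangling reference to a removed publish job, and both are reported.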