Skip to content

ci: bump actions + dynamic go version + auto-release + badge fix#14

Merged
aksOps merged 3 commits into
mainfrom
ci-bump-actions
Apr 22, 2026
Merged

ci: bump actions + dynamic go version + auto-release + badge fix#14
aksOps merged 3 commits into
mainfrom
ci-bump-actions

Conversation

@aksOps

@aksOps aksOps commented Apr 19, 2026

Copy link
Copy Markdown
Contributor

Summary

Three CI hygiene items in one PR.

1. Action bumps

Action Before After
actions/checkout v4 v6
actions/setup-go v5 v6
actions/setup-node v4 v6
actions/cache v4 v5
actions/upload-artifact v4 v7
actions/download-artifact v4 v8

2. Dynamic Go version

`setup-go` now reads `go-version-file: go.mod` (currently `go 1.25.0`) instead of a hard-pinned `1.22`. Bumping `go.mod` is the single source of truth — no pipeline drift.

Node 20 → 22 LTS (runner warned about deprecation).

3. Release automation

  • New `.github/workflows/release.yml` — every push to `main` increments the beta counter and cuts a prerelease with auto-generated notes. Prior releases were cut by hand; 32 betas exist and everything after `beta.32` was unreleased.
  • README `Release` badge gets `?include_prereleases&sort=semver` so it tracks the latest beta correctly (bare badge was stuck on `v0.0.0-beta` because shields.io looks for stable releases).
  • `v0.0.0-beta.33` was cut manually off `main` while this PR was in flight.

Test plan

  • CI green on this PR
  • `ui-dist` artifact v7 upload → v8 download round-trips cleanly
  • After merge: the release workflow runs and cuts `v0.0.0-beta.34`
  • Release badge updates to reflect latest beta

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores

    • Updated CI/CD workflow infrastructure and action versions to maintain compatibility with the latest development tools and environments
  • New Features

    • Added automated beta release workflow that automatically generates and publishes new beta releases when code is pushed to the main branch
  • Documentation

    • Updated project release badge to display prerelease versions alongside stable releases with semantic version sorting

aksOps and others added 3 commits April 19, 2026 08:54
- actions/checkout v4 → v6
- actions/setup-go v5 → v6, go-version-file: go.mod (was hard-pinned 1.22)
- actions/setup-node v4 → v6, node 20 → 22 LTS (Node 20 deprecated on runners)
- actions/cache v4 → v5
- actions/upload-artifact v4 → v7
- actions/download-artifact v4 → v8

Go version is now driven by go.mod (currently 1.25.0) so bumping go.mod is
the single source of truth — no more drift between pipeline and code.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- New release.yml: every push to main finds the latest v0.0.0-beta.N tag,
  increments N, pushes the tag, and creates a prerelease with auto-
  generated notes. Concurrency-guarded so two rapid merges don't race.
- README Release badge adds ?include_prereleases&sort=semver — tracks
  the latest beta.N correctly (the bare badge was stuck on v0.0.0-beta
  because shields.io couldn't find a stable release).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Apr 19, 2026

Copy link
Copy Markdown
📝 Walkthrough

Walkthrough

Updates CI workflow action versions and toolchain configurations, adds a new automated beta release workflow triggered on main branch pushes that computes and creates semantic beta tags, and updates the Release badge URL to include prereleases with semantic versioning.

Changes

Cohort / File(s) Summary
CI Workflow Updates
.github/workflows/ci.yml
Updated GitHub Actions to latest versions (checkout v4→v6, setup-node v4→v6, setup-go v5→v6, cache v4→v5, upload-artifact v4→v7, download-artifact v4→v8). Node.js version bumped from 20 to 22, Go version switched from hardcoded 1.22 to dynamic go-version-file: go.mod reference.
Release Automation
.github/workflows/release.yml
New workflow for automated beta releases on main branch pushes. Computes next beta tag (v0.0.0-beta.) by parsing existing tags semantically, creates and pushes git tag, then creates GitHub prerelease via gh CLI with generated release notes.
Documentation
README.md
Updated Release badge shields.io URL to include ?include_prereleases&sort=semver parameters for displaying prerelease versions with semantic sorting.

Sequence Diagram

sequenceDiagram
    participant GHA as GitHub Actions
    participant Git as Git Repository
    participant API as GitHub API
    
    GHA->>Git: Checkout full history
    GHA->>Git: Query existing tags (v0.0.0-beta.*)
    GHA->>GHA: Sort tags semantically
    GHA->>GHA: Compute next beta tag
    GHA->>Git: Create new tag
    GHA->>Git: Push tag to remote
    GHA->>API: Create prerelease via gh CLI
    API-->>GHA: Prerelease created
Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Poem

🐰 Hop, hop, the actions dance anew,
From version old to version true,
A beta tag computes with care,
And releases float through the air!

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main changes: CI action version updates, dynamic Go version from go.mod, auto-release workflow addition, and badge fix.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch ci-bump-actions

Comment @coderabbitai help to get the list of available commands and usage tips.

@aksOps aksOps changed the title ci: bump actions to latest + dynamic go version from go.mod ci: bump actions + dynamic go version + auto-release + badge fix Apr 19, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (1)
.github/workflows/ci.yml (1)

69-72: Avoid double-caching Go dependencies/build artifacts

Line 69 and Line 120 use actions/setup-go@v6, which enables caching by default. Keeping explicit actions/cache@v5 (Line 78 and Line 125) likely duplicates cache work and can slow CI.

♻️ Suggested minimal fix (keep your custom cache keys)
       - uses: actions/setup-go@v6
         with:
           go-version-file: go.mod
+          cache: false
...
       - uses: actions/setup-go@v6
         with:
           go-version-file: go.mod
+          cache: false

Also applies to: 78-87, 120-123, 125-131

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yml around lines 69 - 72, The workflow currently
double-caches Go artifacts by using actions/setup-go@v6 (which enables caching
by default) together with explicit actions/cache@v5 steps; pick one approach:
either remove the explicit actions/cache@v5 steps (the custom cache steps) or
disable setup-go's built-in cache by adding cache: "false" to the
actions/setup-go@v6 steps, and preserve your custom cache keys if you keep
actions/cache@v5; update the steps referencing actions/setup-go@v6 and
actions/cache@v5 accordingly so caching is only handled once.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/release.yml:
- Around line 12-14: The workflow-level concurrency group "release-main" causes
newer queued runs to replace older pending runs; to ensure every main push
produces a release, make the concurrency key unique per run (e.g. change group
to include a run-specific expression like release-${{ github.sha }} or
release-${{ github.run_id }}) while keeping cancel-in-progress as needed; update
the concurrency block (symbols: concurrency, group, cancel-in-progress) so each
push has its own group and won't be skipped.
- Line 21: Replace the mutable action reference "actions/checkout@v6" with a
pinned full commit SHA for the actions/checkout step in the release workflow;
locate the "uses: actions/checkout@v6" entry in the release.yml and update it to
"uses: actions/checkout@<full-commit-sha>" (the latest verified commit for
actions/checkout) so the workflow that has contents: write permission is not
using a mutable tag.

---

Nitpick comments:
In @.github/workflows/ci.yml:
- Around line 69-72: The workflow currently double-caches Go artifacts by using
actions/setup-go@v6 (which enables caching by default) together with explicit
actions/cache@v5 steps; pick one approach: either remove the explicit
actions/cache@v5 steps (the custom cache steps) or disable setup-go's built-in
cache by adding cache: "false" to the actions/setup-go@v6 steps, and preserve
your custom cache keys if you keep actions/cache@v5; update the steps
referencing actions/setup-go@v6 and actions/cache@v5 accordingly so caching is
only handled once.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 11df5269-ea22-4cca-afa6-c350ea2ed88e

📥 Commits

Reviewing files that changed from the base of the PR and between 353243d and b799bff.

📒 Files selected for processing (3)
  • .github/workflows/ci.yml
  • .github/workflows/release.yml
  • README.md

Comment on lines +12 to +14
concurrency:
group: release-main
cancel-in-progress: false

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Fixed concurrency group can skip releases for intermediate pushes

Line 13 uses a single workflow-level concurrency key. With GitHub Actions concurrency semantics, older pending runs in the same group are replaced by newer queued runs, so not every main push will get a prerelease.

In GitHub Actions workflow-level concurrency, does a new queued run replace an existing pending run in the same concurrency group when cancel-in-progress is false?
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml around lines 12 - 14, The workflow-level
concurrency group "release-main" causes newer queued runs to replace older
pending runs; to ensure every main push produces a release, make the concurrency
key unique per run (e.g. change group to include a run-specific expression like
release-${{ github.sha }} or release-${{ github.run_id }}) while keeping
cancel-in-progress as needed; update the concurrency block (symbols:
concurrency, group, cancel-in-progress) so each push has its own group and won't
be skipped.

name: auto-tag + release
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
# Verify mutable action refs in workflow files
fd -p '.github/workflows/*.yml' | xargs rg -nP 'uses:\s*[^@]+@v[0-9]+'
# Expected after hardening: no matches

Repository: RandomCodeSpace/docsiq

Length of output: 332


🏁 Script executed:

cat -n .github/workflows/release.yml | head -30

Repository: RandomCodeSpace/docsiq

Length of output: 874


🏁 Script executed:

cat -n .github/workflows/release.yml

Repository: RandomCodeSpace/docsiq

Length of output: 1701


Pin action to a commit SHA in this write-scoped workflow

Line 21 uses a mutable major tag (actions/checkout@v6) in a workflow with contents: write permissions (line 10). Pinning to a full commit SHA reduces supply-chain risk.

🔒 Suggested hardening
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@dcd71f646680f2efd8db4ead08a20234aee33c24
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- uses: actions/checkout@v6
- uses: actions/checkout@dcd71f646680f2efd8db4ead08a20234aee33c24
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml at line 21, Replace the mutable action
reference "actions/checkout@v6" with a pinned full commit SHA for the
actions/checkout step in the release workflow; locate the "uses:
actions/checkout@v6" entry in the release.yml and update it to "uses:
actions/checkout@<full-commit-sha>" (the latest verified commit for
actions/checkout) so the workflow that has contents: write permission is not
using a mutable tag.

@aksOps aksOps merged commit 4c1cf16 into main Apr 22, 2026
9 checks passed
@aksOps aksOps deleted the ci-bump-actions branch April 22, 2026 23:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant