feat(ci): additional Improvements

[grdsdev]

Summary

This PR implements Phase 5: Additional Improvements from the workflow improvement plan tracked in SDK-516.

Changes

1. Extract Release Command to Script

Problem: The release-tag workflow had a complex inline melos command that was hard to read, maintain, and debug.

Solution:

• Created .github/scripts/trigger-package-releases.sh script
• Extracted the complex melos exec command with proper error handling
• Added informative logging for each package processed
• Made the script self-documenting with comments
• Improved debugging with clear error messages

Benefits:

• Better code organization and maintainability
• Easier to test and debug release logic
• Clear separation between workflow orchestration and business logic
• Can be run locally for testing

2. Enhanced Error Handling for Release Workflows

Problem: When release workflows failed, it was hard to quickly identify what went wrong.

Solution:

release-tag.yml:

• Added step ID to track trigger success/failure
• Added workflow summary showing:
  • Overall status with visual indicators (✅/❌)
  • Commit message that triggered the workflow
  • Git ref being processed
• Summary helps quickly diagnose failures without digging through logs

release-publish.yml:

• Added step IDs for publish and release creation
• Added comprehensive workflow summary showing:
  • Pub.dev publishing status
  • GitHub release creation status
  • Overall package release status with celebration emoji
• Clear indication of which step failed

Benefits:

• Faster debugging and issue identification
• Better visibility into release pipeline status
• Improved developer experience

3. Dependency Vulnerability Scanning

Problem: No proactive monitoring of dependency vulnerabilities or outdated packages.

Solution:

• Created new dependency-scan.yml workflow
• Scheduled Scanning: Runs weekly on Mondays at 9:00 UTC
• PR Integration: Triggers on pubspec.yaml/pubspec.lock changes
• Manual Trigger: Can be run on-demand via workflow_dispatch
• Two-Phase Scanning:
  1. Outdated Dependencies: Uses dart pub outdated to check for available updates
  2. Security Audit: Checks for known vulnerabilities in dependencies
• Comprehensive Reporting:
  • Per-package reports for all packages in the monorepo
  • Formatted summaries in GitHub Actions UI
  • Artifacts uploaded with 30-day retention
• Non-Blocking: Uses continue-on-error to ensure complete scan even if some packages fail

Benefits:

• Proactive security monitoring
• Early detection of vulnerable dependencies
• Helps maintain up-to-date dependencies
• Compliance with security best practices
• Reduces security technical debt

Files Changed

New Files:

• .github/scripts/trigger-package-releases.sh - Release triggering script
• .github/workflows/dependency-scan.yml - Vulnerability scanning workflow

Modified Files:

• .github/workflows/release-tag.yml - Uses new script, added summaries
• .github/workflows/release-publish.yml - Added error handling and summaries

Technical Details

Script Implementation:

• Bash script with proper error handling (set -e)
• Validates required environment variables
• Processes packages in dependency order
• Clear logging for debugging
• Exit codes properly propagated

Workflow Summaries:

• Use $GITHUB_STEP_SUMMARY for formatted output
• Conditional rendering based on step outcomes
• Visual indicators for quick status assessment
• Always run (if: always()) to show results even on failure

Dependency Scanning:

• Runs against all packages in monorepo
• Generates markdown reports
• Integrates with GitHub Actions artifacts
• Scheduled for minimal disruption
• Can be triggered manually for immediate scans

Testing

This PR should be tested by:

• Verifying the trigger script works in a release scenario
• Checking that workflow summaries appear correctly
• Running the dependency scan workflow manually
• Verifying reports are uploaded as artifacts
• Ensuring release workflows still fail appropriately when steps fail

Related Issues

• Completes Phase 5 of SDK-516
• Related to PR ci: improve GitHub Actions workflows reliability and performance #1265 (Phases 1-3) and PR feat(ci): Phase 4 - Developer Experience Improvements #1266 (Phase 4)

Security Considerations

The dependency scan workflow:

• Uses contents: read permission (minimal access)
• Only writes to security-events and issues for reporting
• Does not automatically update dependencies (manual review required)
• Reports are uploaded as artifacts for review

🤖 Generated with Claude Code

[grdsdev]

🔔 Slack Notifications Added

Added comprehensive Slack notification system for release workflows, following the implementation pattern from supabase-js.

What's New

1. Reusable Slack Notification Workflow

Created .github/workflows/slack-notify.yml - a reusable workflow that:

• Sends formatted messages with rich Slack blocks
• Includes status indicators (✅ for success, ❌ for failure, ℹ️ for info)
• Displays:
  • Repository and workflow information
  • Branch and triggering actor
  • Commit details with SHA
  • Version and package information (when available)
• Provides action buttons:
  • "View Workflow Run" - Direct link to the GitHub Actions run
  • "View Commit" - Direct link to the commit

2. Release Publish Notifications

Updated release-publish.yml to send Slack notifications:

• Success notification: Sent when package is successfully published to pub.dev and GitHub release is created
• Failure notification: Sent when publishing fails
• Includes the package version in the notification

3. Release Tag Notifications

Updated release-tag.yml to send Slack notifications:

• Success notification: Sent when release tags are successfully created
• Failure notification: Sent when tag creation fails
• Helps track the start of the release pipeline

Configuration Required

To enable Slack notifications, the repository needs:

• Secret: SLACK_CLIENT_LIBS_WEBHOOK containing the Slack webhook URL
• This should point to the appropriate Slack channel for Flutter SDK notifications

Benefits

• Real-time visibility: Team is immediately notified of releases
• Failure awareness: Quick notification when releases fail
• Better collaboration: Centralized release notifications in Slack
• Consistent pattern: Matches supabase-js implementation

Example Notification

The Slack message will look like:

✅ Package Release - success

Repository: supabase/supabase-flutter
Workflow: Publish Packages
Branch: gotrue-v2.0.0
Triggered by: username

Commit: abc1234 - chore(release): publish packages
Version: gotrue-v2.0.0

[View Workflow Run] [View Commit]

---

Additional: Also added a badge for the dependency-scan workflow to the README.

[coveralls]

Pull Request Test Coverage Report for Build 19304934579

Details

• 0 of 0 changed or added relevant lines in 0 files are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage remained the same at 79.75%

---

Totals
Change from base Build 19299130655:	0.0%
Covered Lines:	3320
Relevant Lines:	4163

---

💛 - Coveralls

[github-actions]

This pull request has been inactive for 90 days.
It will be automatically closed in 14 days if there is no further activity.

If you plan to continue working on this PR, please leave a comment to keep it open.