chore: add CI preflight gate and pin action SHAs #26

Open

jflowers wants to merge 1 commit into unbound-force:main from jflowers:opsx/ci-release-preflight

Conversation

@jflowers (Contributor)

Replace the tag-push release trigger with a workflow_dispatch preflight
gate and pin all GitHub Actions to commit SHAs.

Summary

  • Switch release trigger from push: tags: ['v*'] to workflow_dispatch
    with a tag input
  • Add preflight job with 8 validation steps: branch, tag format, uniqueness,
    semver ordering, CI status, unreleased commits, tag creation, signing secrets
  • Pin all action references to full commit SHAs (checkout v6.0.3, setup-go
    v6.4.0, goreleaser-action v7.2.2)
  • Rename CI job from test to Build and Test (org convention)
  • Add permissions: and concurrency: blocks to CI workflow
  • Scope release workflow permissions per-job (deny-by-default)
  • Update constitution to reflect new release trigger

Breaking Change

Releases can no longer be triggered by pushing a tag. Use:

  • GitHub Actions UI: Actions -> Release -> Run workflow -> enter tag
  • CLI: gh workflow run release.yml -f tag=vX.Y.Z

Fixes: #15

Assisted-by: OpenCode (claude-opus-4-6)

- Switch release trigger from push-tag to workflow_dispatch
  with preflight validation (branch, tag format, uniqueness,
  semver ordering, CI status, unreleased commits)
- Pin all action references to full commit SHAs
- Rename CI job to "Build and Test" (org convention)
- Add permissions and concurrency blocks to CI workflow
- Scope release workflow permissions per-job
- Update constitution to reflect new release trigger
- Include OpenSpec artifacts and retrospective learnings

Fixes: unbound-force#15

Assisted-by: OpenCode (claude-opus-4-6)
Signed-off-by: Jay Flowers <jay.flowers@gmail.com>
@jflowers force-pushed the opsx/ci-release-preflight branch from fc6df19 to 023276d on June 16, 2026 16:38
@jflowers self-assigned this Jun 16, 2026
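As an added example (not code from this PR or from the unbound-force repository), the shell below sketches the first three preflight checks the Summary lists, tag format, uniqueness and semver ordering, as plain functions that a workflow `run:` step could call. The candidate tag and the list of existing tags are read from the environment variables `TAG` and `EXISTING_TAGS`, which is the env-binding pattern the PR relies on: in a workflow step the value would be bound with `env:` from the `workflow_dispatch` input rather than written into the script text. The variable names, function names and sample tag list are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from this PR or the unbound-force repository.
# Names TAG, EXISTING_TAGS and the function names are assumptions.
set -eu

# Tag format: vMAJOR.MINOR.PATCH with an optional pre-release suffix
# (v1.2.3, v1.2.3-rc.1). Anchored at both ends so trailing text is rejected.
check_tag_format() {
  printf '%s\n' "$1" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?$'
}

# Uniqueness: $1 is the candidate, $2 a newline-separated list of existing
# tags (a workflow would feed it `git tag --list` output). Whole-line,
# fixed-string match so v1.2.3 does not collide with v1.2.30.
check_tag_unique() {
  ! printf '%s\n' "$2" | grep -Fxq -- "$1"
}

# Numeric comparison of two format-checked tags; prints -1, 0 or 1.
# Pre-release suffixes are dropped, so only MAJOR.MINOR.PATCH is compared.
semver_cmp() {
  a=${1#v}; a=${a%%-*}
  b=${2#v}; b=${b%%-*}
  old_ifs=$IFS; IFS=.
  set -- $a; a1=$1; a2=$2; a3=$3
  set -- $b; b1=$1; b2=$2; b3=$3
  IFS=$old_ifs
  for pair in "$a1:$b1" "$a2:$b2" "$a3:$b3"; do
    x=${pair%%:*}; y=${pair##*:}
    if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
    if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
  done
  printf '%s\n' 0
}

# Highest existing tag by semver order. Tags that do not parse as semver
# (build-2024, nightly) are skipped instead of aborting the run.
highest_existing() {
  best=
  while IFS= read -r t; do
    [ -n "$t" ] || continue
    check_tag_format "$t" || continue
    if [ -z "$best" ] || [ "$(semver_cmp "$t" "$best")" = 1 ]; then
      best=$t
    fi
  done <<EOF
$1
EOF
  printf '%s\n' "$best"
}

# Run the checks in order and name the first failure. Inputs come only from
# the environment, never from an expression interpolated into this script.
preflight() {
  tag=${TAG:?TAG must be set}
  existing=${EXISTING_TAGS:-}
  check_tag_format "$tag" || { echo "preflight: bad tag format: $tag" >&2; return 1; }
  check_tag_unique "$tag" "$existing" || { echo "preflight: tag already exists: $tag" >&2; return 2; }
  highest=$(highest_existing "$existing")
  if [ -n "$highest" ] && [ "$(semver_cmp "$tag" "$highest")" != 1 ]; then
    echo "preflight: $tag does not sort after highest existing tag $highest" >&2
    return 3
  fi
  echo "preflight: $tag ok (highest existing: ${highest:-none})"
}

# Constructed demo input (not taken from any real repository).
TAG=${TAG:-v0.11.0}
EXISTING_TAGS=${EXISTING_TAGS:-"v0.1.0
v0.2.0
v0.10.0
build-2024"}
preflight
```

Each check returns a distinct non-zero status, so a workflow step can fail fast on the first problem and the job log names it; the remaining steps from the Summary (CI status, unreleased commits, tag creation, signing secrets) need API or repository access and are not modelled here.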

@gxmiranda left a comment

Clean CI/CD hardening change. SHA pins independently verified against GitHub API (all 3 match claimed versions). Shell injection patterns are correct — all untrusted inputs use env bindings, no ${{ }} in run blocks. Permissions follow deny-by-default with per-job scoping. Preflight validation covers branch, tag format, uniqueness, semver ordering, CI status, and unreleased commits with idempotent re-run support. Constitution updated to reflect new trigger.

This review was generated by /review-pr (AI-assisted).

Development

Successfully merging this pull request may close these issues.

chore: add CI gate before release + pin action versions to commit SHAs