name: canary / publish # Discoverable, one-click canary publisher. Surfaces in the Actions tab so any # maintainer can publish a prerelease of the branch they're working on without # learning the manual `canary/*` branch + dispatch dance. # # IMPORTANT: this workflow does NOT publish to npm itself. It ORCHESTRATES # publish-release.yml, which holds the SINGLE npm OIDC trusted-publisher binding # (see that file's header). Adding a second npm-publishing entry point would # break OIDC for every @copilotkit/* package. The npm trusted publishers for # the @copilotkit packages are bound to publish-release.yml + the `npm` # environment. # # Why a separate orchestrator instead of a flag inside publish-release.yml: # The `npm` GitHub Environment's deployment-branch policy is evaluated against # the ref a run is TRIGGERED on — NOT against branches created mid-run. So # publish-release.yml can only publish a canary when its run's ref already # matches the policy (`canary/*`). Creating a branch inside a run triggered on # `feature/*` does not change that run's ref, so it would still be rejected. # This workflow therefore runs on any non-main branch, mirrors it to a # short-lived `canary/` ref, dispatches publish-release.yml ON that ref # (clearing the env gate), waits for it, then deletes the ref. # # Token: the branch create/delete and the cross-workflow dispatch use the # devops-bot GitHub App token, NOT the default GITHUB_TOKEN. Events authenticated # with GITHUB_TOKEN do not start new workflow runs (recursion prevention), so the # delegated publish-release run would silently never fire. on: workflow_dispatch: inputs: scope: description: "Package scope to publish a canary for. Regenerated from release.config.json — do NOT hand-edit (the release-scope-dropdown-sync CI guard enforces parity)." required: true type: choice options: - monorepo - angular - channels - channels-discord - channels-intelligence - channels-slack - channels-teams - channels-telegram - channels-whatsapp suffix: description: "Prerelease suffix (e.g. 'fix-user-issue'); blank = unix timestamp. Allowed: [a-zA-Z0-9._-]+. Reuse a suffix only if the base version moved, else the publish collides." required: false type: string dry_run: # NOTE: this orchestrator exposes `dry_run` (underscore, matching ag-ui's # convention), but publish-release.yml's input is `dry-run` (hyphen). # The dispatch step below maps `dry_run` → `-f dry-run=` accordingly. description: "Dry run: build + detect but do NOT publish to npm. Useful for previewing what would ship." required: false default: false type: boolean concurrency: # Serialize repeated dispatches on the same source branch FOR THE SAME SCOPE. # Cross-branch ref races are independently prevented by making the canary ref # unique per run (slug + github.run_id, see the slug step below). # The scope is folded into the key so canaries for different scopes (e.g. # `monorepo` vs `angular`) on the same branch run in independent lanes instead # of queuing behind each other (cancel-in-progress: false). group: canary-publish-${{ inputs.scope }}-${{ github.ref }} cancel-in-progress: false permissions: # The job's own GITHUB_TOKEN does nothing privileged — every write goes through # the App token minted below. contents: read jobs: canary: runs-on: ubuntu-latest # The delegated publish-release run can take up to ~40 min worst case # (build ~20 + publish ~20); this orchestrator's ceiling must exceed it, # otherwise a timeout-kill triggers ref cleanup mid-publish (yanking the # canary ref out from under a still-running publish). publish-release.yml # also carries a GLOBAL `concurrency: group: publish-release, # cancel-in-progress: false`, so our delegated run can sit QUEUED behind # an unrelated release for a long time before it even starts; the ceiling # must budget that queue time on top of the ~40-min worst case. timeout-minutes: 90 steps: - name: Guard ref # Canary publishes are for non-main BRANCHES only. Block main (use the # stable release flow) and block non-branch refs such as tags (a tag # dispatch would otherwise canary-publish from the tagged commit). if: github.ref == 'refs/heads/main' || !startsWith(github.ref, 'refs/heads/') # Pass github.ref via env (matches "Validate suffix" discipline) so the # ref name is never interpolated into the shell — tag/branch names may # contain shell metacharacters and direct ${{ }} interpolation here # would be an expression-injection sink. env: REF: ${{ github.ref }} run: | echo "::error::Canary publishes are for non-main branches only (got '$REF'). To release from main, use the 'release / create-pr' workflow (stable-release.yml) → merge the release PR, or 'release / publish' with mode=stable for retries." exit 1 - name: Validate suffix if: inputs.suffix != '' env: SUFFIX: ${{ inputs.suffix }} run: | set -euo pipefail # Validate BEFORE any side effect (token mint, ref creation) so a bad # suffix can't leave an orphaned canary ref behind. Bash regex matches # the WHOLE string (grep matches per line and would accept a multi-line # value whose first line is valid). if ! [[ "$SUFFIX" =~ ^[a-zA-Z0-9._-]+$ ]]; then echo "::error::Invalid suffix '$SUFFIX'. Allowed: [a-zA-Z0-9._-]+ (blank = unix timestamp)." exit 1 fi - name: Mint devops-bot token id: app-token uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 with: app-id: 1108748 private-key: ${{ secrets.DEVOPS_BOT_PRIVATE_KEY }} # Scoped permissions (v3+): contents=write for create/delete of the # canary ref; actions=write to dispatch publish-release.yml and watch # the delegated run. No other scopes are needed. permission-contents: write permission-actions: write - name: Compute canary branch name id: slug env: REF_NAME: ${{ github.ref_name }} run: | set -euo pipefail # Byte-deterministic (LC_ALL=C) transform collapsing the source ref to a # single path segment under canary/ so it matches the `canary/*` # deployment-branch policy. tr -s collapses same-char runs (so no `..`), # and the sed fully strips any leading/trailing `.`/`-` runs. export LC_ALL=C SLUG=$(printf '%s' "$REF_NAME" | tr '/' '-' | tr -c 'a-zA-Z0-9._-' '-' | tr -s '.-') SLUG=$(printf '%s' "$SLUG" | sed -E 's/^[.-]+//; s/[.-]+$//') if [ -z "$SLUG" ]; then echo "::error::Could not derive a canary slug from ref '$REF_NAME'" exit 1 fi # Append run id AND attempt so every dispatch — including a re-run of # this same orchestration — owns a UNIQUE canary ref. This prevents two # dispatches whose source branches slugify to the same value (or a # re-run reusing the run id) from racing one shared ref, and keeps run # discovery below unambiguous (exactly one publish run per ref). REF_SUFFIX="${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}" echo "branch=canary/${SLUG}-${REF_SUFFIX}" >> "$GITHUB_OUTPUT" echo "Canary branch: canary/${SLUG}-${REF_SUFFIX}" - name: Create or update canary ref env: GH_TOKEN: ${{ steps.app-token.outputs.token }} BRANCH: ${{ steps.slug.outputs.branch }} SHA: ${{ github.sha }} run: | set -euo pipefail # Point canary/ at the dispatched ref's HEAD. The ref is unique # per run AND attempt (slug + run_id + run_attempt — re-runs increment # the attempt), so the "already exists" arm is defense-in-depth and # should be unreachable in practice. Force-update only on that specific # error; any OTHER failure (auth, rate limit, 5xx) must surface, not be # silently retried. ERR=$(mktemp) if gh api --silent -X POST "repos/${GITHUB_REPOSITORY}/git/refs" \ -f ref="refs/heads/${BRANCH}" -f sha="$SHA" 2>"$ERR"; then echo "Created ${BRANCH} at ${SHA}" elif grep -qi "already exists" "$ERR"; then echo "Ref ${BRANCH} already exists; force-updating to ${SHA}" gh api --silent -X PATCH "repos/${GITHUB_REPOSITORY}/git/refs/heads/${BRANCH}" \ -f sha="$SHA" -F force=true else echo "::error::Failed to create canary ref ${BRANCH}:" cat "$ERR" >&2 exit 1 fi - name: Dispatch publish-release.yml on the canary ref and wait id: dispatch env: GH_TOKEN: ${{ steps.app-token.outputs.token }} BRANCH: ${{ steps.slug.outputs.branch }} SCOPE: ${{ inputs.scope }} SUFFIX: ${{ inputs.suffix }} DRY_RUN: ${{ inputs.dry_run }} run: | set -euo pipefail # (suffix already validated in the "Validate suffix" step above, before # the canary ref was created) # # Input name mapping: this orchestrator's `dry_run` (underscore) maps # to publish-release.yml's `dry-run` (hyphen). Keep both as-is — the # underscore matches ag-ui's convention; the hyphen matches cpk's # existing publish-release.yml signature. gh workflow run publish-release.yml \ --repo "$GITHUB_REPOSITORY" \ --ref "$BRANCH" \ -f mode=prerelease \ -f scope="$SCOPE" \ -f suffix="$SUFFIX" \ -f dry-run="$DRY_RUN" # The dispatch went through. If anything from here on fails BEFORE a run # is located, the cleanup step keeps the ref (a dispatched-but-unindexed # run may still need it). If the dispatch itself had failed, no run can # exist and the ref is safe to delete. echo "dispatched=true" >> "$GITHUB_OUTPUT" # Residual race: a cancellation landing in the instant between # `gh workflow run` succeeding above and this output write would route # cleanup down the "no run exists" path and delete the ref under a # queued run. Accepted risk — the delegated canary run fails visibly # at checkout and can simply be re-dispatched. # The canary ref is unique to this run+attempt, so there is exactly ONE # publish-release dispatch on it — no timestamp watermark needed (which # also sidesteps runner/server clock-skew). Poll until it indexes # (30 x 6s = 3 min tolerance for Actions indexing lag). --limit is # defensive headroom; the branch/workflow/event filters are applied # server-side so the matching run is never crowded out. RUN_ID="" ERR=$(mktemp) for i in $(seq 1 30); do sleep 6 RUN_ID=$(gh run list \ --repo "$GITHUB_REPOSITORY" \ --workflow=publish-release.yml \ --branch "$BRANCH" \ --event workflow_dispatch \ --limit 100 \ --json databaseId \ --jq 'sort_by(.databaseId) | last | .databaseId // empty' 2>"$ERR") || { RUN_ID="" echo "::warning::gh run list failed on attempt ${i}; will retry:" >&2 cat "$ERR" >&2 } if [ -n "$RUN_ID" ]; then break fi done if [ -z "$RUN_ID" ]; then echo "::error::Dispatched publish-release run never appeared on ${BRANCH}. Leaving the ref in place for debugging; delete it manually once resolved." exit 1 fi # Mark located BEFORE the watch so cleanup runs even if the publish # fails — but is skipped entirely if we never tracked a run (so we # never delete a ref a still-pending run may need). echo "located=true" >> "$GITHUB_OUTPUT" echo "run_id=${RUN_ID}" >> "$GITHUB_OUTPUT" RUN_URL=$(gh run view "$RUN_ID" --repo "$GITHUB_REPOSITORY" --json url --jq .url) echo "Delegated publish run: ${RUN_URL}" { echo "## Canary publish" echo "" echo "- **Scope:** \`${SCOPE}\`" echo "- **Source branch:** \`${GITHUB_REF_NAME}\`" echo "- **Delegated run:** ${RUN_URL}" } >> "$GITHUB_STEP_SUMMARY" # --exit-status propagates the publish run's failure to this job. gh run watch "$RUN_ID" --repo "$GITHUB_REPOSITORY" --exit-status # --exit-status catches failures, but a non-failure non-success conclusion # (e.g. skipped) exits 0 with nothing published. Require success explicitly. CONCLUSION=$(gh run view "$RUN_ID" --repo "$GITHUB_REPOSITORY" --json conclusion --jq .conclusion) if [ "$CONCLUSION" != "success" ]; then echo "::error::Delegated publish run concluded '$CONCLUSION' (expected 'success')." exit 1 fi - name: Mint cleanup token id: cleanup-token # The job ceiling (90 min) exceeds the 1-hour App-token TTL, so the # token minted at job start can be expired by cleanup time. Mint a # fresh one. Same condition as the delete step below. if: always() && steps.slug.outputs.branch != '' && (steps.dispatch.outputs.located == 'true' || steps.dispatch.outputs.dispatched != 'true') uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 with: app-id: 1108748 private-key: ${{ secrets.DEVOPS_BOT_PRIVATE_KEY }} permission-contents: write permission-actions: read - name: Delete canary ref # Three cases: # (a) Run was located (located=true) → delete the ref; the delegated # publish run has finished (success or fail) and no longer needs it. # Additionally gated below by a live status check on RUN_ID: on # cancellation/timeout (always() runs cleanup too) a still-queued # or running delegated run must keep its branch, since # checkout-by-SHA can fail once the ref is gone. # (b) Dispatch succeeded (dispatched=true) but the run was never located # within the poll window → KEEP the ref; a pending publish run may # still pick it up and would silently break if the ref vanished. # (c) The dispatch command itself failed or this step never ran # (dispatched != 'true') → no publish run can exist, so the ref is # safe to delete (and almost certainly was never created). # The `steps.slug.outputs.branch != ''` guard skips cleanup entirely when # the slug step never produced a branch name (a guard/suffix failure that # bailed before any ref was created). A DELETE on an empty path would # 404-gracefully anyway, but skipping avoids the spurious API call. if: always() && steps.slug.outputs.branch != '' && (steps.dispatch.outputs.located == 'true' || steps.dispatch.outputs.dispatched != 'true') env: GH_TOKEN: ${{ steps.cleanup-token.outputs.token }} BRANCH: ${{ steps.slug.outputs.branch }} RUN_ID: ${{ steps.dispatch.outputs.run_id }} run: | # Best-effort cleanup: never fail the job on a delete hiccup, but do # surface a real error instead of masking every failure as "gone". set -uo pipefail # If we tracked a delegated run, only delete the ref once that run has # completed. always() brings us here on cancellation/timeout too — a # still-queued run would fail checkout if its branch (and thus the # commit's reachability) disappears from under it. if [ -n "${RUN_ID}" ]; then STATUS=$(gh run view "$RUN_ID" --repo "$GITHUB_REPOSITORY" --json status --jq .status 2>/dev/null || echo unknown) if [ "$STATUS" != "completed" ]; then echo "::warning::Delegated run $RUN_ID status is '$STATUS' (not completed); keeping ${BRANCH} — delete it manually once the run finishes." exit 0 fi fi ERR=$(mktemp) if gh api --silent -X DELETE "repos/${GITHUB_REPOSITORY}/git/refs/heads/${BRANCH}" 2>"$ERR"; then echo "Deleted ${BRANCH}" elif grep -qiE "not found|does not exist" "$ERR"; then echo "Branch ${BRANCH} already gone" else echo "::warning::Failed to delete canary ref ${BRANCH} (manual cleanup may be needed):" cat "$ERR" >&2 fi