Files
2026-07-13 12:58:18 +08:00

336 lines
17 KiB
YAML

name: canary / publish
# Discoverable, one-click canary publisher. Surfaces in the Actions tab so any
# maintainer can publish a prerelease of the branch they're working on without
# learning the manual `canary/*` branch + dispatch dance.
#
# IMPORTANT: this workflow does NOT publish to npm itself. It ORCHESTRATES
# publish-release.yml, which holds the SINGLE npm OIDC trusted-publisher binding
# (see that file's header). Adding a second npm-publishing entry point would
# break OIDC for every @copilotkit/* package. The npm trusted publishers for
# the @copilotkit packages are bound to publish-release.yml + the `npm`
# environment.
#
# Why a separate orchestrator instead of a flag inside publish-release.yml:
# The `npm` GitHub Environment's deployment-branch policy is evaluated against
# the ref a run is TRIGGERED on — NOT against branches created mid-run. So
# publish-release.yml can only publish a canary when its run's ref already
# matches the policy (`canary/*`). Creating a branch inside a run triggered on
# `feature/*` does not change that run's ref, so it would still be rejected.
# This workflow therefore runs on any non-main branch, mirrors it to a
# short-lived `canary/<slug>` ref, dispatches publish-release.yml ON that ref
# (clearing the env gate), waits for it, then deletes the ref.
#
# Token: the branch create/delete and the cross-workflow dispatch use the
# devops-bot GitHub App token, NOT the default GITHUB_TOKEN. Events authenticated
# with GITHUB_TOKEN do not start new workflow runs (recursion prevention), so the
# delegated publish-release run would silently never fire.
on:
workflow_dispatch:
inputs:
scope:
description: "Package scope to publish a canary for. Regenerated from release.config.json — do NOT hand-edit (the release-scope-dropdown-sync CI guard enforces parity)."
required: true
type: choice
options:
- monorepo
- angular
- channels
- channels-discord
- channels-intelligence
- channels-slack
- channels-teams
- channels-telegram
- channels-whatsapp
suffix:
description: "Prerelease suffix (e.g. 'fix-user-issue'); blank = unix timestamp. Allowed: [a-zA-Z0-9._-]+. Reuse a suffix only if the base version moved, else the publish collides."
required: false
type: string
dry_run:
# NOTE: this orchestrator exposes `dry_run` (underscore, matching ag-ui's
# convention), but publish-release.yml's input is `dry-run` (hyphen).
# The dispatch step below maps `dry_run` → `-f dry-run=` accordingly.
description: "Dry run: build + detect but do NOT publish to npm. Useful for previewing what would ship."
required: false
default: false
type: boolean
concurrency:
# Serialize repeated dispatches on the same source branch FOR THE SAME SCOPE.
# Cross-branch ref races are independently prevented by making the canary ref
# unique per run (slug + github.run_id, see the slug step below).
# The scope is folded into the key so canaries for different scopes (e.g.
# `monorepo` vs `angular`) on the same branch run in independent lanes instead
# of queuing behind each other (cancel-in-progress: false).
group: canary-publish-${{ inputs.scope }}-${{ github.ref }}
cancel-in-progress: false
permissions:
# The job's own GITHUB_TOKEN does nothing privileged — every write goes through
# the App token minted below.
contents: read
jobs:
canary:
runs-on: ubuntu-latest
# The delegated publish-release run can take up to ~40 min worst case
# (build ~20 + publish ~20); this orchestrator's ceiling must exceed it,
# otherwise a timeout-kill triggers ref cleanup mid-publish (yanking the
# canary ref out from under a still-running publish). publish-release.yml
# also carries a GLOBAL `concurrency: group: publish-release,
# cancel-in-progress: false`, so our delegated run can sit QUEUED behind
# an unrelated release for a long time before it even starts; the ceiling
# must budget that queue time on top of the ~40-min worst case.
timeout-minutes: 90
steps:
- name: Guard ref
# Canary publishes are for non-main BRANCHES only. Block main (use the
# stable release flow) and block non-branch refs such as tags (a tag
# dispatch would otherwise canary-publish from the tagged commit).
if: github.ref == 'refs/heads/main' || !startsWith(github.ref, 'refs/heads/')
# Pass github.ref via env (matches "Validate suffix" discipline) so the
# ref name is never interpolated into the shell — tag/branch names may
# contain shell metacharacters and direct ${{ }} interpolation here
# would be an expression-injection sink.
env:
REF: ${{ github.ref }}
run: |
echo "::error::Canary publishes are for non-main branches only (got '$REF'). To release from main, use the 'release / create-pr' workflow (stable-release.yml) → merge the release PR, or 'release / publish' with mode=stable for retries."
exit 1
- name: Validate suffix
if: inputs.suffix != ''
env:
SUFFIX: ${{ inputs.suffix }}
run: |
set -euo pipefail
# Validate BEFORE any side effect (token mint, ref creation) so a bad
# suffix can't leave an orphaned canary ref behind. Bash regex matches
# the WHOLE string (grep matches per line and would accept a multi-line
# value whose first line is valid).
if ! [[ "$SUFFIX" =~ ^[a-zA-Z0-9._-]+$ ]]; then
echo "::error::Invalid suffix '$SUFFIX'. Allowed: [a-zA-Z0-9._-]+ (blank = unix timestamp)."
exit 1
fi
- name: Mint devops-bot token
id: app-token
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
with:
app-id: 1108748
private-key: ${{ secrets.DEVOPS_BOT_PRIVATE_KEY }}
# Scoped permissions (v3+): contents=write for create/delete of the
# canary ref; actions=write to dispatch publish-release.yml and watch
# the delegated run. No other scopes are needed.
permission-contents: write
permission-actions: write
- name: Compute canary branch name
id: slug
env:
REF_NAME: ${{ github.ref_name }}
run: |
set -euo pipefail
# Byte-deterministic (LC_ALL=C) transform collapsing the source ref to a
# single path segment under canary/ so it matches the `canary/*`
# deployment-branch policy. tr -s collapses same-char runs (so no `..`),
# and the sed fully strips any leading/trailing `.`/`-` runs.
export LC_ALL=C
SLUG=$(printf '%s' "$REF_NAME" | tr '/' '-' | tr -c 'a-zA-Z0-9._-' '-' | tr -s '.-')
SLUG=$(printf '%s' "$SLUG" | sed -E 's/^[.-]+//; s/[.-]+$//')
if [ -z "$SLUG" ]; then
echo "::error::Could not derive a canary slug from ref '$REF_NAME'"
exit 1
fi
# Append run id AND attempt so every dispatch — including a re-run of
# this same orchestration — owns a UNIQUE canary ref. This prevents two
# dispatches whose source branches slugify to the same value (or a
# re-run reusing the run id) from racing one shared ref, and keeps run
# discovery below unambiguous (exactly one publish run per ref).
REF_SUFFIX="${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}"
echo "branch=canary/${SLUG}-${REF_SUFFIX}" >> "$GITHUB_OUTPUT"
echo "Canary branch: canary/${SLUG}-${REF_SUFFIX}"
- name: Create or update canary ref
env:
GH_TOKEN: ${{ steps.app-token.outputs.token }}
BRANCH: ${{ steps.slug.outputs.branch }}
SHA: ${{ github.sha }}
run: |
set -euo pipefail
# Point canary/<slug> at the dispatched ref's HEAD. The ref is unique
# per run AND attempt (slug + run_id + run_attempt — re-runs increment
# the attempt), so the "already exists" arm is defense-in-depth and
# should be unreachable in practice. Force-update only on that specific
# error; any OTHER failure (auth, rate limit, 5xx) must surface, not be
# silently retried.
ERR=$(mktemp)
if gh api --silent -X POST "repos/${GITHUB_REPOSITORY}/git/refs" \
-f ref="refs/heads/${BRANCH}" -f sha="$SHA" 2>"$ERR"; then
echo "Created ${BRANCH} at ${SHA}"
elif grep -qi "already exists" "$ERR"; then
echo "Ref ${BRANCH} already exists; force-updating to ${SHA}"
gh api --silent -X PATCH "repos/${GITHUB_REPOSITORY}/git/refs/heads/${BRANCH}" \
-f sha="$SHA" -F force=true
else
echo "::error::Failed to create canary ref ${BRANCH}:"
cat "$ERR" >&2
exit 1
fi
- name: Dispatch publish-release.yml on the canary ref and wait
id: dispatch
env:
GH_TOKEN: ${{ steps.app-token.outputs.token }}
BRANCH: ${{ steps.slug.outputs.branch }}
SCOPE: ${{ inputs.scope }}
SUFFIX: ${{ inputs.suffix }}
DRY_RUN: ${{ inputs.dry_run }}
run: |
set -euo pipefail
# (suffix already validated in the "Validate suffix" step above, before
# the canary ref was created)
#
# Input name mapping: this orchestrator's `dry_run` (underscore) maps
# to publish-release.yml's `dry-run` (hyphen). Keep both as-is — the
# underscore matches ag-ui's convention; the hyphen matches cpk's
# existing publish-release.yml signature.
gh workflow run publish-release.yml \
--repo "$GITHUB_REPOSITORY" \
--ref "$BRANCH" \
-f mode=prerelease \
-f scope="$SCOPE" \
-f suffix="$SUFFIX" \
-f dry-run="$DRY_RUN"
# The dispatch went through. If anything from here on fails BEFORE a run
# is located, the cleanup step keeps the ref (a dispatched-but-unindexed
# run may still need it). If the dispatch itself had failed, no run can
# exist and the ref is safe to delete.
echo "dispatched=true" >> "$GITHUB_OUTPUT"
# Residual race: a cancellation landing in the instant between
# `gh workflow run` succeeding above and this output write would route
# cleanup down the "no run exists" path and delete the ref under a
# queued run. Accepted risk — the delegated canary run fails visibly
# at checkout and can simply be re-dispatched.
# The canary ref is unique to this run+attempt, so there is exactly ONE
# publish-release dispatch on it — no timestamp watermark needed (which
# also sidesteps runner/server clock-skew). Poll until it indexes
# (30 x 6s = 3 min tolerance for Actions indexing lag). --limit is
# defensive headroom; the branch/workflow/event filters are applied
# server-side so the matching run is never crowded out.
RUN_ID=""
ERR=$(mktemp)
for i in $(seq 1 30); do
sleep 6
RUN_ID=$(gh run list \
--repo "$GITHUB_REPOSITORY" \
--workflow=publish-release.yml \
--branch "$BRANCH" \
--event workflow_dispatch \
--limit 100 \
--json databaseId \
--jq 'sort_by(.databaseId) | last | .databaseId // empty' 2>"$ERR") || {
RUN_ID=""
echo "::warning::gh run list failed on attempt ${i}; will retry:" >&2
cat "$ERR" >&2
}
if [ -n "$RUN_ID" ]; then
break
fi
done
if [ -z "$RUN_ID" ]; then
echo "::error::Dispatched publish-release run never appeared on ${BRANCH}. Leaving the ref in place for debugging; delete it manually once resolved."
exit 1
fi
# Mark located BEFORE the watch so cleanup runs even if the publish
# fails — but is skipped entirely if we never tracked a run (so we
# never delete a ref a still-pending run may need).
echo "located=true" >> "$GITHUB_OUTPUT"
echo "run_id=${RUN_ID}" >> "$GITHUB_OUTPUT"
RUN_URL=$(gh run view "$RUN_ID" --repo "$GITHUB_REPOSITORY" --json url --jq .url)
echo "Delegated publish run: ${RUN_URL}"
{
echo "## Canary publish"
echo ""
echo "- **Scope:** \`${SCOPE}\`"
echo "- **Source branch:** \`${GITHUB_REF_NAME}\`"
echo "- **Delegated run:** ${RUN_URL}"
} >> "$GITHUB_STEP_SUMMARY"
# --exit-status propagates the publish run's failure to this job.
gh run watch "$RUN_ID" --repo "$GITHUB_REPOSITORY" --exit-status
# --exit-status catches failures, but a non-failure non-success conclusion
# (e.g. skipped) exits 0 with nothing published. Require success explicitly.
CONCLUSION=$(gh run view "$RUN_ID" --repo "$GITHUB_REPOSITORY" --json conclusion --jq .conclusion)
if [ "$CONCLUSION" != "success" ]; then
echo "::error::Delegated publish run concluded '$CONCLUSION' (expected 'success')."
exit 1
fi
- name: Mint cleanup token
id: cleanup-token
# The job ceiling (90 min) exceeds the 1-hour App-token TTL, so the
# token minted at job start can be expired by cleanup time. Mint a
# fresh one. Same condition as the delete step below.
if: always() && steps.slug.outputs.branch != '' && (steps.dispatch.outputs.located == 'true' || steps.dispatch.outputs.dispatched != 'true')
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
with:
app-id: 1108748
private-key: ${{ secrets.DEVOPS_BOT_PRIVATE_KEY }}
permission-contents: write
permission-actions: read
- name: Delete canary ref
# Three cases:
# (a) Run was located (located=true) → delete the ref; the delegated
# publish run has finished (success or fail) and no longer needs it.
# Additionally gated below by a live status check on RUN_ID: on
# cancellation/timeout (always() runs cleanup too) a still-queued
# or running delegated run must keep its branch, since
# checkout-by-SHA can fail once the ref is gone.
# (b) Dispatch succeeded (dispatched=true) but the run was never located
# within the poll window → KEEP the ref; a pending publish run may
# still pick it up and would silently break if the ref vanished.
# (c) The dispatch command itself failed or this step never ran
# (dispatched != 'true') → no publish run can exist, so the ref is
# safe to delete (and almost certainly was never created).
# The `steps.slug.outputs.branch != ''` guard skips cleanup entirely when
# the slug step never produced a branch name (a guard/suffix failure that
# bailed before any ref was created). A DELETE on an empty path would
# 404-gracefully anyway, but skipping avoids the spurious API call.
if: always() && steps.slug.outputs.branch != '' && (steps.dispatch.outputs.located == 'true' || steps.dispatch.outputs.dispatched != 'true')
env:
GH_TOKEN: ${{ steps.cleanup-token.outputs.token }}
BRANCH: ${{ steps.slug.outputs.branch }}
RUN_ID: ${{ steps.dispatch.outputs.run_id }}
run: |
# Best-effort cleanup: never fail the job on a delete hiccup, but do
# surface a real error instead of masking every failure as "gone".
set -uo pipefail
# If we tracked a delegated run, only delete the ref once that run has
# completed. always() brings us here on cancellation/timeout too — a
# still-queued run would fail checkout if its branch (and thus the
# commit's reachability) disappears from under it.
if [ -n "${RUN_ID}" ]; then
STATUS=$(gh run view "$RUN_ID" --repo "$GITHUB_REPOSITORY" --json status --jq .status 2>/dev/null || echo unknown)
if [ "$STATUS" != "completed" ]; then
echo "::warning::Delegated run $RUN_ID status is '$STATUS' (not completed); keeping ${BRANCH} — delete it manually once the run finishes."
exit 0
fi
fi
ERR=$(mktemp)
if gh api --silent -X DELETE "repos/${GITHUB_REPOSITORY}/git/refs/heads/${BRANCH}" 2>"$ERR"; then
echo "Deleted ${BRANCH}"
elif grep -qiE "not found|does not exist" "$ERR"; then
echo "Branch ${BRANCH} already gone"
else
echo "::warning::Failed to delete canary ref ${BRANCH} (manual cleanup may be needed):"
cat "$ERR" >&2
fi