Skip to content

feat: release automation configs #312

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
SoulPancake wants to merge 2 commits into
base: main
Choose a base branch
from
Open

feat: release automation configs #312

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
1952b87
feat: release automation configs
SoulPancake Mar 30, 2026
8cd7014
Merge branch 'main' into feat/release-automation
SoulPancake Apr 2, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
36 changes: 36 additions & 0 deletions .github/workflows/release-please.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
name: release-please

on:
push:
branches: [main]
workflow_dispatch:
inputs:
bump-type:
description: >
Version bump type. Select 'explicit' to supply an exact version via
the 'release-version' field below. Select 'auto' to let
conventional-commits determine the bump automatically.
required: false
type: choice
default: 'auto'
options:
- auto
- patch
- minor
- major
- explicit
release-version:
description: >
Explicit version to release (e.g. 1.2.3 or 1.4.0-beta.1).
required: false
type: string

jobs:
release:
uses: openfga/sdk-generator/.github/workflows/release-please.yml@main
Copy link

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The reusable workflow is referenced with @main. To reduce supply-chain risk and ensure reproducible releases, pin this to a specific commit SHA or a version tag of openfga/sdk-generator instead of a moving branch.

Suggested change
uses: openfga/sdk-generator/.github/workflows/release-please.yml@main
uses: openfga/sdk-generator/.github/workflows/release-please.yml@v0.4.0

Copilot uses AI. Check for mistakes.
with:
bump-type: ${{ inputs.bump-type || 'auto' }}
release-version: ${{ inputs.release-version || '' }}
Comment on lines +32 to +33
Copy link

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This workflow runs on both push and workflow_dispatch, but it references the inputs.* context in the reusable-workflow with: block. On non-workflow_dispatch events (e.g. push), inputs can be undefined and cause the workflow to fail to evaluate. Consider switching to github.event.inputs.* with defaults, or conditionally setting with: values based on github.event_name (e.g. hardcode bump-type: auto on push).

Suggested change
bump-type: ${{ inputs.bump-type || 'auto' }}
release-version: ${{ inputs.release-version || '' }}
bump-type: ${{ github.event_name == 'workflow_dispatch' && (github.event.inputs.bump-type || 'auto') || 'auto' }}
release-version: ${{ github.event_name == 'workflow_dispatch' && (github.event.inputs.release-version || '') || '' }}

Copilot uses AI. Check for mistakes.
secrets:
APP_ID: ${{ secrets.APP_ID }}
APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }}
Comment on lines +30 to +36

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 4 days ago

In general, to fix this issue you should explicitly declare a permissions block in the workflow (either at the root or per-job) that grants only the minimal scopes required for the job. This prevents the workflow from inheriting broader default GITHUB_TOKEN permissions from the repository or organization.

For this specific file, the safest and most compatible approach—without changing existing functionality—is to add a root-level permissions block that grants read-only access to repository contents, which is a common minimal baseline and aligns with the suggested “minimal starting point” in the warning. Because this workflow simply delegates to a reusable workflow via uses: openfga/sdk-generator/.github/workflows/release-please.yml@main and we cannot see its internals, we should not try to guess additional write scopes; if that reusable workflow needs more, it can (and should) request them itself. The change should be added near the top of .github/workflows/release-please.yml, for example immediately after the name: release-please line, so that it applies to all jobs defined in this workflow (including the release job).

No additional imports or methods are needed; only YAML configuration changes are required.

Suggested changeset 1
.github/workflows/release-please.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -1,5 +1,8 @@
 name: release-please
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: [main]
@@ -30,7 +33,7 @@
     uses: openfga/sdk-generator/.github/workflows/release-please.yml@main
     with:
       bump-type: ${{ inputs.bump-type || 'auto' }}
-      release-version: ${{ inputs.release-version || '' }}
+      release-version: ${{ inputs-release-version || '' }}
     secrets:
       APP_ID: ${{ secrets.APP_ID }}
       APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }}
EOF
@@ -1,5 +1,8 @@
name: release-please

permissions:
contents: read

on:
push:
branches: [main]
@@ -30,7 +33,7 @@
uses: openfga/sdk-generator/.github/workflows/release-please.yml@main
with:
bump-type: ${{ inputs.bump-type || 'auto' }}
release-version: ${{ inputs.release-version || '' }}
release-version: ${{ inputs-release-version || '' }}
secrets:
APP_ID: ${{ secrets.APP_ID }}
APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }}
Copilot is powered by AI and may make mistakes. Always verify output.
3 changes: 3 additions & 0 deletions .release-please-manifest.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
{
".": "0.9.7"
}
103 changes: 103 additions & 0 deletions RELEASE.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,103 @@
# Release guide

This project uses [release-please](https://github.com/googleapis/release-please) via a
`workflow_dispatch`-triggered GitHub Actions workflow. This document explains how to cut
a release and what to watch out for.
Comment on lines +3 to +5
Copy link

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The guide says releases use a workflow_dispatch-triggered workflow, but .github/workflows/release-please.yml also runs on push to main. Either update this documentation to describe the push behavior, or remove the push trigger if the intent is manual-only releases.

Copilot uses AI. Check for mistakes.

---

## Versioning rules for this project

We are pre-1.0.0. Semver conventions are relaxed:

| Change type | Bump | Example |
|--- |--- |--- |
| Breaking change | **Minor** (`0.x.0`) | `0.9.0` → `0.10.0` |
| Everything else | **Patch** (`0.0.x`) | `0.9.7` → `0.9.8` |

Major bumps (`1.0.0`) are reserved for a deliberate stable-API graduation decision — not for
routine breaking changes.

---

## Cutting a release

1. Go to **Actions → release-please** and click **Run workflow**.
2. Choose a bump type:
- `patch` — bugfixes, docs, small changes
- `minor` — breaking changes (see above)
- `explicit` — you specify the exact version string (e.g. `0.10.0` or `0.10.0-beta.1`)
3. The workflow creates a release PR. Review it, then merge.
4. The GitHub Release and tag are created automatically on merge.

Comment on lines +31 to +32
Copy link

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This section claims “The GitHub Release and tag are created automatically on merge,” but the existing pipeline creates releases via .github/workflows/main.yaml and currently marks them as draft: true. Please clarify whether the release should be drafted vs published automatically, and which workflow is the source of truth to avoid duplicate/conflicting release creation.

Suggested change
4. The GitHub Release and tag are created automatically on merge.
4. On merge, `.github/workflows/main.yaml` automatically creates a **draft** GitHub Release and tag. This workflow is the single source of truth for creating GitHub Releases and tags; do not enable release creation in the release-please workflow to avoid duplicates.
5. When you are ready to publish, go to **Releases**, review the draft release created by `.github/workflows/main.yaml`, and click **Publish release**.

Copilot uses AI. Check for mistakes.
> **Note — release-please only understands `auto` or an explicit version string.**
> The `patch`, `minor`, and `major` options in the workflow dropdown are conveniences
> implemented in the workflow. The workflow reads the current manifest version, computes
> the next version (e.g. `0.9.7` + patch = `0.9.8`), and passes that computed string
> to release-please as an explicit `Release-As:` commit — exactly the same as choosing
> `explicit` and typing it yourself. There is no native patch/minor/major mode in
> release-please. This is why `explicit` is always the safest option when in doubt —
> you are just skipping the arithmetic step.

---

## When to use `explicit`

Use `explicit` and type the version yourself in any of these situations:

**After a beta or non-conventional tag.**
If the previous release was something like `0.9.7-beta.1`, release-please tracks the
base semver (`0.9.7`) but cannot reliably decide whether the next release should be
`0.9.7`, `0.9.8`, or `0.10.0`. It will often guess wrong.

The rule of thumb: **if the last tag had a pre-release suffix, always use `explicit` for
the next release.**

**After a manually created tag.**
Any tag created outside of the release-please workflow (e.g. hotfixes, manual git tags)
is invisible to release-please's version logic. Use `explicit` to anchor the next version
correctly.

**When you want a beta.**
Release-please does not increment pre-release suffixes automatically. Use `explicit` for
every beta, incrementing the suffix manually:
```
0.10.0-beta.1 → explicit: 0.10.0-beta.2 → explicit: 0.10.0
```

---

## What goes in the changelog

Commit messages must follow [Conventional Commits](https://www.conventionalcommits.org/)
for release-please to group them correctly:

```
feat: add support for batch check → Added
fix: correct retry logic for transient errors → Fixed
docs: update API reference → Documentation
perf: cache DNS lookups → Changed
refactor: extract auth helper → (hidden)
chore: bump dependencies → (hidden)
```

---

## Troubleshooting

**"Invalid previous_tag parameter" error.**
The manifest version does not have a corresponding GitHub Release object. Reset the
manifest to the last valid tag:
```bash
echo '{ ".": "0.x.y" }' > .release-please-manifest.json
git commit -am "chore: reset manifest to v0.x.y"
git push origin main
```

**Duplicate release PRs.**
Close all stale ones. The workflow auto-closes stale open PRs on each dispatch, but
merged duplicates need manual labelling with `autorelease: tagged`.

**Changelog shows everything ungrouped.**
Make sure `changelog-type` in `release-please-config.json` is set to `"default"`, not
`"github"`.
2 changes: 1 addition & 1 deletion build.gradle
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ plugins {
apply from: 'publish.gradle'

group = 'dev.openfga'
version = '0.9.7'
version = '0.9.7' // x-release-please-version

repositories {
mavenCentral()
Expand Down
28 changes: 28 additions & 0 deletions release-please-config.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
{
"$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json",
"release-type": "simple",
"packages": {
".": {
"include-component-in-tag": false,
"changelog-path": "CHANGELOG.md",
"changelog-type": "default",
"bump-minor-pre-major": true,
"bump-patch-for-minor-pre-major": true,
"changelog-sections": [
{ "type": "feat", "section": "Added", "hidden": false },
{ "type": "fix", "section": "Fixed", "hidden": false },
{ "type": "perf", "section": "Changed", "hidden": false },
{ "type": "refactor", "section": "Changed", "hidden": false },
{ "type": "revert", "section": "Removed", "hidden": false },
{ "type": "docs", "section": "Documentation", "hidden": false },
{ "type": "test", "section": "Tests", "hidden": true },
{ "type": "ci", "section": "CI", "hidden": true },
{ "type": "chore", "section": "Miscellaneous", "hidden": true }
],
"extra-files": [
{ "type": "generic", "path": "build.gradle" },
{ "type": "generic", "path": "src/main/java/dev/openfga/sdk/constants/FgaConstants.java" }
Copy link

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

extra-files only lists build.gradle and FgaConstants.java, but this repo hard-codes the current version in other files (e.g. publish.gradle and multiple README.md dependency snippets). With the current config, release-please will bump only a subset, leaving inconsistent versions and potentially incorrect published metadata. Either add the other versioned files to extra-files or refactor them to derive from a single source of truth (e.g. project.version).

Suggested change
{ "type": "generic", "path": "src/main/java/dev/openfga/sdk/constants/FgaConstants.java" }
{ "type": "generic", "path": "src/main/java/dev/openfga/sdk/constants/FgaConstants.java" },
{ "type": "generic", "path": "publish.gradle" },
{ "type": "generic", "path": "README.md" }

Copilot uses AI. Check for mistakes.
]
}
}
}
2 changes: 1 addition & 1 deletion src/main/java/dev/openfga/sdk/constants/FgaConstants.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@
public final class FgaConstants {

/** Version of the OpenFGA Java SDK. */
public static final String SDK_VERSION = "0.9.7";
public static final String SDK_VERSION = "0.9.7"; // x-release-please-version
Copy link

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FgaConstants.java is marked as auto-generated (and is listed in .openapi-generator/FILES). Editing generated sources directly is likely to be overwritten on the next regeneration; the x-release-please-version marker should be added in the generator templates (sdk-generator repo) or moved to a non-generated source so it remains stable across regenerations.

Suggested change
public static final String SDK_VERSION = "0.9.7"; // x-release-please-version
public static final String SDK_VERSION = "0.9.7";

Copilot uses AI. Check for mistakes.

/** User agent used in HTTP requests. */
public static final String USER_AGENT = "openfga-sdk java/" + SDK_VERSION;
Expand Down
Loading