Releases: LerianStudio/github-actions-shared-workflows
v1.21.1-beta.2
fix(slack): remove username and icon overrides to use app identity (#…
v1.21.1-beta.1
fix(release): pin composite refs to v1.21.0 (#178)
v1.21.0
v1.21.0-beta.4
fix(release): detect published release via git tag when backmerge plu…
v1.21.0-beta.3
fix(ci): use @develop ref for pr-description, sync backmerge-pr
v1.21.0-beta.2
fix(release): use @develop ref for backmerge-pr composite
v1.21.0-beta.1
feat(release): fallback to PR when backmerge push fails
When the semantic-release backmerge plugin fails to push directly to
develop (non-fast-forward), create a PR from main→develop instead of
failing the entire release. The release tag and GitHub release are
already published at this point.
- Add continue-on-error to semantic-release step
- If release published but step failed → create backmerge PR
- If release not published and step failed → propagate error
- Check for existing backmerge PR to avoid duplicates
v1.20.2
fix(release): merge develop into main (#174)
* refactor(pr-validation): modularize workflow into composites under src/validate/
Extract all inline business logic from pr-validation.yml into 7 reusable
composite actions under src/validate/. Add dry_run input, fix script injection
risks (use env vars instead of direct interpolation), fix notify ref for
external callers, and update conventions to prohibit workflow_dispatch on
reusable workflows due to injection risk.
* fix(pr-validation): address CodeRabbit and CodeQL review findings
- Fix code-injection: move needs.*.result and inputs.dry_run to env vars
in pr-checks-summary job (use process.env instead of ${{ }} interpolation)
- Wire MANAGE_TOKEN into auto-labeler job (was hardcoded to github.token)
- Include pr-changelog in Slack notification status and failed_jobs
- Handle empty git diff output in pr-size (CHANGED_LINES defaults to 0)
- Support all * wildcard patterns in pr-source-branch (not just /*)
- Fix broken markdown links in docs (add -workflow suffix)
- Fix docs examples to use @v1.2.3 placeholder instead of @v1.x.x
- Update jobs table with non-draft condition for all gated jobs
* fix(helm-update-chart): use VALUES_KEY for template file paths instead of COMP_NAME
The workflow was using COMP_NAME to build configmap/secret template paths
(e.g. templates/plugin-br-pix-indirect-btg-worker-inbound/configmap.yaml)
but the actual directory structure uses VALUES_KEY names
(e.g. templates/inbound/configmap.yaml).
This caused the if [ -f ] check to silently fail, resulting in detected
env vars never being injected into configmap/secret templates.
Changes:
- Use VALUES_KEY for CONFIGMAP_FILE and SECRET_FILE paths
- Update create_secret_template to take VALUES_KEY as single arg
- Add ::warning:: annotations when template files are not found
Closes #167
* fix(helm-update-chart): quote GITHUB_OUTPUT and GITHUB_STEP_SUMMARY references
Resolves SC2086 (double quote to prevent globbing) and SC2129 (group
redirects) shellcheck warnings flagged by the PR lint analysis.
* fix(helm-update-chart): resolve CodeQL medium findings
- Pin crazy-max/ghaction-import-gpg and mikefarah/yq to commit SHAs
- Move inputs.base_branch to env var to prevent code injection in step summary
- Add inline comment dismissing untrusted-checkout false positive
* docs(rules): enforce commit SHA pinning for third-party actions
Update all rules and commands (Claude, Cursor, AGENTS.md) to require
third-party actions to be pinned by commit SHA instead of mutable tags.
LerianStudio org actions remain pinned by release tag.
* refactor(pr-validation): extract pr-checks-summary composite and use branch refs for testing
* fix(pr-validation): add missing README and fix broken doc link
* refactor(pr-validation): optimize to 2-tier fail-fast model
Consolidate 9 parallel jobs into 4 with a 2-tier architecture:
- Tier 1 (blocking-checks): title, source-branch, description — no checkout, fail-fast
- Tier 2 (advisory-checks): metadata, size, labels, changelog — shared checkout, only runs if Tier 1 passes
Reduces runner cost (9 → 4 runners, 3 checkouts → 1) while providing
faster feedback on blocking validation failures.
* fix(pr-changelog): remove comment logic — changelog is auto-generated
CHANGELOG.md is now generated by semantic-release, so the reminder
comment is unnecessary noise. Removed the comment step, github-token
and dry-run inputs from the composite.
* fix(pr-validation): default enforce_source_branches to true
The composite already auto-skips when the target branch is not in
target_branches_for_source_check (default: main), so enabling by
default is safe and avoids silent misconfiguration.
* fix(pr-description): validate real content instead of raw length
Rewrite pr-description composite to:
- Extract content under "## Description" heading and strip HTML comments
- Fail if description section is empty or below min-length
- Fail if no "Type of Change" checkbox is checked
- Remove github-token input (no API calls needed)
- Consolidate two github-script steps into one
Also pin amannn/action-semantic-pull-request to commit SHA in pr-title.
* feat(pr-metadata): auto-assign PR author instead of warning
Replace the warning-only assignee and linked issues checks with an
actionable auto-assign: if no assignee is set, assign the PR author
automatically. Bot accounts are skipped.
* fix(pr-size): skip label update when unchanged and remove XL comment
- Check current labels before removing/adding — skip entirely if the
correct size label is already set
- Only remove stale size labels that actually exist on the PR
- Remove the XL comment (generic noise on every sync)
* fix(pr-labels): pin actions/labeler to commit SHA
* refactor(pr-validation): remove changelog check and pin all actions by SHA
- Remove pr-changelog from workflow, summary, and inputs — CHANGELOG.md
is auto-generated by semantic-release
- Pin actions/github-script@v8 and actions/checkout@v6 to commit SHAs
across all validate composites
* fix(pr-checks-summary): use markdown tables grouped by tier
Display results as two tables (Blocking / Advisory) instead of flat
lines. Skipped checks now use ⏭️ instead of ⚠️ for clarity.
* fix(pr-validation): address CodeRabbit review findings
- Remove stale check_changelog references from docs and examples
- Remove pr-changelog from jobs table and pr-checks-summary README
- Fix related-workflow links to current doc naming
- Make missing "Type of Change" section an error, not a warning
- Add null-safety for pr.assignees in pr-metadata
- Add dry-run gate to pr-metadata auto-assign
- Fix yamllint inline-comment spacing in pr-labels
* fix(pr-validation): sync defaults, fix caller, update docs
- Align min_description_length default to 30 (matches composite)
- Remove stale check_changelog from self-pr-validation.yml
- Update metadata feature description in docs
- Validate min-length input against NaN in pr-description
* fix(pr-validation): pin composite refs to v1.19.1-beta.2
* fix(lint): enforce SHA pinning for externals, warnings for internals
* fix(pr-validation): pin composite refs to v1.20.0
* fix(pr-blocking-collect): add README and pin ref to v1.20.0
* fix(pr-blocking-collect): use branch ref for testing
* docs(pr-blocking-collect): fix terminology — step outputs, not job outputs
* fix(pr-validation): pin composite refs to v1.20.0 (#172)
* fix(pr-validation): pin composite refs to v1.20.0
* fix(pr-blocking-collect): add README and pin ref to v1.20.0
* fix(pr-blocking-collect): use branch ref for testing
* docs(pr-blocking-collect): fix terminology — step outputs, not job outputs
* feat(release): fallback to PR when backmerge push fails
When the semantic-release backmerge plugin fails to push directly to
develop (non-fast-forward), create a PR from main→develop instead of
failing the entire release. The release tag and GitHub release are
already published at this point.
- Add continue-on-error to semantic-release step
- If release published but step failed → create backmerge PR
- If release not published and step failed → propagate error
- Check for existing backmerge PR to avoid duplicates
* fix(pr-validation): pin composite refs to v1.20.1
* feat(release): extract backmerge fallback into reusable composite
Create src/config/backmerge-pr composite that creates a PR when the
semantic-release backmerge push fails (non-fast-forward). Checks for
existing open PRs to avoid duplicates. Replace inline shell in
release.yml with the composite call.
* fix(release): use @develop ref for backmerge-pr composite
* fix(backmerge-pr): use heredoc to avoid indentation in PR body
* fix(pr-description): validate checkboxes only, not description content
Simplify pr-description to only check:
- At least one "Type of Change" checkbox is marked
- At least one "Testing" checkbox is marked
Remove min-length content validation that was blocking PRs with valid
template usage (e.g., merge PRs with CodeRabbit summaries).
* fix(pr-description): simplify to empty body check only
* fix(ci): use @develop ref for pr-description, sync backmerge-pr
---------
Co-authored-by: Gandalf <gandalf@lerian.studio>
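The script-injection fixes listed in these notes (moving `needs.*.result`, `inputs.dry_run` and `inputs.base_branch` out of `${{ }}` interpolation and into env vars) all follow one pattern. The fragment below is an added illustration, not the repository's workflow: the step names, the `pr-title` job id and the all-zero action SHA are placeholders. `${{ }}` is expanded by the runner into the step's program text before node or bash executes it, so a value carrying a quote or a `$(...)` becomes code; an environment variable is read at runtime and stays data. `needs.*.result` itself only ever holds runner-set strings, but the same discipline is what protects genuinely attacker-controlled values such as a PR title or body, which is why CodeQL flags every instance of the pattern.

```yaml
# Added example, not the repository's workflow. Step names, the 'pr-title'
# job id and the all-zero action SHA are placeholders.

# BEFORE: ${{ }} is substituted into the script *source* before it runs,
# so whatever reaches the expression is executed, not merely printed.
- name: Summarize checks (vulnerable)
  uses: actions/github-script@0000000000000000000000000000000000000000 # placeholder SHA
  with:
    script: |
      const dryRun = ${{ inputs.dry_run }};                 // any JS expression is accepted here
      const titleResult = "${{ needs.pr-title.result }}";   // a value containing `"` ends the literal
      await core.summary.addRaw(`title: ${titleResult}, dry-run: ${dryRun}`).write();

- name: Record base branch (vulnerable)
  run: echo "Base branch: ${{ inputs.base_branch }}" >> "$GITHUB_STEP_SUMMARY"

# AFTER: route every context value through env. The expression is expanded
# into an environment variable, not into the program text, so the script
# only ever sees a string.
- name: Summarize checks (hardened)
  uses: actions/github-script@0000000000000000000000000000000000000000 # placeholder SHA
  env:
    DRY_RUN: ${{ inputs.dry_run }}
    TITLE_RESULT: ${{ needs.pr-title.result }}
  with:
    script: |
      const dryRun = process.env.DRY_RUN === 'true';
      const titleResult = process.env.TITLE_RESULT ?? 'unknown';
      await core.summary.addRaw(`title: ${titleResult}, dry-run: ${dryRun}`).write();

- name: Record base branch (hardened)
  env:
    BASE_BRANCH: ${{ inputs.base_branch }}
  run: echo "Base branch: $BASE_BRANCH" >> "$GITHUB_STEP_SUMMARY"
```

The check to apply during review is mechanical: inside `run:` and `script:` blocks, the only `${{ }}` that should remain are the ones under `env:`.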
v1.20.1
fix(release): merge develop into main (#173)
* refactor(pr-validation): modularize workflow into composites under src/validate/
Extract all inline business logic from pr-validation.yml into 7 reusable
composite actions under src/validate/. Add dry_run input, fix script injection
risks (use env vars instead of direct interpolation), fix notify ref for
external callers, and update conventions to prohibit workflow_dispatch on
reusable workflows due to injection risk.
* fix(pr-validation): address CodeRabbit and CodeQL review findings
- Fix code-injection: move needs.*.result and inputs.dry_run to env vars
in pr-checks-summary job (use process.env instead of ${{ }} interpolation)
- Wire MANAGE_TOKEN into auto-labeler job (was hardcoded to github.token)
- Include pr-changelog in Slack notification status and failed_jobs
- Handle empty git diff output in pr-size (CHANGED_LINES defaults to 0)
- Support all * wildcard patterns in pr-source-branch (not just /*)
- Fix broken markdown links in docs (add -workflow suffix)
- Fix docs examples to use @v1.2.3 placeholder instead of @v1.x.x
- Update jobs table with non-draft condition for all gated jobs
* fix(helm-update-chart): use VALUES_KEY for template file paths instead of COMP_NAME
The workflow was using COMP_NAME to build configmap/secret template paths
(e.g. templates/plugin-br-pix-indirect-btg-worker-inbound/configmap.yaml)
but the actual directory structure uses VALUES_KEY names
(e.g. templates/inbound/configmap.yaml).
This caused the if [ -f ] check to silently fail, resulting in detected
env vars never being injected into configmap/secret templates.
Changes:
- Use VALUES_KEY for CONFIGMAP_FILE and SECRET_FILE paths
- Update create_secret_template to take VALUES_KEY as single arg
- Add ::warning:: annotations when template files are not found
Closes #167
* fix(helm-update-chart): quote GITHUB_OUTPUT and GITHUB_STEP_SUMMARY references
Resolves SC2086 (double quote to prevent globbing) and SC2129 (group
redirects) shellcheck warnings flagged by the PR lint analysis.
* fix(helm-update-chart): resolve CodeQL medium findings
- Pin crazy-max/ghaction-import-gpg and mikefarah/yq to commit SHAs
- Move inputs.base_branch to env var to prevent code injection in step summary
- Add inline comment dismissing untrusted-checkout false positive
* docs(rules): enforce commit SHA pinning for third-party actions
Update all rules and commands (Claude, Cursor, AGENTS.md) to require
third-party actions to be pinned by commit SHA instead of mutable tags.
LerianStudio org actions remain pinned by release tag.
* refactor(pr-validation): extract pr-checks-summary composite and use branch refs for testing
* fix(pr-validation): add missing README and fix broken doc link
* refactor(pr-validation): optimize to 2-tier fail-fast model
Consolidate 9 parallel jobs into 4 with a 2-tier architecture:
- Tier 1 (blocking-checks): title, source-branch, description — no checkout, fail-fast
- Tier 2 (advisory-checks): metadata, size, labels, changelog — shared checkout, only runs if Tier 1 passes
Reduces runner cost (9 → 4 runners, 3 checkouts → 1) while providing
faster feedback on blocking validation failures.
* fix(pr-changelog): remove comment logic — changelog is auto-generated
CHANGELOG.md is now generated by semantic-release, so the reminder
comment is unnecessary noise. Removed the comment step, github-token
and dry-run inputs from the composite.
* fix(pr-validation): default enforce_source_branches to true
The composite already auto-skips when the target branch is not in
target_branches_for_source_check (default: main), so enabling by
default is safe and avoids silent misconfiguration.
* fix(pr-description): validate real content instead of raw length
Rewrite pr-description composite to:
- Extract content under "## Description" heading and strip HTML comments
- Fail if description section is empty or below min-length
- Fail if no "Type of Change" checkbox is checked
- Remove github-token input (no API calls needed)
- Consolidate two github-script steps into one
Also pin amannn/action-semantic-pull-request to commit SHA in pr-title.
* feat(pr-metadata): auto-assign PR author instead of warning
Replace the warning-only assignee and linked issues checks with an
actionable auto-assign: if no assignee is set, assign the PR author
automatically. Bot accounts are skipped.
* fix(pr-size): skip label update when unchanged and remove XL comment
- Check current labels before removing/adding — skip entirely if the
correct size label is already set
- Only remove stale size labels that actually exist on the PR
- Remove the XL comment (generic noise on every sync)
* fix(pr-labels): pin actions/labeler to commit SHA
* refactor(pr-validation): remove changelog check and pin all actions by SHA
- Remove pr-changelog from workflow, summary, and inputs — CHANGELOG.md
is auto-generated by semantic-release
- Pin actions/github-script@v8 and actions/checkout@v6 to commit SHAs
across all validate composites
* fix(pr-checks-summary): use markdown tables grouped by tier
Display results as two tables (Blocking / Advisory) instead of flat
lines. Skipped checks now use ⏭️ instead of ⚠️ for clarity.
* fix(pr-validation): address CodeRabbit review findings
- Remove stale check_changelog references from docs and examples
- Remove pr-changelog from jobs table and pr-checks-summary README
- Fix related-workflow links to current doc naming
- Make missing "Type of Change" section an error, not a warning
- Add null-safety for pr.assignees in pr-metadata
- Add dry-run gate to pr-metadata auto-assign
- Fix yamllint inline-comment spacing in pr-labels
* fix(pr-validation): sync defaults, fix caller, update docs
- Align min_description_length default to 30 (matches composite)
- Remove stale check_changelog from self-pr-validation.yml
- Update metadata feature description in docs
- Validate min-length input against NaN in pr-description
* fix(pr-validation): pin composite refs to v1.19.1-beta.2
* fix(lint): enforce SHA pinning for externals, warnings for internals
* fix(pr-validation): pin composite refs to v1.20.0 (#172)
* fix(pr-validation): pin composite refs to v1.20.0
* fix(pr-blocking-collect): add README and pin ref to v1.20.0
* fix(pr-blocking-collect): use branch ref for testing
* docs(pr-blocking-collect): fix terminology — step outputs, not job outputs
---------
Co-authored-by: Gandalf <gandalf@lerian.studio>
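The lint rule described in these notes (SHA pinning enforced for third-party actions, warnings for LerianStudio ones) needs nothing more than a line scanner over `uses:` references. The script below is an added example, not the repository's lint, and its policy is an assumption drawn from the notes: any action outside the trusted org must carry a 40-hex commit SHA (error); an action under `LerianStudio/` may carry a `vX.Y.Z` release tag, but a branch such as `@develop` gets a warning; `./local` and `docker://` references are skipped. The sample workflow, including the 40-hex SHA in it, is a constructed placeholder.

```shell
#!/usr/bin/env bash
# Added example, not the repository's lint. Policy assumed from the release notes:
#   * third-party actions must be pinned to a 40-hex commit SHA        -> error
#   * actions under the trusted org may use a release tag vX.Y.Z[-pre];
#     a branch or any other mutable ref                                 -> warning
#   * local (./path) and docker:// references are out of scope
set -eu

TRUSTED_ORG="LerianStudio"   # assumption: org whose actions may be tag-pinned

# Constructed sample workflow; the 40-hex SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW=$(cat <<'EOF'
jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd  # placeholder SHA
      - uses: LerianStudio/github-actions-shared-workflows/src/validate/pr-title@v1.20.0
      - uses: "LerianStudio/github-actions-shared-workflows/src/validate/pr-description@develop"
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
EOF
)

# Print one "level<TAB>line<TAB>action<TAB>ref" record per finding for the
# workflow file in $1. Returns 1 when at least one error was found.
lint_uses() {
  rc=0
  lineno=0
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    printf '%s\n' "$line" | grep -Eq '^[[:space:]]*-?[[:space:]]*uses:' || continue
    ref=${line#*uses:}                          # keep what follows the key
    ref=${ref%%#*}                              # drop a trailing comment
    ref=$(printf '%s' "$ref" | tr -d " \t'\"")  # drop spaces and quotes
    case "$ref" in
      ./*|docker://*) continue ;;
    esac
    action=${ref%@*}            # owner/repo[/path]
    version=${ref#"$action"}    # "@ref" or empty when no ref was given
    version=${version#@}
    owner=${action%%/*}
    if printf '%s' "$version" | grep -Eq '^[0-9a-f]{40}$'; then
      continue                  # immutable commit SHA: acceptable for everyone
    fi
    if [ "$owner" = "$TRUSTED_ORG" ]; then
      if ! printf '%s' "$version" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.]+)?$'; then
        printf 'warning\t%s\t%s\t%s\n' "$lineno" "$action" "${version:-<none>}"
      fi
    else
      printf 'error\t%s\t%s\t%s\n' "$lineno" "$action" "${version:-<none>}"
      rc=1
    fi
  done < "$1"
  return "$rc"
}

# Usage: ./lint-uses.sh --demo   (exits 1 because actions/checkout is tag-pinned)
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp)
  printf '%s\n' "$SAMPLE_WORKFLOW" > "$tmp"
  lint_uses "$tmp" || echo "lint failed with exit $?"
  rm -f "$tmp"
fi
```

On the sample this reports an error for `actions/checkout@v6` and a warning for the `@develop` composite, and says nothing about the SHA-pinned step, the tag-pinned composite, or the local and docker references. A SHA check of this kind is only half the control: the tag comment next to the SHA should be verified against the upstream repository as well, since a stale comment is the usual way a pinned SHA drifts from what reviewers think it is.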
v1.20.0
refactor(release): merge develop into main (#171)
* refactor(pr-validation): modularize workflow into composites under src/validate/
Extract all inline business logic from pr-validation.yml into 7 reusable
composite actions under src/validate/. Add dry_run input, fix script injection
risks (use env vars instead of direct interpolation), fix notify ref for
external callers, and update conventions to prohibit workflow_dispatch on
reusable workflows due to injection risk.
* fix(pr-validation): address CodeRabbit and CodeQL review findings
- Fix code-injection: move needs.*.result and inputs.dry_run to env vars
in pr-checks-summary job (use process.env instead of ${{ }} interpolation)
- Wire MANAGE_TOKEN into auto-labeler job (was hardcoded to github.token)
- Include pr-changelog in Slack notification status and failed_jobs
- Handle empty git diff output in pr-size (CHANGED_LINES defaults to 0)
- Support all * wildcard patterns in pr-source-branch (not just /*)
- Fix broken markdown links in docs (add -workflow suffix)
- Fix docs examples to use @v1.2.3 placeholder instead of @v1.x.x
- Update jobs table with non-draft condition for all gated jobs
* fix(helm-update-chart): use VALUES_KEY for template file paths instead of COMP_NAME
The workflow was using COMP_NAME to build configmap/secret template paths
(e.g. templates/plugin-br-pix-indirect-btg-worker-inbound/configmap.yaml)
but the actual directory structure uses VALUES_KEY names
(e.g. templates/inbound/configmap.yaml).
This caused the if [ -f ] check to silently fail, resulting in detected
env vars never being injected into configmap/secret templates.
Changes:
- Use VALUES_KEY for CONFIGMAP_FILE and SECRET_FILE paths
- Update create_secret_template to take VALUES_KEY as single arg
- Add ::warning:: annotations when template files are not found
Closes #167
* fix(helm-update-chart): quote GITHUB_OUTPUT and GITHUB_STEP_SUMMARY references
Resolves SC2086 (double quote to prevent globbing) and SC2129 (group
redirects) shellcheck warnings flagged by the PR lint analysis.
* fix(helm-update-chart): resolve CodeQL medium findings
- Pin crazy-max/ghaction-import-gpg and mikefarah/yq to commit SHAs
- Move inputs.base_branch to env var to prevent code injection in step summary
- Add inline comment dismissing untrusted-checkout false positive
* docs(rules): enforce commit SHA pinning for third-party actions
Update all rules and commands (Claude, Cursor, AGENTS.md) to require
third-party actions to be pinned by commit SHA instead of mutable tags.
LerianStudio org actions remain pinned by release tag.
* refactor(pr-validation): extract pr-checks-summary composite and use branch refs for testing
* fix(pr-validation): add missing README and fix broken doc link
* refactor(pr-validation): optimize to 2-tier fail-fast model
Consolidate 9 parallel jobs into 4 with a 2-tier architecture:
- Tier 1 (blocking-checks): title, source-branch, description — no checkout, fail-fast
- Tier 2 (advisory-checks): metadata, size, labels, changelog — shared checkout, only runs if Tier 1 passes
Reduces runner cost (9 → 4 runners, 3 checkouts → 1) while providing
faster feedback on blocking validation failures.
* fix(pr-changelog): remove comment logic — changelog is auto-generated
CHANGELOG.md is now generated by semantic-release, so the reminder
comment is unnecessary noise. Removed the comment step, github-token
and dry-run inputs from the composite.
* fix(pr-validation): default enforce_source_branches to true
The composite already auto-skips when the target branch is not in
target_branches_for_source_check (default: main), so enabling by
default is safe and avoids silent misconfiguration.
* fix(pr-description): validate real content instead of raw length
Rewrite pr-description composite to:
- Extract content under "## Description" heading and strip HTML comments
- Fail if description section is empty or below min-length
- Fail if no "Type of Change" checkbox is checked
- Remove github-token input (no API calls needed)
- Consolidate two github-script steps into one
Also pin amannn/action-semantic-pull-request to commit SHA in pr-title.
* feat(pr-metadata): auto-assign PR author instead of warning
Replace the warning-only assignee and linked issues checks with an
actionable auto-assign: if no assignee is set, assign the PR author
automatically. Bot accounts are skipped.
* fix(pr-size): skip label update when unchanged and remove XL comment
- Check current labels before removing/adding — skip entirely if the
correct size label is already set
- Only remove stale size labels that actually exist on the PR
- Remove the XL comment (generic noise on every sync)
* fix(pr-labels): pin actions/labeler to commit SHA
* refactor(pr-validation): remove changelog check and pin all actions by SHA
- Remove pr-changelog from workflow, summary, and inputs — CHANGELOG.md
is auto-generated by semantic-release
- Pin actions/github-script@v8 and actions/checkout@v6 to commit SHAs
across all validate composites
* fix(pr-checks-summary): use markdown tables grouped by tier
Display results as two tables (Blocking / Advisory) instead of flat
lines. Skipped checks now use ⏭️ instead of ⚠️ for clarity.
* fix(pr-validation): address CodeRabbit review findings
- Remove stale check_changelog references from docs and examples
- Remove pr-changelog from jobs table and pr-checks-summary README
- Fix related-workflow links to current doc naming
- Make missing "Type of Change" section an error, not a warning
- Add null-safety for pr.assignees in pr-metadata
- Add dry-run gate to pr-metadata auto-assign
- Fix yamllint inline-comment spacing in pr-labels
* fix(pr-validation): sync defaults, fix caller, update docs
- Align min_description_length default to 30 (matches composite)
- Remove stale check_changelog from self-pr-validation.yml
- Update metadata feature description in docs
- Validate min-length input against NaN in pr-description
* fix(pr-validation): pin composite refs to v1.19.1-beta.2
* fix(lint): enforce SHA pinning for externals, warnings for internals
---------
Co-authored-by: Gandalf <gandalf@lerian.studio>
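Two small fixes in these notes concern the pr-size shell: an empty `git diff` left `CHANGED_LINES` empty instead of `0`, and shellcheck flagged unquoted `$GITHUB_OUTPUT` / `$GITHUB_STEP_SUMMARY` writes (SC2086) and repeated redirects (SC2129). The functions below are an added example, not the composite's own code; the size thresholds and the sample numstat rows are assumptions constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not the pr-size composite's own code. The size thresholds
# and the sample numstat rows are assumptions constructed for this demo.
set -eu

# Constructed `git diff --numstat` output: two text files and one binary
# (numstat prints "-" for binaries). Expected total: 12+3+0+0 = 15.
SAMPLE_NUMSTAT=$(printf '12\t3\tsrc/validate/pr-size/action.yml\n0\t0\tREADME.md\n-\t-\tdocs/logo.png\n')

# Sum additions+deletions from numstat rows on stdin. Binary rows are
# skipped and empty input yields "0", never an empty string, so the
# arithmetic in size_label cannot fail on a PR with no textual changes.
changed_lines() {
  awk '$1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ { total += $1 + $2 }
       END { print total + 0 }'
}

# Map a line count to a size label (thresholds are this example's assumption).
size_label() {
  if   [ "$1" -le 10 ];   then echo XS
  elif [ "$1" -le 100 ];  then echo S
  elif [ "$1" -le 300 ];  then echo M
  elif [ "$1" -le 1000 ]; then echo L
  else                         echo XL
  fi
}

# Publish step outputs with one grouped, quoted redirect: quoting fixes
# SC2086 (word splitting/globbing of the path) and grouping fixes SC2129
# (the file is opened once instead of once per echo).
write_outputs() {
  {
    echo "changed_lines=$1"
    echo "size_label=$2"
  } >> "$GITHUB_OUTPUT"
}

# Usage (GITHUB_OUTPUT is set by the runner; fall back to a temp file locally):
if [ "${1:-}" = "--demo" ]; then
  GITHUB_OUTPUT=${GITHUB_OUTPUT:-$(mktemp)}
  n=$(printf '%s\n' "$SAMPLE_NUMSTAT" | changed_lines)
  write_outputs "$n" "$(size_label "$n")"
  cat "$GITHUB_OUTPUT"
fi
```

In a real step the input is `git diff --numstat "origin/$BASE_BRANCH"...HEAD | changed_lines`; the `END { print total + 0 }` clause is what turns the no-rows case into a literal `0`, and the grouped `>>` is what shellcheck wants in place of two separate appends.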