ADFA-4085: Decouple plugin-api release from weekly-release workflow

[Daniel-ADFA]

No description provided.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0fa29099-9402-4b87-821f-8305b06bca60

📥 Commits

Reviewing files that changed from the base of the PR and between 486b470 and e86f597.

📒 Files selected for processing (2)

• .github/workflows/release-plugin-api.yml
• .github/workflows/weekly-release.yml

---

📝 Walkthrough

• New workflow: .github/workflows/release-plugin-api.yml

  • Adds a manually-triggered (workflow_dispatch) GitHub Actions workflow to build plugin-api and plugin-builder JARs using flox + Gradle.
  • Stages artifacts under .release/, generates sha256sum checksums, deletes any existing plugin-api-latest release, and (re)creates plugin-api-latest targeting the current commit SHA with UTC build timestamp in release notes.
  • Workflow sets repository permissions (contents: read at the workflow level, contents: write for the job), runs on self-hosted runners, and disables in-progress cancellation for the concurrency group release-plugin-api.

• Weekly workflow updates: .github/workflows/weekly-release.yml

  • Removes the release-plugin-api job from the weekly-release workflow, decoupling plugin-API publication from the weekly release flow.
  • release-codeonthego now depends only on prepare and pull-apk.
  • Adds persist-credentials: false to actions/checkout in prepare, pull-apk, and finalize jobs.
  • Multiple steps updated to run under flox via explicit shell invocation (flox activate -d flox/base -- bash -eo pipefail ...).
  • finalize job now checks out ref: main before performing Jira closure and updating NEXT_RELEASE_VERSION repo variable.

• CI environment: flox/base/.flox/env/manifest.toml

  • Installs GitHub CLI in the flox base environment (gh.pkg-path = "gh").

Risks and best-practice violations

• Manual trigger risk: Releasing plugin-api requires manual invocation; artifacts can lag or diverge from code. Consider adding path/tag triggers or scheduled automation.
• Branch mismatch: finalize (and release-plugin-api) check out main or the commit SHA explicitly; if releases should originate from stage or other branches this may produce inconsistent artifacts or metadata.
• Release overwrite / no history: The workflow deletes and recreates plugin-api-latest on each run, losing prior release history and artifacts. Prefer versioned releases or retain previous artifacts to improve traceability and rollback.
• Unsafe release deletion: Deleting an existing release before ensuring successful creation can leave no release if creation fails. Add safeguards or transactional steps.
• Decoupling drift: Separating plugin-API from weekly releases increases risk of unsynchronized plugin and application versions. Document coordination procedures or add compatibility gating.
• Self-hosted runner dependency: Relying on self-hosted runners introduces availability and security concerns; ensure monitoring, capacity planning, and maintenance policies.
• Persist-credentials change: Setting persist-credentials: false limits in-job GitHub token availability and may break steps expecting repo write access unless credentials are re-established; verify required steps still function.
• Fragile flox invocations: Repeated explicit flox activate bash invocations are verbose and tightly coupled to flox CLI behavior; consider consolidating environment setup into a reusable step or composite action.

Walkthrough

Adds a manual release-plugin-api workflow that builds plugin JARs via flox+Gradle, stages artifacts with sha256 checksums, and recreates a plugin-api-latest release using gh. Removes the release-plugin-api job from the weekly release workflow and adds gh to the flox base environment manifest.

Changes

Plugin API Release Workflow Separation

Layer / File(s)	Summary
Flox environment prerequisite for gh CLI flox/base/.flox/env/manifest.toml	Adds gh.pkg-path = "gh" to the [install] section so the gh CLI is available in flox environments.
New standalone plugin-api release workflow .github/workflows/release-plugin-api.yml	Manual workflow_dispatch job (self-hosted) with job-scoped contents: write; checks out main, builds :plugin-api:createPluginApiJar and plugin-builder via flox-activated Gradle, stages artifacts in .release/ as plugin-api.jar and gradle-plugin.jar, generates checksums.txt, and uses gh with GH_TOKEN to delete/create plugin-api-latest targeting current commit SHA and upload artifacts.
Weekly release workflow refactoring .github/workflows/weekly-release.yml	Removes the release-plugin-api job; narrows release-codeonthego needs to prepare and pull-apk; adds persist-credentials: false to checkouts; updates selected steps to run under flox-backed bash -eo pipefail shells; adds actions/checkout@v4 (ref: main) to the finalize job.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• appdevforall/CodeOnTheGo#1290: Prior updates to .github/workflows/weekly-release.yml that introduced or modified the release-plugin-api job and workflow structure.

Suggested reviewers

• hal-eisen-adfa
• jatezzz

Poem

🐰 I hopped into CI with eager paws,
Built jars at night and checked their laws,
Checksums hummed as files took flight,
gh wrote a release under moonlight,
A tiny hop for code—CI applause!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	No pull request description was provided by the author, making it impossible to assess whether the description relates to the changeset.	Add a description explaining the purpose of decoupling the plugin-api release workflow and why this change improves the release process.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: decoupling the plugin-api release workflow into a separate GitHub Actions workflow, which is the primary objective of the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ADFA-4085-update

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release-plugin-api.yml:
- Around line 20-21: Pin the checkout action to a full commit SHA instead of
actions/checkout@v4 and disable credentials by setting persist-credentials:
false (update the actions/checkout usage), and make the release target use the
actual checked-out commit rather than GITHUB_SHA by either checking out ref:
$GITHUB_SHA or changing the gh release command to target the checked-out commit
(e.g., git rev-parse HEAD) so the ref used by gh release create --target
"$GITHUB_SHA" matches the commit you checked out; update references to
actions/checkout@v4, persist-credentials, ref: main, and gh release create
--target "$GITHUB_SHA" accordingly.
- Line 22: The workflow hard-pins the checkout to "ref: main" while the release
command uses $GITHUB_SHA as --target, causing provenance mismatch; update the
actions/checkout step (the block using actions/checkout@... with "ref: main") to
checkout the exact commit used for the release by replacing the hard-coded ref
with the workflow runtime SHA (use the same value used by gh release, e.g.
github.sha / $GITHUB_SHA) and ensure fetch-depth is sufficient (e.g. 0) so the
checked-out commit and tags are available for gh release create --target to
accurately reflect build provenance.

In @.github/workflows/weekly-release.yml:
- Line 291: The finalize job runs the command shown by the shell line "flox
activate -d flox/base -- bash -eo pipefail {0}" but does not check out the
repository first, so add an actions/checkout@v4 step immediately before the step
that runs the flox activate shell command; locate the job or step containing the
exact shell string and insert a preceding step with uses: actions/checkout@v4
(and appropriate with/checkout parameters if needed) so flox/base and repo files
are present when the flox activate command executes.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 960696da-ff0b-45ff-b202-b48d344a8e86

📥 Commits

Reviewing files that changed from the base of the PR and between ffba855 and c7521f0.

⛔ Files ignored due to path filters (1)

• flox/base/.flox/env/manifest.lock is excluded by !**/*.lock

📒 Files selected for processing (3)

• .github/workflows/release-plugin-api.yml
• .github/workflows/weekly-release.yml
• flox/base/.flox/env/manifest.toml

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

.github/workflows/release-plugin-api.yml (1)

50-50: ⚡ Quick win

Replace fixed delay with bounded polling before recreate.

A hard wait can still flake on GitHub-side propagation. Prefer a short bounded poll that confirms deletion before gh release create.

Suggested patch

           if gh release view plugin-api-latest >/dev/null 2>&1; then
             gh release delete plugin-api-latest --cleanup-tag --yes
-            sleep 10
+            for i in {1..30}; do
+              if ! gh release view plugin-api-latest >/dev/null 2>&1; then
+                break
+              fi
+              sleep 1
+            done
+            if gh release view plugin-api-latest >/dev/null 2>&1; then
+              echo "::error::Timed out waiting for plugin-api-latest deletion to propagate"
+              exit 1
+            fi
           fi

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release-plugin-api.yml at line 50, Replace the hard-coded
sleep 10 in the release step with a bounded polling loop that verifies the
previous release is actually deleted before running gh release create;
specifically, poll using gh release view (or gh api
/repos/:owner/:repo/releases/tags/:tag) in a loop with a short interval (e.g.,
2s) and a total timeout (e.g., 60s), exit early when the release is confirmed
gone, and fail the job after the timeout so gh release create only runs when
deletion is observed. This change targets the workflow step containing the
literal "sleep 10" and the subsequent "gh release create" command.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/weekly-release.yml:
- Around line 266-269: The finalize job's checkout step uses actions/checkout@v4
unpinned and omits persist-credentials: false; update the checkout step in the
finalize job (and other jobs with the same pattern) to pin the action to a
specific commit SHA instead of the floating tag (replace actions/checkout@v4
with actions/checkout@<commit-sha>) and add persist-credentials: false under the
with: block to prevent credential persistence and avoid exposure to upstream
changes.

---

Nitpick comments:
In @.github/workflows/release-plugin-api.yml:
- Line 50: Replace the hard-coded sleep 10 in the release step with a bounded
polling loop that verifies the previous release is actually deleted before
running gh release create; specifically, poll using gh release view (or gh api
/repos/:owner/:repo/releases/tags/:tag) in a loop with a short interval (e.g.,
2s) and a total timeout (e.g., 60s), exit early when the release is confirmed
gone, and fail the job after the timeout so gh release create only runs when
deletion is observed. This change targets the workflow step containing the
literal "sleep 10" and the subsequent "gh release create" command.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c2404687-06e0-4478-8025-85a5ac99b28a

📥 Commits

Reviewing files that changed from the base of the PR and between c7521f0 and 486b470.

📒 Files selected for processing (2)

• .github/workflows/release-plugin-api.yml
• .github/workflows/weekly-release.yml