Agalles/create deploy workflow trigger #7093

Open: AmyLGalles wants to merge 4 commits into main from agalles/create-deploy-workflow-trigger

AmyLGalles commented Jun 23, 2026 (Contributor)

🎟️ Tracking

Creating a workflow trigger for deploy release github workflow
https://github.com/bitwarden/deploy/pull/211

📔 Objective

📸 Screenshots

AmyLGalles added the ai-review (Request a Claude code review) and hold (do not merge yet) labels Jun 23, 2026

github-actions Bot commented Jun 23, 2026 (Contributor)

Code Review Summary

Scope: 1 file changed (+11 / −274) — .github/workflows/github-release.yml

This PR replaces the in-repo GitHub Release creation pipeline (artifact download, version parsing, Jira release notes, gh release create, etc.) with a single step that triggers the release via bitwarden/gh-actions/trigger-actions@main, delegating the actual work to the bitwarden/deploy repo. The reduced scope and the trimmed permissions: block (now only id-token: write) are appropriate for a thin trigger workflow.

Findings

| Severity | Location | Summary |
|---|---|---|
| ❓ QUESTION | github-release.yml:22-23 | Branch-protection guard (release only from main/release/*) was removed — confirm it's enforced downstream in the deploy repo. |
| 🔵 SUGGESTED | github-release.yml:28-29 | Use inputs.<name> instead of github.event.inputs.<name> to match repo convention. |

Observations (non-blocking)

  • The name: of the workflow remains "Create GitHub Release" and the job is now deploy / "Trigger publish via deploy repo" — slight purpose/label mismatch, but harmless.
  • .github/scripts/jira-get-release-notes/ appears to no longer be referenced by any workflow after this change. If the deploy repo now owns release-note generation, consider cleaning up the now-orphaned script in a follow-up (assuming it isn't intentionally retained).
  • trigger-actions@main is pinned to a moving ref, consistent with the existing convention for bitwarden/gh-actions/* actions in this repo — not a new concern introduced here.

Verdict

A clean, well-scoped migration. No blocking issues. The branch-protection question is the only item worth an explicit confirmation before merge.

Comment thread .github/workflows/github-release.yml Outdated
AmyLGalles marked this pull request as ready for review June 23, 2026 19:57
AmyLGalles requested a review from a team as a code owner June 23, 2026 19:57
AmyLGalles added the app:password-manager (Bitwarden Password Manager app context) and app:authenticator (Bitwarden Authenticator app context) labels and removed the hold (do not merge yet) label Jun 30, 2026

codecov Bot commented Jun 30, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.24%. Comparing base (7124ccb) to head (bc36cf6).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #7093      +/-   ##
==========================================
- Coverage   86.80%   86.24%   -0.57%     
==========================================
  Files         911      927      +16     
  Lines       65392    66120     +728     
  Branches     9353     9383      +30     
==========================================
+ Hits        56762    57022     +260     
- Misses       5405     5862     +457     
- Partials     3225     3236      +11     
| Flag | Coverage Δ |
|---|---|
| app-data | 17.26% <ø> (ø) |
| app-ui-auth-tools | 19.02% <ø> (+0.18%) ⬆️ |
| app-ui-platform | 16.92% <ø> (ø) |
| app-ui-vault | 28.23% <ø> (-0.12%) ⬇️ |
| authenticator | 6.15% <ø> (ø) |
| lib-core-network-bridge | 4.04% <ø> (ø) |
| lib-data-ui | 1.13% <ø> (ø) |

Flags with carried forward coverage won't be shown.

Comment on lines +28 to +29
artifact_run_id: ${{ github.event.inputs.artifact-run-id }}
release_ticket_id: ${{ github.event.inputs.release-ticket-id }}

🔵 SUGGESTED: For workflow_dispatch inputs, the rest of this repo's workflows use the shorter inputs.<name> context rather than github.event.inputs.<name> (see build.yml, _version.yml, release-branch.yml). Consider aligning for consistency:

Suggested change
artifact_run_id: ${{ github.event.inputs.artifact-run-id }}
release_ticket_id: ${{ github.event.inputs.release-ticket-id }}
artifact_run_id: ${{ inputs.artifact-run-id }}
release_ticket_id: ${{ inputs.release-ticket-id }}

Comment on lines +22 to +23
- name: Trigger publish
uses: bitwarden/gh-actions/trigger-actions@main
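
Review bot: The uses: line at line 23 resolves bitwarden/gh-actions/trigger-actions from the main branch, so the code this step runs can change without any commit to this repository. Since the review summary notes the job keeps id-token: write, consider pinning the action to a full commit SHA with the intended version in a trailing comment, or add a short comment in the workflow stating that @main is deliberate and matches the repo convention.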

QUESTION: The previous version of this workflow enforced a branch-protection guard before creating a release — it rejected the run unless the artifact's headBranch was main or matched release/* ("Releases must be created from protected branches"). That check is removed here. Is that guard now enforced downstream in bitwarden/gh-actions/trigger-actions / the release-android task in the deploy repo? Just want to confirm we're not dropping the protection that releases only originate from protected branches.
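
The guard described in the question above, as an added example (not code from this PR or from any Bitwarden repository): a POSIX shell check that accepts only main or release/<name> and rejects look-alike names. The function names, the ARTIFACT_RUN_ID variable and the character allowlist for release names are assumptions.

```shell
#!/bin/sh
# Added example: branch guard for a release trigger (not the project's code).
# In CI the branch name would come from the artifact's workflow run, e.g.
#   gh run view "$ARTIFACT_RUN_ID" --json headBranch --jq .headBranch
# ARTIFACT_RUN_ID is a hypothetical variable name.

# is_protected_branch BRANCH -> 0 if BRANCH is "main" or "release/<name>".
is_protected_branch() {
  case "$1" in
    main) return 0 ;;
    release/?*) ;;   # needs a non-empty name after the slash
    *) return 1 ;;   # rejects mainline, refs/heads/main, feature/release/x
  esac
  # Assumed allowlist for release names: letters, digits, '.', '_', '-', '/'.
  # This rejects whitespace and newlines, which the glob above would accept.
  case "$1" in
    *[!A-Za-z0-9._/-]*|*..*|*//*|*/) return 1 ;;
  esac
  return 0
}

# guard_release BRANCH -> prints the decision; a non-zero status fails the job.
guard_release() {
  if is_protected_branch "$1"; then
    printf 'ok: %s is a protected branch\n' "$1"
  else
    printf 'error: Releases must be created from protected branches (got: %s)\n' "$1" >&2
    return 1
  fi
}

# Constructed sample branch names so the script runs offline.
for b in main release/2026.6.0 release/ feature/release/1 refs/heads/main; do
  guard_release "$b" 2>&1 || true
done
```

Running the guard in the triggering workflow keeps the check visible at the point where the release is requested, whether or not the downstream repository repeats it.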
