chore: migrate to release-please with independent release lines

[goldmedal]

Summary

• Replace manual release workflows (stable-release.yml, pypi-publish.yml, wren-pypi-publish.yml) with release-please-driven automation
• Each component gets its own independent release line: ibis-server, mcp-server, wren-core-py, wren
• Add RC (pre-release) workflow with auto-incrementing <component>-v<version>-rc.N tags
• Reusable publish workflows: Docker multi-arch for ibis-server, PyPI (trusted publishing) for wren-core-py and wren, version verify for mcp-server

Files

File	Action
release-please-config.json	New — 4 components, separate PRs, component-in-tag
.release-please-manifest.json	New — current versions for all components
.github/workflows/release-please.yml	New — push-to-main orchestrator
.github/workflows/rc-release.yml	New — manual RC dispatch
.github/workflows/publish-ibis-server.yml	New — multi-arch Docker build
.github/workflows/publish-wren-core-py.yml	New — multi-platform wheel builds + PyPI
.github/workflows/publish-wren.yml	New — sdist + wheel → PyPI
.github/workflows/publish-mcp-server.yml	New — version verification
wren/pyproject.toml	Modified — static version for release-please
stable-release.yml	Deleted
pypi-publish.yml	Deleted
wren-pypi-publish.yml	Deleted

Test plan

• Merge to main → verify release-please creates 0 Release PRs (no new feat/fix commits)
• Push a feat(wren): ... commit → verify release-please creates a Release PR for wren only
• Merge the Release PR → verify GitHub Release + tag wren-v0.3.0 + PyPI publish
• Run RC workflow for ibis-server → verify pre-release tag + Docker image
• Confirm build-image.yml continues working for SHA-tagged continuous builds

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features

  • Reusable automated publish workflows for multiple components and an RC pre-release flow

• Chores

  • Automated multi-architecture container builds and digest-based manifest publishing
  • Conditional PyPI/TestPyPI publish targets and coordinated release triggering

• Documentation

  • Added comprehensive release process guidance and release-please configuration

• Style

  • Set explicit package release version to 0.2.0

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• ✅ Review completed - (🔄 Check again to review again)

📝 Walkthrough

Walkthrough

Adds Release Please-driven release automation with reusable publish workflows for ibis-server, mcp-server, wren-core-py, and wren; adds RC orchestration and release manifest/config; removes legacy stable-release and old wren PyPI workflows; pins wren package version and adds RELEASING.md.

Changes

Cohort / File(s)	Summary
Release Please config .release-please-manifest.json, release-please-config.json	Add manifest and release-please configuration mapping four components and initial versions; enable separate PRs per component.
IBIS server publish workflow .github/workflows/publish-ibis-server.yml	New reusable workflow: multi-arch build/push to GHCR, reads mcp-server/pyproject.toml, produces per-arch digest artifacts, and creates multi-arch manifest.
MCP server validation workflow .github/workflows/publish-mcp-server.yml	New reusable workflow: validates mcp-server package version against provided input (accepts RC base-version semantics).
Wren core Python publish (reworked) .github/workflows/publish-wren-core-py.yml	Converted to workflow_call; checks out inputs.tag_name, injects inputs.version into wren-core-py manifests before build/publish steps.
Wren PyPI publish (new) .github/workflows/publish-wren.yml	New reusable workflow: sets wren version, builds sdist/wheel from wren/, uploads artifact, and publishes to PyPI/TestPyPI based on pypi_target.
RC orchestration .github/workflows/rc-release.yml	Manual RC workflow: computes/increments RC versions, creates git tag & prerelease, outputs version/tag_name/pypi_version, and invokes component publish workflows (marks ibis as prerelease).
Automated release pipeline .github/workflows/release-please.yml	Runs release-please on main and conditionally invokes component publish workflows with computed version/tag outputs and narrowed permissions per job.
Removed legacy workflows .github/workflows/stable-release.yml, .github/workflows/wren-pypi-publish.yml	Remove legacy stable-release pipeline and previous wren PyPI publish workflow.
Package metadata change wren/pyproject.toml	Replace dynamic Hatch-based version extraction with static version = "0.2.0".
Docs RELEASING.md	Add release process docs describing release-please usage, RC flow, component mapping, and publish workflow wiring.

Sequence Diagram(s)

sequenceDiagram
    participant RP as Release-Please Action
    participant GH as GitHub Actions Controller
    participant Repo as Repository (checkout / tag)
    participant Publish as Publish Workflow (ibis/mcp/wren)
    participant GHCR as GitHub Container Registry
    participant PyPI as PyPI/TestPyPI

    RP->>GH: on main push -> emit per-component outputs (release_created, version, tag_name)
    GH->>Publish: conditional workflow_call(inputs: version, tag_name, pypi_target, prerelease)
    Publish->>Repo: checkout at tag_name / read or inject version files
    Publish->>GHCR: build per-arch images and push per-arch digests
    Publish->>GHCR: create multi-arch manifest list from digests and push tags
    Publish->>PyPI: build and publish Python distributions when applicable
    Publish->>GH: upload artifacts and report status

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

Possibly related PRs

• feat(mcp-server): add version management and release flow #1428: modifies ibis-server image build/release flow and mcp-server version propagation.
• chore: add PyPI publishing infrastructure for wren-core-py #1496: adds wren-core-py packaging and CI publish infrastructure related to this PR.
• chore(wren): prepare v0.1.0 for PyPI publishing #1505: touches wren packaging/publishing and workflow changes overlapping PyPI logic.

Suggested labels

python, ibis

Suggested reviewers

• douenergy
• wwwy3y3

Poem

🐇 I hopped through tags and CI bright,

I nudged the versions into sight,
RCs counted, manifests spun,
Images pushed and wheels begun—
A rabbit cheers: releases, done!

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title clearly and accurately describes the main objective: migrating from manual release workflows to release-please with independent release lines for multiple components.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 6

🧹 Nitpick comments (1)

.github/workflows/rc-release.yml (1)

20-24: Scope permissions to least privilege per job.

Current workflow-level permissions grant packages: write and id-token: write to all jobs. Prefer minimal default permissions and elevate only where required.

Proposed refactor

 permissions:
-  contents: write
-  packages: write
-  id-token: write
+  contents: read
 
 jobs:
   create-rc:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write

Also applies to: 26-27

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/rc-release.yml around lines 20 - 24, Workflow-level
permissions are too broad; change the top-level permissions block to the minimal
default (e.g., set contents: read or remove workflow-level packages/id-token
entries) and move elevated permissions to the specific job(s) that actually need
them: grant packages: write only on the job that publishes packages and grant
id-token: write only on the job that performs OIDC/auth. Update the permissions
keys 'contents', 'packages', and 'id-token' accordingly so workflow-level
permissions are least-privilege and per-job permissions provide the elevated
rights where required.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/publish-ibis-server.yml:
- Around line 6-18: The workflow currently reuses the `version` input
(ibis-server release) as the MCP image version; change it so MCP_SERVER_VERSION
is not derived from `version`: add a new input (e.g., `mcp_version`) to the
workflow inputs and use that to populate MCP_SERVER_VERSION, or alternatively
check out the repository and read the version from `mcp-server/pyproject.toml`
(parse the version field) after checkout; update any references that set
MCP_SERVER_VERSION (instead of using `version`) to use the new `mcp_version`
input or the parsed pyproject value so ibis-server and mcp-server releases can
diverge.

In @.github/workflows/publish-wren-core-py.yml:
- Around line 14-18: The workflow's pypi_target input currently treats any value
other than "testpypi" as live PyPI; add explicit validation for the pypi_target
input (the input named pypi_target) and fail the workflow for any value not
equal to "pypi" or "testpypi." Implement this by adding an early validation
step/job (e.g., a small shell step in the publish job or a separate pre-check
job) that checks the pypi_target value and exits non‑zero with a clear error if
it is not exactly "pypi" or "testpypi"; update both occurrences referenced in
the workflow (the pypi_target input block and the publish logic used later) so
publishing cannot proceed with an invalid value.
- Around line 32-49: The Set version step uses non-portable sed -i calls to
rewrite version in wren-core-py/Cargo.toml and wren-core-py/pyproject.toml which
fail on macOS and Windows; replace the sed lines in the "Set version" step with
a cross-platform Python in-place edit (e.g., a short python -c one-liner or
script) that reads each file, replaces the version line pattern, and writes back
atomically, and apply the exact same replacement in the build-sdist job so both
jobs update Cargo.toml and pyproject.toml using the Python-based updater rather
than sed.

In @.github/workflows/publish-wren.yml:
- Around line 14-18: Add an explicit validation step for the workflow input
pypi_target that rejects any value not equal to "pypi" or "testpypi": create a
step (e.g., name: validate-pypi-target) that reads the pypi_target input
(inputs.pypi_target or github.event.inputs.pypi_target depending on invocation),
checks membership against the allowed set ["pypi","testpypi"], and exits with a
non-zero status and clear error message if the value is invalid so the publish
step never runs; then reference the validated value in the publish logic that
constructs the upload URL.

In @.github/workflows/rc-release.yml:
- Around line 25-27: The create-rc job races when computing rc.N and immediately
creating the tag; serialize runs per component by adding a concurrency/group
constraint scoped to each component so only one workflow run can
compute-and-create an RC for a given component at a time: update the create-rc
job to use GitHub Actions concurrency with a group key that includes the
component identifier (referencing the create-rc job and the steps that compute
rc.N and create the tag) so concurrent manual runs for the same component are
queued instead of racing.
- Around line 15-18: The workflow currently trusts the rc_version input as-is;
add explicit validation before any step that constructs the release/tag (the
rc_version input and the step that creates the release tag) by introducing an
early job/step that checks if rc_version is empty or matches a strict RC semver
regex (e.g. ^\d+\.\d+\.\d+-rc\.\d+$), and fail the run with a clear message when
it doesn't match; implement the check as a shell step that reads
inputs.rc_version (or env.RC_VERSION) and exits non-zero on invalid input so
downstream steps that create the tag/release never run with a malformed value.

---

Nitpick comments:
In @.github/workflows/rc-release.yml:
- Around line 20-24: Workflow-level permissions are too broad; change the
top-level permissions block to the minimal default (e.g., set contents: read or
remove workflow-level packages/id-token entries) and move elevated permissions
to the specific job(s) that actually need them: grant packages: write only on
the job that publishes packages and grant id-token: write only on the job that
performs OIDC/auth. Update the permissions keys 'contents', 'packages', and
'id-token' accordingly so workflow-level permissions are least-privilege and
per-job permissions provide the elevated rights where required.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b426fa1b-6ad2-43d8-91c7-853acfc95501

📥 Commits

Reviewing files that changed from the base of the PR and between 8f20a33 and f6d550b.

📒 Files selected for processing (11)

• .github/workflows/publish-ibis-server.yml
• .github/workflows/publish-mcp-server.yml
• .github/workflows/publish-wren-core-py.yml
• .github/workflows/publish-wren.yml
• .github/workflows/rc-release.yml
• .github/workflows/release-please.yml
• .github/workflows/stable-release.yml
• .github/workflows/wren-pypi-publish.yml
• .release-please-manifest.json
• release-please-config.json
• wren/pyproject.toml

💤 Files with no reviewable changes (2)

• .github/workflows/wren-pypi-publish.yml
• .github/workflows/stable-release.yml

[coderabbitai]

🧹 Nitpick comments (2)

RELEASING.md (2)

79-83: Add language specifier to code block.

For better markdown best practices and syntax highlighting, add a language specifier to this fenced code block. Since this is a commit message example, you can use text or commit.

📝 Proposed fix

-```
+```text
 feat(wren): prepare stable release
 
 Release-As: 1.0.0

</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against the current code and only fix it if needed.

In @RELEASING.md around lines 79 - 83, Add a language specifier to the fenced
code block that contains the commit example ("feat(wren): prepare stable
release" and "Release-As: 1.0.0") by changing the opening fence from totext (or commit) so the block becomes text and enables proper Markdown
syntax highlighting.

</details>

---

`97-101`: **Add language specifier to code block.**

For better markdown best practices and syntax highlighting, add a language specifier to this fenced code block. Since this is a commit message example, you can use `text` or `commit`.



<details>
<summary>📝 Proposed fix</summary>

```diff
-```
+```text
 feat(wren)!: redesign query engine
 
 BREAKING CHANGE: WrenEngine constructor signature changed
 ```
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against the current code and only fix it if needed.

In @RELEASING.md around lines 97 - 101, Update the fenced code block that
contains the commit example (the lines starting with "feat(wren)!: redesign
query engine" and "BREAKING CHANGE: WrenEngine constructor signature changed")
to include a language specifier (e.g., change totext or ```commit) so
Markdown rendering and syntax highlighting work correctly; locate the code block
in RELEASING.md and prefix the opening backticks with the chosen specifier.

</details>

</blockquote></details>

</blockquote></details>

<details>
<summary>🤖 Prompt for all review comments with AI agents</summary>

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @RELEASING.md:

• Around line 79-83: Add a language specifier to the fenced code block that
  contains the commit example ("feat(wren): prepare stable release" and
  "Release-As: 1.0.0") by changing the opening fence from totext (or
  commit) so the block becomes text and enables proper Markdown syntax
  highlighting.
• Around line 97-101: Update the fenced code block that contains the commit
  example (the lines starting with "feat(wren)!: redesign query engine" and
  "BREAKING CHANGE: WrenEngine constructor signature changed") to include a
  language specifier (e.g., change totext or ```commit) so Markdown
  rendering and syntax highlighting work correctly; locate the code block in
  RELEASING.md and prefix the opening backticks with the chosen specifier.

</details>

---

<details>
<summary>ℹ️ Review info</summary>

<details>
<summary>⚙️ Run configuration</summary>

**Configuration used**: defaults

**Review profile**: CHILL

**Plan**: Pro

**Run ID**: `84105c67-4d99-488a-b0eb-d34afa567ead`

</details>

<details>
<summary>📥 Commits</summary>

Reviewing files that changed from the base of the PR and between f6d550beda9a25a0e50c3db2ed85a813620f1363 and 9103b728eaab2569b620ef10907a4c5c5744e3c9.

</details>

<details>
<summary>📒 Files selected for processing (1)</summary>

* `RELEASING.md`

</details>

</details>

<!-- This is an auto-generated comment by CodeRabbit for review status -->

[coderabbitai]

♻️ Duplicate comments (2)

.github/workflows/rc-release.yml (1)

53-59: ⚠️ Potential issue | 🟠 Major

Tighten rc_version validation to the manifest base version.

Line 54 validates shape only. A wrong-base override (e.g., not matching BASE_VERSION) still passes and can create unintended RC tags for the component.

✅ Suggested fix

           if [ -n "$RC_VERSION_INPUT" ]; then
-            if ! [[ "$RC_VERSION_INPUT" =~ ^[0-9]+\.[0-9]+\.[0-9]+-rc\.[1-9][0-9]*$ ]]; then
-              echo "::error::Invalid rc_version format: $RC_VERSION_INPUT (expected: X.Y.Z-rc.N)"
+            if ! [[ "$RC_VERSION_INPUT" =~ ^${BASE_VERSION}-rc\.[1-9][0-9]*$ ]]; then
+              echo "::error::Invalid rc_version: $RC_VERSION_INPUT (expected: ${BASE_VERSION}-rc.N)"
               exit 1
             fi
             VERSION="$RC_VERSION_INPUT"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/rc-release.yml around lines 53 - 59, The current RC
version check only enforces the shape of RC_VERSION_INPUT; update the validation
to also ensure its base version matches BASE_VERSION by extracting the base
X.Y.Z from RC_VERSION_INPUT (e.g., via regex capturing group) and comparing it
to BASE_VERSION before assigning VERSION; if they differ, emit an error like
"Invalid rc_version base: base (expected: $BASE_VERSION)" and exit 1. Use the
existing variables RC_VERSION_INPUT and BASE_VERSION and keep the shape check
(^[0-9]+\.[0-9]+\.[0-9]+-rc\.[1-9][0-9]*$) then derive the base portion and
compare. Ensure VERSION is only set when both shape and base match.

.github/workflows/publish-wren-core-py.yml (1)

14-18: ⚠️ Potential issue | 🟠 Major

Fail closed on invalid pypi_target values.

pypi_target is free-form, and Line 122 falls through to the live PyPI endpoint for any value other than testpypi. This can publish to production on typos.

🔒 Suggested fix

   publish:
     name: Publish to ${{ inputs.pypi_target }}
     needs: [build-wheels, build-sdist]
     runs-on: ubuntu-latest
@@
     steps:
+      - name: Validate publish target
+        run: |
+          case "${{ inputs.pypi_target }}" in
+            pypi|testpypi) ;;
+            *)
+              echo "::error::pypi_target must be 'pypi' or 'testpypi'"
+              exit 1
+              ;;
+          esac
       - name: Download all artifacts
         uses: actions/download-artifact@v4

Also applies to: 109-110, 119-123

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/publish-wren-core-py.yml around lines 14 - 18, The
workflow currently treats any pypi_target other than "testpypi" as live PyPI;
change it to fail closed by validating pypi_target before selecting the
repository: either restrict the input by replacing the free-form input with an
options list containing only "pypi" and "testpypi" (input name: pypi_target) or
add an explicit validation step that checks the pypi_target value (the
conditional that currently compares to "testpypi") and exits with an error if
the value is not exactly "pypi" or "testpypi"; only after validation set the
repository URL for publishing.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In @.github/workflows/publish-wren-core-py.yml:
- Around line 14-18: The workflow currently treats any pypi_target other than
"testpypi" as live PyPI; change it to fail closed by validating pypi_target
before selecting the repository: either restrict the input by replacing the
free-form input with an options list containing only "pypi" and "testpypi"
(input name: pypi_target) or add an explicit validation step that checks the
pypi_target value (the conditional that currently compares to "testpypi") and
exits with an error if the value is not exactly "pypi" or "testpypi"; only after
validation set the repository URL for publishing.

In @.github/workflows/rc-release.yml:
- Around line 53-59: The current RC version check only enforces the shape of
RC_VERSION_INPUT; update the validation to also ensure its base version matches
BASE_VERSION by extracting the base X.Y.Z from RC_VERSION_INPUT (e.g., via regex
capturing group) and comparing it to BASE_VERSION before assigning VERSION; if
they differ, emit an error like "Invalid rc_version base: base (expected:
$BASE_VERSION)" and exit 1. Use the existing variables RC_VERSION_INPUT and
BASE_VERSION and keep the shape check (^[0-9]+\.[0-9]+\.[0-9]+-rc\.[1-9][0-9]*$)
then derive the base portion and compare. Ensure VERSION is only set when both
shape and base match.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8be48a37-505c-4409-906b-1bea6a636350

📥 Commits

Reviewing files that changed from the base of the PR and between 9103b72 and 0bf4794.

📒 Files selected for processing (4)

• .github/workflows/publish-ibis-server.yml
• .github/workflows/publish-wren-core-py.yml
• .github/workflows/publish-wren.yml
• .github/workflows/rc-release.yml

✅ Files skipped from review due to trivial changes (1)

• .github/workflows/publish-wren.yml

[coderabbitai]

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/rc-release.yml:
- Around line 89-95: Move the "Create GitHub pre-release" step (the
softprops/action-gh-release invocation using tag_name: ${{
steps.rc.outputs.tag_name }}, name: "${{ inputs.component }} ${{
steps.rc.outputs.version }}", prerelease: true, generate_release_notes: true)
out of its current location and into a final job that runs after the chosen
publish job(s) succeed; make that job depend_on the publish job(s) (the selected
PyPI or Docker publisher) so the prerelease is only created when the downstream
publication step completes successfully, and ensure the final job's conditional
matches the publish path selected so the prerelease isn't created for failed or
skipped publishers.
- Around line 36-38: Add a branch-guard step to the workflow so RCs can only be
cut from main: before the tagging/“create RC” step, check the dispatched ref
(github.ref or workflow_dispatch input) and fail early unless it equals
refs/heads/main; ensure this check runs after the actions/checkout@v4 step (or
replace its ref usage) so the action cannot proceed to create tags from a
non-main branch. Reference the workflow_dispatch trigger and the
actions/checkout@v4 usage when adding the new “Ensure main branch” step.
- Around line 53-55: The regex is loose because BASE_VERSION (e.g., 0.25.0) is
interpolated unescaped; replace the single regex check with a two-step
validation: first verify the prefix using a string comparison like [[
"$RC_VERSION_INPUT" == "$BASE_VERSION"-rc.* ]] (or use parameter expansion to
check startswith), then validate only the numeric suffix by stripping the prefix
(e.g., suffix=${RC_VERSION_INPUT#"$BASE_VERSION"-rc.}) and checking suffix
against the numeric regex ^[1-9][0-9]*$; update the check around
RC_VERSION_INPUT/BASE_VERSION accordingly and keep the existing error message
when validation fails.
- Around line 20-23: Change the workflow-level permissions to minimize blast
radius: set the top-level permissions mapping to only "contents: read" instead
of "contents: write / packages: write / id-token: write", and move the stronger
permissions ("contents: write" and any needed "packages: write" or "id-token:
write") into the specific job that needs them (the create-rc job). Update the
create-rc job's permissions block to explicitly grant "contents: write" (and any
other minimal rights it requires) so other jobs keep their current,
tightly-scoped permissions.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8b475e30-4dd6-4b77-8438-8d6b0253f096

📥 Commits

Reviewing files that changed from the base of the PR and between 0bf4794 and 8960df6.

📒 Files selected for processing (1)

• .github/workflows/rc-release.yml

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/rc-release.yml:
- Around line 142-143: The current job "if:" condition gates pre-release
creation only against 'failure' but not cancelled runs; update the condition on
the job (the if: expression referencing needs and needs.*.result) to also reject
any 'cancelled' results—e.g., add a check like !contains(needs.*.result,
'cancelled') alongside the existing !contains(..., 'failure') so pre-release
creation only proceeds when all dependent jobs succeeded (and none were
cancelled).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: fbaa27d2-9406-47ef-b37b-b3508cbee8d4

📥 Commits

Reviewing files that changed from the base of the PR and between 8960df6 and 69b6b07.

📒 Files selected for processing (1)

• .github/workflows/rc-release.yml