Skip to content

feat(release): migrate from release-please to release-plz #171

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
zeitlinger merged 10 commits into from
Apr 16, 2026
Merged

feat(release): migrate from release-please to release-plz #171

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
392b21e
feat(release): migrate from release-please to release-plz
zeitlinger Apr 13, 2026
acb8988
fix(release): quote $GITHUB_ENV to satisfy shellcheck SC2086
zeitlinger Apr 13, 2026
7c2b10b
fix(release): add mise_version to matrix, add PR footer
zeitlinger Apr 13, 2026
f74bd7e
fix(release): simplify pr_body template to stay within 100-char line …
zeitlinger Apr 13, 2026
ce3e258
fix(release): track mise version in renovate-tracked-deps
zeitlinger Apr 13, 2026
b0c2cf9
fix(renovate): extend mise matrix pattern to all workflow files
zeitlinger Apr 13, 2026
36ec393
fix(release): address CI failures and Copilot review comments
zeitlinger Apr 13, 2026
0badd3c
fix(release): disable mise cache instead of suppressing zizmor finding
zeitlinger Apr 13, 2026
22aacab
fix(release): address review comments on release-plz migration
zeitlinger Apr 16, 2026
2722a18
docs(release): add comments explaining release and release-pr jobs
zeitlinger Apr 16, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 0 additions & 3 deletions .github/config/.release-please-manifest.json
View file
Open in desktop

This file was deleted.

11 changes: 0 additions & 11 deletions .github/config/release-please-config.json
View file
Open in desktop

This file was deleted.

5 changes: 5 additions & 0 deletions .github/renovate-tracked-deps.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,11 @@
"mise"
]
},
".github/workflows/release.yml": {
"regex": [
"mise"
]
},
".github/workflows/test.yml": {
"regex": [
"mise"
Expand Down
4 changes: 2 additions & 2 deletions .github/renovate.json5
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,8 +47,8 @@
},
{
customType: "regex",
description: "Update mise per-platform sha256 hashes in test.yml matrix",
managerFilePatterns: ["/.github/workflows/test.yml/"],
description: "Update mise per-platform sha256 hashes in workflow matrix",
managerFilePatterns: ["/(^|/)\\.github/workflows/.+\\.ya?ml$/"],
datasourceTemplate: "github-release-attachments",
packageNameTemplate: "jdx/mise",
depNameTemplate: "mise",
Expand Down
23 changes: 0 additions & 23 deletions .github/workflows/release-please.yml
View file
Open in desktop

This file was deleted.

54 changes: 54 additions & 0 deletions .github/workflows/release-plz.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
---
name: Release-plz

on:
push:
branches:
- main

permissions: {}

jobs:
release:
# Runs on every push to main. If the release PR was just merged (i.e. Cargo.toml
# version was bumped), creates a git tag and a draft GitHub release. The release.yml
# workflow then picks up the tag, builds binaries, and publishes the release.
name: Release
runs-on: ubuntu-24.04
if: ${{ github.repository == 'grafana/flint' }}
permissions:
contents: write
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
persist-credentials: false
Comment thread
martincostello marked this conversation as resolved.
- uses: release-plz/action@1528104d2ca23787631a1c1f022abb64b34c1e11 # v0.5
with:
command: release
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

release-pr:
# Runs on every push to main. Keeps an open PR that bumps Cargo.toml version
# and updates CHANGELOG.md based on conventional commits since the last release.
# Merging this PR triggers the release job above.
name: Release PR
runs-on: ubuntu-24.04
if: ${{ github.repository == 'grafana/flint' }}
permissions:
contents: write
pull-requests: write
concurrency:
group: release-plz-pr-${{ github.ref }}
cancel-in-progress: false
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
persist-credentials: false
- uses: release-plz/action@1528104d2ca23787631a1c1f022abb64b34c1e11 # v0.5
with:
command: release-pr
Comment thread
martincostello marked this conversation as resolved.
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
110 changes: 96 additions & 14 deletions .github/workflows/release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,45 +21,127 @@ jobs:
contents: write
id-token: write
attestations: write
env:
TAG: ${{ github.event_name == 'workflow_dispatch' && inputs.tag || github.ref_name }}

strategy:
fail-fast: false
matrix:
include:
- target: x86_64-unknown-linux-gnu
runner: ubuntu-24.04
mise_version: v2026.4.10
mise_sha256: 84636e19a0e5001d7499f58ae5a868cec8f6ba4f52f9028680bb7cd802564229
- target: aarch64-unknown-linux-gnu
runner: ubuntu-24.04
build-tool: cross
mise_version: v2026.4.10
mise_sha256: 84636e19a0e5001d7499f58ae5a868cec8f6ba4f52f9028680bb7cd802564229
- target: x86_64-apple-darwin
runner: macos-15-intel
mise_version: v2026.4.10
mise_sha256: cd2c39806ba3dba475ab9c145376c467012200cf4eea098cbeb7e4febb4b0717
- target: aarch64-apple-darwin
runner: macos-latest
mise_version: v2026.4.10
mise_sha256: e09f5ae83369d3c6d44572e9f2de0bf9454718e23ccb41a4138f8f88d28cbb31
- target: x86_64-pc-windows-msvc
runner: windows-latest
mise_version: v2026.4.10
mise_sha256: 2df0ce5b1f42502a4895888a0fe7aae4cf6d1959d2dbb62f29204773cff3d457

steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: ${{ github.event_name == 'workflow_dispatch' && inputs.tag || github.ref }}
ref: ${{ github.event_name == 'workflow_dispatch' && format('refs/tags/{0}', inputs.tag) || github.ref }}
persist-credentials: false

- name: Build and upload
uses: taiki-e/upload-rust-binary-action@10c1cf6a3da113ad4e60018e386570529aa5f1d3 # v1.30.0
- name: Setup mise
uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
with:
bin: flint
target: ${{ matrix.target }}
archive: flint-$target
build-tool: ${{ matrix.build-tool }}
tar: unix
zip: windows
checksum: sha256
ref: ${{ github.event_name == 'workflow_dispatch' && format('refs/tags/{0}', inputs.tag) || github.ref }}
env:
GITHUB_TOKEN: ${{ github.token }}
version: ${{ matrix.mise_version }}
sha256: ${{ matrix.mise_sha256 }}
install_args: rust
cache: false

- name: Install cross
if: matrix.build-tool == 'cross'
uses: taiki-e/install-action@d0f23220b09a75c6db730f13bb37c4f8144b4382 # v2
with:
tool: cross

- name: Build
shell: bash
run: ${{ matrix.build-tool || 'cargo' }} build --release --target ${{ matrix.target }}

- name: Archive (non-Windows)
if: runner.os != 'Windows'
shell: bash
run: |
ARCHIVE="flint-${{ matrix.target }}.tar.gz"
tar czf "$ARCHIVE" -C "target/${{ matrix.target }}/release" flint
# macOS ships shasum; Linux ships sha256sum
if command -v sha256sum &>/dev/null; then
sha256sum "$ARCHIVE" > "$ARCHIVE.sha256"
else
shasum -a 256 "$ARCHIVE" > "$ARCHIVE.sha256"
fi
echo "ARCHIVE=$ARCHIVE" >> "$GITHUB_ENV"

- name: Archive (Windows)
if: runner.os == 'Windows'
shell: bash
run: |
ARCHIVE="flint-${{ matrix.target }}.zip"
7z a "$ARCHIVE" "./target/${{ matrix.target }}/release/flint.exe"
sha256sum "$ARCHIVE" > "$ARCHIVE.sha256"
echo "ARCHIVE=$ARCHIVE" >> "$GITHUB_ENV"

- name: Attest build provenance
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4
with:
subject-path: flint-${{ matrix.target }}.*
subject-path: ${{ env.ARCHIVE }}

- name: Upload to draft release
shell: bash
env:
GITHUB_TOKEN: ${{ github.token }}
run: |
# gh release upload uses GET /releases/tags/{tag}, which returns 404
# for draft releases. Use the list API to find the release instead.
RELEASE_ID=$(gh api "repos/${GITHUB_REPOSITORY}/releases" --paginate \
--jq ".[] | select(.tag_name == \"$TAG\") | .id" | head -1)
if [[ -z "$RELEASE_ID" ]]; then
echo "Error: no release found for tag $TAG" >&2
exit 1
fi
UPLOAD_URL=$(gh api "repos/${GITHUB_REPOSITORY}/releases/$RELEASE_ID" \
--jq '.upload_url' | sed 's/{?name,label}//')
for asset in "$ARCHIVE" "$ARCHIVE.sha256"; do
ASSET_NAME=$(basename "$asset")
# Delete pre-existing asset to support workflow re-runs
gh api "repos/${GITHUB_REPOSITORY}/releases/$RELEASE_ID/assets" \
--jq ".[] | select(.name == \"$ASSET_NAME\") | .id" \
| xargs -I{} gh api "repos/${GITHUB_REPOSITORY}/releases/assets/{}" -X DELETE \
|| true
curl --fail --silent --show-error \
-H "Authorization: Bearer $GITHUB_TOKEN" \
-H "Content-Type: application/octet-stream" \
"${UPLOAD_URL}?name=$ASSET_NAME" \
--data-binary "@$asset"
done

publish:
name: Publish release
needs: build
runs-on: ubuntu-24.04
permissions:
contents: write
env:
TAG: ${{ github.event_name == 'workflow_dispatch' && inputs.tag || github.ref_name }}
steps:
- name: Publish draft release
env:
GITHUB_TOKEN: ${{ github.token }}
run: gh release edit "$TAG" --draft=false --repo "${GITHUB_REPOSITORY}"
8 changes: 8 additions & 0 deletions release-plz.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
[workspace]
git_release_draft = true
pr_body = """
{{ changelog }}

> [!IMPORTANT]
> Close and reopen this PR to trigger CI checks.
"""
Loading