Conversation

@transphorm (Member) commented Oct 10, 2025

Summary by CodeRabbit

  • Chores
    • Updated release process to create production PRs directly from staging to main, removing the separate release branch step.
    • Adjusted status checks, PR titles, and body text to reflect the staging → main flow.
    • Ensured new commits to staging automatically appear in the production PR.
    • Enforced that only PRs originating from staging can be merged into main; others are blocked.
  • Notes
    • No user-facing changes.

@coderabbitai (Contributor) bot commented Oct 10, 2025

Walkthrough

The PR updates two GitHub Actions workflows: one now blocks PRs to main unless sourced from staging; the other reworks the release process to create/update production PRs directly from staging to main, removing release-branch creation and updating messages, checks, and PR body/title accordingly.

Changes

Cohort / File(s) and summary of changes
  • Protection: Block non-staging PRs to main (.github/workflows/block-non-dev-to-main.yml): Renamed workflow to reference staging; changed condition to block PRs to main unless head is staging; updated echo/refusal messages from “dev” to “staging”.
  • Release pipeline: staging → main (.github/workflows/release-calendar.yml): Removed creation of a release branch from staging; adjusted logic to create/update PRs with head set to staging targeting main; updated step names, checks, outputs, and PR body/title to reflect the direct staging → main flow.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Dev as Developer
  participant GH as GitHub
  participant RC as Workflow: release-calendar
  participant Repo as Repo (branches)

  Dev->>Repo: Push commits to staging
  GH-->>RC: Trigger on schedule/dispatch
  RC->>Repo: Check for open PR (head=staging, base=main)
  alt PR exists
    RC->>Repo: Update PR body/title to reflect latest staging
  else No PR
    RC->>Repo: Create PR (head=staging → base=main)
  end
  note over RC,Repo: No release branch is created
sequenceDiagram
  autonumber
  actor User as Contributor
  participant GH as GitHub
  participant BL as Workflow: block-non-staging-to-main

  User->>GH: Open PR to main (head != staging)
  GH-->>BL: Trigger on PR to main
  BL->>GH: Fail check with message: only staging → main allowed
  User->>GH: Open PR to main (head = staging)
  GH-->>BL: Pass check

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested labels

codex

Poem

Staging sails to main’s bright shore,
No side release branches anymore.
Guards at main ask, “From staging, friend?”
Else turn you back to fix and send.
Pipelines hum, the path made clean—
One steady flow to ship the dream. 🚢✨

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)
  • Title Check: ❓ Inconclusive. Explanation: The current title “fix auto release workflow logic for release v2.7.0” is only broadly related to the changes, as it generically refers to release workflow fixes and includes a version number, but it doesn’t clearly convey the primary update of switching to a direct staging-to-main release flow and blocking non-staging PRs. Resolution: Please update the title to more specifically reflect the core change, for example “Update release workflow to create PRs directly from staging to main,” removing the version number and emphasizing the staging-to-main flow.

✅ Passed checks (2 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Docstring Coverage: ✅ Passed. No functions found in the changes. Docstring coverage check skipped.

@coderabbitai (Contributor) bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (2)
.github/workflows/release-calendar.yml (2)

359-359: Mitigate moving-target risk: create production PRs as draft

Since the PR auto-updates with new staging commits, consider opening it as a draft to avoid approvals becoming stale mid-flight.

 gh pr create \
   --base main \
-  --head staging \
+  --head staging \
+  --draft \
   --title "${TITLE}" \
   --label release \
   --label automated \
   --label production \
   --body-file pr_body.md
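Review bot: the `--head staging` line is removed and re-added unchanged, so the only effective change in this hunk is `--draft`; dropping that redundant pair keeps the suggestion minimal. A draft PR also cannot be merged until it is marked ready (`gh pr ready <number>`), so whichever step later promotes the release has to do that explicitly, otherwise the auto-updating production PR stays unmergeable.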

377-382: Avoid duplicate PRs from race conditions: add workflow concurrency

Two runs can race between “list” and “create.” Add a concurrency group to serialize production PR creation.

At workflow top-level:

concurrency:
  group: release-calendar-production
  cancel-in-progress: false

Optionally scope by day to allow staging job concurrently:

concurrency:
  group: release-calendar-${{ github.workflow }}-${{ github.job }}
  cancel-in-progress: false
📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cd6ffd6 and 560f4a7.

📒 Files selected for processing (2)
  • .github/workflows/block-non-dev-to-main.yml (2 hunks)
  • .github/workflows/release-calendar.yml (4 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
.github/workflows/**/*.{yml,yaml}

📄 CodeRabbit inference engine (AGENTS.md)

.github/workflows/**/*.{yml,yaml}: In GitHub workflows, use the shared composite actions in .github/actions for dependency caching instead of calling actions/cache directly
Use the cache-yarn composite action for Yarn dependency caching in workflows
Use the cache-bundler composite action for Ruby gems caching in workflows
Use the cache-gradle composite action for Gradle caching in workflows
Use the cache-pods composite action for CocoaPods caching in workflows

Files:

  • .github/workflows/block-non-dev-to-main.yml
  • .github/workflows/release-calendar.yml
🪛 actionlint (1.7.7)
.github/workflows/block-non-dev-to-main.yml

12-12: "github.head_ref" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions for more details

(expression)

🔇 Additional comments (2)
.github/workflows/release-calendar.yml (2)

6-9: Docs match new flow (staging → main).

Comment updates accurately reflect the new process.

Also applies to: 12-12, 17-17


291-293: Existing PR check is correct for direct staging → main flow

Querying --base main --head staging prevents duplicate PRs from this repo’s staging branch.

If you sometimes open PRs from forks, confirm you don’t need user:staging in the head filter.

Comment on lines +11 to 15
- name: Block PRs not from staging
run: |
if [[ "${{ github.head_ref }}" != "dev" ]]; then
echo "You can only merge from dev to main."
if [[ "${{ github.head_ref }}" != "staging" ]]; then
echo "You can only merge from staging to main."
exit 1

⚠️ Potential issue | 🟠 Major

Harden PR source check: avoid inlining untrusted github.head_ref in shell

Using ${{ github.head_ref }} directly inside the script risks shell injection. Prefer step-level if or pass via env var and quote.

Option A (recommended): use step-level condition to fail cleanly

-      - name: Block PRs not from staging
-        run: |
-          if [[ "${{ github.head_ref }}" != "staging" ]]; then
-            echo "You can only merge from staging to main."
-            exit 1
-          fi
+      - name: Block PRs not from staging
+        if: ${{ github.event.pull_request.head.ref != 'staging' }}
+        run: |
+          echo "You can only merge from staging to main."
+          exit 1
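Review bot: the step-level `if:` here reads `github.event.pull_request.head.ref`, while the actionlint finding, Option B and the agent prompt below all use `github.head_ref`; on `pull_request` events both resolve to the same head branch name, so either is correct, but using one expression across the options avoids a question later about whether they differ. When the condition is false the step shows as skipped rather than passed, which is fine as long as the job itself is the required status check on main.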

Option B: pass through environment and enforce bash

-      - name: Block PRs not from staging
-        run: |
-          if [[ "${{ github.head_ref }}" != "staging" ]]; then
-            echo "You can only merge from staging to main."
-            exit 1
-          fi
+      - name: Block PRs not from staging
+        env:
+          HEAD_REF: ${{ github.head_ref }}
+        shell: bash
+        run: |
+          if [[ "$HEAD_REF" != "staging" ]]; then
+            echo "You can only merge from staging to main."
+            exit 1
+          fi
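Review bot: the protection in this hunk comes from the double-quoted `"$HEAD_REF"` expansion, so any later edit that prints the ref in the message must keep it quoted. `shell: bash` is what makes `[[ ]]` valid, and an explicit `shell: bash` on GitHub-hosted runners executes the script with `-eo pipefail`, so an unexpected failure elsewhere in the block also fails the step rather than being silently ignored.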

Based on static analysis hints

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Block PRs not from staging
run: |
if [[ "${{ github.head_ref }}" != "dev" ]]; then
echo "You can only merge from dev to main."
if [[ "${{ github.head_ref }}" != "staging" ]]; then
echo "You can only merge from staging to main."
exit 1
- name: Block PRs not from staging
if: ${{ github.event.pull_request.head.ref != 'staging' }}
run: |
echo "You can only merge from staging to main."
exit 1
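Review bot: the committable suggestion covers lines 11 to 15 only, but the `fi` that closes the removed `if [[ ... ]]` sits on line 16 (Option A above shows it as a removed line, this rendering does not); applying the suggestion as-is would leave that stray `fi` in the file and break the step's script, so the suggestion range should be extended by one line or the `fi` deleted by hand, per the IMPORTANT note about missing lines.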

🤖 Prompt for AI Agents
.github/workflows/block-non-dev-to-main.yml around lines 11-15: the workflow
inlines the untrusted github.head_ref into a shell block which can lead to shell
injection; replace this by using a step-level condition (preferred) that checks
github.head_ref != 'staging' to fail the job without running a shell, or if you
must run a script, pass github.head_ref into the step via an env variable and
reference it safely (e.g., ENV_VAR="${{ github.head_ref }}" then use
double-quoted "$ENV_VAR") and ensure the step uses bash (shell: bash) so quoting
is respected; update the step to either use if: ${{ github.head_ref != 'staging'
}} with a clear error message or move the check into a bash script that reads a
quoted env var.
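As an added example (not code from the PR or from CodeRabbit), the env-var form of the guard above written as a plain shell function that runs locally, extended beyond the page to also compare the head repository with the base repository, since a fork can carry a branch named staging too (the fork caveat raised in the earlier comment on the gh pr list filter). The variable names HEAD_REF, HEAD_REPO and BASE_REPO are assumptions; a step's env: block would set them from `${{ github.head_ref }}`, `${{ github.event.pull_request.head.repo.full_name }}` and `${{ github.repository }}`.

```shell
#!/bin/sh
# Added example, not from the PR. Mirrors Option B: the guard reads its inputs
# from the environment and only compares them as quoted strings, so a ref is
# never spliced into the script text the way an inlined ${{ }} expression is.
#
# Assumed variable names; a step's env: block would set them as
#   HEAD_REF:  ${{ github.head_ref }}
#   HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
#   BASE_REPO: ${{ github.repository }}
# Returns 0 when the PR may target main, 1 otherwise (reason on stderr).
block_non_staging() {
  if [ "${HEAD_REF:-}" != "staging" ]; then
    echo "You can only merge from staging to main." >&2
    return 1
  fi
  # Beyond the page: a fork can also have a branch named "staging", so the
  # head repository must be this repository, not a fork.
  if [ "${HEAD_REPO:-}" != "${BASE_REPO:-}" ]; then
    echo "Production PRs must come from this repository's staging branch, not a fork." >&2
    return 1
  fi
  return 0
}

# Sets the three variables for one PR and runs the guard; stands in for the
# step's env: block so the guard can be exercised locally.
check_pr() {
  HEAD_REF="$1"
  HEAD_REPO="$2"
  BASE_REPO="$3"
  block_non_staging
}

# Constructed inputs (not real repositories). The last one shows that a ref
# containing shell metacharacters is compared as plain text: nothing in it runs.
check_pr staging acme/app acme/app && echo "staging from acme/app: allowed"
check_pr dev acme/app acme/app || echo "dev: blocked"
check_pr staging someone/app-fork acme/app || echo "staging from a fork: blocked"
check_pr 'staging; echo not-run' acme/app acme/app || echo "metacharacter ref: blocked"
```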

@transphorm transphorm merged commit 5bb7cef into dev Oct 10, 2025
13 checks passed
@transphorm transphorm deleted the justin/fix-staging-to-main-release-pr-allow-main-prs branch October 10, 2025 20:44
transphorm added a commit that referenced this pull request Oct 10, 2025