
Conversation

@transphorm (Member)

@transphorm transphorm commented Oct 17, 2025

Summary by CodeRabbit

  • Chores
    • Enhanced internal release workflow security by implementing authenticated git operations for automated release branch creation and pushing.

@coderabbitai (Contributor)

coderabbitai bot commented Oct 17, 2025

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

The PR modifies the GitHub Actions release calendar workflow to enable authenticated git operations. It adds PAT-based authentication by sourcing a token from secrets.SELFXYZ_INTERNAL_REPO_PAT and configuring the git remote URL to use this token for pushes when creating release branches.

Changes

Cohort: Release Workflow Authentication
File(s): .github/workflows/release-calendar.yml
Change Summary: Added GH_TOKEN environment variable sourced from secrets.SELFXYZ_INTERNAL_REPO_PAT in the "Create release branch from dev" step. Integrated git remote set-url configuration using PAT-based URL format for authenticated repository access.

Sequence Diagram

sequenceDiagram
    participant GH as GitHub Actions
    participant Git as Git Remote
    participant Repo as Repository
    
    rect rgb(245, 245, 245)
    Note over GH,Repo: Previous Flow (GITHUB_TOKEN)
    GH->>Git: git push (default token)
    Note over Git: May fail if insufficient permissions
    end
    
    rect rgb(240, 248, 255)
    Note over GH,Repo: New Flow (PAT Authentication)
    GH->>GH: Load GH_TOKEN from secrets.SELFXYZ_INTERNAL_REPO_PAT
    GH->>Git: git remote set-url origin<br/>(PAT-based URL)
    GH->>Git: git push (authenticated via PAT)
    Git->>Repo: Push release branch
    Repo-->>Git: ✓ Success
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Requires careful review of PAT token usage, conditional logic gating, and verification that authentication only triggers during release branch creation to avoid unnecessary token exposure.

Suggested labels

codex

Poem

🔐 A token appears, secure and refined,
Git remotes configured, authentication aligned,
PAT-based pushes now flow with grace,
Release branches find their rightful place! 🚀

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
Title Check: ✅ Passed. The title "bugfix: release calendar logic" is directly related to the changeset, as the changes are contained within .github/workflows/release-calendar.yml and address workflow execution logic. However, the title is quite broad and doesn't convey the specific nature of the fix, namely the introduction of PAT-based authentication for authenticated git pushes in the release workflow. While the title accurately references the affected component, it lacks specificity about what aspect of the release calendar logic was fixed, making it somewhat generic for code history scanning purposes.
Docstring Coverage: ✅ Passed. No functions found in the changes. Docstring coverage check skipped.
📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 14b7583 and 65e6b08.

📒 Files selected for processing (1)
  • .github/workflows/release-calendar.yml (1 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
.github/workflows/**/*.{yml,yaml}

📄 CodeRabbit inference engine (AGENTS.md)

.github/workflows/**/*.{yml,yaml}: In GitHub workflows, use the shared composite actions in .github/actions for dependency caching instead of calling actions/cache directly
Use the cache-yarn composite action for Yarn dependency caching in workflows
Use the cache-bundler composite action for Ruby gems caching in workflows
Use the cache-gradle composite action for Gradle caching in workflows
Use the cache-pods composite action for CocoaPods caching in workflows

Files:

  • .github/workflows/release-calendar.yml
🔇 Additional comments (1)
.github/workflows/release-calendar.yml (1)

148-205: Verify GH_TOKEN usage consistency across PAT-authenticated steps.

The "Create dev to staging release PR" step (line 150) also uses secrets.SELFXYZ_INTERNAL_REPO_PAT for the gh pr create command. Ensure this token has appropriate permissions (contents: write, pull-requests: write) as declared in the workflow permissions. The GitHub token at line 312 in the production job should also be verified.

@cursor cursor bot left a comment

echo "Creating release branch ${BRANCH_NAME} from dev"
# Configure git to use the PAT for pushing
git remote set-url origin https://x-access-token:${GH_TOKEN}@github.com/selfxyz/self.git
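Review bot: `git remote set-url` writes the PAT into the workspace's .git/config for the rest of the job, so any later `git remote -v`, a git error that echoes the URL, or an artifact upload of the checkout carries the token beyond this step; GitHub masks registered secrets in logs, but not in files. Supply the credential per command instead (`git -c "http.https://github.com/.extraheader=AUTHORIZATION: basic <base64 of x-access-token:TOKEN>" push ...`, which is what actions/checkout does with its `token:` input) or reset the remote URL after the push. Separately, `selfxyz/self` is hardcoded in the URL; `${{ github.repository }}` (or `$GITHUB_REPOSITORY` in the shell) keeps the step valid if the repository is renamed or the workflow is reused.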
Bug: Hardcoded Repository Path Causes Workflow Failures

The Create release branch from dev step hardcodes the repository path selfxyz/self in the git remote URL. This makes the workflow non-portable, causing it to fail if the repository is renamed, moved, or reused in a different repository.

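The two points raised above, the PAT-in-remote-URL approach described in the CodeRabbit walkthrough and the hardcoded `selfxyz/self` path flagged by Bugbot, can be addressed together. The following is an added example written for this page, not code from the selfxyz/self workflow: it derives the push URL from the runner's own GITHUB_REPOSITORY and GITHUB_SERVER_URL variables (standard Actions environment variables), sends the PAT per command through git's http.extraheader so nothing lands in .git/config, and includes a check that fails the step if an earlier step already embedded credentials in the origin URL. GH_TOKEN is assumed to be set from the PAT secret as in the PR; the branch name and repository values used in the usage note are placeholders.

```shell
#!/bin/sh
# Added example (not the selfxyz/self release workflow): authenticate a
# release-branch push in GitHub Actions without writing the PAT into
# .git/config and without hardcoding the repository path.
# Assumes the standard Actions runner variables GITHUB_REPOSITORY and
# GITHUB_SERVER_URL, and GH_TOKEN set from the PAT secret as in the PR.
set -eu

# Push URL derived from the runner context, so the step follows a renamed
# or forked repository instead of pointing at a fixed owner/name.
repo_push_url() {
  printf '%s/%s.git\n' "${GITHUB_SERVER_URL:-https://github.com}" "$GITHUB_REPOSITORY"
}

# Succeeds when a URL carries userinfo (token or password) before the host,
# i.e. the shape the PR used: https://x-access-token:TOKEN@github.com/...
url_has_userinfo() {
  case "$1" in
    *://*@*) return 0 ;;
    *)       return 1 ;;
  esac
}

# Same credential actions/checkout sends: HTTP basic auth with x-access-token
# as the user name. tr removes the line wrapping GNU base64 adds to long input.
basic_auth_header() {
  printf 'AUTHORIZATION: basic %s\n' \
    "$(printf 'x-access-token:%s' "$1" | base64 | tr -d '\n')"
}

# Push HEAD to a new branch with the token supplied per command via
# http.<server>/.extraheader. Nothing is written to .git/config, so a later
# 'git remote -v' or an uploaded workspace does not carry the PAT.
push_with_token() {
  branch="$1"
  server="${GITHUB_SERVER_URL:-https://github.com}"
  git -c "http.${server}/.extraheader=$(basic_auth_header "$GH_TOKEN")" \
    push "$(repo_push_url)" "HEAD:refs/heads/${branch}"
}

# Guard against a PAT baked into the remote by an earlier step in the job.
check_remote_clean() {
  url="$(git remote get-url origin)"
  if url_has_userinfo "$url"; then
    echo "origin URL embeds credentials; reset it before continuing" >&2
    return 1
  fi
}

# Usage inside a workflow step (placeholder branch name):
#   sh push-release.sh release/2025.10
# Runs only when a branch name is given and the runner variables are set.
if [ -n "${1:-}" ] && [ -n "${GH_TOKEN:-}" ] && [ -n "${GITHUB_REPOSITORY:-}" ]; then
  check_remote_clean
  push_with_token "$1"
fi
```

The extraheader key is scoped to the server URL, so the credential is only attached to requests to that host, and because it is passed with `-c` it exists only for the lifetime of that one git process. The same header is what actions/checkout configures when given a `token:` input, so an alternative with no custom shell at all is to check out with `token: ${{ secrets.SELFXYZ_INTERNAL_REPO_PAT }}` and let the action manage and remove the credential.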

@transphorm (Member, Author)

Seems like opening pull requests works as expected.

example:
#1313

@transphorm transphorm closed this Oct 25, 2025
@transphorm transphorm deleted the justin/fix-release-calendar-logic branch October 26, 2025 20:36