fix release calendar logic gh token

[transphorm]

Summary by CodeRabbit

• New Features

  • Added manual trigger capability for selective release workflow execution.

• Improvements

  • Enhanced release scheduling with execution guards.
  • Added pre-flight checks for existing pull requests before creation.
  • Improved branch creation logic with reuse and error handling.
  • Enhanced label management for release categorization.

[coderabbitai]

Walkthrough

This PR refactors .github/workflows/release-calendar.yml to enforce stricter permission scoping per-job, add manual workflow dispatch triggering with selective execution, implement scheduling guards (Friday/Sunday), and enhance branch/PR creation logic with existence checks and dynamically generated PR bodies via embedded Python.

Changes

Cohort / File(s)

Summary

Release Calendar Workflow Restructuring \.github/workflows/release-calendar\.yml

Moves permissions blocks from top-level to per-job scope for release_to_staging and release_to_production jobs. Replaces github.token with secrets.GITHUB_TOKEN across all steps. Adds workflow_dispatch with conditional routing based on inputs.job_to_run. Introduces Friday/Sunday guard logic with early exits via continue-on-error and outputs. Adds pre-flight checks for existing PRs and branches; reuses local branches and validates remote branch presence before pushing. Replaces static PR body templates with dynamic generation via Python scripting. Adds explicit label creation (release, automated, staging, production) with force-creation behavior. Extends production flow with staging_not_ahead and existing_pr readiness checks.

Sequence Diagram(s)

sequenceDiagram
    participant Trigger as GitHub Event
    participant Dispatch as Dispatch Logic
    participant Guard as Schedule Guard<br/>(Fri/Sun)
    participant Staging as Staging Job
    participant Production as Production Job
    
    Trigger->>Dispatch: workflow_dispatch OR schedule
    Dispatch->>Dispatch: Check inputs.job_to_run
    
    alt Manual Dispatch
        Dispatch->>Staging: Route to staging/production<br/>based on input
        Dispatch->>Production: 
    else Scheduled Event
        Dispatch->>Guard: Evaluate day-of-week
        Guard->>Staging: Proceed if Fri/Sun
        Guard->>Staging: Skip & exit if not
        Guard->>Production: Proceed if Fri/Sun
        Guard->>Production: Skip & exit if not
    end
    
    Note over Staging: Check branch/PR exists<br/>Reuse or create branch<br/>Push with validation<br/>Generate PR body (Python)<br/>Create PR & apply labels
    Note over Production: Verify staging not ahead<br/>Check existing PR<br/>Generate PR body (Python)<br/>Create PR & apply labels

Loading

sequenceDiagram
    participant Job as Release Job
    participant Git as Git/Local
    participant Remote as Remote Repo
    participant GH as GitHub API<br/>(secrets.GITHUB_TOKEN)
    
    Job->>Git: Check local branch exists
    alt Branch exists locally
        Job->>Git: Reuse branch
    else Branch missing
        Job->>Git: Create new branch
    end
    
    Job->>Remote: Check remote branch present
    alt Remote branch exists
        Job->>Job: Skip push (already present)
    else Remote missing
        Job->>Git: Push branch to remote
        Git->>Remote: Upload branch
    end
    
    Job->>Job: Generate pr_body.md<br/>(inline Python)
    Job->>GH: Query existing PRs
    alt PR already exists
        Job->>Job: Log PR exists, exit
    else No PR found
        Job->>GH: Create new PR
        GH->>GH: Apply labels<br/>(force-create)
        Job->>Job: Log success
    end

Loading

Estimated Code Review Effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Areas requiring extra attention:

• Token replacement logic: Verify all instances of github.token are correctly replaced with secrets.GITHUB_TOKEN and confirm secrets are properly scoped per-job; audit any places where the old token may still be referenced.
• Permission scoping accuracy: Validate that moving contents, pull-requests, and issues permissions to per-job level doesn't break API calls in shared steps or initialization phases.
• Guard condition exit behavior: Review the Friday/Sunday guard logic and continue-on-error flow to ensure early exits don't mask real failures or cause incomplete state.
• Dynamic PR body generation (Python): Carefully inspect the embedded Python script that generates pr_body.md for injection vulnerabilities, proper escaping of special characters, and correct variable interpolation from workflow context.
• Existing PR/branch checks: Validate the queries used to detect existing PRs and remote branches are robust and won't fail silently if GitHub API rate limits or transient errors occur.
• Label creation force behavior: Confirm that force-creating labels doesn't have unintended side effects (e.g., overwriting existing label descriptions or colors).

Possibly Related PRs

• Add release calendar workflow for automated PRs #1217: Implements similar automated release enhancements with Python-generated PR body content and scheduling guards in the same workflow.
• fix auto release workflow logic for release v2.7.0 #1260: Changes release-branch and PR creation logic in release-calendar.yml, including head/branch handling and PR creation control flow.
• fix prod release token error #1322: Modifies GH_TOKEN usage in the same workflow steps, changing token sources for release PR creation.

Suggested Labels

codex

Poem

🔐 Permissions now scoped per-job, tighter controls align,
Guard gates Friday and Sunday, scheduling kept in line,
Dynamic PR bodies bloom from Python's careful hand,
Labels auto-created, automation's growing band,
Branches checked and reused—less redundant work to do.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title "fix release calendar logic gh token" is partially related to the changeset. It accurately refers to real aspects of the changes—the pull request does modify the release calendar workflow and involves fixing GitHub token usage by replacing github.token with secrets.GITHUB_TOKEN. However, the title doesn't capture the full scope of the changes, which include significant workflow restructuring (moving permissions to per-job scope), new features (workflow_dispatch manual triggering, scheduling guards, PR existence checks), dynamic PR body generation, and enhanced error handling. The title provides enough specificity that a reviewer scanning history would recognize it pertains to the release calendar and token-related fixes, but it understates the comprehensive nature of the refactoring involved.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch justin/fix-release-calendar-logic-gh-token

---

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c1d929b and 82489ed.

📒 Files selected for processing (1)

• .github/workflows/release-calendar.yml (8 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

.github/workflows/**/*.{yml,yaml}

📄 CodeRabbit inference engine (AGENTS.md)

.github/workflows/**/*.{yml,yaml}: In GitHub workflows, use the shared composite actions in .github/actions for dependency caching instead of calling actions/cache directly
Use the cache-yarn composite action for Yarn dependency caching in workflows
Use the cache-bundler composite action for Ruby gems caching in workflows
Use the cache-gradle composite action for Gradle caching in workflows
Use the cache-pods composite action for CocoaPods caching in workflows

Files:

• .github/workflows/release-calendar.yml

🧠 Learnings (1)

📚 Learning: 2025-09-22T11:10:57.879Z

Learnt from: CR
Repo: selfxyz/self PR: 0
File: app/AGENTS.md:0-0
Timestamp: 2025-09-22T11:10:57.879Z
Learning: Generate build artifacts successfully after PR creation

Applied to files:

• .github/workflows/release-calendar.yml

🔇 Additional comments (4)

.github/workflows/release-calendar.yml (4)

49-76: Schedule guard logic is sound.

The day-of-week checks correctly map to your cron triggers (Friday DOW=5, Sunday DOW=7), and the workflow_dispatch logic properly selects which job to run via inputs.job_to_run.

Also applies to: 228-255

---

44-47: Per-job permissions and token usage are correctly scoped.

Moving permissions to per-job scope and consistently using secrets.GITHUB_TOKEN is good security practice. The permission set (contents, pull-requests, issues) aligns well with the operations performed.

Also applies to: 223-226, 88-88, 115-115, 159-159, 267-267, 312-312, 325-325

---

125-154: Branch creation logic with existence checks is well-structured.

The step correctly handles both local and remote branch states, skipping unnecessary operations and providing clear error/success messaging.

---

84-105: PR and label management is properly guarded.

Existence checks prevent duplicate releases, and the force flag on label creation ensures idempotency across multiple runs.

Also applies to: 289-297, 309-320

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Detect and update existing release branch before creating PR

When a release/staging-* branch already exists on the remote but no PR is open (for example, a previous run created the branch and the PR was closed), the new logic skips git push and proceeds to gh pr create. Because gh pr create --head ${BRANCH_NAME} uses whatever commit is already on GitHub, the workflow will create a fresh PR that references the stale branch contents instead of the current origin/dev snapshot. The previous implementation failed the job in this situation, making the staleness obvious. The job should either update the remote branch (fast-forward or force) or abort with an explicit error when the branch already exists, rather than silently reusing outdated code.

Useful? React with 👍 / 👎.