36 changes: 36 additions & 0 deletions .github/workflows/release-please.yml
@@ -0,0 +1,36 @@
name: release-please

on:
push:
branches: [main]
workflow_dispatch:
inputs:
bump-type:
description: >
Version bump type. Select 'explicit' to supply an exact version via
the 'release-version' field below. Select 'auto' to let
conventional-commits determine the bump automatically.
required: false
type: choice
default: 'auto'
options:
- auto
- patch
- minor
- major
- explicit
release-version:
description: >
Explicit version to release (e.g. 1.2.3 or 1.4.0-beta.1).
required: false
type: string

jobs:
release:
uses: openfga/sdk-generator/.github/workflows/release-please.yml@main
with:
bump-type: ${{ inputs.bump-type || 'auto' }}
release-version: ${{ inputs.release-version || '' }}
secrets:
APP_ID: ${{ secrets.APP_ID }}
APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }}
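
Review bot: the `uses:` line of the `release` job calls `openfga/sdk-generator/.github/workflows/release-please.yml@main`, a mutable branch ref, and the same job passes it `APP_ID` and `APP_PRIVATE_KEY`. Whatever lands on that branch runs with this repository's App credentials on the next push to `main` or manual dispatch, with no change visible in this repository. Pin the reference to a full commit SHA and bump it in reviewed PRs. The file also declares no `permissions:`, so the `GITHUB_TOKEN` scope falls back to the repository default; set it explicitly at the top level.
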
Comment on lines +30 to +36

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 5 days ago

In general, fix this by adding an explicit permissions: block that grants only the scopes needed for the workflow to operate, either at the workflow root (applies to all jobs) or under the specific job. Because this workflow solely delegates to a reusable workflow that likely performs release operations (tagging, creating GitHub releases, etc.), we should start from a safe minimal set and then allow contents write access so releases and tags can be created while keeping other scopes at their default (none).

The best minimally invasive fix is to add a permissions: block at the top level, just after the on: trigger, to constrain the GITHUB_TOKEN for all jobs in this workflow (there is only one job, release). A conservative configuration for a release workflow is:

permissions:
  contents: write

This assumes the reusable workflow needs to create/update releases or tags (which is standard for release-please). If the project later finds this is too strong, they can refine it further, but this is the smallest reasonable change that addresses the CodeQL warning and maintains expected behavior. Concretely, edit .github/workflows/release-please.yml to insert the permissions: block between the on: section (ending at line 26–27) and the jobs: section (line 28). No additional imports or dependencies are required.

Suggested changeset 1
.github/workflows/release-please.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -25,6 +25,9 @@
         required: false
         type: string
 
+permissions:
+  contents: write
+
 jobs:
   release:
     uses: openfga/sdk-generator/.github/workflows/release-please.yml@main
EOF
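
Review bot: `contents: write` in the added `permissions:` block is a guess about what the called workflow needs, because nothing in this file shows which token performs the writes. The job passes `APP_ID` and `APP_PRIVATE_KEY`, so if the reusable workflow uses an App installation token for tags, releases and the release PR, the `GITHUB_TOKEN` can be narrower than this; if it opens the release PR with `GITHUB_TOKEN`, `pull-requests: write` would be needed as well. Check the called workflow and grant exactly the scopes it uses.
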
3 changes: 3 additions & 0 deletions .release-please-manifest.json
@@ -0,0 +1,3 @@
{
".": "0.9.3"

Copilot AI Apr 2, 2026

.release-please-manifest.json is set to 0.9.3, but the repo’s current version appears to be 0.9.4 (e.g., package.json and CHANGELOG.md reference v0.9.4). This mismatch can cause release-please to compute the next version incorrectly or generate a no-op/incorrect release PR. Align the manifest version with the current released version/tag.

Suggested change
".": "0.9.3"
".": "0.9.4"

}
103 changes: 103 additions & 0 deletions RELEASE.md
@@ -0,0 +1,103 @@
# Release guide

This project uses [release-please](https://github.com/googleapis/release-please) via a
`workflow_dispatch`-triggered GitHub Actions workflow. This document explains how to cut
a release and what to watch out for.
Comment on lines +3 to +5

Copilot AI Apr 2, 2026

This guide states releases use a workflow_dispatch-triggered workflow, but .github/workflows/release-please.yml is also configured to run on push to main. Please align the documentation with the actual workflow triggers (or remove the push trigger if manual dispatch is intended).


---

## Versioning rules for this project

We are pre-1.0.0. Semver conventions are relaxed:

| Change type | Bump | Example |
|--- |--- |--- |
| Breaking change | **Minor** (`0.x.0`) | `0.9.0` → `0.10.0` |
| Everything else | **Patch** (`0.0.x`) | `0.9.3` → `0.9.4` |

Major bumps (`1.0.0`) are reserved for a deliberate stable-API graduation decision — not for
routine breaking changes.

---

## Cutting a release

1. Go to **Actions → release-please** and click **Run workflow**.
2. Choose a bump type:
- `patch` — bugfixes, docs, small changes
- `minor` — breaking changes (see above)
- `explicit` — you specify the exact version string (e.g. `0.10.0` or `0.10.0-beta.1`)
3. The workflow creates a release PR. Review it, then merge.
4. The GitHub Release and tag are created automatically on merge.

> **Note — release-please only understands `auto` or an explicit version string.**
> The `patch`, `minor`, and `major` options in the workflow dropdown are conveniences
> implemented in the workflow. The workflow reads the current manifest version, computes
> the next version (e.g. `0.9.3` + patch = `0.9.4`), and passes that computed string
> to release-please as an explicit `Release-As:` commit — exactly the same as choosing
> `explicit` and typing it yourself. There is no native patch/minor/major mode in
> release-please. This is why `explicit` is always the safest option when in doubt —
> you are just skipping the arithmetic step.

---

## When to use `explicit`

Use `explicit` and type the version yourself in any of these situations:

**After a beta or non-conventional tag.**
If the previous release was something like `0.9.3-beta.1`, release-please tracks the
base semver (`0.9.3`) but cannot reliably decide whether the next release should be
`0.9.3`, `0.9.4`, or `0.10.0`. It will often guess wrong.

The rule of thumb: **if the last tag had a pre-release suffix, always use `explicit` for
the next release.**

**After a manually created tag.**
Any tag created outside of the release-please workflow (e.g. hotfixes, manual git tags)
is invisible to release-please's version logic. Use `explicit` to anchor the next version
correctly.

**When you want a beta.**
Release-please does not increment pre-release suffixes automatically. Use `explicit` for
every beta, incrementing the suffix manually:
```
0.10.0-beta.1 → explicit: 0.10.0-beta.2 → explicit: 0.10.0
```

---

## What goes in the changelog

Commit messages must follow [Conventional Commits](https://www.conventionalcommits.org/)
for release-please to group them correctly:

```
feat: add support for batch check → Added
fix: correct retry logic for transient errors → Fixed
docs: update API reference → Documentation
perf: cache DNS lookups → Changed
refactor: extract auth helper → (hidden)

Copilot AI Apr 2, 2026

The Conventional Commits examples indicate refactor: commits are hidden from the changelog, but release-please-config.json configures refactor with hidden: false (it will be published under “Changed”). Please align the guide with the config (either update this section or set the refactor section to hidden).

Suggested change
refactor: extract auth helper → (hidden)
refactor: extract auth helper → Changed

chore: bump dependencies → (hidden)
```

---

## Troubleshooting

**"Invalid previous_tag parameter" error.**
The manifest version does not have a corresponding GitHub Release object. Reset the
manifest to the last valid tag:
```bash
echo '{ ".": "0.x.y" }' > .release-please-manifest.json
git commit -am "chore: reset manifest to v0.x.y"
git push origin main
```

**Duplicate release PRs.**
Close all stale ones. The workflow auto-closes stale open PRs on each dispatch, but
merged duplicates need manual labelling with `autorelease: tagged`.

**Changelog shows everything ungrouped.**
Make sure `changelog-type` in `release-please-config.json` is set to `"default"`, not
`"github"`.
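
Review bot: the "Invalid previous_tag parameter" fix under Troubleshooting tells maintainers to run `git commit -am` followed by `git push origin main`, which commits every modified tracked file and writes directly to the release branch. Because the workflow added in this PR also triggers on push to `main`, that push starts a release-please run. Stage only `.release-please-manifest.json` and land the reset through a reviewed pull request. Separately, step 2 of "Cutting a release" lists `patch`, `minor` and `explicit` but not the `auto` and `major` options the workflow dropdown exposes; either document them or say why they should not be used.
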
2 changes: 1 addition & 1 deletion constants/index.ts
Expand Up @@ -14,7 +14,7 @@
/**
* Version of the OpenFGA JavaScript SDK.
*/
const SdkVersion = "0.9.4";
const SdkVersion = "0.9.4"; // x-release-please-version

/**
* User agent used in HTTP requests.
28 changes: 28 additions & 0 deletions release-please-config.json
@@ -0,0 +1,28 @@
{
"$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json",
"release-type": "node",
"packages": {
".": {
"include-component-in-tag": false,
"changelog-path": "CHANGELOG.md",
"changelog-type": "default",
"bump-minor-pre-major": true,
"bump-patch-for-minor-pre-major": true,
"changelog-sections": [
{ "type": "feat", "section": "Added", "hidden": false },
{ "type": "fix", "section": "Fixed", "hidden": false },
{ "type": "perf", "section": "Changed", "hidden": false },
{ "type": "refactor", "section": "Changed", "hidden": false },
{ "type": "revert", "section": "Removed", "hidden": false },
{ "type": "docs", "section": "Documentation", "hidden": false },
{ "type": "test", "section": "Tests", "hidden": true },
{ "type": "ci", "section": "CI", "hidden": true },
{ "type": "chore", "section": "Miscellaneous", "hidden": true }
],
"extra-files": [
{ "type": "json", "path": "package.json", "jsonpath": "$.version" },
{ "type": "generic", "path": "constants/index.ts" }
]
}
}
}
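
Review bot: in `extra-files`, the `package.json` entry with `"jsonpath": "$.version"` duplicates what `"release-type": "node"` already does, since the node strategy bumps the version in `package.json` itself; drop it and keep only the generic `constants/index.ts` entry. In `changelog-sections`, `revert` is mapped to "Removed", so a reverted fix will be listed as a removal; a section named "Reverted" would read correctly.
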