feat: dispatch version update to PTD on release #64
Adds a notify-ptd job to the release workflow that sends a repository_dispatch event to posit-dev/ptd after a successful release. This triggers PTD to automatically create a PR updating the default team-operator chart version. Requires PTD_REPO_TOKEN secret with repo scope for posit-dev/ptd.
Claude finished @ian-flores's task. PR Review: feat: dispatch version update to PTD on release
Review submitted with suggestions for:
Review Summary
The workflow addition looks good overall - it correctly depends on package-helm and will notify PTD on successful releases.
Security (Elevated Scrutiny)
✅ Credential handling: The PTD_REPO_TOKEN is properly referenced from secrets and passed via environment variable, not exposed in logs.
Suggestions
1. Redundant tag fetching (lines 119-130)
The checkout and tag fetching seem redundant since this workflow is triggered by tag pushes. Consider using ${{ github.ref_name }} directly instead of re-fetching all tags:
- name: Dispatch version update to PTD
  env:
    PTD_REPO_TOKEN: ${{ secrets.PTD_REPO_TOKEN }}
  run: |
    curl -X POST \
      -H "Accept: application/vnd.github+json" \
      -H "Authorization: Bearer $PTD_REPO_TOKEN" \
      -H "X-GitHub-Api-Version: 2022-11-28" \
      https://api.github.com/repos/posit-dev/ptd/dispatches \
      -d '{"event_type":"team-operator-release","client_payload":{"version":"${{ github.ref_name }}"}}'

This would eliminate the checkout step entirely and make the job faster.
2. Error handling (lines 137-146)
The curl command should check for a successful response. If the dispatch fails silently, you won't know until you notice PTD wasn't updated.
Consider adding error handling:
response=$(curl -s -w "\n%{http_code}" -X POST \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer $PTD_REPO_TOKEN" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/repos/posit-dev/ptd/dispatches \
  -d '{"event_type":"team-operator-release","client_payload":{"version":"${{ github.ref_name }}"}}')
http_code=$(echo "$response" | tail -1)
if [ "$http_code" -ne 204 ]; then
  echo "Failed to dispatch: HTTP $http_code"
  echo "$response"
  exit 1
fi

These are suggestions for improvement - the current implementation is functional.
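The two suggestions in the review above, combined in one script as an added example that is not part of the PR or the review: the tag is checked before it goes into the JSON body, and the step fails unless the dispatch returns 204. It assumes release tags look like v1.2.3 (optionally with a pre-release suffix) and that the step's env: block supplies VERSION (a hypothetical name, set from the ref name) next to PTD_REPO_TOKEN, so the tag reaches the script as data rather than as script text.

```shell
#!/bin/sh
# Added example, not code from the PR or the review.
# Assumptions: release tags look like v1.2.3 or v1.2.3-rc.1, and the step's
# env: block sets VERSION (hypothetical name) and PTD_REPO_TOKEN.

DISPATCH_URL="https://api.github.com/repos/posit-dev/ptd/dispatches"

# Print the dispatch payload, or fail if the tag is not a plain version.
build_payload() {
  # Reject an empty value or any character outside the allow-list.
  case "$1" in
    ''|*[!0-9A-Za-z.-]*)
      echo "refusing unexpected tag" >&2
      return 1 ;;
  esac
  # Then require the assumed version shape.
  if ! printf '%s\n' "$1" | grep -Eq '^v?[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.]+)?$'; then
    echo "refusing unexpected tag: $1" >&2
    return 1
  fi
  # The allow-list above means the value needs no JSON escaping.
  printf '{"event_type":"team-operator-release","client_payload":{"version":"%s"}}' "$1"
}

# The dispatches endpoint answers 204 No Content on success.
check_status() { [ "$1" = "204" ]; }

dispatch_release() {
  payload=$(build_payload "$1") || return 1
  # -o /dev/null drops the body; -w prints only the status code.
  http_code=$(curl -sS -o /dev/null -w '%{http_code}' -X POST \
    -H "Accept: application/vnd.github+json" \
    -H "Authorization: Bearer $PTD_REPO_TOKEN" \
    -H "X-GitHub-Api-Version: 2022-11-28" \
    "$DISPATCH_URL" -d "$payload") || return 1
  if ! check_status "$http_code"; then
    echo "Failed to dispatch: HTTP $http_code" >&2
    return 1
  fi
}

# In the workflow step: dispatch_release "$VERSION"
```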
.github/workflows/release.yml
Outdated
| env: | ||
| PTD_REPO_TOKEN: ${{ secrets.PTD_REPO_TOKEN }} | ||
| run: | | ||
| curl -X POST \ |
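Review bot: the `curl -X POST \` line opens the request with no `--fail` flag, and nothing visible in this fragment checks the HTTP status, so unless the lines cut off below do so, a rejected dispatch (for example an expired `PTD_REPO_TOKEN`) leaves the step green. Add `--fail-with-body` or compare the status code to 204. Mapping the token through `env:` rather than interpolating the secret into the script text is the right pattern and should stay.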
I suggest using gh cli rather than curl here, example of gh workflow run at https://github.com/rstudio/academyContent/blob/9b774b4128660864ea1cd5b23a688845a5c2fd9d/.github/ci_update_tutorials.R#L36.
Addressed in latest commit; thanks for flagging.
Address @statik's review feedback by replacing the curl-based repository_dispatch with gh workflow run. This is cleaner and consistent with other gh commands in the workflow.
Summary
- notify-ptd job to the release workflow
- package-helm succeeds, sends a repository_dispatch event to posit-dev/ptd

Setup Required
Add PTD_REPO_TOKEN secret to this repo with a PAT that has repo scope for posit-dev/ptd.

Related

Test plan
- PTD_REPO_TOKEN secret
- workflow_dispatch or wait for next release