Description
Summary
The repo currently has no GitHub Actions workflows (.github/workflows/ does not exist). Releasing is done manually via task release which runs npx semantic-release --no-ci locally. This has several problems:
- No automated validation on PRs (broken YAML, invalid substitution syntax, missing files)
- Releases depend on a developer's local environment having npx/semantic-release installed
- No gate between merge and release — anyone merging to main must manually trigger task release
- Pre-commit hooks only run if the developer has them installed locally
- .releaserc references go.mod/go.sum assets that don't exist in this repo (likely copy-paste from another project)
Proposed Workflows
1. PR Validation (pr-validate.yaml)
Triggered on pull requests to main:
    on:
      pull_request:
        branches: [main]

Jobs:
- lint-yaml — Validate all YAML files for syntax errors
    # yamllint or similar
    find apps/ infra/ cicd/ -name "*.yaml" -exec yamllint {} +
- validate-kustomize — Ensure every component has a valid kustomization.yaml and all referenced resources exist
    # For each component directory:
    # 1. Check kustomization.yaml exists
    # 2. Extract resource refs and verify files exist
    # 3. Run kustomize build (dry-run)
- validate-substitution-syntax — Catch broken ${VAR:=default} or ${VAR:default} patterns
    # Grep for invalid patterns:
    #   ${VAR:=...} (colon-equals)
    #   ${VAR:...} without dash (colon without dash, excluding :-)
    grep -rPn '\$\{[A-Z0-9_]+:(?!-)' apps/ infra/ cicd/ && exit 1 || exit 0
- validate-structure — Check each component follows the standard anatomy
    # Every directory under apps/, infra/, cicd/ must have:
    # - kustomization.yaml
    # - requirements.yaml (with Namespace + source)
    # - release.yaml
- pre-commit — Run all pre-commit hooks in CI
    pip install pre-commit
    pre-commit run --all-files
- detect-api-deprecations — Flag deprecated Flux API versions
    # Warn (not fail) on helm.toolkit.fluxcd.io/v2beta1
    # Warn on source.toolkit.fluxcd.io/v1beta2
    # "|| true" keeps the step from failing when grep finds nothing (exit 1)
    grep -rn "v2beta1\|v1beta2" apps/ infra/ cicd/ && echo "::warning::Deprecated API versions found" || true
2. Release (release.yaml)
Triggered on push to main:
    on:
      push:
        branches: [main]

Jobs:
- semantic-release — Automated version bump, changelog, GitHub release, git tag
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: actions/setup-node@v4
        with:
          node-version: 22
      - run: npm install semantic-release @semantic-release/commit-analyzer @semantic-release/release-notes-generator @semantic-release/changelog @semantic-release/github @semantic-release/git
      - run: npx semantic-release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
3. Renovate Automerge (optional, renovate-automerge.yaml)
Auto-merge Renovate PRs that pass validation, since version bumps in this repo are low-risk (consumers pin to tags).
.releaserc Cleanup
The current .releaserc needs fixes:
"plugins": [
...
["@semantic-release/github", {
- "assets": ["dist/**/*.{go,mod,sum}", "docs/**/*.{pdf,md}"]
+ "assets": ["docs/**/*.{pdf,md}"]
}],
["@semantic-release/git", {
- "assets": ["CHANGELOG.md", "go.mod", "go.sum"],
+ "assets": ["CHANGELOG.md"],
"message": "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
}]
]
- Remove go.mod/go.sum references — this is a YAML/Kustomize repo, not a Go project
- Remove dist/**/*.{go,mod,sum} from GitHub assets
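Review bot: The retained "assets": ["docs/**/*.{pdf,md}"] line in the @semantic-release/github entry deserves the same check that removed the Go entries: if it came from the same copied config and this repo publishes no PDFs or Markdown under docs/, drop the assets key instead of keeping a glob that may match nothing. Also note for the @semantic-release/git entry that it still commits CHANGELOG.md back to the branch with the "chore(release): ..." message, so the token used by the release job must be allowed to push that commit to main.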
Taskfile Updates
Update task release to work with CI instead of against it:
- Remove --no-ci flag (let semantic-release detect CI properly)
- Keep local task release as a fallback but document that the primary release path is GitHub Actions
- The check dependency in release task is undefined — define it or remove it
Acceptance Criteria
- .github/workflows/pr-validate.yaml with YAML lint, kustomize validation, substitution syntax check, pre-commit, structure check
- .github/workflows/release.yaml with semantic-release on push to main
- .releaserc cleaned up (remove Go artifacts)
- task release updated for optional local use
- .pre-commit-config.yaml check for check-jsonschema works in CI (GitHub Actions schema validation)
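The `grep ... && exit 1 || exit 0` gate in the validate-substitution-syntax job fails open: grep exits 2 when one of the listed paths (for example cicd/) is missing or unreadable, and the idiom turns that into a pass. A fail-closed variant follows as an added example, not code from this issue; `check_substitutions` and `make_fixture` are hypothetical names, the fixture files are constructed, and an ERE pattern stands in for the issue's PCRE lookahead.

```shell
#!/usr/bin/env bash
# Added example: fail-closed substitution-syntax gate.
# check_substitutions PATH...  (hypothetical helper)
#   returns 0 = clean, 1 = invalid pattern found, 2 = scan error
check_substitutions() {
  status=0
  # ERE form of '\$\{[A-Z0-9_]+:(?!-)': "${VAR:" followed by anything
  # other than "-", or by end of line. Matches print as file:line:text.
  grep -rEn '\$\{[A-Z0-9_]+:([^-]|$)' "$@" || status=$?
  case "$status" in
    0) echo "::error::Invalid substitution syntax found" >&2
       return 1 ;;
    1) return 0 ;;   # grep ran cleanly and selected nothing
    *) echo "::error::grep exited $status; treating scan as failed" >&2
       return 2 ;;   # missing/unreadable path: do not pass the gate
  esac
}

# Constructed fixture: one valid file, one with both invalid forms.
make_fixture() {
  dir=$(mktemp -d)
  mkdir -p "$dir/apps/good" "$dir/apps/bad"
  printf 'image: ${REGISTRY:-ghcr.io}/app\n' > "$dir/apps/good/release.yaml"
  printf 'tag: ${APP_TAG:=latest}\nhost: ${APP_HOST:example.test}\n' \
    > "$dir/apps/bad/release.yaml"
  echo "$dir"
}

# Demo: "cicd" is deliberately absent from the fixture.
fixture=$(make_fixture)
rc=0
check_substitutions "$fixture/apps" "$fixture/cicd" || rc=$?
echo "gate status: $rc"
rm -rf "$fixture"
```

In a workflow step, calling the function as the last command of the `run:` block is enough, since any non-zero return fails the job.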