ci: add Linear release sync workflow and refresh action pins #749

Closed
chybisov wants to merge 4 commits into main from ci/linear-release-sync


Conversation

@chybisov (Member) commented May 27, 2026

Which Linear task is linked to this PR?

Closes EMB-399

Why was it implemented this way?

Adds a new linear-release.yml workflow that feeds our published npm releases into the Linear "Widget" scheduled release pipeline, so issues flow Ready for Release → Done only when code actually ships to npm latest.

Design choices:

  • Separate workflow (not a job in publish.yaml), triggered via workflow_run on "Release & Publish Beta" and gated on conclusion == 'success'. This keeps it decoupled from the publish path while guaranteeing it only runs after packages are 100% on npm.
  • One Linear release per X.Y.Z: the tag's -alpha.N/-beta.N suffix is stripped so every prerelease and the final stable tag roll into a single release that progresses Alpha → Beta → Released. Each prerelease tag is attached as a link.
  • Only the stable tag completes the release (complete), which fires Linear's "On release completion → Done" automation. Alpha/beta only update --stage, so tickets stay Ready for Release until the stable ship.
  • Tag is resolved from git (git tag --points-at HEAD) because workflow_run.head_branch is unreliable for tag pushes.
  • Both actions pinned by commit SHA to match repo convention.

Also audited every action pin across .github/ and bumped the one that was behind: aws-actions/configure-aws-credentials v6.1.1 → v6.1.2. All others were already on the latest release SHA.

Note

workflow_run only triggers once this file is on main. The merge automation + release attach also require EMB PRs to be Linear-linked with a closing magic word and merged via squash/merge-commit (not rebase).

Visual showcase (Screenshots or Videos)

N/A — CI-only change.

Checklist before requesting a review

  • I have performed a self-review and testing of my code.
  • This pull request is focused and addresses a single problem.
  • If this PR modifies the Widget API or adds new features that require documentation, I have updated the documentation in the public-docs repository. (N/A — no Widget API change)

chybisov added 4 commits May 27, 2026 12:57
Syncs published npm releases into the Linear "Widget" release pipeline.
Runs after "Release & Publish Beta" succeeds (workflow_run gated on
conclusion == success), so issues are attached only once packages are on
npm. Each release runs `sync` to attach merged issues and link the tag;
alpha/beta tags advance the stage via `update`, while only the stable tag
runs `complete`, which fires Linear's "release completion -> Done"
automation.

Addresses review feedback on #749:
- Restrict the job to successful runs originating from this repo
  (head_repository guard) to address the workflow_run privilege-
  escalation warning; the upstream publish workflow is tag-push/dispatch
  only, so this can't be triggered by untrusted contributors.
- Append `|| true` to tag resolution so a no-tag HEAD (e.g. a
  workflow_dispatch publish) cleanly skips instead of failing under
  `set -eo pipefail`.
- Add a concurrency group keyed to the release commit.
- Rename linear-release.yml -> .yaml to match repo convention.

Split publish.yaml into an orchestrator that composes three single-purpose
reusable workflows: github-release, npm-publish, and linear-release. The
Linear sync now runs as a `needs: npm-publish` job instead of a separate
`workflow_run` workflow, which:
- gates precisely on npm publish success (a failed GitHub Release job no
  longer strands the Linear sync) — fixes the coarse-gating issue
- removes the `workflow_run` trigger flagged by Aikido
- takes the tag from `github.ref_name` instead of re-discovering it via
  `git tag --points-at`
- replaces the brittle workflow-name coupling with a direct file reference

Secrets are scoped per sub-workflow: only Linear receives the pipeline
access key; GitHub Release uses the auto GITHUB_TOKEN; npm publish uses
OIDC provenance (no token).
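The tag-handling rules from the PR description (strip the -alpha.N/-beta.N suffix so all prereleases and the stable tag roll into one X.Y.Z release; only the stable tag runs `complete`, prereleases only `update`) together with the follow-up commits (skip cleanly on a tagless HEAD, take the tag from `github.ref_name` rather than re-discovering it), as an added shell example. This is not code from the PR or the repository: the function names `resolve_tag` and `release_plan`, the stage labels, and the `skip` result are assumptions; `GITHUB_REF_TYPE` and `GITHUB_REF_NAME` are the standard GitHub Actions environment variables.

```shell
#!/bin/sh
# Added example (not the PR's code): maps a release tag to the Linear
# release version, stage and CLI action described in the PR.
# Function names, stage labels and the "skip" result are assumptions.

# Resolve the tag to act on. Prefer the tag ref the workflow was started
# from (github.ref_name); fall back to the tag pointing at HEAD, with
# "|| true" so a tagless HEAD (e.g. a workflow_dispatch run) yields an
# empty string instead of failing under set -e. If several tags point at
# HEAD, only the first is used.
resolve_tag() {
    if [ "${GITHUB_REF_TYPE:-}" = "tag" ] && [ -n "${GITHUB_REF_NAME:-}" ]; then
        printf '%s\n' "$GITHUB_REF_NAME"
    else
        git tag --points-at HEAD 2>/dev/null | head -n 1 || true
    fi
}

# Print "<version> <stage> <action>" for a tag, or "skip" when there is
# no tag. Every -alpha.N / -beta.N prerelease and the stable tag share one
# X.Y.Z release; only the stable tag runs "complete", prereleases run
# "update". Anything else (e.g. -rc.1, a branch name) fails loudly so a
# typo never completes a release by accident.
release_plan() {
    tag="$1"
    [ -n "$tag" ] || { printf 'skip\n'; return 0; }
    bare="${tag#v}"                 # tolerate a leading "v"
    version="${bare%%-*}"           # X.Y.Z before any "-" suffix
    suffix="${bare#"$version"}"     # "" or "-alpha.N" / "-beta.N"
    printf '%s' "$version" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$' || {
        printf 'unrecognised release tag: %s\n' "$tag" >&2
        return 1
    }
    case "$suffix" in
        "")            printf '%s released complete\n' "$version" ;;
        -alpha.[0-9]*) printf '%s alpha update\n' "$version" ;;
        -beta.[0-9]*)  printf '%s beta update\n' "$version" ;;
        *)
            printf 'unrecognised prerelease suffix: %s\n' "$tag" >&2
            return 1 ;;
    esac
}
```

In a job step the two compose as `plan=$(release_plan "$(resolve_tag)")`: the step exits early when it reads `skip`, and the third field decides whether the Linear CLI is called with `update --stage` or `complete`.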
@chybisov (Member, Author) commented

Folded into #753, which now targets main directly and carries this branch's commits (Linear release-sync workflow + action-pin refresh) plus the full Changesets migration. Closing in favor of the single combined PR.

The ci/linear-release-sync branch is left intact (not deleted) since its commits live on in #753's history.

@chybisov chybisov closed this May 29, 2026