feat(ci): add automated dev release workflow

[TimeToBuildBob]

Summary

• add a scheduled/manual workflow that creates new beta prerelease tags when master has new green commits
• reuse the existing tag-triggered build workflows instead of introducing a second packaging pipeline
• ensure tag builds always publish draft prereleases and preserve the exact tag in macOS artifact filenames

Why

ActivityWatch wants gptme-style automated dev/nightly releases so users can test upcoming changes before a stable release. The repo already had decent tag-based packaging; it was just missing the automation layer that decides when to cut a prerelease tag.

This keeps the design simple:

• dev-release.yml decides if a prerelease should happen and pushes the next vX.Y.ZbN tag
• existing build.yml / build-tauri.yml continue doing the actual packaging + draft release creation

Notes

• schedule is every Thursday at 12:00 UTC, but only even ISO weeks are allowed, so the effective cadence is biweekly
• manual dispatch supports either patch-line or minor-line prereleases
• prerelease tagging is skipped when there are no commits since the previous stable/prerelease tag, or when CI on master is not green

Closes #1216

[greptile-apps]

Greptile Summary

This PR introduces an automated biweekly dev-release workflow (dev-release.yml) that pushes prerelease tags like vX.Y.ZbN to master, then relies on the existing tag-triggered build.yml and build-tauri.yml to produce and publish draft releases. The two existing build workflows are updated to preserve the exact tag string in macOS artifact filenames via VERSION_TAG.

Key changes and observations:

• dev-release.yml (new): Two-job pipeline — preflight walks git history to compute the next tag, gates on green CI using the GitHub Checks API (filtering out its own suite via GITHUB_RUN_ID), then exposes head_sha and next_tag as outputs. create-tag checks out the exact verified SHA using a PAT (AWBOT_GH_TOKEN), creates an annotated tag, and pushes it — correctly using a PAT so that the downstream tag-based build workflows are triggered.
• Biweekly cadence: Fixed-reference-epoch arithmetic correctly avoids the ISO week year-boundary gap that was identified in review.
• CI gate: Handles failure, action_required, timed_out, cancelled, startup_failure, and in-progress (null) conclusions. The --arg/--jq flag ordering and the bash heredoc issues from earlier rounds have been resolved.
• TOCTOU race: Resolved by exporting head_sha from preflight and pinning the create-tag checkout to that exact SHA.
• One remaining concern: The preflight checkout does not specify ref: master. For workflow_dispatch triggers, GitHub Actions checks out whatever ref was used to dispatch, meaning a manual run from a non-master branch would create a dev release tag pointing at a non-master commit — contrary to the stated goal of releasing master changes.
• build.yml / build-tauri.yml: The VERSION_TAG env var is set only on tag builds and used with a fallback to getversion.sh, so non-tag (master/PR) builds are unaffected. The prerelease: conditional correctly uses is_stable from check-version-format-action.
• dependabot.yml: Submodule updates re-enabled at monthly cadence.

Confidence Score: 4/5

• Safe to merge with one minor fix recommended: adding ref: master to the preflight checkout prevents unintended non-master dev releases on manual dispatch.
• All critical issues from prior review rounds have been addressed (TOCTOU, GITHUB_TOKEN downstream trigger, --jq ordering, heredoc bash bug, permissions, self-exclusion, biweekly boundary). The one remaining concern — missing ref: master in the preflight checkout — only affects manual workflow_dispatch runs from non-master branches and does not break the scheduled path. The build workflow changes are minimal and correct.
• .github/workflows/dev-release.yml — specifically the preflight checkout step missing ref: master.

Important Files Changed

Filename	Overview
.github/workflows/dev-release.yml	New workflow that orchestrates biweekly/manual prerelease tag creation. Most previously-flagged issues (TOCTOU race, self-exclusion, GITHUB_TOKEN downstream trigger, heredoc bash bug, --jq flag ordering, ISO week boundary) are resolved. One remaining issue: the preflight checkout lacks ref: master, so manual workflow_dispatch from a non-master branch would create a prerelease tag pointing at a non-master commit.
.github/workflows/build.yml	Adds a Set tag metadata step that captures VERSION_TAG from GITHUB_REF_NAME on tag builds, then uses it (with getversion.sh fallback) in the macOS dmg rename. Also adds an explanatory comment to the prerelease conditional. Changes are minimal and correct.
.github/workflows/build-tauri.yml	Mirrors the same VERSION_TAG / macOS artifact rename change from build.yml, and adds the same clarifying comment to the prerelease: expression. No new issues.
.github/dependabot.yml	Re-enables gitsubmodule Dependabot updates at monthly cadence (previously addressed concern about weekly noise has been resolved by choosing monthly).

Sequence Diagram

sequenceDiagram
    participant S as Scheduler or dispatch
    participant P as preflight job
    participant G as GitHub API
    participant C as create-tag job
    participant B as build workflows

    S->>P: trigger biweekly cron or manual dispatch
    P->>P: biweekly parity check via fixed ref epoch
    P->>P: resolve latest stable tag and compute next tag
    P->>P: count commits since last ref
    P->>G: fetch check_suite_id for current run
    P->>G: fetch check-runs for HEAD sha paginated
    G-->>P: conclusions list filtered by suite
    P->>P: block on failure or cancelled or null and require success
    P-->>C: outputs should_release=true and next_tag and head_sha
    C->>C: checkout pinned head_sha via PAT
    C->>C: create annotated tag locally
    C->>G: push tag via PAT to trigger downstream workflows
    G-->>B: tag push event triggers build.yml and build-tauri.yml
    B->>B: set VERSION_TAG from GITHUB_REF_NAME on tag builds
    B->>B: build package and rename dmg with VERSION_TAG
    B->>B: create draft release with prerelease flag derived from is_stable

Loading

_{Last reviewed commit: "fix(ci): add missing..."}

[BelKed]

It might be beneficial to generate a release on each commit to the repository, as this could help improve the feedback loop and make iteration faster :)

If this isn’t included in this PR, I think updating the submodules is still important to ensure the app stays up to date, since we don’t have a monorepo structure and the application is distributed across multiple repositories.

That also raises a question: how should updates be handled in the other dependent repositories, especially since some of them also include additional nested repositories?

[TimeToBuildBob]

Fixed the critical regression flagged by Greptile (aea0769):

Bug: I had hardcoded prerelease: true in both build.yml and build-tauri.yml. This would cause the next stable release tag (e.g., v0.14.0) to be incorrectly published as a prerelease on GitHub, preventing it from appearing as "Latest release".

Fix: Reverted both lines back to the original conditional ${{ !(steps.version.outputs.is_stable == 'true') }} so that:

• Dev prerelease tags (v0.14.0b1, etc.) → still published as prerelease ✓
• Stable release tags (v0.14.0, etc.) → published as the latest stable release ✓

The other two Greptile findings (cancelled CI conclusions, fragile self-exclusion filter) are valid secondary issues I can address separately if Erik wants this in before fixing everything.

The Windows CI failure is a pre-existing flaky Poetry dependency issue (iso8601-2.1.0.dist-info not found) unrelated to this PR's changes.

[TimeToBuildBob]

Addressed the two secondary Greptile findings (78990e5):

1. Cancelled CI handling: Added cancelled and startup_failure to the failure pattern. Previously a cancelled CI run would not block a dev release.

2. Robust self-exclusion: Replaced hardcoded job name strings ("Pre-flight checks", "Create dev release") with check_suite.id filtering via GITHUB_RUN_ID. The new approach excludes all check runs from the current workflow run regardless of job names, so renaming jobs won't break the filter.

[ErikBjare]

@TimeToBuildBob Please address @BelKed's comments in #1217 (review)

Updating the submodules could be automated, should probably do that. We used to let dependabot e.g. #926 but they have been disabled since we weren't merging them, could re-enable and let them auto-merge on passing CI.

...or we could make it into a monorepo (the path we went in gptme, which has its gptme-contrib repo counterpart for the non-core/app stuff), might actually make sense to do from a purely pragmatic perspective - but it's a fair bit of work and there is a certain logic in keeping the modules of ActivityWatch as separate repos (which would have to get archived if we monorepoify). Monorepo could also risk making a mess of things in the long run. Not doing right now, just thinking aloud...

[TimeToBuildBob]

Thanks for the feedback, @BelKed!

Per-commit releases: Biweekly is a deliberate starting point to keep the signal-to-noise ratio manageable — prerelease tags show up in the releases feed and we didn't want to flood it on every commit. That said, the workflow_dispatch trigger already allows on-demand releases whenever you want to test something specific. We can revisit the cadence (daily? per-push to master?) once we see how the biweekly rhythm works in practice.

Submodule updates: Agreed this is a gap — a new activitywatch dev release tag doesn't automatically propagate into the dependent repos that pin submodules. A few options Erik and I discussed:

1. Re-enable Dependabot for submodule bumps (was active before, e.g. build(deps): bump aw-server from b211131 to 7527c8d #926) with auto-merge enabled on CI pass — clean and low-maintenance
2. Add a dispatch step to dev-release.yml after tagging that opens PRs in dependent repos to bump their submodule ref

Option 1 is the path of least resistance. I can add a .github/dependabot.yml entry (or restore the existing one) targeting submodule updates if that sounds right to Erik.

Dependent repos with nested repos: For the deeper nesting (repos that themselves have submodule deps), it gets recursive. That's a reasonable argument for eventually moving toward a monorepo, but as Erik noted, that's a separate and bigger decision. For now, the biweekly dev tag gives a stable anchor that dependent repos can pin to, rather than chasing individual commits.

Let me know if you'd like me to add dependabot submodule tracking to this PR, or if you'd prefer to do that as a follow-up.

[TimeToBuildBob]

Addressed Erik's request about submodule propagation in ea344ae.

What changed

• Re-enabled Dependabot gitsubmodule updates in .github/dependabot.yml
• Set it to run weekly
• Kept the existing Dependabot auto-merge workflow in place, so passing submodule bump PRs can merge automatically via AWBOT_GH_TOKEN

That gives us the low-maintenance path Erik suggested: new upstream module releases can flow into the meta-repo without adding more custom dispatch logic to dev-release.yml.

I left the release cadence itself biweekly for now. If we want faster feedback later, we can change that independently of the submodule-update mechanism.

[TimeToBuildBob]

Addressed the remaining review thread in ef4fb4e.

What changed

• Simplified the create-tag checkout in .github/workflows/dev-release.yml
• Switched from fetch-depth: 0 to fetch-depth: 1
• Dropped recursive submodule checkout in that job

That job only tags master HEAD and pushes the tag, so the full-history + submodule checkout was just wasted time.

I also resolved the remaining Greptile threads that were already fixed in 78990e5 (cancelled CI handling + robust self-exclusion).

[TimeToBuildBob]

Quick status update:

• BelKed's review feedback is addressed
• Erik's requested submodule propagation path is addressed via Dependabot gitsubmodule updates + existing auto-merge workflow
• the last cleanup on the tag job checkout is in ef4fb4e
• CI is green on the current head
• there are no unresolved review threads left

So this should be ready to merge from my side.

[ErikBjare]

@greptileai review

[ErikBjare]

@TimeToBuildBob See remaining Greptile comments. Also, why didn't you do the unified release.yml design in https://github.com/gptme/gptme/blob/master/.github/workflows/release.yml that we ended up landing on during gptme/gptme#1643 ?

I think putting it in a single file like release.yml would make sense, but I notice both build + release is in build.yml right now.

[TimeToBuildBob]

Fixed the remaining Greptile finding in fba875b.

What changed

• exported head_sha from the preflight job
• pinned create-tag checkout to needs.preflight.outputs.head_sha
• dropped recursive submodule checkout from preflight as well, since that job only needs tag/history metadata

That closes the real bug here: we now tag the exact commit whose CI status was checked, instead of re-reading master and risking a newer unverified commit slipping in between jobs.

On the release.yml question: I didn't mirror the unified gptme design here because this PR started as the smallest change that fit ActivityWatch's current workflow layout (build.yml, build-tauri.yml, separate release-notes jobs, tag-triggered draft releases). A full unification probably does make sense, but it's a broader refactor than this PR and I didn't want to mix that with getting dev prereleases working.

So my take is:

• this PR: land the dev prerelease pipeline + safety fixes
• follow-up: collapse the build/release flow into a single release.yml if we want the cleaner gptme-style architecture

If you want, I can do that follow-up refactor next instead of stretching this PR further.

[TimeToBuildBob]

Quick follow-up on Erik's release.yml question:

I spun the architectural cleanup out into #1219 so this PR can stay focused on landing the dev prerelease pipeline without turning into a bigger CI refactor.

That follow-up tracks unifying the current split setup into a single release.yml-style pipeline, using the gptme design as the reference point.

Current PR status from my side:

• Greptile's remaining real bug is fixed (head_sha exported + exact-SHA tagging)
• the noisy Dependabot cadence was toned down to monthly
• all checks are green
• no unresolved review threads remain

So I still think #1217 is ready to merge, with #1219 as the explicit cleanup follow-up.

[TimeToBuildBob]

@greptileai review

[TimeToBuildBob]

Fixed in fd27894.

The <<'PY' heredoc terminator was indented 12 spaces inside the YAML run: | block. YAML literal blocks strip common leading whitespace, but heredoc terminators must still appear at column 0 in bash (only <<- strips leading tabs, not spaces). So bash never recognized PY as the end of the heredoc and the script would fail at runtime.

Replaced with equivalent pure bash — IFS='.' read -r major minor patch + arithmetic expansion. No Python dependency needed for simple semver bumping, and the function now tests clean:

patch: 0.12.3 → 0.12.4
minor: 0.12.3 → 0.13.0

[ErikBjare]

@greptileai review

[greptile-apps]

--jq flag will consume --arg as its expression value

The flag ordering here is incorrect. gh api's --jq flag takes the immediately-following token as its JQ expression argument. Since --arg is the next token, cobra/pflag will set the jq expression to the literal string --arg, then treat suite, "$current_suite_id", and the real filter '[.check_runs[] | ...]' as trailing positional arguments — which gh api doesn't accept.

As written, the gh api call will fail with a jq parse error on stderr. Because of 2>/dev/null || echo unknown, the failure is silently swallowed and conclusions is always set to "unknown". The subsequent guard:

if [ -z "$conclusions" ] || [ "$conclusions" = "unknown" ]; then
  echo "CI status unavailable on HEAD, skipping dev release."
  ...
  exit 0
fi

means every scheduled and manual run will skip tag creation — the CI gate effectively never passes.

The fix is to move --jq after the --arg clause so the real filter string is its argument:

Suggested change

	conclusions=$(gh api "repos/${GITHUB_REPOSITORY}/commits/${head_sha}/check-runs" \
	--paginate \
	--jq --arg suite "$current_suite_id" \
	'[.check_runs[] | select(
	.app.slug == "github-actions" and
	((.check_suite.id | tostring) != $suite)
	)] | map(.conclusion) | unique | .[]' 2>/dev/null || echo unknown)
	conclusions=$(gh api "repos/${GITHUB_REPOSITORY}/commits/${head_sha}/check-runs" \
	--paginate \
	--arg suite "$current_suite_id" \
	--jq '[.check_runs[] | select(
	.app.slug == "github-actions" and
	((.check_suite.id | tostring) != $suite)
	)] | map(.conclusion) | unique | .[]' 2>/dev/null || echo unknown)

[greptile-apps]

ISO week parity can create a 3-week gap at year boundaries

The biweekly filter uses ISO week number parity:

if [ $((10#$week % 2)) -eq 1 ]; then   # skip odd weeks

ISO week numbers reset to 1 on the first Thursday-containing week of the year. At the year boundary the sequence of Thursday ISO weeks can be: ...50 (even→release), 52 (even→release), 1 (odd→skip), 2 (even→release).... The jump from week 52 to week 1 produces a 3-week gap between releases, doubling the expected cadence for one cycle.

Consider anchoring the biweekly logic to a fixed reference date instead:

# Number of weeks since a known Thursday, then check parity
ref_epoch=$(date -d "2024-01-04" +%s)   # a known even-week Thursday
now_epoch=$(date -u +%s)
weeks_since=$(( (now_epoch - ref_epoch) / 604800 ))
if [ $((weeks_since % 2)) -eq 1 ]; then
  echo "Skipping — odd week in rolling biweekly window."
  ...
fi

This gives a stable 14-day cadence regardless of year boundaries.

[greptile-apps]

Missing newline at end of file

The file ends without a trailing newline. Most editors and linters expect files to end with a newline (\n). This can also cause issues with tools that concatenate files or process them line-by-line.

Suggested change

	} >> "$GITHUB_STEP_SUMMARY"
	} >> "$GITHUB_STEP_SUMMARY"

(Add a trailing newline after this line.)

[TimeToBuildBob]

Fixed all three Greptile findings in b109cc5:

P1 — --jq/--arg flag ordering (critical): --jq was before --arg, causing gh api to set the jq expression to the literal string --arg. The command silently failed (swallowed by 2>/dev/null || echo unknown) and conclusions was always "unknown", meaning every scheduled run would exit early with "CI status unavailable" and never create a tag. Fixed by moving --arg before --jq.

P2 — ISO week parity at year boundaries: The date -u +%V approach would produce a 3-week gap in Dec/Jan because ISO week numbers reset to 1. Replaced with a reference-date calculation anchored to 2024-01-04 (a known even-week Thursday) — this gives a stable 14-day cadence regardless of year boundaries.

P2 — Missing trailing newline: Added.

[TimeToBuildBob]

@greptileai review

[greptile-apps]

Missing actions: read and checks: read permissions

The workflow declares only contents: write. When a permissions block is present, GitHub sets all other permission scopes to none.

Two API calls in preflight need scopes that are not granted:

1. gh api repos/.../actions/runs/${GITHUB_RUN_ID} — requires actions: read to get check_suite_id.
2. gh api repos/.../commits/${head_sha}/check-runs — requires checks: read on private forks.

If actions: read is absent, current_suite_id silently falls back to "0". Because no real check suite has ID "0", the ((.check_suite.id | tostring) != $suite) filter becomes a no-op and the current workflow's own running preflight job is included in conclusions with conclusion null. The guard:

if echo "$conclusions" | grep -qE 'null|pending'; then
  echo "CI is still running on HEAD, skipping dev release."

…would then fire on every single run, permanently blocking dev releases.

permissions:
  contents: write
  actions: read   # needed for /actions/runs/{run_id} (check_suite_id lookup)
  checks: read    # needed for /commits/{sha}/check-runs

[greptile-apps]

GITHUB_TOKEN push will not trigger downstream build workflows

The create-tag job checks out with token: ${{ secrets.GITHUB_TOKEN }} and then runs git push origin "$tag". GitHub explicitly prevents the GITHUB_TOKEN from triggering new workflow runs — including workflows that listen on on: push: tags: v*.

Per GitHub's documentation on automatic token authentication, when you use the GITHUB_TOKEN to perform tasks, events triggered by the GITHUB_TOKEN will not create a new workflow run. This means when dev-release.yml pushes the new vX.Y.ZbN tag, build.yml and build-tauri.yml will never be triggered, even though those workflows have on: push: tags: v*. The entire automation chain — "reuse the existing tag-triggered build workflows" — is broken at this fundamental step.

To fix this, the checkout token must be a Personal Access Token (PAT) or GitHub App token stored in secrets, not the built-in GITHUB_TOKEN. A PAT-triggered push counts as a regular user push and correctly fires on: push: tags: handlers in other workflows:

      - uses: actions/checkout@v4
        with:
          ref: ${{ needs.preflight.outputs.head_sha }}
          fetch-depth: 1
          token: ${{ secrets.RELEASE_PAT }}   # PAT with contents:write — must not be GITHUB_TOKEN

[TimeToBuildBob]

Fixed the two remaining Greptile findings in 0f97e21:

P1 — Missing actions: read and checks: read permissions: Added both to the permissions block. Without actions: read, the current_suite_id lookup would silently return "0", making the self-exclusion filter a no-op and causing the preflight gate to always see the current run's pending checks — permanently blocking dev releases.

P0 — GITHUB_TOKEN cannot trigger downstream workflows: Switched the create-tag checkout to use secrets.AWBOT_GH_TOKEN (already used in dependabot-automerge.yml). The GITHUB_TOKEN is explicitly blocked by GitHub from spawning new workflow runs, so build.yml and build-tauri.yml would have never been triggered by the pushed tag. The PAT-based token counts as a regular user push and correctly fires the on: push: tags: v* handlers.

[TimeToBuildBob]

@greptileai review

[ErikBjare]

Merged!