
ci: harden PAS release environment#22

Merged: altaywtf merged 2 commits into main from fix/release-environment-hardening on May 8, 2026

Conversation

@altaywtf (Member) commented May 8, 2026

Summary

Changed

  • Move package publishing behind the protected release environment
  • Use putio-release-bot for release writes and version bump commits

Risks

  • Release jobs depend on PUTIO_RELEASE_BOT_APP_ID and PUTIO_RELEASE_BOT_PRIVATE_KEY being present in the release Environment

Verification

  • actionlint passes locally for the touched workflow
  • CI will verify the branch

Complexity

  • Neutral: release identity wiring is explicit but follows the shared put.io pattern

Copilot AI review requested due to automatic review settings May 8, 2026 21:39
@altaywtf altaywtf merged commit 40c4b00 into main May 8, 2026
6 checks passed
@altaywtf altaywtf deleted the fix/release-environment-hardening branch May 8, 2026 21:40

Copilot AI left a comment


Pull request overview

This PR hardens the release/publishing pipeline by moving npm publishing and GitHub write operations behind a protected GitHub Actions Environment, and by switching release-side writes (commits/tags/releases) to a GitHub App identity (putio-release-bot) instead of the default token.

Changes:

  • Documented the protected release Environment requirements and where release secrets/vars should live.
  • Updated the release workflow job to run in the release Environment and to use a GitHub App token for checkout and semantic-release.
  • Adjusted the release job tooling setup to use actions/setup-node + Corepack + pnpm install.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

Files reviewed:

  • CONTRIBUTING.md: Adds release publishing guidance describing the protected release Environment and required secrets/vars.
  • .github/workflows/ci.yml: Moves release publishing behind the release Environment and uses a GitHub App token for release writes.


Comment thread .github/workflows/ci.yml
Comment on lines 76 to 78
contents: write
issues: write
pull-requests: write
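Review bot: With commits, tags and releases now written through the putio-release-bot App token, the `contents: write`, `issues: write` and `pull-requests: write` grants on the job's default GITHUB_TOKEN look broader than the job needs; if no remaining step writes with `GITHUB_TOKEN`, reduce the block to `contents: read` and drop the `issues`/`pull-requests` write grants so that a compromised step in this job cannot push or edit issues with the workflow token, and leave a comment beside the permissions block naming whichever step still needs any write scope that is kept.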
Comment thread .github/workflows/ci.yml
Comment on lines 90 to +97
- name: Check out repository
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: 0
token: ${{ steps.release-bot.outputs.token }}

- name: Set up Vite+
uses: voidzero-dev/setup-vp@v1
- name: Set up Node.js
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
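Review bot: The checkout passes the App token via `token: ${{ steps.release-bot.outputs.token }}` but does not set `persist-credentials: false`, so actions/checkout stores that token in the working tree's `.git/config`, where every later step, including `pnpm install` lifecycle scripts, can read it; consider adding `persist-credentials: false` to this step and handing the token to semantic-release through its environment instead, and since the `release-bot` step that mints the token is outside this excerpt, confirm it requests only the repository permissions the release needs. Pinning `actions/checkout` and `actions/setup-node` to commit SHAs with `# v6` comments is the right move over the previous `@v1` tag; keep those comments in sync with the SHAs so version bumps stay auditable.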