Skip to content

ci: extract prepare-release workflow to release-tools#2496

Merged
ctron merged 1 commit into
guacsec:mainfrom
ctron:ci/extract_prepare_release_workflow_1
Jul 14, 2026
Merged

ci: extract prepare-release workflow to release-tools#2496
ctron merged 1 commit into
guacsec:mainfrom
ctron:ci/extract_prepare_release_workflow_1

Conversation

@ctron

@ctron ctron commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Replaces the inline prepare-release workflow with a thin caller to the reusable workflow in guacsec/trustify-release-tools
  • Follows the same pattern as the backport workflow

Depends on: guacsec/trustify-release-tools PR being merged first.

Test plan

  • Merge release-tools PR first
  • Verify workflow appears and is triggerable in the Actions tab

🤖 Generated with Claude Code

Summary by Sourcery

Delegate the prepare-release GitHub Actions workflow to a reusable workflow in trustify-release-tools and generalize CycloneDX SBOM ingestion to support multiple JSON input sources.

Enhancements:

  • Introduce a JsonSource abstraction to allow SBOM ingestion from both raw JSON bytes and pre-parsed serde_json::Value, and refactor CyclonedxLoader to use it.

CI:

  • Replace the inline prepare-release workflow with a thin caller to the reusable workflow in guacsec/trustify-release-tools.

@sourcery-ai

sourcery-ai Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Reviewer's Guide

This PR refactors the prepare-release GitHub Actions workflow to delegate to a reusable workflow in the trustify-release-tools repo and generalizes CycloneDX SBOM ingestion to accept multiple JSON input sources via a new JsonSource abstraction.

File-Level Changes

Change Details Files
Prepare-release GitHub Actions workflow is converted from an inline implementation to a thin caller of a reusable workflow in trustify-release-tools.
  • Remove all inline steps for permission checks, version bumping, artifact regeneration, branch creation, and PR opening from the prepare job.
  • Add reusable workflow invocation using the guacsec/trustify-release-tools prepare-release workflow with inherited secrets.
  • Pass existing bump and version-override inputs through to the reusable workflow.
.github/workflows/prepare-release.yaml
CycloneDX SBOM loader is refactored to support a generic JSON source abstraction instead of only raw byte slices.
  • Introduce a JsonSource trait that can deserialize any JSON-compatible input into a requested type.
  • Provide JsonSource implementations for raw byte slices and serde_json::Value.
  • Update CyclonedxLoader::load to take a JsonSource, use parse_json, and delegate ingestion logic to a new ingest method.
  • Switch logging in CyclonedxLoader from log::info! to tracing::info! for consistency with instrumentation.
  • Expose JsonSource via the service module for use by other ingestor components.
modules/ingestor/src/service/json.rs
modules/ingestor/src/service/mod.rs
modules/ingestor/src/service/sbom/cyclonedx.rs

Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've found 1 issue, and left some high level feedback:

  • In the new prepare-release workflow that calls the reusable workflow, the previous if: github.repository_owner == 'guacsec' guard has been dropped; if this guard is still required, consider either re‑adding it here or ensuring the reusable workflow enforces the same restriction.
  • The JsonSource trait consumes self in parse_json, which means serde_json::Value must be owned and is moved on parse; if you expect to reuse or share values, consider changing the trait to take &self (or &mut self) and adjust the impls to avoid unnecessary moves.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- In the new `prepare-release` workflow that calls the reusable workflow, the previous `if: github.repository_owner == 'guacsec'` guard has been dropped; if this guard is still required, consider either re‑adding it here or ensuring the reusable workflow enforces the same restriction.
- The `JsonSource` trait consumes `self` in `parse_json`, which means `serde_json::Value` must be owned and is moved on parse; if you expect to reuse or share values, consider changing the trait to take `&self` (or `&mut self`) and adjust the impls to avoid unnecessary moves.

## Individual Comments

### Comment 1
<location path=".github/workflows/prepare-release.yaml" line_range="31" />
<code_context>
-
-          After merging, follow [RELEASE.md](https://github.com/guacsec/trustify/blob/main/RELEASE.md) for tagging." \
-            --base "${BASE}"
+    secrets: inherit
+    uses: guacsec/trustify-release-tools/.github/workflows/prepare-release.yaml@main
+    with:
</code_context>
<issue_to_address>
**🚨 issue (security):** Reconsider `secrets: inherit` when calling a reusable workflow from another repository

Because this reusable workflow lives in a different repository, `secrets: inherit` exposes all job secrets to it and increases the impact of a compromise in that repo. If it doesn’t genuinely need full access, prefer explicitly passing only the required secrets or using repo-specific tokens instead of inheriting everything.
</issue_to_address>

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.


After merging, follow [RELEASE.md](https://github.com/guacsec/trustify/blob/main/RELEASE.md) for tagging." \
--base "${BASE}"
secrets: inherit

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚨 issue (security): Reconsider secrets: inherit when calling a reusable workflow from another repository

Because this reusable workflow lives in a different repository, secrets: inherit exposes all job secrets to it and increases the impact of a compromise in that repo. If it doesn’t genuinely need full access, prefer explicitly passing only the required secrets or using repo-specific tokens instead of inheriting everything.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Assisted-by: Claude Code
@ctron ctron force-pushed the ci/extract_prepare_release_workflow_1 branch from 5f7d662 to 74970fe Compare July 14, 2026 09:38
@ctron ctron merged commit 401921a into guacsec:main Jul 14, 2026
5 checks passed
@github-project-automation github-project-automation Bot moved this to Done in Trustify Jul 14, 2026
@codecov

codecov Bot commented Jul 14, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 71.67%. Comparing base (3eba74d) to head (74970fe).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2496      +/-   ##
==========================================
+ Coverage   71.66%   71.67%   +0.01%     
==========================================
  Files         453      453              
  Lines       27517    27517              
  Branches    27517    27517              
==========================================
+ Hits        19719    19723       +4     
+ Misses       6667     6657      -10     
- Partials     1131     1137       +6     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: Done

Development

Successfully merging this pull request may close these issues.

1 participant