Implement draft release#57
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
📝 WalkthroughWalkthroughThe placeholder workflow now automates Java 17 Maven release drafting, including version calculation, tag validation, metadata updates, optional release PR creation, and draft release creation. Maven publishing is configured to wait for published artifacts, and the changelog lists versions 1.0.0 through 1.3.0. ChangesJava release automation
Estimated code review effort: 4 (Complex) | ~45 minutes Sequence Diagram(s)sequenceDiagram
participant GitHubActions
participant MavenProject
participant GitHubAPI
GitHubActions->>MavenProject: Read project.version
GitHubActions->>GitHubAPI: Check computed tag
GitHubActions->>MavenProject: Update pom.xml and CHANGELOG.md
GitHubActions->>GitHubAPI: Open release PR
GitHubActions->>GitHubAPI: Create draft release with notes
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 3
🧹 Nitpick comments (1)
.github/workflows/draft-release.yml (1)
18-20: 🩺 Stability & Availability | 🔵 Trivial | ⚖️ Poor tradeoffTOCTOU race between tag-exists check and draft release creation.
With
cancel-in-progress: falseand a workflow-level concurrency group, two simultaneous dispatch runs could both pass theabort-if-tag-existscheck (line 52) and both proceed to create a draft release (line 84) for the same tag. Consider serializing runs withcancel-in-progress: trueor using a deployment lock to prevent overlapping release runs.Also applies to: 84-89
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/draft-release.yml around lines 18 - 20, Prevent overlapping draft-release workflow runs from racing between the tag-existence check and release creation: update the workflow-level concurrency configuration to cancel an in-progress run when a newer run starts, or otherwise add a deployment lock covering the check and draft release creation steps. Preserve the existing workflow concurrency group and ensure only one run can proceed for a tag at a time.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/draft-release.yml:
- Around line 67-72: Add a workflow step before “Prepend new section to
CHANGELOG.md” that creates an empty CHANGELOG.md only when the file is absent,
using a shell existence check; keep the existing prepend action and
release-notes condition unchanged.
- Around line 63-65: Prevent shell injection in the Maven version bump step by
assigning steps.bump.outputs.next to an environment variable and referencing
that variable in the run command instead of interpolating the output directly.
Update the “Bump version in pom.xml” step while preserving its existing
condition and Maven options.
- Line 47: Replace every mutable `@master` reference for railsware/github-actions
steps in the release workflow, including compute-next-semver and the other five
release actions, with their reviewed, immutable commit SHAs; preserve each
action and its configuration while ensuring all six uses are pinned
consistently.
---
Nitpick comments:
In @.github/workflows/draft-release.yml:
- Around line 18-20: Prevent overlapping draft-release workflow runs from racing
between the tag-existence check and release creation: update the workflow-level
concurrency configuration to cancel an in-progress run when a newer run starts,
or otherwise add a deployment lock covering the check and draft release creation
steps. Preserve the existing workflow concurrency group and ensure only one run
can proceed for a tag at a time.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 42b8f5f7-f218-46c6-b5e0-5287d2b34e3e
📒 Files selected for processing (2)
.github/workflows/draft-release.ymlCHANGELOG.md
|
|
||
| - name: Compute next version | ||
| id: bump | ||
| uses: railsware/github-actions/compute-next-semver@master |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Description: Fetch the latest commit SHA for each railsware action branch.
for action in compute-next-semver abort-if-tag-exists generate-release-notes prepend-changelog open-sdk-release-pr create-draft-github-release; do
echo "=== $action ==="
gh api repos/railsware/github-actions/commits --jq ".[].sha" 2>/dev/null | head -1
doneRepository: mailtrap/mailtrap-java
Length of output: 583
🏁 Script executed:
#!/bin/bash
set -euo pipefail
file=".github/workflows/draft-release.yml"
echo "== relevant lines =="
nl -ba "$file" | sed -n '1,140p' | rg 'railsware/github-actions|uses:|`@master`|@'
echo
echo "== full action references =="
rg -n 'railsware/github-actions|uses:' "$file"Repository: mailtrap/mailtrap-java
Length of output: 217
🏁 Script executed:
#!/bin/bash
set -euo pipefail
file=".github/workflows/draft-release.yml"
echo "== railsware/github-actions references =="
grep -nE 'railsware/github-actions|uses:' "$file" || true
echo
echo "== surrounding context =="
sed -n '35,95p' "$file"Repository: mailtrap/mailtrap-java
Length of output: 2825
Pin all railsware/github-actions steps to commit SHAs. The six release steps still use mutable @master refs, so a compromise of that repo could run arbitrary code here with write permissions.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/draft-release.yml at line 47, Replace every mutable
`@master` reference for railsware/github-actions steps in the release workflow,
including compute-next-semver and the other five release actions, with their
reviewed, immutable commit SHAs; preserve each action and its configuration
while ensuring all six uses are pinned consistently.
Source: Linters/SAST tools
| - name: Bump version in pom.xml | ||
| if: steps.notes.outputs.release_notes != '' | ||
| run: mvn versions:set -DnewVersion=${{ steps.bump.outputs.next }} -DgenerateBackupPoms=false |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Prevent shell injection via environment variable on the Maven version bump.
steps.bump.outputs.next is interpolated directly into the run command. If the upstream compute-next-semver action (pinned to @master) ever produces unexpected output, shell metacharacters in that value would execute arbitrary commands. Pass the value through an environment variable instead.
🔒️ Proposed fix
- name: Bump version in pom.xml
if: steps.notes.outputs.release_notes != ''
+ env:
+ NEXT_VERSION: ${{ steps.bump.outputs.next }}
- run: mvn versions:set -DnewVersion=${{ steps.bump.outputs.next }} -DgenerateBackupPoms=false
+ run: mvn versions:set -DnewVersion="$NEXT_VERSION" -DgenerateBackupPoms=false📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| - name: Bump version in pom.xml | |
| if: steps.notes.outputs.release_notes != '' | |
| run: mvn versions:set -DnewVersion=${{ steps.bump.outputs.next }} -DgenerateBackupPoms=false | |
| - name: Bump version in pom.xml | |
| if: steps.notes.outputs.release_notes != '' | |
| env: | |
| NEXT_VERSION: ${{ steps.bump.outputs.next }} | |
| run: mvn versions:set -DnewVersion="$NEXT_VERSION" -DgenerateBackupPoms=false |
🧰 Tools
🪛 zizmor (1.26.1)
[info] 65-65: code injection via template expansion (template-injection): may expand into attacker-controllable code
(template-injection)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/draft-release.yml around lines 63 - 65, Prevent shell
injection in the Maven version bump step by assigning steps.bump.outputs.next to
an environment variable and referencing that variable in the run command instead
of interpolating the output directly. Update the “Bump version in pom.xml” step
while preserving its existing condition and Maven options.
Source: Linters/SAST tools
| - name: Prepend new section to CHANGELOG.md | ||
| if: steps.notes.outputs.release_notes != '' | ||
| uses: railsware/github-actions/prepend-changelog@master | ||
| with: | ||
| version: ${{ steps.bump.outputs.next }} | ||
| release-notes: ${{ steps.notes.outputs.release_notes }} |
There was a problem hiding this comment.
🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win
Handle missing CHANGELOG.md to fix the pipeline failure.
The pipeline failed with ENOENT: no such file or directory, open 'CHANGELOG.md' because the workflow checks out main (line 33) but CHANGELOG.md is new in this PR and hasn't been merged yet. The prepend-changelog action internally calls fs.readFileSync('CHANGELOG.md') and crashes when the file is absent. Add a guard step to create the file if it doesn't exist.
🐛 Proposed fix
- name: Ensure CHANGELOG.md exists
+ if: steps.notes.outputs.release_notes != ''
+ run: |
+ if [ ! -f CHANGELOG.md ]; then
+ touch CHANGELOG.md
+ fi
+
- name: Prepend new section to CHANGELOG.md
if: steps.notes.outputs.release_notes != ''
uses: railsware/github-actions/prepend-changelog@master📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| - name: Prepend new section to CHANGELOG.md | |
| if: steps.notes.outputs.release_notes != '' | |
| uses: railsware/github-actions/prepend-changelog@master | |
| with: | |
| version: ${{ steps.bump.outputs.next }} | |
| release-notes: ${{ steps.notes.outputs.release_notes }} | |
| - name: Ensure CHANGELOG.md exists | |
| if: steps.notes.outputs.release_notes != '' | |
| run: | | |
| if [ ! -f CHANGELOG.md ]; then | |
| touch CHANGELOG.md | |
| fi | |
| - name: Prepend new section to CHANGELOG.md | |
| if: steps.notes.outputs.release_notes != '' | |
| uses: railsware/github-actions/prepend-changelog@master | |
| with: | |
| version: ${{ steps.bump.outputs.next }} | |
| release-notes: ${{ steps.notes.outputs.release_notes }} |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/draft-release.yml around lines 67 - 72, Add a workflow
step before “Prepend new section to CHANGELOG.md” that creates an empty
CHANGELOG.md only when the file is absent, using a shell existence check; keep
the existing prepend action and release-notes condition unchanged.
Source: Pipeline failures
Motivation
Release automation
Changes
How to test
Example automated release PR #59
Summary by CodeRabbit