Skip to content

ci: integrate release-please action#116

Merged
tada5hi merged 2 commits into
mainfrom
ci/release-please
Jun 30, 2026
Merged

ci: integrate release-please action#116
tada5hi merged 2 commits into
mainfrom
ci/release-please

Conversation

@tada5hi

@tada5hi tada5hi commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Integrate release-please for automated versioning and releases, modeled on the hub-seeder setup and adapted for this Python/Poetry/PyPI project.

Changes

  • release-please-config.jsonrelease-type: python (bumps version in pyproject.toml), include-v-in-tag: true (matches existing v* tags), bump-minor-pre-major: true (pre-1.0: feat: → minor, fix: → patch).
  • .release-please-manifest.json — bootstrapped to the current version 0.2.16 so release-please continues cleanly from the existing v0.2.16 tag instead of starting a new series.
  • .github/workflows/release.yml — runs on push to main; the release-please job maintains the release PR, and once a release is created it builds the package, publishes to PyPI (trusted publishing / OIDC), and deploys the Sphinx docs to GitHub Pages.
  • Removed publish.yml and sphinx.yml — their tag-triggered jobs are folded into release.yml. Tags created by release-please use GITHUB_TOKEN, which by design does not trigger separate tag-triggered workflows, so the standalone files would never have fired.

Follow-up required before this works

  1. Settings → Actions → General → enable "Allow GitHub Actions to create and approve pull requests", otherwise release-please cannot open its PR.
  2. The existing PyPI trusted publisher config and the pypi environment must remain in place (reused unchanged from the old publish.yml).

Behavior note

With bump-minor-pre-major, feat: commits now produce minor bumps (e.g. 0.3.0) rather than the manual patch bumps used previously. This is standard release-please/semver behavior and matches hub-seeder.

Summary by CodeRabbit

  • New Features

    • Added an automated release flow on the main branch, including package publishing and documentation deployment.
    • Release versions now follow a standardized tagging and versioning setup.
  • Chores

    • Updated the project version to 0.2.16.
    • Removed older tag-based publishing and documentation workflows in favor of the new release process.

Adopt release-please for automated versioning and releases, modeled on
the hub-seeder setup and adapted for Python/Poetry/PyPI.

- Add release-please-config.json (release-type: python, v-prefixed tags,
  bump-minor-pre-major) and bootstrap .release-please-manifest.json to
  the current version 0.2.16 to align with existing v* tags.
- Add release.yml that runs release-please on pushes to main and, once a
  release is created, builds the package, publishes to PyPI via trusted
  publishing, and deploys the Sphinx docs.
- Remove publish.yml and sphinx.yml; their tag-triggered jobs are folded
  into release.yml since tags created with GITHUB_TOKEN do not trigger
  separate workflows.
@coderabbitai

coderabbitai Bot commented Jun 30, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@tada5hi, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 55 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4d291f14-4dc1-49f0-a885-9056ce545c2f

📥 Commits

Reviewing files that changed from the base of the PR and between f7526f9 and b775248.

📒 Files selected for processing (1)
  • .github/workflows/release.yml
📝 Walkthrough

Walkthrough

Removes separate publish.yml and sphinx.yml workflows and replaces them with a unified release.yml workflow driven by Release Please on pushes to main. Adds release-please-config.json and updates .release-please-manifest.json to version 0.2.16.

Changes

Release CI/CD consolidation

Layer / File(s) Summary
Release Please config and manifest
release-please-config.json, .release-please-manifest.json
Adds release-please-config.json specifying python release type with tag/version options, and updates the manifest to set the root package version to 0.2.16.
Unified release workflow
.github/workflows/release.yml
Adds a single workflow on main push with four jobs: release-please (creates releases), build (Poetry build + artifact upload), publish (PyPI via OIDC), and docs (Sphinx build + GitHub Pages deploy). Removes the separate .github/workflows/publish.yml and .github/workflows/sphinx.yml.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐇 Hoppy days, the workflows merge into one,
Release Please now leads when pushes are done,
Docs and PyPI both follow in line,
No more separate files — everything's fine!
One workflow to rule them, neat and divine. 🌟

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: integrating release-please into the CI/release process.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch ci/release-please

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release.yml:
- Around line 11-14: The workflow-level permissions are too broad and currently
grant write access to every job, including ones that do not need it. Update the
release workflow so the existing permissions are scoped per job instead of at
the top level: keep write access only on the release-please and docs jobs, and
leave build and publish with read-only or no permissions. Use the job names and
the workflow permissions block in release.yml to locate and move the settings.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 77bed367-2030-4679-9cb8-dc2723a6bfa7

📥 Commits

Reviewing files that changed from the base of the PR and between b425f76 and f7526f9.

📒 Files selected for processing (5)
  • .github/workflows/publish.yml
  • .github/workflows/release.yml
  • .github/workflows/sphinx.yml
  • .release-please-manifest.json
  • release-please-config.json
💤 Files with no reviewable changes (2)
  • .github/workflows/sphinx.yml
  • .github/workflows/publish.yml

Comment on lines +11 to +14
permissions:
contents: write
pull-requests: write

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Scope workflow permissions per job.

contents: write and pull-requests: write are currently granted to every job, including build and publish, which do not need them. That unnecessarily widens the blast radius for third-party actions and shell steps; move these permissions onto release-please and docs, and leave the other jobs read-only or tokenless.

Suggested tightening
-permissions:
-  contents: write
-  pull-requests: write
-
 jobs:
   release-please:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     outputs:
       releases_created: ${{ steps.release.outputs.releases_created }}
@@
   build:
     runs-on: ubuntu-latest
     needs: release-please
     if: needs.release-please.outputs.releases_created == 'true'
+    permissions:
+      contents: read
@@
   publish:
     runs-on: ubuntu-latest
     needs: build
     environment: pypi
     permissions:
       id-token: write
@@
   docs:
     runs-on: ubuntu-latest
     needs: release-please
     if: needs.release-please.outputs.releases_created == 'true'
     permissions:
       contents: write
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
permissions:
contents: write
pull-requests: write
🧰 Tools
🪛 zizmor (1.26.1)

[error] 12-12: overly broad permissions (excessive-permissions): contents: write is overly broad at the workflow level

(excessive-permissions)


[error] 13-13: overly broad permissions (excessive-permissions): pull-requests: write is overly broad at the workflow level

(excessive-permissions)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 11 - 14, The workflow-level
permissions are too broad and currently grant write access to every job,
including ones that do not need it. Update the release workflow so the existing
permissions are scoped per job instead of at the top level: keep write access
only on the release-please and docs jobs, and leave build and publish with
read-only or no permissions. Use the job names and the workflow permissions
block in release.yml to locate and move the settings.

Source: Linters/SAST tools

@tada5hi tada5hi merged commit 1d66a1f into main Jun 30, 2026
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant