fixing versions for gh releases #2269

Merged

mfreeman451 merged 8 commits from refs/pull/2269/head into main

2025-10-04 06:30:30 +00:00

mfreeman451 commented

2025-10-04 05:52:05 +00:00

(Migrated from github.com)

Owner

Imported from GitHub pull request.

Original GitHub pull request: #1695
Original author: @mfreeman451
Original URL: https://github.com/carverauto/serviceradar/pull/1695
Original created: 2025-10-04T05:52:05Z
Original updated: 2025-10-04T06:30:33Z
Original head: carverauto/serviceradar:chore/github_release_updates
Original base: main
Original merged: 2025-10-04T06:30:30Z by @mfreeman451

PR Type

Enhancement

Description

Automated GitHub release workflow with Bazel integration
Version-aware package naming for Debian/RPM assets
Release helper scripts for changelog extraction
Enhanced runfile resolution with Bazel support

Diagram Walkthrough

flowchart LR
  A["Tag Push"] --> B["GitHub Workflow"]
  B --> C["Extract Changelog"]
  B --> D["Build Packages"]
  D --> E["Upload to Release"]
  F["cut-release.sh"] --> G["Update VERSION"]
  G --> H["Create Tag"]
  I["publish_packages.go"] --> J["Version Stamping"]
  J --> K["Asset Upload"]

File Walkthrough

Relevant files

Enhancement

4 files

publish_packages.go `Enhanced package publishing with version stamping`	+153/-17
cut-release.sh `New release preparation script`	+171/-0
extract-changelog.py `Changelog extraction utility`	+106/-0
release.yml `Automated release workflow with Bazel`	+176/-189

Documentation

2 files

CHANGELOG `Added changelog with release notes`	+140/-0
RELEASE_PUBLISHING.md `Updated release documentation`	+21/-0

Configuration changes

2 files

VERSION `Updated version to 1.0.53-pre14`	+1/-1
BUILD.bazel `Added Bazel dependency for publish tool`	+3/-0

Dependencies

2 files

go.mod `Added Bazel rules_go dependency`	+1/-0
go.sum `Updated dependency checksums`	+2/-0

Imported from GitHub pull request. Original GitHub pull request: #1695 Original author: @mfreeman451 Original URL: https://github.com/carverauto/serviceradar/pull/1695 Original created: 2025-10-04T05:52:05Z Original updated: 2025-10-04T06:30:33Z Original head: carverauto/serviceradar:chore/github_release_updates Original base: main Original merged: 2025-10-04T06:30:30Z by @mfreeman451 --- ### **PR Type** Enhancement ___ ### **Description** - Automated GitHub release workflow with Bazel integration - Version-aware package naming for Debian/RPM assets - Release helper scripts for changelog extraction - Enhanced runfile resolution with Bazel support ___ ### Diagram Walkthrough ```mermaid flowchart LR A["Tag Push"] --> B["GitHub Workflow"] B --> C["Extract Changelog"] B --> D["Build Packages"] D --> E["Upload to Release"] F["cut-release.sh"] --> G["Update VERSION"] G --> H["Create Tag"] I["publish_packages.go"] --> J["Version Stamping"] J --> K["Asset Upload"] ``` <details> <summary><h3> File Walkthrough</h3></summary> <table><thead><tr><th></th><th align="left">Relevant files</th></tr></thead><tbody><tr><td><strong>Enhancement</strong></td><td><details><summary>4 files</summary><table> <tr> <td><strong>publish_packages.go</strong><dd><code>Enhanced package publishing with version stamping</code>                </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/1695/files#diff-638cfa7da020be995c5e05ba794edd1080d194845870a0061688e0b9afbcadc7">+153/-17</a></td> </tr> <tr> <td><strong>cut-release.sh</strong><dd><code>New release preparation script</code>                                                      </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/1695/files#diff-e1c5bf42cbcadebac62a863cbe688195123704af58008761373302e5283d15a7">+171/-0</a>  </td> </tr> <tr> <td><strong>extract-changelog.py</strong><dd><code>Changelog extraction utility</code>                                                          </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/1695/files#diff-0363bfb3a25f78e8ca5734f0f5bbfd2b0d3fc63a2eb8a78958218c1ea6b9286c">+106/-0</a>  </td> </tr> <tr> <td><strong>release.yml</strong><dd><code>Automated release workflow with Bazel</code>                                        </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/1695/files#diff-87db21a973eed4fef5f32b267aa60fcee5cbdf03c67fafdc2a9b553bb0b15f34">+176/-189</a></td> </tr> </table></details></td></tr><tr><td><strong>Documentation</strong></td><td><details><summary>2 files</summary><table> <tr> <td><strong>CHANGELOG</strong><dd><code>Added changelog with release notes</code>                                              </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/1695/files#diff-ecec88c33adb7591ee6aa88e29b62ad52ef443611cba5e0f0ecac9b5725afdba">+140/-0</a>  </td> </tr> <tr> <td><strong>RELEASE_PUBLISHING.md</strong><dd><code>Updated release documentation</code>                                                        </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/1695/files#diff-6ca2ba93be21a4d63c3f8a08ff4889a2979a0c281a4bb70dbe15635bd199bc7e">+21/-0</a>    </td> </tr> </table></details></td></tr><tr><td><strong>Configuration changes</strong></td><td><details><summary>2 files</summary><table> <tr> <td><strong>VERSION</strong><dd><code>Updated version to 1.0.53-pre14</code>                                                    </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/1695/files#diff-7b60b8e351cbb80c47459ffe2c79f1a26404871f49294780fe47ad0e58c09350">+1/-1</a>      </td> </tr> <tr> <td><strong>BUILD.bazel</strong><dd><code>Added Bazel dependency for publish tool</code>                                    </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/1695/files#diff-fb0e62a1ff706ec8f72e2a1bc655729d1d4fea31e015702ac01e032f67aaf708">+3/-0</a>      </td> </tr> </table></details></td></tr><tr><td><strong>Dependencies</strong></td><td><details><summary>2 files</summary><table> <tr> <td><strong>go.mod</strong><dd><code>Added Bazel rules_go dependency</code>                                                    </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/1695/files#diff-33ef32bf6c23acb95f5902d7097b7a1d5128ca061167ec0716715b0b9eeaa5f6">+1/-0</a>      </td> </tr> <tr> <td><strong>go.sum</strong><dd><code>Updated dependency checksums</code>                                                          </dd></td> <td><a href="https://github.com/carverauto/serviceradar/pull/1695/files#diff-3295df7234525439d778f1b282d146a4f1ff6b415248aaac074e8042d9f42d63">+2/-0</a>      </td> </tr> </table></details></td></tr></tr></tbody></table> </details> ___

qodo-code-review[bot] commented

2025-10-04 05:53:07 +00:00

(Migrated from github.com)

Author

Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/1695#issuecomment-3367932949
Original created: 2025-10-04T05:53:07Z

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
⚪	Fragile git parsing Description: The script parses git status output and extracts file paths using fixed substring slicing (`file=${entry:3}`), which can mis-handle filenames with status codes or spaces and lead to unintended behavior; use `git status --porcelain -z` with null-delimited parsing instead. cut-release.sh [82-109] Referred Code repo_root=$(git rev-parse --show-toplevel 2>/dev/null \|\| true) if [[ -z "$repo_root" ]]; then echo "This script must be run inside the ServiceRadar repository" >&2 exit 1 fi cd "$repo_root" tag="${tag_prefix}${version}" # Ensure the working tree is clean apart from allowed files. if [[ "$dry_run" == "false" ]]; then mapfile -t dirty < <(git status --porcelain) else mapfile -t dirty < <(git status --porcelain) fi for entry in "${dirty[@]}"; do file=${entry:3} case "$file" in ""\|"VERSION"\|"CHANGELOG") ;; ... (clipped 7 lines)
	Secret handling risk Description: The workflow writes a BuildBuddy API key to `.bazelrc.remote`; if the workspace is uploaded or artifacts cached, there is a risk of inadvertent secret exposure unless the file is protected and cleaned—ensure the file is not persisted to artifacts or logs. release.yml [70-75] Referred Code `if: ${{ env.BUILDBUDDY_ORG_API_KEY != '' }} run: \| umask 077 printf 'common --remote_header=x-buildbuddy-api-key=%s\n' "${BUILDBUDDY_ORG_API_KEY}" > .bazelrc.remote - name: Resolve release metadata`
	Input validation risk Description: Upload name derivation enforces specific filename patterns for .deb/.rpm and returns errors for unexpected formats; if input paths are user-influenced, this could cause denial of service in automation—validate inputs upstream or hardcode manifest to trusted files. publish_packages.go [641-666] Referred Code func resolveUploadName(path, debVersion, rpmVersion, rpmRelease string) (string, error) { ext := strings.ToLower(filepath.Ext(path)) switch ext { case ".deb": base := strings.TrimSuffix(filepath.Base(path), ext) parts := strings.SplitN(base, "__", 2) if len(parts) != 2 \|\| strings.TrimSpace(parts[0]) == "" \|\| strings.TrimSpace(parts[1]) == "" { return "", fmt.Errorf("unexpected debian artifact name %q", filepath.Base(path)) } return fmt.Sprintf("%s_%s_%s%s", parts[0], debVersion, parts[1], ext), nil case ".rpm": base := strings.TrimSuffix(filepath.Base(path), ext) idx := strings.LastIndex(base, ".") if idx == -1 \|\| idx == len(base)-1 { return "", fmt.Errorf("unexpected rpm artifact name %q", filepath.Base(path)) } arch := base[idx+1:] namePart := strings.TrimRight(base[:idx], "-") if strings.TrimSpace(namePart) == "" { return "", fmt.Errorf("unexpected rpm artifact name %q", filepath.Base(path)) } ... (clipped 5 lines)
Ticket Compliance
⚪	🎫 No ticket provided Create ticket/issue
Codebase Duplication Compliance
⚪	Codebase context is not defined Follow the guide to enable codebase context checks.
Custom Compliance
⚪	No custom compliance provided Follow the guide to enable custom compliance check.
Update

Compliance status legend

🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

Imported GitHub PR comment. Original author: @qodo-code-review[bot] Original URL: https://github.com/carverauto/serviceradar/pull/1695#issuecomment-3367932949 Original created: 2025-10-04T05:53:07Z --- ## PR Compliance Guide 🔍  Below is a summary of compliance checks for this PR:<br> <table><tbody><tr><td colspan='2'><strong>Security Compliance</strong></td></tr> <tr><td rowspan=3>⚪</td> <td><details><summary><strong>Fragile git parsing </strong></summary><br> <b>Description:</b> The script parses git status output and extracts file paths using fixed substring slicing <br>(<code>file=${entry:3}</code>), which can mis-handle filenames with status codes or spaces and lead to <br>unintended behavior; use <code>git status --porcelain -z</code> with null-delimited parsing instead.<br> <strong><a href='https://github.com/carverauto/serviceradar/pull/1695/files#diff-e1c5bf42cbcadebac62a863cbe688195123704af58008761373302e5283d15a7R82-R109'>cut-release.sh [82-109]</a></strong><br> <details open><summary>Referred Code</summary> ```shell repo_root=$(git rev-parse --show-toplevel 2>/dev/null || true) if [[ -z "$repo_root" ]]; then echo "This script must be run inside the ServiceRadar repository" >&2 exit 1 fi cd "$repo_root" tag="${tag_prefix}${version}" # Ensure the working tree is clean apart from allowed files. if [[ "$dry_run" == "false" ]]; then mapfile -t dirty < <(git status --porcelain) else mapfile -t dirty < <(git status --porcelain) fi for entry in "${dirty[@]}"; do file=${entry:3} case "$file" in ""|"VERSION"|"CHANGELOG") ;; ... (clipped 7 lines) ``` </details></details></td></tr> <tr><td><details><summary><strong>Secret handling risk </strong></summary><br> <b>Description:</b> The workflow writes a BuildBuddy API key to <code>.bazelrc.remote</code>; if the workspace is uploaded <br>or artifacts cached, there is a risk of inadvertent secret exposure unless the file is <br>protected and cleaned—ensure the file is not persisted to artifacts or logs.<br> <strong><a href='https://github.com/carverauto/serviceradar/pull/1695/files#diff-87db21a973eed4fef5f32b267aa60fcee5cbdf03c67fafdc2a9b553bb0b15f34R70-R75'>release.yml [70-75]</a></strong><br> <details open><summary>Referred Code</summary> ```yaml if: ${{ env.BUILDBUDDY_ORG_API_KEY != '' }} run: | umask 077 printf 'common --remote_header=x-buildbuddy-api-key=%s\n' "${BUILDBUDDY_ORG_API_KEY}" > .bazelrc.remote - name: Resolve release metadata ``` </details></details></td></tr> <tr><td><details><summary><strong>Input validation risk </strong></summary><br> <b>Description:</b> Upload name derivation enforces specific filename patterns for .deb/.rpm and returns <br>errors for unexpected formats; if input paths are user-influenced, this could cause denial <br>of service in automation—validate inputs upstream or hardcode manifest to trusted files.<br> <strong><a href='https://github.com/carverauto/serviceradar/pull/1695/files#diff-638cfa7da020be995c5e05ba794edd1080d194845870a0061688e0b9afbcadc7R641-R666'>publish_packages.go [641-666]</a></strong><br> <details open><summary>Referred Code</summary> ```go func resolveUploadName(path, debVersion, rpmVersion, rpmRelease string) (string, error) { ext := strings.ToLower(filepath.Ext(path)) switch ext { case ".deb": base := strings.TrimSuffix(filepath.Base(path), ext) parts := strings.SplitN(base, "__", 2) if len(parts) != 2 || strings.TrimSpace(parts[0]) == "" || strings.TrimSpace(parts[1]) == "" { return "", fmt.Errorf("unexpected debian artifact name %q", filepath.Base(path)) } return fmt.Sprintf("%s_%s_%s%s", parts[0], debVersion, parts[1], ext), nil case ".rpm": base := strings.TrimSuffix(filepath.Base(path), ext) idx := strings.LastIndex(base, ".") if idx == -1 || idx == len(base)-1 { return "", fmt.Errorf("unexpected rpm artifact name %q", filepath.Base(path)) } arch := base[idx+1:] namePart := strings.TrimRight(base[:idx], "-") if strings.TrimSpace(namePart) == "" { return "", fmt.Errorf("unexpected rpm artifact name %q", filepath.Base(path)) } ... (clipped 5 lines) ``` </details></details></td></tr> <tr><td colspan='2'><strong>Ticket Compliance</strong></td></tr> <tr><td>⚪</td><td><details><summary>🎫 <strong>No ticket provided </summary></strong> - [ ] Create ticket/issue  </details></td></tr> <tr><td colspan='2'><strong>Codebase Duplication Compliance</strong></td></tr> <tr><td>⚪</td><td><details><summary><strong>Codebase context is not defined </strong></summary> Follow the <a href='https://qodo-merge-docs.qodo.ai/core-abilities/rag_context_enrichment/'>guide</a> to enable codebase context checks. </details></td></tr> <tr><td colspan='2'><strong>Custom Compliance</strong></td></tr> <tr><td>⚪</td><td><details><summary><strong>No custom compliance provided</strong></summary> Follow the <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/'>guide</a> to enable custom compliance check. </details></td></tr> <tr><td align="center" colspan="2"> - [ ] Update  </td></tr></tbody></table> <details><summary>Compliance status legend</summary> 🟢 - Fully Compliant<br> 🟡 - Partial Compliant<br> 🔴 - Not Compliant<br> ⚪ - Requires Further Human Verification<br> 🏷️ - Compliance label<br> </details>

qodo-code-review[bot] commented

2025-10-04 05:54:12 +00:00

(Migrated from github.com)

Author

Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/1695#issuecomment-3367933450
Original created: 2025-10-04T05:54:12Z

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
High-level	Docker image publishing is missing The new release workflow omits the previous functionality of building and pushing Docker images. The suggestion is to re-add this step to the workflow to avoid a regression, as the current implementation only publishes Debian and RPM packages. Examples: .github/workflows/release.yml [58-196] `publish: runs-on: oracle env: BUILDBUDDY_ORG_API_KEY: ${{ secrets.BUILDBUDDY_ORG_API_KEY }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v5 with: fetch-depth: 0 ... (clipped 129 lines)` Solution Walkthrough: Before: `# .github/workflows/release.yml jobs: publish: runs-on: oracle steps: - name: Checkout ... - name: Resolve release metadata ... - name: Generate release notes ... - name: Publish Debian and RPM packages run: \| bazel run --config=remote --stamp //release:publish_packages -- "${args[@]}" - name: Verify uploaded release assets via API # This step only verifies .deb and .rpm assets ...` After: # .github/workflows/release.yml jobs: publish: runs-on: oracle steps: - name: Checkout ... - name: Resolve release metadata ... - name: Generate release notes ... - name: Publish Debian and RPM packages run: \| bazel run --config=remote --stamp //release:publish_packages -- "${args[@]}" - name: Build and push Docker images run: \| # Re-introduce logic to build and push Docker images # e.g., ./scripts/build-images.sh --push --tag ${{ steps.release.outputs.tag }} - name: Verify uploaded release assets via API ... Suggestion importance[1-10]: 9 __ Why: The suggestion correctly identifies that the new workflow omits the Docker image publishing step, which was part of the previous release process, representing a significant regression.	High
Possible issue	Improve parsing of git status Improve the robustness of parsing `git status --porcelain` output by using `awk` to extract filenames, which better handles different git statuses. scripts/cut-release.sh [93-109] if [[ "$dry_run" == "false" ]]; then mapfile -t dirty < <(git status --porcelain) else mapfile -t dirty < <(git status --porcelain) fi for entry in "${dirty[@]}"; do - file=${entry:3} + # Awk handles different git status formats, including renames. + file=$(echo "$entry" \| awk '{print $2}') case "$file" in - ""\|"VERSION"\|"CHANGELOG") + "VERSION"\|"CHANGELOG") ;; ) - echo "Unexpected pending change: $file" >&2 + echo "Unexpected pending change: $entry" >&2 echo "Please commit or stash it before running this script." >&2 exit 1 ;; esac done Apply / Chat* Suggestion importance[1-10]: 5 __ Why: The suggestion correctly identifies that parsing `git status --porcelain` with a fixed-offset substring is brittle, but the proposed `awk` solution is also flawed for renames and filenames with spaces.	Low
Update

Imported GitHub PR comment. Original author: @qodo-code-review[bot] Original URL: https://github.com/carverauto/serviceradar/pull/1695#issuecomment-3367933450 Original created: 2025-10-04T05:54:12Z --- ## PR Code Suggestions ✨  Explore these optional code suggestions: <table><thead><tr><td><strong>Category</strong></td><td align=left><strong>Suggestion                                                                                                                                    </strong></td><td align=center><strong>Impact</strong></td></tr><tbody><tr><td rowspan=1>High-level</td> <td> <details><summary>Docker image publishing is missing</summary> ___ **The new release workflow omits the previous functionality of building and <br>pushing Docker images. The suggestion is to re-add this step to the workflow to <br>avoid a regression, as the current implementation only publishes Debian and RPM <br>packages.** ### Examples: <details> <summary> <a href="https://github.com/carverauto/serviceradar/pull/1695/files#diff-87db21a973eed4fef5f32b267aa60fcee5cbdf03c67fafdc2a9b553bb0b15f34R58-R196">.github/workflows/release.yml [58-196]</a> </summary> ```yaml publish: runs-on: oracle env: BUILDBUDDY_ORG_API_KEY: ${{ secrets.BUILDBUDDY_ORG_API_KEY }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v5 with: fetch-depth: 0 ... (clipped 129 lines) ``` </details> ### Solution Walkthrough: #### Before: ```yaml # .github/workflows/release.yml jobs: publish: runs-on: oracle steps: - name: Checkout ... - name: Resolve release metadata ... - name: Generate release notes ... - name: Publish Debian and RPM packages run: | bazel run --config=remote --stamp //release:publish_packages -- "${args[@]}" - name: Verify uploaded release assets via API # This step only verifies .deb and .rpm assets ... ``` #### After: ```yaml # .github/workflows/release.yml jobs: publish: runs-on: oracle steps: - name: Checkout ... - name: Resolve release metadata ... - name: Generate release notes ... - name: Publish Debian and RPM packages run: | bazel run --config=remote --stamp //release:publish_packages -- "${args[@]}" - name: Build and push Docker images run: | # Re-introduce logic to build and push Docker images # e.g., ./scripts/build-images.sh --push --tag ${{ steps.release.outputs.tag }} - name: Verify uploaded release assets via API ... ``` <details><summary>Suggestion importance[1-10]: 9</summary> __ Why: The suggestion correctly identifies that the new workflow omits the Docker image publishing step, which was part of the previous release process, representing a significant regression. </details></details></td><td align=center>High </td></tr><tr><td rowspan=1>Possible issue</td> <td> <details><summary>Improve parsing of git status</summary> ___ **Improve the robustness of parsing <code>git status --porcelain</code> output by using <code>awk</code> to <br>extract filenames, which better handles different git statuses.** [scripts/cut-release.sh [93-109]](https://github.com/carverauto/serviceradar/pull/1695/files#diff-e1c5bf42cbcadebac62a863cbe688195123704af58008761373302e5283d15a7R93-R109) ```diff if [[ "$dry_run" == "false" ]]; then mapfile -t dirty < <(git status --porcelain) else mapfile -t dirty < <(git status --porcelain) fi for entry in "${dirty[@]}"; do - file=${entry:3} + # Awk handles different git status formats, including renames. + file=$(echo "$entry" | awk '{print $2}') case "$file" in - ""|"VERSION"|"CHANGELOG") + "VERSION"|"CHANGELOG") ;; *) - echo "Unexpected pending change: $file" >&2 + echo "Unexpected pending change: $entry" >&2 echo "Please commit or stash it before running this script." >&2 exit 1 ;; esac done ``` - [ ] **Apply / Chat**  <details><summary>Suggestion importance[1-10]: 5</summary> __ Why: The suggestion correctly identifies that parsing `git status --porcelain` with a fixed-offset substring is brittle, but the proposed `awk` solution is also flawed for renames and filenames with spaces. </details></details></td><td align=center>Low </td></tr> <tr><td align="center" colspan="2"> - [ ] Update  </td><td></td></tr></tbody></table>