This guide explains how to use the automated release workflows for this GitHub Action and provides detailed documentation about the CI/CD workflows.
- Overview
- Workflows Overview
- CodeQL Security Scan
- Test Release (Dry Run)
- Create Release (Production)
- Best Practices
- Troubleshooting
- Additional Resources
- Support
We have two primary workflows for releasing this GitHub Action:
- Test Release - A safe, dry-run environment that creates a draft release.
- Create Release - The production workflow that publishes a public release to the GitHub Marketplace.
Always test first with a Test Release before creating a production release!
This repository uses GitHub Actions for CI/CD, including security scanning and automated releases.
| Workflow | Purpose | Trigger | Creates Release | Safe for Testing |
|---|---|---|---|---|
codeql.yml |
Security scanning | Auto + Manual | No | ✅ Yes |
create-release.yml |
Production release | Manual | Yes (Published) | |
test-release.yml |
Test release process | Manual | Yes (Draft only) | ✅ Yes |
This workflow automatically scans the codebase for security vulnerabilities using GitHub's CodeQL analysis to identify security risks and code quality issues.
- File:
.github/workflows/codeql.yml - Purpose: To automate security scanning and identify vulnerabilities before they are introduced into the main branch.
- Triggers:
- Pull Requests: Runs on all PRs targeting the
mainbranch. - Schedule: Runs weekly (every Monday at 00:00 UTC).
- Manual: Can be triggered manually.
- Pull Requests: Runs on all PRs targeting the
- Initializes CodeQL: Sets up the CodeQL engine with JavaScript language support.
- Runs Analysis: Executes the
security-extendedquery suite for a comprehensive scan. - Uploads Results: Reports findings to the Security tab under Code scanning alerts.
- Permissions:
actions: read: To read workflow information.contents: read: To read repository contents for scanning.security-events: write: To write security scan results to the Security tab.
- Query Suite:
security-extended - Runner:
ubuntu-latest
- The workflow runs automatically. Review results in the Security tab and address any identified vulnerabilities before merging pull requests.
Use this workflow to test the release process safely without publishing anything. It creates a draft release for validation.
- Before a production release to ensure everything works.
- When testing changes to the build or release workflow.
- To validate release notes and artifacts.
- Navigate to the Actions tab in the GitHub repository.
- Select "Test Release (Dry Run)" from the workflow list.
- Click the "Run workflow" button.
- Fill in the required inputs:
| Input | Example | Description |
|---|---|---|
| Tag | v2.0.0-test |
Use a test suffix like -test, -rc1, or -beta. |
| Release notes | Testing release automation |
A brief description for the test. |
| Set as latest | ☐ Unchecked | Leave unchecked for testing. |
| Set as pre-release | ✓ Checked | Mark as a pre-release for testing. |
- Click "Run workflow".
After the workflow completes, review the draft release, then delete it.
- File:
.github/workflows/test-release.yml - Trigger: Manual (
workflow_dispatch) - Permissions:
contents: write
Workflow Steps:
- Validation: Checks tag format, verifies the current branch is
main, and checks if the tag already exists. - Build: Installs dependencies (
npm ci), builds the distribution (npm run build), and verifies the build artifacts. - Simulation: Shows what commands would run, checks for uncommitted changes, and simulates tag creation without pushing.
- Draft Release: Creates a non-published DRAFT release, adds a "TEST" label to the release name, and includes a warning in the release body.
- Summary: Shows all validation results, provides the draft release URL, and lists cleanup steps.
- Workflow completes without errors
- All validation steps pass
- Build succeeds
- Draft release is created
- Release notes are formatted correctly
- Delete draft release after review
- Ready to run production release
This workflow creates and publishes a real, public release to the GitHub Marketplace.
- This is for production releases only.
- Ensure you have successfully run a Test Release first.
- You must be on the
mainbranch.
- Go to the Actions tab.
- Select "Create Release" from the workflow list.
- Click "Run workflow".
- Fill in the inputs:
| Input | Example | Description |
|---|---|---|
| Tag | v2.0.0 |
Must follow semantic versioning (e.g., v*.*.*). |
| Release notes | See example below | Detailed notes for the release. |
| Set as latest | ✓ Checked | Mark as the latest official release. |
| Set as pre-release | ☐ Unchecked | Only check for beta or RC versions. |
- Click "Run workflow".
## What's New
### Features
- Added support for deployment gates
- Improved error handling and logging
- Updated to use token-based authentication
### Bug Fixes
- Fixed issue with change request creation timeout
- Resolved npm build errors in CI/CD
### Dependencies
- Updated axios to v1.7.7
- Updated @actions/core to v1.10.1
### Breaking Changes
None
### Upgrade Instructions
Simply update your workflow to use `@v2.0.0` instead of the previous version.- File:
.github/workflows/create-release.yml - Trigger: Manual (
workflow_dispatch) - Permissions:
contents: write
Workflow Steps:
- Validation Phase: Enforces strict tag format (
v*.*.*), checks for existing tags, and verifies the branch ismain. - Build Phase: Sets up Node.js, installs dependencies with
npm ci, builds the distribution withnpm run build, and verifies thatdist/index.jsexists. - Commit Phase: Commits and pushes build artifacts to the
mainbranch. - Release Phase: Creates an annotated Git tag, pushes the tag, and publishes the final release to GitHub.
- Summary Phase: Provides the release URL and a post-release checklist.
After the workflow completes successfully, follow these steps:
- Verify the release at the URL provided in the workflow summary.
- Check GitHub Marketplace to confirm the new version appears (this may take 5-10 minutes).
- Inform the QE team to begin testing the new version.
- Monitor for issues from users.
- Update documentation if needed.
Follow Semantic Versioning (SemVer):
- Major (
v2.0.0): For breaking changes. - Minor (
v2.1.0): For new, backward-compatible features. - Patch (
v2.1.1): For backward-compatible bug fixes.
- All changes are merged into the
mainbranch. - All automated tests are passing.
- A Test Release was successful.
- Release notes are prepared and follow the recommended format.
- The version number is correct and follows SemVer.
Do:
- ✅ List all new features
- ✅ Document bug fixes
- ✅ Note any breaking changes
- ✅ Include upgrade instructions
- ✅ Credit contributors
Don't:
- ❌ Be vague ("various improvements")
- ❌ Use internal jargon
- ❌ Forget to mention breaking changes
- ❌ Skip upgrade instructions
A good format example:
## What's New
### Features
- Added support for deployment gates.
### Bug Fixes
- Fixed an issue with change request timeouts.
### Breaking Changes
- None.Actions → Test Release (Dry Run) → Run workflow
Tag: v2.0.0-test
Actions → Create Release → Run workflow
Tag: v2.0.0
- Verify release page
- Check GitHub Marketplace
- Inform QE team
- Monitor for issues
- "Tag already exists": Choose a new version number or delete the conflicting tag if it was a mistake.
- Build Fails: Run
npm ci && npm run buildlocally to debug. Check for missing dependencies inpackage.json. - Not on
mainbranch: Switch to themainbranch and pull the latest changes. - Release not in Marketplace: Wait 5-10 minutes. Ensure the release is marked as "latest" and
action.ymlis correct.
- GitHub Actions Documentation
- CodeQL Documentation
- ServiceNow DevOps Documentation
- Semantic Versioning
- Keep a Changelog
For issues or questions:
- GitHub Issues: Create an issue
- ServiceNow Support: Now Support Portal