revert: remove release-please + PR title lint automation #60
Merged
Drops the release-please bot and the PR title lint workflow added in PR #59. They were experimental and don't match the awslabs convention (none of awslabs/mcp, aws-lambda-powertools-python, automated-security-helper, multi-agent-orchestrator use release-please). Removing reduces third-party action attack surface (release-please-action@v4 and amannn/action-semantic-pull-request@v5 both had contents:write + pull-requests:write permissions running on every push to main / every PR), and removes infrastructure that wasn't being used: the release-please run on PR #58's merge failed because the org-level "Allow GitHub Actions to create and approve pull requests" setting is disabled (correctly disabled for security).

Releases revert to the manual `make release` flow that we successfully used to ship v0.3.5. AGENTS.md restored to describe that flow.

Kept from the prior work (independent wins, not release-please-specific):

- setuptools-scm migration (PR #56): version still derived from git tags
- SETUPTOOLS_SCM_PRETEND_VERSION_FOR_* in publish.yml (PR #57): still needed to force tag version through dirty-tree builds

Removes:

- .github/workflows/release-please.yml
- .github/workflows/lint-pr-title.yml
- release-please-config.json
- .release-please-manifest.json

Post-merge cleanup (manual via web UI):

1. Delete the "main protection" branch ruleset on Settings → Rules → Rulesets — otherwise it blocks all future PRs waiting for the `lint` check that no longer exists.
2. Delete the stale release-please--branches--main branch on origin left over from the failed bot run: `git push origin --delete release-please--branches--main`
Summary
Reverts the release-please and PR title lint workflows added in PR #59.
Why
OpenSSF's Best Practices Working Group explicitly recommends keeping "Allow GitHub Actions to create and approve pull requests" disabled. release-please requires that setting enabled to function, creating a tension between automation convenience and security best practice.
Recent supply-chain attacks reinforce the concern:
For a published Python package on PyPI with real users, the marginal benefit of release-please (auto-opens Release PRs so you don't forget to release) doesn't justify the marginal increase in third-party-action attack surface running on every push to main with `contents: write` permission.

This also better aligns with awslabs conventions — peer repos like awslabs/mcp, aws-lambda-powertools-python, automated-security-helper, multi-agent-orchestrator don't use release-please.

What this removes
What this keeps (independent wins)
Release flow after merge
Returns to manual `make release` / `make release-minor` / `make release-major` — the same flow used successfully for v0.3.5. AGENTS.md restored to describe this.
Post-merge cleanup
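The permissions argument made in the description (`release-please-action@v4` and `amannn/action-semantic-pull-request@v5` carrying `contents: write` and `pull-requests: write` on every push to main and every PR) is something worth checking mechanically rather than by eye, both before adopting bot automation and after removing it. The following is an added example written for this page, not the project's own tooling: a stand-alone Python audit that parses workflow files and reports every third-party action that inherits write scopes or is pinned to a mutable tag rather than a commit SHA. The two embedded workflows are constructed (the first modeled on the removed release-please job, the second a read-only publish job); the `googleapis/` owner for release-please-action, the all-zero checkout SHA and the trusted namespaces in `TRUSTED_PREFIXES` are assumptions.

```python
# Added example, not the project's own tooling: flag third-party GitHub Actions that run with
# write permissions or unpinned refs. The YAML-subset parser handles only the shapes used below.
import re

TRUSTED_PREFIXES = ("actions/", "github/")  # assumption: add your own org, e.g. "awslabs/"
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed samples: a release-please workflow like the one this PR removes, and a read-only
# publish job. The "googleapis/" owner and the all-zero checkout SHA are placeholders, not real pins.
SAMPLE_WORKFLOWS = {
    "release-please.yml": """\
on:
  push:
    branches: [main]
permissions:
  contents: write
  pull-requests: write
jobs:
  release:
    steps:
      - uses: googleapis/release-please-action@v4
""",
    "publish.yml": """\
on: [push]
permissions:
  contents: read
jobs:
  build:
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder)
""",
}

def parse_simple_yaml(text):
    root = {}
    stack = [(-1, {"_": root}, "_")]  # (indent, holder, key): the node being filled is holder[key]
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()  # drop trailing comments such as "# v4"
        if not line.strip():
            continue
        indent, content = len(line) - len(line.lstrip(" ")), line.strip()
        while indent <= stack[-1][0]:  # a dedent closes every deeper container
            stack.pop()
        _, holder, key = stack[-1]
        node = holder[key]
        if content.startswith("- "):
            if node is None:
                node = holder[key] = []
            item = content[2:].strip()
            if ":" not in item:  # list of scalars, e.g. "- main"
                node.append(item.strip("'\""))
                continue
            node.append({})  # list of mappings, e.g. "- uses: owner/repo@v4"
            stack.append((indent, node, len(node) - 1))
            node, content = node[-1], item
        if node is None:
            node = holder[key] = {}
        k, _, v = content.partition(":")
        k, v = k.strip().strip("'\""), v.strip()
        if v == "":  # children follow on deeper-indented lines
            node[k] = None
            stack.append((indent, node, k))
        elif v.startswith("[") and v.endswith("]"):
            node[k] = [x.strip().strip("'\"") for x in v[1:-1].split(",") if x.strip()]
        else:
            node[k] = v.strip("'\"")
    return root

def triggers(wf):
    """Normalise 'on' (scalar, list or mapping) to labels such as 'push:main'."""
    on = wf.get("on") or {}
    on = {on: None} if isinstance(on, str) else {e: None for e in on} if isinstance(on, list) else on
    return [f"{e}:{','.join(c['branches'])}" if isinstance(c, dict) and c.get("branches") else e
            for e, c in on.items()]

def audit_workflow(filename, text, trusted=TRUSTED_PREFIXES):
    wf, findings = parse_simple_yaml(text), []
    for job_name, job in (wf.get("jobs") or {}).items():
        perms = job.get("permissions", wf.get("permissions"))  # job level overrides workflow level
        if perms == "write-all":
            scopes = ["write-all"]
        else:
            scopes = sorted(k for k, v in perms.items() if v == "write") if isinstance(perms, dict) else []
        for step in job.get("steps") or []:
            uses = step.get("uses", "") if isinstance(step, dict) else ""
            action, _, ref = uses.partition("@")
            if not uses or uses.startswith(("./", "docker://")) or action.startswith(trusted):
                continue  # local actions, containers and first-party namespaces are out of scope
            base = {"workflow": filename, "job": job_name, "action": uses, "triggers": triggers(wf)}
            if scopes:
                findings.append({**base, "issue": "write-permissions", "scopes": scopes})
            if not SHA_RE.match(ref):  # tags and branches are mutable; a commit SHA is not
                findings.append({**base, "issue": "unpinned-ref", "ref": ref})
    return findings

if __name__ == "__main__":
    for name, text in SAMPLE_WORKFLOWS.items():
        print(name, audit_workflow(name, text))
```

Run it as-is to print findings for the embedded samples, or feed `audit_workflow` the contents of each file under `.github/workflows/`. A job-level `permissions:` block replaces the workflow-level one entirely, which is why the audit reads the job's block first and only falls back to the workflow's. The parser is deliberately minimal; for real repositories use `yaml.safe_load` instead (PyYAML parses the `on:` key as the boolean `True`, so adjust the lookup accordingly).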