ci: hackathon release improvements

.gitattributes

@@ -4,4 +4,4 @@ pkg/operator/crds/*.yaml linguist-generated=true
 Makefile text eol=lf
 tools/make/*.mk text eol=lf
 tools/image-tag text eol=lf
-tools/release text eol=lf
+tools/publish-release-assets.sh text eol=lf

.github/pull_request_template.md

@@ -1,10 +1,9 @@
 <!--
 
-CONTRIBUTORS GUIDE: https://github.com/grafana/alloy/blob/main/docs/developer/contributing.md#updating-the-changelog
+CONTRIBUTORS GUIDE: https://github.com/grafana/alloy/blob/main/docs/developer/contributing.md
 
 If this is your first PR or you have not contributed in a while, we recommend
-taking the time to review the guide. It gives helpful instructions for
-contributors around things like how to update the changelog.
+taking the time to review the guide.
 
 -->
 
@@ -21,7 +20,6 @@ contributors around things like how to update the changelog.
 
 <!-- Remove items that do not apply. For completed items, change [ ] to [x]. -->
 
-- [ ] CHANGELOG.md updated
 - [ ] Documentation added
 - [ ] Tests updated
 - [ ] Config converters updated

.github/workflows/check-sync-module-dependencies.yml

@@ -12,6 +12,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Set up Go
         uses: actions/setup-go@v5

.github/workflows/integration-tests-k8s.yml

@@ -15,6 +15,8 @@ jobs:
     steps:
     - name: Checkout code
       uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      with:
+        persist-credentials: false
     - name: Setup Go
       uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5
       with:

.github/workflows/lint-pr-title.yml

@@ -0,0 +1,61 @@
+name: PR Title Lint
+
+on:
+  pull_request:
+    types:
+      - opened
+      - edited
+      - synchronize
+
+permissions:
+  pull-requests: read
+  id-token: write
+
+jobs:
+  lint-pr-title:
+    name: Validate PR title
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get GitHub app secrets 🔐
+        id: get-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@a37de51f3d713a30a9e4b21bcdfbd38170020593 # get-vault-secrets/v1.3.0
+        with:
+          export_env: false
+          repo_secrets: |
+            ALLOYBOT_APP_ID=alloybot:app_id
+            ALLOYBOT_PRIVATE_KEY=alloybot:private_key
+
+      - name: Generate token 🔐
+        uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1.12.0
+        id: app-token
+        with:
+          app-id: ${{ fromJSON(steps.get-secrets.outputs.secrets).ALLOYBOT_APP_ID }}
+          private-key: ${{ fromJSON(steps.get-secrets.outputs.secrets).ALLOYBOT_PRIVATE_KEY }}
+          owner: grafana
+          repositories: alloy
+
+      - name: Validate PR title 🔎
+        uses: amannn/action-semantic-pull-request@e32d7e603df1aa1ba07e981f2a23455dee596825 # v5
+        env:
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+        with:
+          # Require conventional commit types
+          types: |
+            feat
+            fix
+            docs
+            style
+            refactor
+            perf
+            test
+            build
+            ci
+            chore
+            revert
+          # Scope is optional
+          requireScope: false
+          # Disallow uppercase first letter in subject
+          subjectPattern: ^[a-z].+$
+          subjectPatternError: |
+            The subject "{subject}" must start with a lowercase letter.
+            Example: "feat: add new component" not "feat: Add new component"

.github/workflows/lint.yml

@@ -55,7 +55,7 @@ jobs:
           packaging,\
           production,\
           tools/ci,\
-          tools/release,\
+          tools/publish-release-assets.sh,\
           docs/sources/tutorials/assets\
           "
 

.github/workflows/publish-alloy-release.yml

@@ -1,8 +1,7 @@
 name: Publish alloy release containers
 on:
-  push:
-    tags:
-      - v*
+  release:
+    types: [published]
 
 permissions:
   contents: read
@@ -45,6 +44,7 @@ jobs:
     - name: Checkout code
       uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
       with:
+        ref: ${{ github.event.release.tag_name }}
         persist-credentials: false
 
     - name: Set ownership
@@ -63,18 +63,16 @@ jobs:
       run: |
         RELEASE_BUILD=1 make -j4 dist
       env:
-        VERSION: ${{ github.ref_name }}
+        VERSION: ${{ github.event.release.tag_name }}
 
     - name: Publish dist
-      if: github.ref_type == 'tag'
       uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: dist
         path: ./dist
         if-no-files-found: error
 
     - name: Publish unsigned Windows executables
-      if: github.ref_type == 'tag'
       uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: windows-executables
@@ -85,7 +83,6 @@ jobs:
 
   sign_alloy_windows:
     name: Sign Alloy executables for Windows
-    if: github.ref_type == 'tag'
     runs-on: windows-2025
     environment:
       name: azure-trusted-signing
@@ -127,6 +124,7 @@ jobs:
     - name: Checkout code
       uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
       with:
+        ref: ${{ github.event.release.tag_name }}
         persist-credentials: false
 
     - name: Set ownership
@@ -152,7 +150,7 @@ jobs:
       run: |
         RELEASE_BUILD=1 makensis -V4 -DVERSION=${VERSION} -DOUT="../../dist/alloy-installer-windows-amd64.exe" ./packaging/windows/install_script.nsis
       env:
-        VERSION: ${{ github.ref_name }}
+        VERSION: ${{ github.event.release.tag_name }}
 
     - name: Publish unsigned Windows installer
       uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
@@ -193,22 +191,22 @@ jobs:
         azure-tenant-id: ${{ fromJSON(steps.get-signing-secrets.outputs.secrets).tenant-id }}
         signed-artifact-name: 'windows-installer-signed'
 
-  publish_github_release:
-    name: Publish GitHub release
-    if: github.ref_type == 'tag'
+  upload_release_assets:
+    name: Upload release assets
     container: grafana/alloy-build-image:v0.1.23@sha256:89dad4df5afe167898860bfa06c2eea290f4da0c2cff668fdf43299ddca867dc
     runs-on:
       labels: github-hosted-ubuntu-x64-large
     needs:
     - sign_alloy_windows_installer
     permissions:
-      # This job needs write access so it can create a draft GitHub release.
+      # This job needs write access to upload assets to the GitHub release.
       contents: write
       id-token: write
     steps:
     - name: Checkout code
       uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
       with:
+        ref: ${{ github.event.release.tag_name }}
         persist-credentials: false
 
     - name: Set ownership
@@ -217,38 +215,6 @@ jobs:
           # This is to fix Git not liking owner of the checkout directory
           chown -R $(id -u):$(id -g) $PWD
 
-    - name: Set up Go
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
-      with:
-        go-version-file: go.mod
-        cache: false
-
-    # A GitHub App is used to create the release instead of github-actions so that submit-winget-manifest is triggered when the release is published
-    - name: Get GitHub app secrets
-      id: get-secrets
-      uses: grafana/shared-workflows/actions/get-vault-secrets@a37de51f3d713a30a9e4b21bcdfbd38170020593 # get-vault-secrets/v1.3.0
-      with:
-        export_env: false
-        repo_secrets: |
-          ALLOYBOT_APP_ID=alloybot:app_id
-          ALLOYBOT_PRIVATE_KEY=alloybot:private_key
-
-    - name: Create GitHub app token
-      uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1.12.0
-      id: app-token
-      with:
-        app-id: ${{ fromJSON(steps.get-secrets.outputs.secrets).ALLOYBOT_APP_ID }}
-        private-key: ${{ fromJSON(steps.get-secrets.outputs.secrets).ALLOYBOT_PRIVATE_KEY }}
-        owner: grafana
-        repositories: alloy
-
-    - name: Checkout
-      uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
-      with:
-        fetch-depth: 0
-        token: ${{ steps.app-token.outputs.token }}
-        persist-credentials: false
-
     - name: Download dist
       uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
       with:
@@ -269,8 +235,8 @@ jobs:
         name: windows-installer-signed
         path: dist
 
-    - name: Publish
-      run: |
-        VERSION="${GITHUB_REF_NAME}" RELEASE_DOC_TAG=$(echo "${GITHUB_REF_NAME}" | awk -F '.' '{print $1"."$2}') ./tools/release
+    - name: Publish release assets
+      run: ./tools/publish-release-assets.sh
       env:
-        GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+        RELEASE_TAG: ${{ github.event.release.tag_name }}
+        GH_TOKEN: ${{ github.token }}