Merge pull request #139 from linearis-oss/feat/issue-52-release-automation

feat(release): automate weekly/dispatch releases and changelog ownership

Author: iamfj

.github/workflows/ci.yml

@@ -112,7 +112,8 @@ jobs:
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          plan_files=$(git log main...HEAD \
+          base_ref="origin/${GITHUB_BASE_REF:-main}"
+          plan_files=$(git log "$base_ref"...HEAD \
             --diff-filter=A --name-only --pretty=format: \
             -- 'docs/plans/*.md' | sed '/^$/d')
 
@@ -140,3 +141,37 @@ jobs:
             exit 1
           fi
           echo "No plan files found — OK"
+
+  guard-changelog-history:
+    name: Guard CHANGELOG history in PR
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Detect CHANGELOG.md in branch history
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          if [ "${GITHUB_HEAD_REF:-}" = "next" ] && [ "${GITHUB_BASE_REF:-}" = "main" ]; then
+            echo "Promotion PR next -> main detected. Skipping changelog history guard."
+            exit 0
+          fi
+
+          base_ref="origin/${GITHUB_BASE_REF:-main}"
+          output=$(git log "$base_ref"...HEAD --name-status --pretty=format: -- CHANGELOG.md | sed '/^$/d')
+
+          if [ -n "$output" ]; then
+            echo "::error::CHANGELOG.md is release-workflow-owned and must not appear in PR branch history"
+            echo "Drop or amend commits that touch CHANGELOG.md, then push with --force-with-lease"
+            echo
+            echo "$output"
+            exit 1
+          fi
+
+          echo "No CHANGELOG.md history violations — OK"

.github/workflows/promote-next-to-main.yml

@@ -0,0 +1,98 @@
+name: Promote next to main
+
+on:
+  push:
+    branches:
+      - next
+  release:
+    types:
+      - published
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  pull-requests: write
+
+concurrency:
+  group: promote-next-to-main
+  cancel-in-progress: true
+
+jobs:
+  promote:
+    if: ${{ github.event_name != 'release' || (github.event.release.prerelease == true && github.event.release.target_commitish == 'next') }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+        with:
+          ref: next
+          fetch-depth: 0
+
+      - name: Fetch main and next refs
+        run: git fetch origin main next
+
+      - name: Build PR metadata
+        id: meta
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          version=$(node -p "require('./package.json').version.replace(/-next\\.\\d+$/, '')")
+          title="release ${version} to stable channel"
+          compare_url="https://github.com/${GITHUB_REPOSITORY}/compare/main...next"
+
+          commits=$(git log --no-merges --pretty='- %h %s' origin/main..origin/next | head -n 200)
+          if [ -z "$commits" ]; then
+            commits="- (no new commits; branches currently aligned)"
+          fi
+
+          {
+            echo "title=$title"
+            echo "version=$version"
+            echo "compare_url=$compare_url"
+            echo "body<<EOF"
+            echo "## Purpose"
+            echo "Promote tested prerelease changes from \\`next\\` into stable channel on \\`main\\`."
+            echo
+            echo "## Target stable version"
+            echo "\\`$version\\`"
+            echo
+            echo "## Included commits (next ahead of main)"
+            echo "$commits"
+            echo
+            echo "## Compare"
+            echo "$compare_url"
+            echo
+            echo "## Notes"
+            echo "- This PR is auto-maintained on every push to \\`next\\`."
+            echo "- Merge this PR to promote current prerelease train to stable."
+            echo "EOF"
+          } >> "$GITHUB_OUTPUT"
+
+      - name: Upsert promotion PR
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          existing=$(gh pr list \
+            --state open \
+            --base main \
+            --head next \
+            --json number \
+            --jq '.[0].number // empty')
+
+          if [ -n "$existing" ]; then
+            gh pr edit "$existing" \
+              --title "${{ steps.meta.outputs.title }}" \
+              --body "${{ steps.meta.outputs.body }}"
+            echo "Updated PR #$existing"
+          else
+            gh pr create \
+              --base main \
+              --head next \
+              --title "${{ steps.meta.outputs.title }}" \
+              --body "${{ steps.meta.outputs.body }}"
+            echo "Created promotion PR"
+          fi

.github/workflows/publish.yml

@@ -0,0 +1,104 @@
+name: Release
+
+on:
+  push:
+    branches:
+      - next
+  schedule:
+    - cron: "0 9 * * 1"
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  id-token: write
+
+concurrency:
+  group: release-${{ github.event_name == 'schedule' && 'main' || github.ref_name }}
+  cancel-in-progress: false
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Guard workflow_dispatch caller permissions
+        if: ${{ github.event_name == 'workflow_dispatch' }}
+        uses: actions/github-script@v8
+        with:
+          script: |
+            const { owner, repo } = context.repo;
+            const username = context.actor;
+            const result = await github.rest.repos.getCollaboratorPermissionLevel({
+              owner,
+              repo,
+              username,
+            });
+
+            const role = result.data.role_name ?? result.data.permission;
+            const allowed = new Set(["maintain", "admin"]);
+
+            if (!allowed.has(role)) {
+              core.setFailed(
+                `User ${username} has role '${role}'. Only maintain/admin may invoke workflow_dispatch releases.`,
+              );
+              return;
+            }
+
+            core.info(`workflow_dispatch authorized for ${username} (${role})`);
+
+      - name: Resolve and validate target branch
+        id: target
+        shell: bash
+        run: |
+          if [ "${{ github.event_name }}" = "schedule" ]; then
+            branch="main"
+          else
+            branch="${{ github.ref_name }}"
+          fi
+
+          case "$branch" in
+            main|next) ;;
+            *)
+              echo "Unsupported release branch: $branch"
+              echo "Allowed branches: main, next"
+              exit 1
+              ;;
+          esac
+
+          echo "branch=$branch" >> "$GITHUB_OUTPUT"
+          echo "Releasing from branch: $branch"
+
+      - name: Checkout code
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+          ref: ${{ steps.target.outputs.branch }}
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: 22
+          cache: npm
+          registry-url: https://registry.npmjs.org
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Build
+        run: npm run build
+
+      - name: Unit tests
+        run: npm test
+
+      - name: Lint and format check
+        run: npm run check:ci
+
+      - name: Type check
+        run: npx tsc --noEmit
+
+      - name: Run semantic-release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          GITHUB_REF: refs/heads/${{ steps.target.outputs.branch }}
+          GITHUB_REF_NAME: ${{ steps.target.outputs.branch }}
+        run: npm run release:run