Skip to content

Implement draft release#57

Merged
IgorDobryn merged 2 commits into
mainfrom
MT-22958-implement-draft-release-workflow-for-mailtrap-java
Jul 10, 2026
Merged

Implement draft release#57
IgorDobryn merged 2 commits into
mainfrom
MT-22958-implement-draft-release-workflow-for-mailtrap-java

Conversation

@IgorDobryn

@IgorDobryn IgorDobryn commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Motivation

Release automation

Changes

  • Implement draft-release workflow

How to test

  • Trigger draft release workflow
  • Assert new release PR created
  • Assert new release tag is added

Example automated release PR #59

Summary by CodeRabbit

  • New Features
    • Added automated “Draft Java Release” workflow that calculates the next semantic version, generates release notes, prevents duplicate release tags, and can open a release pull request.
    • Enabled Maven publishing to auto-publish artifacts and wait until publishing completes.
  • Documentation
    • Updated the changelog with new entries and release links for versions 1.0.0 through 1.3.0.

@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e7122882-1fe0-4417-a298-0dfa2fa75779

📥 Commits

Reviewing files that changed from the base of the PR and between 067113a and 11e2086.

📒 Files selected for processing (1)
  • pom.xml

📝 Walkthrough

Walkthrough

The placeholder workflow now automates Java 17 Maven release drafting, including version calculation, tag validation, metadata updates, optional release PR creation, and draft release creation. Maven publishing is configured to wait for published artifacts, and the changelog lists versions 1.0.0 through 1.3.0.

Changes

Java release automation

Layer / File(s) Summary
Draft release pipeline
.github/workflows/draft-release.yml, pom.xml, CHANGELOG.md
The workflow computes and validates semver tags, generates release notes, updates release metadata, optionally opens a release PR, and optionally creates a draft release. Maven publishing waits until artifacts are published, and the changelog includes releases 1.0.0 through 1.3.0.

Estimated code review effort: 4 (Complex) | ~45 minutes

Sequence Diagram(s)

sequenceDiagram
  participant GitHubActions
  participant MavenProject
  participant GitHubAPI
  GitHubActions->>MavenProject: Read project.version
  GitHubActions->>GitHubAPI: Check computed tag
  GitHubActions->>MavenProject: Update pom.xml and CHANGELOG.md
  GitHubActions->>GitHubAPI: Open release PR
  GitHubActions->>GitHubAPI: Create draft release with notes
Loading
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the main change: implementing draft release automation.
Description check ✅ Passed The description covers Motivation, Changes, and How to test, with only the non-critical Images and GIFs section missing.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@IgorDobryn IgorDobryn marked this pull request as ready for review July 10, 2026 08:16

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🧹 Nitpick comments (1)
.github/workflows/draft-release.yml (1)

18-20: 🩺 Stability & Availability | 🔵 Trivial | ⚖️ Poor tradeoff

TOCTOU race between tag-exists check and draft release creation.

With cancel-in-progress: false and a workflow-level concurrency group, two simultaneous dispatch runs could both pass the abort-if-tag-exists check (line 52) and both proceed to create a draft release (line 84) for the same tag. Consider serializing runs with cancel-in-progress: true or using a deployment lock to prevent overlapping release runs.

Also applies to: 84-89

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/draft-release.yml around lines 18 - 20, Prevent
overlapping draft-release workflow runs from racing between the tag-existence
check and release creation: update the workflow-level concurrency configuration
to cancel an in-progress run when a newer run starts, or otherwise add a
deployment lock covering the check and draft release creation steps. Preserve
the existing workflow concurrency group and ensure only one run can proceed for
a tag at a time.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/draft-release.yml:
- Around line 67-72: Add a workflow step before “Prepend new section to
CHANGELOG.md” that creates an empty CHANGELOG.md only when the file is absent,
using a shell existence check; keep the existing prepend action and
release-notes condition unchanged.
- Around line 63-65: Prevent shell injection in the Maven version bump step by
assigning steps.bump.outputs.next to an environment variable and referencing
that variable in the run command instead of interpolating the output directly.
Update the “Bump version in pom.xml” step while preserving its existing
condition and Maven options.
- Line 47: Replace every mutable `@master` reference for railsware/github-actions
steps in the release workflow, including compute-next-semver and the other five
release actions, with their reviewed, immutable commit SHAs; preserve each
action and its configuration while ensuring all six uses are pinned
consistently.

---

Nitpick comments:
In @.github/workflows/draft-release.yml:
- Around line 18-20: Prevent overlapping draft-release workflow runs from racing
between the tag-existence check and release creation: update the workflow-level
concurrency configuration to cancel an in-progress run when a newer run starts,
or otherwise add a deployment lock covering the check and draft release creation
steps. Preserve the existing workflow concurrency group and ensure only one run
can proceed for a tag at a time.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 42b8f5f7-f218-46c6-b5e0-5287d2b34e3e

📥 Commits

Reviewing files that changed from the base of the PR and between 1b209fb and 067113a.

📒 Files selected for processing (2)
  • .github/workflows/draft-release.yml
  • CHANGELOG.md


- name: Compute next version
id: bump
uses: railsware/github-actions/compute-next-semver@master

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Fetch the latest commit SHA for each railsware action branch.
for action in compute-next-semver abort-if-tag-exists generate-release-notes prepend-changelog open-sdk-release-pr create-draft-github-release; do
  echo "=== $action ==="
  gh api repos/railsware/github-actions/commits --jq ".[].sha" 2>/dev/null | head -1
done

Repository: mailtrap/mailtrap-java

Length of output: 583


🏁 Script executed:

#!/bin/bash
set -euo pipefail

file=".github/workflows/draft-release.yml"

echo "== relevant lines =="
nl -ba "$file" | sed -n '1,140p' | rg 'railsware/github-actions|uses:|`@master`|@'

echo
echo "== full action references =="
rg -n 'railsware/github-actions|uses:' "$file"

Repository: mailtrap/mailtrap-java

Length of output: 217


🏁 Script executed:

#!/bin/bash
set -euo pipefail

file=".github/workflows/draft-release.yml"

echo "== railsware/github-actions references =="
grep -nE 'railsware/github-actions|uses:' "$file" || true

echo
echo "== surrounding context =="
sed -n '35,95p' "$file"

Repository: mailtrap/mailtrap-java

Length of output: 2825


Pin all railsware/github-actions steps to commit SHAs. The six release steps still use mutable @master refs, so a compromise of that repo could run arbitrary code here with write permissions.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/draft-release.yml at line 47, Replace every mutable
`@master` reference for railsware/github-actions steps in the release workflow,
including compute-next-semver and the other five release actions, with their
reviewed, immutable commit SHAs; preserve each action and its configuration
while ensuring all six uses are pinned consistently.

Source: Linters/SAST tools

Comment on lines +63 to +65
- name: Bump version in pom.xml
if: steps.notes.outputs.release_notes != ''
run: mvn versions:set -DnewVersion=${{ steps.bump.outputs.next }} -DgenerateBackupPoms=false

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Prevent shell injection via environment variable on the Maven version bump.

steps.bump.outputs.next is interpolated directly into the run command. If the upstream compute-next-semver action (pinned to @master) ever produces unexpected output, shell metacharacters in that value would execute arbitrary commands. Pass the value through an environment variable instead.

🔒️ Proposed fix
       - name: Bump version in pom.xml
         if: steps.notes.outputs.release_notes != ''
+        env:
+          NEXT_VERSION: ${{ steps.bump.outputs.next }}
-        run: mvn versions:set -DnewVersion=${{ steps.bump.outputs.next }} -DgenerateBackupPoms=false
+        run: mvn versions:set -DnewVersion="$NEXT_VERSION" -DgenerateBackupPoms=false
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Bump version in pom.xml
if: steps.notes.outputs.release_notes != ''
run: mvn versions:set -DnewVersion=${{ steps.bump.outputs.next }} -DgenerateBackupPoms=false
- name: Bump version in pom.xml
if: steps.notes.outputs.release_notes != ''
env:
NEXT_VERSION: ${{ steps.bump.outputs.next }}
run: mvn versions:set -DnewVersion="$NEXT_VERSION" -DgenerateBackupPoms=false
🧰 Tools
🪛 zizmor (1.26.1)

[info] 65-65: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/draft-release.yml around lines 63 - 65, Prevent shell
injection in the Maven version bump step by assigning steps.bump.outputs.next to
an environment variable and referencing that variable in the run command instead
of interpolating the output directly. Update the “Bump version in pom.xml” step
while preserving its existing condition and Maven options.

Source: Linters/SAST tools

Comment on lines +67 to +72
- name: Prepend new section to CHANGELOG.md
if: steps.notes.outputs.release_notes != ''
uses: railsware/github-actions/prepend-changelog@master
with:
version: ${{ steps.bump.outputs.next }}
release-notes: ${{ steps.notes.outputs.release_notes }}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Handle missing CHANGELOG.md to fix the pipeline failure.

The pipeline failed with ENOENT: no such file or directory, open 'CHANGELOG.md' because the workflow checks out main (line 33) but CHANGELOG.md is new in this PR and hasn't been merged yet. The prepend-changelog action internally calls fs.readFileSync('CHANGELOG.md') and crashes when the file is absent. Add a guard step to create the file if it doesn't exist.

🐛 Proposed fix
       - name: Ensure CHANGELOG.md exists
+        if: steps.notes.outputs.release_notes != ''
+        run: |
+          if [ ! -f CHANGELOG.md ]; then
+            touch CHANGELOG.md
+          fi
+
       - name: Prepend new section to CHANGELOG.md
         if: steps.notes.outputs.release_notes != ''
         uses: railsware/github-actions/prepend-changelog@master
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Prepend new section to CHANGELOG.md
if: steps.notes.outputs.release_notes != ''
uses: railsware/github-actions/prepend-changelog@master
with:
version: ${{ steps.bump.outputs.next }}
release-notes: ${{ steps.notes.outputs.release_notes }}
- name: Ensure CHANGELOG.md exists
if: steps.notes.outputs.release_notes != ''
run: |
if [ ! -f CHANGELOG.md ]; then
touch CHANGELOG.md
fi
- name: Prepend new section to CHANGELOG.md
if: steps.notes.outputs.release_notes != ''
uses: railsware/github-actions/prepend-changelog@master
with:
version: ${{ steps.bump.outputs.next }}
release-notes: ${{ steps.notes.outputs.release_notes }}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/draft-release.yml around lines 67 - 72, Add a workflow
step before “Prepend new section to CHANGELOG.md” that creates an empty
CHANGELOG.md only when the file is absent, using a shell existence check; keep
the existing prepend action and release-notes condition unchanged.

Source: Pipeline failures

@IgorDobryn IgorDobryn merged commit 3223982 into main Jul 10, 2026
2 checks passed
@IgorDobryn IgorDobryn deleted the MT-22958-implement-draft-release-workflow-for-mailtrap-java branch July 10, 2026 13:17
@github-actions github-actions Bot mentioned this pull request Jul 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants