Implement draft release job#68
Conversation
📝 WalkthroughWalkthroughA placeholder GitHub Actions workflow for drafting PHP releases was replaced with a functional pipeline. The new workflow computes the next semantic version, generates release notes from merged PRs, updates CHANGELOG.md, opens a release PR, and creates a draft GitHub release, with added concurrency and permissions settings. ChangesDraft PHP release automation
Estimated code review effort: 3 (Moderate) | ~20 minutes Sequence Diagram(s)sequenceDiagram
participant Workflow as draft-release workflow
participant GH as GitHub CLI
participant SemverAction as compute-next-semver
participant NotesAction as release notes action
participant Repo as CHANGELOG.md / main
Workflow->>GH: fetch latest release tag
Workflow->>SemverAction: compute next version from current version
Workflow->>NotesAction: generate release notes from merged PRs
NotesAction-->>Workflow: release_notes output
alt release_notes not empty
Workflow->>Repo: prepend notes to CHANGELOG.md
Workflow->>Repo: open release PR against main
Workflow->>GH: create draft GitHub release
end
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
.github/workflows/draft-release.yml (1)
47-47: 🔒 Security & Privacy | 🔵 Trivial | ⚖️ Poor tradeoffConsider pinning third-party actions to a commit SHA.
All five
railsware/github-actions/*actions are referenced at@master, a mutable ref. Given these steps run withcontents: write/pull-requests: writeand access the job token, a mutatedmasterwould execute untrusted code with those privileges. Pinning to a full commit SHA (with a version comment) mitigates supply-chain drift.Also applies to: 54-54, 60-60, 67-67, 77-77
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/draft-release.yml at line 47, The workflow uses multiple railsware/github-actions steps via the mutable `@master` ref, which should be pinned to immutable commit SHAs. Update each referenced action in the draft-release workflow, including compute-next-semver and the other railsware/github-actions/* usages, to a full commit SHA and keep a version comment so the action versions are fixed and auditable.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/draft-release.yml:
- Around line 42-43: The release version lookup in the draft-release workflow
fails before any published release exists because the `gh api ...
releases/latest` call returns 404. Update the version-seeding logic around the
`latest`/`GITHUB_OUTPUT` step to handle the no-published-release case
gracefully, either by falling back to a default initial version or by detecting
the 404 and using a safe starting version so the draft release can still be
created.
---
Nitpick comments:
In @.github/workflows/draft-release.yml:
- Line 47: The workflow uses multiple railsware/github-actions steps via the
mutable `@master` ref, which should be pinned to immutable commit SHAs. Update
each referenced action in the draft-release workflow, including
compute-next-semver and the other railsware/github-actions/* usages, to a full
commit SHA and keep a version comment so the action versions are fixed and
auditable.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: f0d03547-c013-4e12-925c-dbc1654c3162
📒 Files selected for processing (1)
.github/workflows/draft-release.yml
| latest=$(gh api "repos/$GITHUB_REPOSITORY/releases/latest" --jq '.tag_name') | ||
| echo "version=${latest#v}" >> "$GITHUB_OUTPUT" |
There was a problem hiding this comment.
🩺 Stability & Availability | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Inspect the workflow around the cited lines
cat -n .github/workflows/draft-release.yml | sed -n '1,120p'
# Find any references to compute-next-semver in the repo
rg -n "compute-next-semver|releases/latest|latest release|version=" .github/workflows . -g '!node_modules'Repository: mailtrap/mailtrap-php
Length of output: 3764
🌐 Web query:
GitHub API releases/latest draft prerelease excluded no published release 404 compute-next-semver empty current input
💡 Result:
The GitHub API endpoint GET /repos/{owner}/{repo}/releases/latest is designed to return the most recent non-prerelease, non-draft release [1][2][3]. If a repository has only draft or prerelease releases, or no releases at all, this endpoint will return a 404 Not Found error [2][4][5]. This occurs because the endpoint specifically ignores drafts and prereleases when determining the "latest" version [1][2][6]. Key behaviors and technical details: - Definition of Latest: The "latest" release is strictly defined as the most recent published full release, sorted by the created_at attribute [1][3]. - API 404: The 404 response is the standard behavior when the criteria for a "latest" release are not met [4]. While some official documentation may not explicitly list 404 as a potential response code, it is widely documented as the expected behavior for repositories lacking stable, published releases [4]. - Prerelease/Draft Exclusion: These release types are intentionally excluded from this specific endpoint [1][5]. They cannot be set as the "latest" release via the API's make_latest parameter [1][3]. - Handling 404s: Developers relying on this endpoint for automated tooling (like version resolvers) must implement handling for the 404 error, typically by falling back to listing all releases and manually parsing tags to find the latest available version [2][7]. For scenarios where you need to support prereleases or drafts, you should avoid /releases/latest and instead use the /repos/{owner}/{repo}/releases endpoint to list all releases and filter them programmatically [2].
Citations:
- 1: https://docs.github.com/en/rest/releases/releases?apiVersion=2026-03-10&apiversion=2022-11-28%2F1000
- 2: Feature request: Resolve `github:...@latest` via GitHub `/releases/latest` (stable-only) jdx/mise#8470
- 3: https://docs.github.com/en/enterprise-server@3.17/rest/releases/releases
- 4: [Schema Inaccuracy] the /repos/{owner}/{repo}/releases/latest endpoint can return a 404 github/rest-api-description#3726
- 5: https://github3.readthedocs.io/en/stable/api-reference/repos.html
- 6: https://docs.github.com/en/enterprise-server@3.2/rest/releases/releases
- 7: fix(github): resolve "latest" version correctly via GitHub API jdx/mise#8532
🌐 Web query:
railsware/github-actions compute-next-semver empty current input default initial version
💡 Result:
The railsware/github-actions repository contains a collection of utility actions [1], but there is no widely documented or specialized GitHub Action named compute-next-semver within that specific organization [2][3][1]. It is highly likely that the action you are referring to is a different project—such as MiguelRipoll23/get-next-version [4], mirceanton/action-semver-metadata [5], or lhstrh/action-repo-semver [6]—which are commonly used to compute semantic versions and handle initial version inputs. If you are encountering issues with "empty" inputs for initial versions in such GitHub Actions: 1. Handling of Empty Inputs: In GitHub Actions, if a workflow input is empty, it does not automatically revert to a default value unless the action logic explicitly checks for an empty string and applies a fallback [4][7]. 2. Default Behavior: Most well-designed semver actions (like mirceanton/action-semver-metadata [5] or lhstrh/action-repo-semver [6]) have explicit input fields (e.g., default-version) to handle the case where no previous release exists. 3. Troubleshooting: - Verify the exact repository name you are using. - Check the action.yml file of the specific action for an input parameter named something like default-initial-version, initial-version, or default-version [4][5][6]. - Ensure you are providing this input in your workflow if you do not want to rely on the hardcoded default (which is often 0.0.0 or 1.0.0) [5][6]. If you are using a custom or private action, you may need to update its logic to check if the input is empty or null and provide a default accordingly [4].
Citations:
- 1: https://github.com/railsware/github-actions
- 2: railsware/github-actions@ce4ed43
- 3: railsware/github-actions@7cb18f7
- 4: MiguelRipoll23/get-next-version@b806679
- 5: https://github.com/mirceanton/action-semver-metadata
- 6: https://github.com/lhstrh/action-repo-semver
- 7: https://stackoverflow.com/questions/73404033/how-to-keep-default-action-input-if-parameter-passed-is-empty-in-github-action
🌐 Web query:
site:github.com/railsware/github-actions compute-next-semver action.yml current input default empty
💡 Result:
Based on the provided search results, there is no widely recognized GitHub Action named exactly compute-next-semver. Several similar tools exist, such as allegro-actions/next-version [1], fabien-marty/github-next-semantic-version [2], and other CLI-based tools like git-semver [3] and next-ver [4]. In the context of GitHub Actions, inputs defined in an action.yml file that are left empty or omitted by the user behave according to the default value specified in the configuration. If a default is defined as an empty string or not provided, the input will hold an empty value within the action's execution environment. For example, in the documentation for github-next-semantic-version, specific options like --must-have-labels explicitly note that "empty => no filtering" [2]. If you are working with a specific custom action, you should check its action.yml file to see how the default property is defined for each input.
Citations:
- 1: https://github.com/allegro-actions/next-version
- 2: https://github.com/fabien-marty/github-next-semantic-version/blob/main/README.md
- 3: https://github.com/PandasWhoCode/git-semver
- 4: https://github.com/bahmutov/next-ver
Handle the no-published-release case in draft-release.yml
GET /repos/$GITHUB_REPOSITORY/releases/latest returns 404 until the repo has a published release, and this workflow only creates drafts. Seed an initial version or fall back cleanly here so the first draft release doesn’t fail.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/draft-release.yml around lines 42 - 43, The release
version lookup in the draft-release workflow fails before any published release
exists because the `gh api ... releases/latest` call returns 404. Update the
version-seeding logic around the `latest`/`GITHUB_OUTPUT` step to handle the
no-published-release case gracefully, either by falling back to a default
initial version or by detecting the 404 and using a safe starting version so the
draft release can still be created.
Motivation
Release automation
Changes
How to test
Summary by CodeRabbit
New Features
Chores