Add release artifact sync workflow#49
Conversation
This comment has been minimized.
This comment has been minimized.
|
The tag concern is understood, but in this repo there is no corresponding public commit for the private build. Public release tags are intentionally just anchors on the public default branch, so creating a missing release tag at the current public branch head is acceptable for this sync workflow. |
Not sure if there's something in this - but the public releases are not code-based - they're just buckets for uploads. Maybe add a comment to help the review understand the intent. |
Signed-off-by: Han Verstraete (OpenFaaS Ltd) <han@openfaas.com>
8410e59 to
2ead027
Compare
I added a comment in the code so that future reviewers can see why the concern is not really applicable here. |
AI Pull Request OverviewDisclaimer: This review was generated by automated AI and may contain errors. Do not trust its outputs without human verification. Summary
Approval rating (1-10)6/10. The approach is reasonable, but release recovery and privileged workflow hardening should be addressed before relying on this automation. Summary per fileSummary per file
Overall AssessmentThe PR is small and focused, but it introduces release-publishing automation with write access to the repository. The biggest functional issue is that a transient upload failure can leave an empty or incomplete release that future scheduled runs will permanently skip. The workflow should also avoid mutable third-party action/tool references while running with Detailed ReviewDetailed ReviewFindingsHigh: Incomplete releases can become permanently skipped after a partial failure
A safer pattern is to track whether the script created the release and delete it on upload failure, or make the scheduled path decide based on required assets rather than release existence alone. For example, the function could install a cleanup trap only for newly created releases until upload succeeds: created_release=false
if ! gh release view "${source_tag}" --repo "${target_repo}" >/dev/null 2>&1; then
gh release create "${source_tag}" --repo "${target_repo}" --title "${source_tag}" --notes "" >/dev/null
created_release=true
fi
if ! gh release upload "${source_tag}" "${tmpdir}"/* --repo "${target_repo}" --clobber >&2; then
if [ "${created_release}" = true ]; then
gh release delete "${source_tag}" --repo "${target_repo}" --yes >/dev/null 2>&1 || true
fi
return 1
fiHigh: Mutable action and tool references run with repository write permissions
For release-publishing automation, pin the third-party action to an immutable commit SHA and pin Medium: Private GHCR source images will not be readable without explicit registry authentication
Make the registry access model explicit. If the image is public, document that assumption in the workflow/script. If it is private, add the required permission and authentication step, such as AI agent details. |
Description
Adds a release artifact sync workflow for copying release binaries from an OCI artifact bundle into GitHub Releases.
The workflow can run nightly or through
workflow_dispatch. When a tag is provided, it syncs that tag explicitly and overwrites matching release assets. Without a tag, it lists tags fromghcr.io/openfaasltd/inlets-pro-artifactsand only syncs releases that are missing from the public repository.The release sync logic is kept in
hack/sync-release-artifacts.shso it can be tested locally with a source OCI artifact, target repository, and optional tag.Motivation and context
This is part of a series of changes to automate publishing and release syncing between the private and public inlets-pro repositories.
How has this been tested
Tested the script locally against a public OCI artifact bundle and a test repository, including the explicit tag sync path and the no-tag skip path.
Also tested the workflow end-to-end through
workflow_dispatchagainst a test repository. The run completed successfully and uploaded the expected release binaries and checksums.