Skip to content

Split-job release workflow + --mode assertion flag#91

Merged
theoephraim merged 3 commits into
mainfrom
ci/split-jobs-mode-flag
Jun 2, 2026
Merged

Split-job release workflow + --mode assertion flag#91
theoephraim merged 3 commits into
mainfrom
ci/split-jobs-mode-flag

Conversation

@theoephraim
Copy link
Copy Markdown
Member

@theoephraim theoephraim commented Jun 2, 2026
edited
Loading

Summary

  • Adds --expect-mode <version-pr|publish> to bumpy ci release for asserting the detected release mode (errors instead of silently smart-routing when the runtime state doesn't match what the job expects). Cannot be combined with --auto-publish.
  • Restructures the project's own release workflow into three jobs: a low-privilege plan job gating a version-pr job (PR-write creds only) and a publish job (environment: publish, id-token: write for npm trusted publishing).
  • Rewrites docs/github-actions.md to lead with the split-job workflow + setup steps. The single-job version is kept as a simplified alternative.

Why

Without a split, every push to main runs a job with id-token: write (or NPM_TOKEN in env) — even when the workflow is only updating the Version Packages PR. The split scopes those credentials to the publish job only and lets the npm trusted publisher be pinned to a specific GitHub Environment so rogue workflow files in the repo can't request a valid OIDC token.

The --expect-mode flag turns the split's implicit if: gate into an explicit runtime assertion: if the publish job somehow runs while bump files are still present (a race, weird merge, or someone manually re-triggers it), it fails fast instead of silently falling into the version-pr code path.

Setup required after merge

  1. Pin the npm trusted publisher to environment publish on each package's npmjs.com settings → Trusted Publishers → GitHub Actions. (Already done.)
  2. (Optional) Create the publish environment manually in repo Settings → Environments and restrict deployment branches to main only. This is cheap defense in depth — auto-create works too if you skip this. (Already done.)

The new docs framing makes the split clearer:

  • Required setup: npm trusted publisher pinning + BUMPY_GH_TOKEN. That's it.
  • Optional hardening: branch restriction on the environment (recommended), required reviewers (usually redundant with npmStaged: true).

Notable internals

  • ReleaseOptions.mode: 'auto-publish' | 'version-pr' renamed to autoPublish: boolean — cleaner CLI-flag-to-internal mapping. New assertMode?: 'version-pr' | 'publish' field carries the assertion. The only caller is packages/bumpy/src/cli.ts.
  • ciReleaseCommand now computes detectedMode once and consolidates the two near-identical "fall through to publish" branches.
  • Auto-publish mode flagged as not recommended in the docs (loses the review step + can't compose with the split-job pattern).
  • The user-facing flag is --expect-mode (reads natural in YAML); the internal field stays assertMode (technically accurate at the code level).

Test plan

  • bun run check — typecheck + format clean
  • bun run test — 225 tests pass
  • Manual: confirm the new release workflow runs end-to-end on the next merge to main (will exercise the planversion-pr path here, since this PR itself ships with a bump file)

🤖 Generated with Claude Code

@theoephraim
feat(ci): split-job release workflow + --mode assertion
cccf862 
Add a `--mode <version-pr|publish>` flag to `bumpy ci release` so each
job in a split-job release workflow can assert its expected runtime
state and fail loudly on drift instead of silently routing.

Updates the project's own release.yaml to use the recommended pattern:
a `plan` job (no write perms) gates a `version-pr` job (PR-only creds)
and a `publish` job (scoped to a new `publish` GitHub Environment with
id-token: write), so npm trusted-publisher OIDC can be pinned to the
environment and NPM_TOKEN exposure can be scoped via env secrets.

Internal: ReleaseOptions field `mode: 'auto-publish' | 'version-pr'`
renamed to `autoPublish: boolean` for clarity; new `assertMode` field
carries the assertion. `--mode` + `--auto-publish` together is
rejected at the CLI level.

Docs: github-actions.md restructured to lead with the split-job
workflow + environment setup, with the single-job version kept as a
simplified alternative. Auto-publish flagged as not recommended.
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Jun 2, 2026
edited
Loading

bumpy-frog

The changes in this PR will be included in the next version bump.

minor Minor releases

  • @varlock/bumpy 1.10.2 → 1.11.0

Bump files in this PR

Click here if you want to add another bump file to this PR

This comment is maintained by bumpy.

@theoephraim
rename --mode to --expect-mode for clarity
fe31f8a 
The flag asserts the detected mode rather than setting it, so the
name should reflect that. Reads more naturally in YAML where there's
no surrounding context.

Internal `assertMode` field name unchanged.
@theoephraim
docs: de-emphasize --auto-publish and correct credential framing
e053c9f 
The prior copy implied --auto-publish defeats a security boundary by
combining PR-write and publish credentials. That's misleading — a
single-job non-auto-publish workflow has the same credential surface,
just split across two runs. The actual cost of --auto-publish is
purely the loss of the Version Packages PR preview/review gate.

Tightens the wording in cli.md/github-actions.md, drops the README
mention, shrinks the github-actions.md section to a brief pointer,
and adds a docstring on autoPublish() so future readers don't
re-derive the wrong conclusion.
@theoephraim theoephraim merged commit 5782ff9 into main Jun 2, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@theoephraim