ci: harden the git-cliff release flow (gitlab mirror without an artifact server + commit lint) #20

Merged
psk merged 2 commits from ci/harden-release-flow into master 2026-06-29 23:56:16 +00:00
Owner

Two fixes hardening the new git-cliff release flow (follow-ups to PR #17/#19).

1. release.yml — GitLab mirror + Pages were silently skipped

v0.3.2 published all 7 assets to Forgejo , but the release job then went red and the mirror-gitlab job (needs: release) was skipped → no GitLab release, no Pages redeploy.

Cause: #15 split GitLab into a downstream job and hands artifacts over via actions/upload-artifact/download-artifact, which need a Forgejo Actions artifact storage backend this self-hosted runner doesn't have (exactly the risk #15's comment flagged). upload-artifact failed after the Forgejo release succeeded → release job red → mirror skipped.

Fix: drop the artifact hand-off. mirror-gitlab now pulls the assets straight from the Forgejo release via the API (browser_download_url + token) and rebuilds the flat wasm site bundle from the -wasm.zip asset. Keeps #15's isolation (GitLab can't block Forgejo) without the artifact server, and the release job no longer goes red after a successful release. Validated locally by running this exact pull+rebuild logic against the v0.3.2 release.

2. ci.yml — add a commit-lint job

The pipeline now derives the version and changelog from Conventional Commits (git-cliff). A malformed subject is silently dropped from both — no bump, missing from the changelog. New fast (no-build) job gates every commit a PR adds with a shell regex over the accepted types. Dependency-free (no Node/commitlint) since this is a Rust repo on a sudo-less runner.

Note: it's a job inside ci.yml, so it inherits the path filter — a PR touching only non-allowlisted paths skips CI (and thus the lint). Happy to move it to its own always-on workflow if you'd rather gate every PR. And if you want to match bossman's exact linter instead of the shell check, say the word.

v0.3.2 itself is published on Forgejo; the GitLab/Pages backfill for it is being handled separately.

Two fixes hardening the new git-cliff release flow (follow-ups to PR #17/#19). ## 1. `release.yml` — GitLab mirror + Pages were silently skipped v0.3.2 published all 7 assets to **Forgejo** ✅, but the `release` job then went **red** and the `mirror-gitlab` job (`needs: release`) was **skipped** → no GitLab release, no Pages redeploy. **Cause:** #15 split GitLab into a downstream job and hands artifacts over via `actions/upload-artifact`/`download-artifact`, which need a Forgejo Actions **artifact storage backend this self-hosted runner doesn't have** (exactly the risk #15's comment flagged). `upload-artifact` failed *after* the Forgejo release succeeded → release job red → mirror skipped. **Fix:** drop the artifact hand-off. `mirror-gitlab` now **pulls the assets straight from the Forgejo release** via the API (`browser_download_url` + token) and rebuilds the flat wasm site bundle from the `-wasm.zip` asset. Keeps #15's isolation (GitLab can't block Forgejo) without the artifact server, and the release job no longer goes red after a successful release. *Validated locally by running this exact pull+rebuild logic against the v0.3.2 release.* ## 2. `ci.yml` — add a `commit-lint` job The pipeline now derives the **version and changelog from Conventional Commits** (git-cliff). A malformed subject is silently dropped from both — no bump, missing from the changelog. New fast (no-build) job gates every commit a PR adds with a shell regex over the accepted types. Dependency-free (no Node/commitlint) since this is a Rust repo on a sudo-less runner. > Note: it's a job inside `ci.yml`, so it inherits the path filter — a PR touching only non-allowlisted paths skips CI (and thus the lint). Happy to move it to its own always-on workflow if you'd rather gate *every* PR. And if you want to match bossman's exact linter instead of the shell check, say the word. v0.3.2 itself is published on Forgejo; the GitLab/Pages backfill for it is being handled separately.
ci: harden the git-cliff release flow (gitlab mirror without an artifact server + commit lint)
All checks were successful
ci / build-and-test (pull_request) Successful in 8m59s
ci / commit-lint (pull_request) Successful in 2s
e6dbe41569
Two fixes for the new Conventional-Commit-driven release pipeline:

1. release.yml — the release job's actions/upload-artifact and mirror-gitlab's
   download-artifact need a Forgejo Actions artifact storage backend this
   self-hosted runner doesn't have. On v0.3.2 that silently failed the release
   job AFTER the forgejo release had already published its 7 assets, which
   skipped the whole mirror-gitlab job, so the GitLab release + Pages demo never
   ran. Replace the hand-off: mirror-gitlab now pulls the assets straight from
   the forgejo release via the API (browser_download_url works with the token)
   and rebuilds the flat wasm site bundle from the -wasm.zip asset. Keeps #15's
   isolation (gitlab can't block forgejo) without the artifact-server dependency,
   and stops the release job going red after a fully-successful release.

2. ci.yml — add a fast, dependency-free commit-lint job. The release pipeline now
   derives the version AND the changelog from Conventional Commits (git-cliff),
   so a non-conforming subject is silently dropped from both (no bump, missing
   from the changelog). Gate every commit a PR adds with a shell regex over the
   accepted types — no Node/commitlint, since this is a Rust repo on a sudo-less
   runner.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Merge branch 'master' into ci/harden-release-flow
All checks were successful
ci / build-and-test (pull_request) Successful in 8m55s
ci / commit-lint (pull_request) Successful in 2s
38478c24de
psk merged commit edc3dddf0c into master 2026-06-29 23:56:15 +00:00
psk deleted branch ci/harden-release-flow 2026-06-29 23:56:16 +00:00
Sign in to join this conversation.
No reviewers
No labels
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
public/soundy-bits!20
No description provided.