Skip to content

feat(owen-cli): release-readiness pipeline, rebuilt against the Owen facade (P-013)#247

Merged
PhysShell merged 4 commits into
mainfrom
claude/owen-cli-release-prep-2026-07-12
Jul 12, 2026
Merged

feat(owen-cli): release-readiness pipeline, rebuilt against the Owen facade (P-013)#247
PhysShell merged 4 commits into
mainfrom
claude/owen-cli-release-prep-2026-07-12

Conversation

@PhysShell

@PhysShell PhysShell commented Jul 12, 2026

Copy link
Copy Markdown
Owner

Что и зачем

Rebuild of PR #244 directly against post-#246 main, using the Owen public identity throughout instead of the pre-rebrand ownsharp/OwnSharp.Cli names PR #244 used. Per the merged facade's own PR body ("Phase 3 — rebuilt against this PR once merged, targeting Owen.Cli/owen") and the reviewer's explicit instruction not to merge #244 in its pre-Owen form, PR #244 is being closed in favor of this one.

Prepares Owen.Cli for eventual NuGet publication without publishing a production package.

  • Package metadata (OwnSharp.Cli.csproj): added Authors, PackageProjectUrl, RepositoryUrl, RepositoryType, PackageTags, PackageReadmeFile, Deterministic, ContinuousIntegrationBuild — additive on top of feat(owen): public facade rebrand for the CLI, Action, and SARIF identity #246's already-Owen-branded PackageId/ToolCommandName/Description. PackageLicenseExpression deliberately left unset: the repository has no LICENSE file, and picking one is the repository owner's decision, not this session's — flagged as the first blocker in the release checklist, not resolved unilaterally.
  • New release workflow (.github/workflows/owen-cli-release.yml, tag namespace owen-cli-v*, replacing PR feat(ownsharp-cli): release-readiness pipeline for the NuGet package (P-013) #244's ownsharp-cli-release.yml): build-test-packsmoke-test (ubuntu + windows) → publish. The smoke-test job installs and exercises the already-packed Owen.Cli artifact from build-test-pack's upload — no checkout, no rebuild, no invocation of the pre-rebrand ownsharp command — verifying owen --version, a leak sample (exit 1, OWN001), a clean sample (exit 0), the OWEN_PYTHON-not-found actionable-failure path (exit 3), and a full uninstall/reinstall cycle. Publish still requires both a pushed owen-cli-v* tag (workflow_dispatch can never reach it) and a nuget-release GitHub Environment a repo admin has to configure with required reviewers — it doesn't exist yet.
  • Internal filenames (ownsharp.dll, ownsharp-extract.dll — the real, unmodified AssemblyName-derived output, per feat(owen): public facade rebrand for the CLI, Action, and SARIF identity #246's established internal/public split) are intentionally left as-is in the package-content inspection step; only the public package ID, command name, tag namespace, and env var are Owen-branded.
  • docs/notes/owen-cli-release.md (replacing PR feat(ownsharp-cli): release-readiness pipeline for the NuGet package (P-013) #244's ownsharp-cli-release.md): versioning policy, the re-verified determinism findings (two packs against this exact source, byte-for-byte identical payload, only NuGet's own per-pack OPC wrapper GUID differs), the metadata audit, and the release checklist — the license blocker is addressed explicitly to the repository owner.

Тип изменения

  • feat — новая возможность (release infrastructure, packaging-only)

Как проверено

  • python tests/run_tests.py — 276/276
  • ruff check . / mypy — clean
  • New workflow YAML parsed with python3 -c "import yaml; yaml.safe_load(...)"
  • Every step in the new workflow was manually replicated and verified locally before being encoded: dotnet pack (twice, for determinism) → diff unzipped payload (only the OPC wrapper .rels/.psmdcp differ) → package-content inspection (ownsharp.dll, ownsharp-extract.dll, 20 vendored core .py files, README all present; .nuspec id/description/tags/authors/repository all correct) → isolated-feed install → owen --version / leak / clean / OWEN_PYTHON-not-found (exit 3) / uninstall→reinstall, all matching what the workflow asserts.

Связанные issue

Refs #202, P-013. Supersedes #244 (closed in favor of this PR — pre-Owen branding). No issues closed (release infra, not a shipped release).

Чеклист

  • изменение покрыто тестом/селфтестом — the new release workflow is the test surface; every assertion in it was hand-verified locally first
  • README/docs обновлены — OwnSharp.Cli/README.md links to the new release note; docs/notes/owen-cli-release.md is new
  • коммиты в conventional-commit стиле (feat:)

Boundaries honored

  • No package published to nuget.org.
  • No license chosen on the repository owner's behalf — surfaced as an open blocker, not resolved unilaterally.
  • No personal API key requested or stored — the workflow only references secrets.NUGET_API_KEY by name.
  • No public compatibility promise chosen beyond what the repo already supports (0.x alpha).
  • No analyzer or CLI behavior changed — packaging/CI/docs only.

Generated by Claude Code

Summary by CodeRabbit

  • New Features
    • Added a full release pipeline for the Owen CLI, including build/pack, deterministic packaging verification, cross-platform install-and-runtime smoke tests, and gated publication.
    • Added expanded NuGet/tool package metadata and ensured README is included in the distributed package.
    • Enforced environment protection requirements during publish.
  • Documentation
    • Documented the Owen CLI release-readiness process, version/tag rules, validation steps, and release checklist.
  • Tests
    • Added offline, fixture-driven validation for environment protection configurations (accept/reject scenarios).

…facade (P-013)

Rebuild of PR #244's release-prep work directly against post-#246 main,
using the Owen public identity throughout instead of the pre-rebrand
ownsharp/OwnSharp.Cli names PR #244 used (per review: do not merge the
old-brand version, rebuild it against the merged facade).

Package metadata (OwnSharp.Cli.csproj) — added Authors, PackageProjectUrl,
RepositoryUrl, RepositoryType, PackageTags, PackageReadmeFile, and
deterministic-pack properties (Deterministic, ContinuousIntegrationBuild)
on top of #246's already-Owen-branded PackageId/ToolCommandName/Description
-- these are additive metadata, not a rebrand of what #246 already set.
PackageLicenseExpression is deliberately left unset: the repository has no
LICENSE file, and choosing one is the repository owner's call, not this
session's -- flagged as the first blocker in the release checklist, not
resolved unilaterally.

New release workflow (.github/workflows/owen-cli-release.yml, replacing
PR #244's ownsharp-cli-release.yml under the Owen tag namespace
owen-cli-v*): build-test-pack -> smoke-test (ubuntu + windows) -> publish.
The smoke-test job installs and exercises the already-packed Owen.Cli
artifact from build-test-pack's upload -- no checkout, no rebuild, no
invocation of the pre-rebrand `ownsharp` command -- verifying `owen
--version`, a leak sample (exit 1, OWN001), a clean sample (exit 0), the
OWEN_PYTHON-not-found actionable-failure path (exit 3), and a full
uninstall/reinstall cycle. Publish still requires both a pushed
owen-cli-v* tag (workflow_dispatch can never reach it) and a
`nuget-release` GitHub Environment a repo admin has to configure with
required reviewers -- it doesn't exist yet.

Internal filenames (ownsharp.dll, ownsharp-extract.dll -- the real,
unmodified AssemblyName-derived output, per #246's established internal/
public split) are intentionally left as-is in the package-content
inspection step; only the public package ID, command name, tag namespace,
and env var are Owen-branded.

docs/notes/owen-cli-release.md (replacing PR #244's
ownsharp-cli-release.md) documents the versioning policy, the verified
determinism findings (re-verified against this exact source: two packs,
byte-for-byte identical payload, only NuGet's own per-pack OPC wrapper
GUID differs), the metadata audit, and the release checklist -- including
the license blocker addressed explicitly to the repository owner.

Every step in the new workflow was manually replicated and verified
locally before being encoded: dotnet pack (twice, for determinism) ->
diff unzipped payload -> package-content inspection -> isolated-feed
install -> owen --version / leak / clean / OWEN_PYTHON-not-found /
uninstall-reinstall, all matching what the workflow asserts.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01SSXTDuh1ZHdQc4QqmYwshw
@coderabbitai

coderabbitai Bot commented Jul 12, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: f87d456f-71e1-486e-a567-78a4c2619346

📥 Commits

Reviewing files that changed from the base of the PR and between 76cdf62 and 5559872.

📒 Files selected for processing (2)
  • .github/workflows/owen-cli-release.yml
  • docs/notes/owen-cli-release.md
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/owen-cli-release.yml

📝 Walkthrough

Walkthrough

Adds Owen.Cli package metadata and deterministic packing, a gated multi-platform release workflow, an offline environment-protection predicate with fixtures, and documentation for versioning, publishing, and release checks.

Changes

Owen.Cli release

Layer / File(s) Summary
Package metadata and payload
frontend/roslyn/OwnSharp.Cli/OwnSharp.Cli.csproj, frontend/roslyn/OwnSharp.Cli/README.md
Adds NuGet metadata, deterministic packing settings, packaged README content, and release-process references.
Environment protection predicate
scripts/check_environment_protection.sh, scripts/fixtures/environment-protection/*, .github/workflows/ci.yml
Validates that environment protection includes a required_reviewers rule with at least one reviewer and tests accepted and rejected fixture cases offline.
Build, smoke test, and publish workflow
.github/workflows/owen-cli-release.yml
Builds, packs, inspects, installs, and smoke-tests the tool on Ubuntu and Windows before conditionally publishing a tag-matched package to NuGet behind environment protection.
Release policy and checklist
docs/notes/owen-cli-release.md
Documents naming, version alignment, deterministic packaging, workflow gates, protection requirements, release steps, and unresolved licensing and publication boundaries.

Estimated code review effort: 4 (Complex) | ~60 minutes

Sequence Diagram(s)

sequenceDiagram
  participant GitHubActions
  participant BuildTestPack
  participant SmokeTest
  participant Publish
  participant NuGet
  GitHubActions->>BuildTestPack: Build, test, pack, and inspect artifact
  BuildTestPack->>SmokeTest: Provide packed nupkg
  SmokeTest->>SmokeTest: Install and run on Ubuntu and Windows
  SmokeTest->>Publish: Complete smoke tests
  Publish->>Publish: Validate required reviewers
  Publish->>NuGet: Push packaged artifact
Loading
🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the main change: an Owen CLI release-readiness pipeline rebuilt against the Owen facade.
Description check ✅ Passed The description follows the required template and fills all mandatory sections with specific details.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/owen-cli-release-prep-2026-07-12

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9c79c19d63

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

# publish"). Requiring event_name == 'push' closes that hole.
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/owen-cli-v')
runs-on: ubuntu-latest
environment: nuget-release

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Do not rely on an unconfigured environment gate

When nuget-release has not been pre-created with required reviewers (the comments/docs say it does not exist yet), this line does not create a manual approval gate: GitHub documents that referencing a missing environment creates it and that the newly created environment has “no protection rules or secrets configured” (https://docs.github.com/en/actions/how-tos/deploy/configure-and-manage-deployments/manage-environments#creating-an-environment). If NUGET_API_KEY is present as a repository secret, a matching owen-cli-v* tag push can reach dotnet nuget push without the approval this workflow promises; fail the job unless the protected environment already exists or require the key only as a protected environment secret.

Useful? React with 👍 / 👎.

claude added 2 commits July 12, 2026 15:41
Codex review (P1): GitHub auto-creates a referenced-but-never-configured
environment on first use, with zero protection rules. `environment:
nuget-release` alone is therefore not proof a human ever approves this
job -- if the environment is never actually set up under Settings ->
Environments and NUGET_API_KEY already exists as a repository secret, a
tag push could reach `dotnet nuget push` with no approval at all, silently
defeating the safety story the workflow documents.

The publish job's first step now queries the GitHub API for the
environment's protection_rules and refuses to publish -- fails loudly,
before the artifact is even downloaded -- when that array is empty,
converting "never configured" from a silent bypass into a loud failure.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01SSXTDuh1ZHdQc4QqmYwshw
Two independent review findings, both closed:

1. owen-cli-release.yml only triggered on tag push / workflow_dispatch, so
   a green PR check never actually ran build-test-pack -> smoke-test on
   either OS -- only a real tag push did, and PRs never push tags. Added a
   pull_request trigger scoped to the paths that matter (the CLI/extractor
   projects, ownlang, the workflow file itself, the shared protection
   script). The publish job's existing tag-push condition is unchanged, so
   it stays skipped on pull_request exactly as it already was on
   workflow_dispatch.

2. The environment-protection check (`.protection_rules | length`) accepted
   ANY protection rule -- a wait_timer-only or branch_policy-only
   environment, or a required_reviewers rule saved with zero reviewers,
   none of which actually gate on a human. Extracted the real predicate
   into scripts/check_environment_protection.sh: accepts only a
   required_reviewers rule with >=1 reviewer. The publish job now checks
   out just scripts/ (sparse), fetches the environment via `gh api` into a
   file, and calls the script. Its permissions gained `actions: read`,
   which the environment-read endpoint requires alongside `contents: read`.

Fixture-driven, offline test in ci.yml's new environment-protection-selftest
job (runs on every ordinary push/PR, no GitHub API or real Environment
needed): zero rules, wait_timer-only, branch_policy-only, and
required_reviewers-with-zero-reviewers all reject; required_reviewers with
one reviewer accepts.

The same script and fixtures will also back action-marketplace-readiness.yml's
analogous move-major-tag check (PR #248, stacked on this branch for now --
duplication is temporary until #247 merges and #248 rebases cleanly onto
main).

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01SSXTDuh1ZHdQc4QqmYwshw
PhysShell pushed a commit that referenced this pull request Jul 12, 2026
…ction rule

Follow-up review finding: the environment-protection check
(`.protection_rules | length`) accepted ANY protection rule -- a
wait_timer-only or branch_policy-only environment, or a required_reviewers
rule saved with zero reviewers, none of which actually gate on a human.

move-major-tag now checks out the repo first (moved ahead of the
protection check, since it now needs a repo file), fetches the
action-major-tag-move environment via `gh api` into a file, and calls
scripts/check_environment_protection.sh -- the same shared, fixture-tested
predicate owen-cli-release.yml's publish job uses, which only accepts a
required_reviewers rule with >=1 reviewer. permissions gained actions:read,
which the environment-read endpoint requires alongside contents:write.

This branch is currently stacked on claude/owen-cli-release-prep-2026-07-12
(PR #247) to pick up the shared script/fixtures/ci.yml selftest -- it will
be rebased cleanly onto main once #247 merges, per the reviewer's stated
merge order.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01SSXTDuh1ZHdQc4QqmYwshw

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (3)
.github/workflows/owen-cli-release.yml (3)

181-182: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Same expression-interpolation pattern repeats across smoke-test.

${{ needs.build-test-pack.outputs.version }} is inlined directly into run: scripts at lines 182, 200-201, 246, and 248 — same script-injection anti-pattern as above, flagged by zizmor at each site. Recommend consolidating into one env: block per step (or a single job-level env:) and referencing $OWEN_CLI_VERSION instead.

🔒 Proposed fix (representative — apply to all four sites)
       - name: dotnet tool install --global from the packed artifact (isolated source)
-        run: dotnet tool install --global Owen.Cli --version "${{ needs.build-test-pack.outputs.version }}" --configfile "$RUNNER_TEMP/isolated-nuget.config"
+        env:
+          OWEN_CLI_VERSION: ${{ needs.build-test-pack.outputs.version }}
+        run: dotnet tool install --global Owen.Cli --version "$OWEN_CLI_VERSION" --configfile "$RUNNER_TEMP/isolated-nuget.config"
       ...
       - name: owen --version reports the released version
+        env:
+          OWEN_CLI_VERSION: ${{ needs.build-test-pack.outputs.version }}
         run: |
           out=$(owen --version)
-          [ "$out" = "${{ needs.build-test-pack.outputs.version }}" ] \
-            || { echo "FAIL: owen --version printed '$out', expected '${{ needs.build-test-pack.outputs.version }}'"; exit 1; }
+          [ "$out" = "$OWEN_CLI_VERSION" ] \
+            || { echo "FAIL: owen --version printed '$out', expected '$OWEN_CLI_VERSION'"; exit 1; }
       ...
       - name: Reinstall/update behavior — uninstall, then reinstall clean
+        env:
+          OWEN_CLI_VERSION: ${{ needs.build-test-pack.outputs.version }}
         run: |
           dotnet tool uninstall --global Owen.Cli
           ...
-          dotnet tool install --global Owen.Cli --version "${{ needs.build-test-pack.outputs.version }}" --configfile "$RUNNER_TEMP/isolated-nuget.config"
+          dotnet tool install --global Owen.Cli --version "$OWEN_CLI_VERSION" --configfile "$RUNNER_TEMP/isolated-nuget.config"
           out=$(owen --version)
-          [ "$out" = "${{ needs.build-test-pack.outputs.version }}" ] \
+          [ "$out" = "$OWEN_CLI_VERSION" ] \
             || { echo "FAIL: reinstalled owen --version printed '$out'"; exit 1; }

Practical exploitability today is low — the pull_request trigger already runs the PR's own workflow content (so an attacker doesn't need this indirection to run arbitrary code), and push/workflow_dispatch runs use presumably-reviewed content — but the fix is cheap and removes the pattern zizmor is designed to catch.

Also applies to: 197-201, 240-248

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/owen-cli-release.yml around lines 181 - 182, Replace
direct `${{ needs.build-test-pack.outputs.version }}` interpolation in all four
smoke-test run steps with an environment variable such as OWEN_CLI_VERSION,
defined in each step’s env block or once at the job level, and reference
`$OWEN_CLI_VERSION` in the scripts. Apply this consistently to the dotnet tool
installation and subsequent smoke-test commands while preserving the existing
version value.

Source: Linters/SAST tools


307-313: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Consider NuGet Trusted Publishing instead of a long-lived NUGET_API_KEY.

NuGet.org now supports OIDC-based Trusted Publishing for GitHub Actions (GA since September 2025), which trades the long-lived secrets.NUGET_API_KEY for a short-lived, per-run token — no secret to store, rotate, or leak. Since nuget-release isn't configured yet (per docs/notes/owen-cli-release.md's boundaries), this would be a good time to set it up this way rather than provisioning a durable API key first.

permissions:
  contents: read
  actions: read
  id-token: write   # required for OIDC
steps:
  - uses: NuGet/login@v1
    id: nuget-login
    with:
      user: ${{ secrets.NUGET_USER }}
  - run: dotnet nuget push "$nupkg" --api-key "${{ steps.nuget-login.outputs.NUGET_API_KEY }}" --source https://api.nuget.org/v3/index.json --skip-duplicate

Requires a one-time Trusted Publishing policy setup on nuget.org tied to this repo/workflow — an owner-side decision similar to the license blocker already tracked, so this is worth flagging now rather than after NUGET_API_KEY is provisioned.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/owen-cli-release.yml around lines 307 - 313, The NuGet
release currently relies on the long-lived NUGET_API_KEY secret. Update the
workflow permissions and NuGet publishing step to use NuGet Trusted Publishing
via NuGet/login@v1 and its short-lived NUGET_API_KEY output, including the
required id-token: write and actions: read permissions; record or flag the
one-time nuget.org policy setup required for the nuget-release workflow.

Source: Linters/SAST tools


91-101: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Recommend env-var indirection to avoid literal expression expansion into the shell script.

csproj_version="${{ steps.version.outputs.version }}" is expanded by GitHub Actions as raw text into the script before bash runs it. Since this value is grep'd straight out of the tracked csproj, and this same workflow triggers on pull_request for paths that include that csproj, a version string containing shell metacharacters could break out of the quoted assignment. Piping the value through env: instead keeps it as an opaque environment-variable value that bash never re-parses as script text.

🔒 Proposed fix
       - name: On a tag push, assert the tag matches the csproj Version
         if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/owen-cli-v')
+        env:
+          CSPROJ_VERSION: ${{ steps.version.outputs.version }}
         run: |
           tag_version="${GITHUB_REF_NAME#owen-cli-v}"
-          csproj_version="${{ steps.version.outputs.version }}"
+          csproj_version="$CSPROJ_VERSION"
           if [ "$tag_version" != "$csproj_version" ]; then
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/owen-cli-release.yml around lines 91 - 101, Update the
tag/version assertion step around the shell variables tag_version and
csproj_version to pass steps.version.outputs.version through the step’s env
configuration, then read it from the environment inside the script instead of
embedding the GitHub expression in the shell assignment. Preserve the existing
comparison, error messages, and release failure behavior.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/notes/owen-cli-release.md`:
- Around line 133-135: Update the `publish` gate description in the release
notes to quote the complete condition, including `github.event_name == 'push'`
alongside the tag-prefix check. Preserve the explanation that
`workflow_dispatch` runs cannot reach `publish`, and ensure the wording does not
imply the tag check alone prevents dispatch bypasses.

---

Nitpick comments:
In @.github/workflows/owen-cli-release.yml:
- Around line 181-182: Replace direct `${{ needs.build-test-pack.outputs.version
}}` interpolation in all four smoke-test run steps with an environment variable
such as OWEN_CLI_VERSION, defined in each step’s env block or once at the job
level, and reference `$OWEN_CLI_VERSION` in the scripts. Apply this consistently
to the dotnet tool installation and subsequent smoke-test commands while
preserving the existing version value.
- Around line 307-313: The NuGet release currently relies on the long-lived
NUGET_API_KEY secret. Update the workflow permissions and NuGet publishing step
to use NuGet Trusted Publishing via NuGet/login@v1 and its short-lived
NUGET_API_KEY output, including the required id-token: write and actions: read
permissions; record or flag the one-time nuget.org policy setup required for the
nuget-release workflow.
- Around line 91-101: Update the tag/version assertion step around the shell
variables tag_version and csproj_version to pass steps.version.outputs.version
through the step’s env configuration, then read it from the environment inside
the script instead of embedding the GitHub expression in the shell assignment.
Preserve the existing comparison, error messages, and release failure behavior.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 790c65a9-eaa0-4fcc-8fa7-9af6a65c8760

📥 Commits

Reviewing files that changed from the base of the PR and between d61d453 and 76cdf62.

📒 Files selected for processing (11)
  • .github/workflows/ci.yml
  • .github/workflows/owen-cli-release.yml
  • docs/notes/owen-cli-release.md
  • frontend/roslyn/OwnSharp.Cli/OwnSharp.Cli.csproj
  • frontend/roslyn/OwnSharp.Cli/README.md
  • scripts/check_environment_protection.sh
  • scripts/fixtures/environment-protection/branch-policy-only.json
  • scripts/fixtures/environment-protection/required-reviewers-empty.json
  • scripts/fixtures/environment-protection/required-reviewers-with-reviewer.json
  • scripts/fixtures/environment-protection/wait-timer-only.json
  • scripts/fixtures/environment-protection/zero-rules.json

Comment thread docs/notes/owen-cli-release.md Outdated
CodeRabbit review:

- docs/notes/owen-cli-release.md quoted the publish gate as just
  `startsWith(github.ref, 'refs/tags/owen-cli-v')`, dropping the
  `github.event_name == 'push'` half the workflow's own comment explains
  is required to block a `workflow_dispatch --ref owen-cli-vX` bypass --
  the exact scenario the doc's next sentence claimed was already
  impossible. Quoted the real condition in full.

- `${{ steps.version.outputs.version }}` (grep'd from the csproj, which
  this workflow now also builds on pull_request) and
  `${{ needs.build-test-pack.outputs.version }}` were both inlined
  directly into run: scripts at five sites -- the same
  expression-into-shell-text pattern zizmor flags elsewhere in this repo.
  Both now flow through env: (a job-level OWEN_CLI_VERSION for
  smoke-test's four sites, a step-level CSPROJ_VERSION for the
  tag/version-match assertion) instead of raw interpolation.

Not implemented: CodeRabbit's NuGet Trusted Publishing (OIDC) suggestion
for the publish step. Real publication is already blocked on the license
and Environment decisions the docs already flag as the repository owner's
call, not this session's; swapping the auth mechanism before either of
those is resolved is the same category of decision, not a code fix.

Re-verified locally end-to-end after the env: refactor: pack, isolated-feed
install, `owen --version`, and the full uninstall/reinstall cycle all still
pass with the version flowing through the environment instead of inline
interpolation.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01SSXTDuh1ZHdQc4QqmYwshw
@github-actions

Copy link
Copy Markdown

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 12, 2026

Copy link
Copy Markdown
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@PhysShell
PhysShell merged commit 5eb0225 into main Jul 12, 2026
44 checks passed
PhysShell pushed a commit that referenced this pull request Jul 12, 2026
…n facade (P-013 gate B)

Rebase of PR #248 onto post-#247 main. New workflow
(.github/workflows/action-marketplace-readiness.yml): consumer-simulation
(uses: ./ against fixtures/marketplace-consumer-demo, not the precision-test
corpus) -> validate-release-tag (immutable vX.Y.Z, gated on both
event_name == 'push' and the ref prefix) -> move-major-tag
(workflow_dispatch-only, environment-gated via the shared
scripts/check_environment_protection.sh predicate #247 introduced,
template-injection-safe input handling).

docs/notes/action-marketplace-readiness.md documents the versioning policy,
the consumer-simulation fixture rationale, and two prior review corrections
(environment auto-creation with zero rules; predicate tightened to
required_reviewers-only). README.md/README.ru.md get a casing fix
(PhysShell/own.net -> PhysShell/Own.NET) and a versioning-policy pointer.

Final review hardening: git rev-parse "refs/tags/$TARGET" returns an
annotated tag's own SHA, not the commit it points at. Peeled to
^{commit} so the major tag always ends up on the release commit rather
than on the tag object itself.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01SSXTDuh1ZHdQc4QqmYwshw
PhysShell added a commit that referenced this pull request Jul 12, 2026
…n facade (P-013 gate B)

Rebase of PR #248 onto post-#247 main. New workflow
(.github/workflows/action-marketplace-readiness.yml): consumer-simulation
(uses: ./ against fixtures/marketplace-consumer-demo, not the precision-test
corpus) -> validate-release-tag (immutable vX.Y.Z, gated on both
event_name == 'push' and the ref prefix) -> move-major-tag
(workflow_dispatch-only, environment-gated via the shared
scripts/check_environment_protection.sh predicate #247 introduced,
template-injection-safe input handling).

docs/notes/action-marketplace-readiness.md documents the versioning policy,
the consumer-simulation fixture rationale, and two prior review corrections
(environment auto-creation with zero rules; predicate tightened to
required_reviewers-only). README.md/README.ru.md get a casing fix
(PhysShell/own.net -> PhysShell/Own.NET) and a versioning-policy pointer.

Final review hardening: git rev-parse "refs/tags/$TARGET" returns an
annotated tag's own SHA, not the commit it points at. Peeled to
^{commit} so the major tag always ends up on the release commit rather
than on the tag object itself.


Claude-Session: https://claude.ai/code/session_01SSXTDuh1ZHdQc4QqmYwshw

Co-authored-by: Claude <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants