ci: auto-publish releases to the BCR via reusable workflow #54
Merged
Mirror bashtest/bzl/mbo: add publish.yaml (bazel-contrib/publish-to-bcr@v1.4.1,
registry_fork helly25/bazel-central-registry, draft PR, URL-based integrity)
and hook it into release.yml after the release job. Replaces the retired
publish-to-bcr GitHub App.
publish.yaml sets top-level `permissions: {}` (checkov CKV2_GHA_1) with the
publish job opting into contents:write; the release.yml publish job grants
contents:write (a called workflow can't exceed the caller's permissions).
Fab-Cat approved these changes Jun 15, 2026
helly25 added a commit that referenced this pull request Jun 20, 2026
Adapt the remaining release-process fixes from mbo's 0.11.1 (the BCR auto-publish half already landed in #54), so proto can cut a working release.

- release_prep.sh: archive the patched/generated worktree via a throwaway index instead of `git archive "${TAG}"`. The latter reads the committed tree and silently dropped the edits release_prep makes (the bazelmod.patch hunk that comments out the dev-only includes, the generated empty root BUILD.bazel) -- so released tarballs shipped with the dev includes active and did not build standalone. Verified: the archive's MODULE.bazel now has the includes commented and dev dirs are export-ignored.
- Drop .bcr/patches/bazelmod.patch and its `bcr-bazelmod-patch-applies` pre-commit hook: the tarball is now self-contained, so publish-to-bcr needs no patch (removes the stale-patch failure mode that broke prior publishes; the BCR entry's MODULE.bazel is the tarball's directly).
- trigger_release.sh: require running on main at exactly origin/main; validate the version arg is numeric X.Y.Z; portable BSD/GNU sed for the version bump and CHANGELOG prepend; pre-flight that .github/workflows/bazelmod.patch still applies. Keep the simple flow -- open the version-bump PR and stop, leaving review+merge to another maintainer (no self-approve/admin-merge).
- release.yml: trigger on numeric-semver tags only ([0-9]+.[0-9]+.[0-9]+).
- main.yml: trigger on branch pushes only, so release tags don't re-run the full matrix.
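
The difference between archiving the tag and archiving the worktree through a throwaway index, as named in the commit message above, shown as an added example that is not the project's release_prep.sh. The helper names `archive_worktree` and `tar_cat`, the demo repository, the include label and seeding the temporary index with `git read-tree HEAD` are assumptions of this example.

```shell
# Added example; constructed repo, not the project's release_prep.sh.
set -eu

# Archive the worktree as it is now (uncommitted edits included) through a
# throwaway index. Runs in a subshell, so GIT_INDEX_FILE never leaks and the
# real index and HEAD stay untouched. Must be called from the repo root.
archive_worktree() (
  out="$1"
  tmp="$(mktemp -d)"
  export GIT_INDEX_FILE="$tmp/index"
  git read-tree HEAD          # seed the temporary index from the commit
  git add -A                  # stage every worktree edit and new file
  tree="$(git write-tree)"    # tree object only; no commit is created
  git archive --format=tar -o "$out" "$tree"
  rm -rf "$tmp"
)

# Print one member of a tar archive to stdout.
tar_cat() { tar -xOf "$1" "$2"; }

# Constructed input: a tagged commit whose MODULE.bazel still has a dev-only
# include, followed by the edits a release-prep step makes in the worktree.
OUT="$(mktemp -d)"
REPO="$(mktemp -d)"
cd "$REPO"
git init -q .
printf 'module(name = "demo")\ninclude("//dev:dev.MODULE.bazel")\n' > MODULE.bazel
git add MODULE.bazel
git -c user.name=demo -c user.email=demo@example.invalid commit -q -m init
git tag 1.2.3
printf 'module(name = "demo")\n# include("//dev:dev.MODULE.bazel")\n' > MODULE.bazel
: > BUILD.bazel

TAG_TAR="$OUT/from-tag.tar"
WORK_TAR="$OUT/from-worktree.tar"
git archive --format=tar -o "$TAG_TAR" 1.2.3   # committed tree: edits missing
archive_worktree "$WORK_TAR"                   # worktree: edits included

echo "--- MODULE.bazel from tag archive";      tar_cat "$TAG_TAR" MODULE.bazel
echo "--- MODULE.bazel from worktree archive"; tar_cat "$WORK_TAR" MODULE.bazel
```

Comparing the two archives member by member before publishing is a cheap check that the released tarball matches what release prep produced.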
Rolls out the BCR auto-publish workflow to proto (proven on bashtest #9275, bzl #9276; mbo #191 merged).
- `publish-to-bcr@v1.4.1`, `registry_fork: helly25/bazel-central-registry`, draft PR, URL-based integrity. Top-level `permissions: {}` (checkov CKV2_GHA_1) + publish job opts into `contents: write`.
- `publish` job `needs: release`, grants `contents: write`.
- `BCR_PUBLISH_TOKEN` is set on proto.

Independent of the in-flight refactor (touches only publish.yaml + release.yml). After merge, the next tagged release opens a draft BCR PR for `helly25_proto`.