
Revise the release lifecycle yanking workflow #178

Merged: bomly-guy merged 1 commit into main from codex/revise-yanking-workflow on Jun 18, 2026

Conversation

@bomly-guy (Collaborator) commented Jun 18, 2026

Summary

  • Rename and extend the release lifecycle workflow to handle both landing-page sync and WinGet yanking.
  • Add release-delete/unpublish handling that removes the matching WinGet version manifest when present and opens a cleanup PR.
  • Update release process docs and checklist to describe the new yanking flow.

Testing

  • Not run (not requested)

Summary by CodeRabbit

  • New Features

    • Added an expanded release-lifecycle sync that updates the landing-page on publish, and triggers yanking/removal actions when releases are deleted or unpublished.
    • Automated WinGet manifest cleanup via an update branch + PR flow for versioned manifests.
  • Documentation

    • Updated CI/release docs to match the new release-lifecycle sync workflow naming and behavior.
    • Refined the release checklist to clarify rollback steps, including Homebrew/Scoop PR handling and WinGet yanking expectations.

@coderabbitai (Bot, Contributor) commented Jun 18, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 5f59da67-05f9-4663-95da-5a3d6c5de24e

📥 Commits

Reviewing files that changed from the base of the PR and between bd2ab05 and fb7c712.

📒 Files selected for processing (3)
  • .github/workflows/notify-landing-yank.yml
  • docs/development/CI.md
  • docs/development/RELEASE_CHECKLIST.md
✅ Files skipped from review due to trivial changes (1)
  • docs/development/CI.md
🚧 Files skipped from review as they are similar to previous changes (1)
  • docs/development/RELEASE_CHECKLIST.md

📝 Walkthrough

The release lifecycle workflow is renamed to Release lifecycle sync, its notify job is renamed to landing-page, and a new winget-yank job is added that sparse-checks out microsoft/winget-pkgs, removes the versioned manifest, and opens a removal PR when a release is deleted or unpublished. CI and release checklist docs are updated to reflect these changes.

Changes

Release lifecycle sync workflow and docs

Layer: Workflow and job renaming
File(s): .github/workflows/notify-landing-yank.yml
Summary: Renames the workflow to Release lifecycle sync and renames the primary notify job to landing-page to reflect broader release lifecycle handling including yanked releases.

Layer: winget-yank job implementation
File(s): .github/workflows/notify-landing-yank.yml
Summary: Adds a winget-yank job triggered on deleted/unpublished events that sparse-checks out microsoft/winget-pkgs, computes the manifest path from the release tag, conditionally removes the manifest directory, commits and pushes a yank-bomly-* branch, and opens a removal PR against master (skips if manifest is absent or PR already exists).

Layer: CI and release checklist documentation
File(s): docs/development/CI.md, docs/development/RELEASE_CHECKLIST.md
Summary: Updates CI.md to reference the renamed workflow and documents the Yanking Releases flow including WinGet manifest deletion-branch/PR behavior. Updates the release checklist rollback section to delete/unpublish the GitHub Release and clarifies expected WinGet removal PR behavior.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • bomly-dev/bomly-cli#153: Modifies the same notify-landing-yank.yml workflow to handle deleted/unpublished releases by dispatching the landing-page "yanked" event — the direct predecessor to this PR's extension with the winget-yank job.
  • bomly-dev/bomly-cli#170: Updates notify-landing-yank.yml with the lifecycle trigger/dispatch pattern (published/deleted/unpublished) that this PR builds on for the workflow retitling and winget-yank extension.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: Passed. The title accurately summarizes the main change: revising the release lifecycle workflow to add yanking capabilities for WinGet packages and expanding existing landing-page sync functionality.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


@github-actions (Bot, Contributor) commented Jun 18, 2026

Bomly Diff Summary

Compared 9e7e2fe415f1b3807559b93f235d317166c5d66d to fb7c71264de78d6e5f3b6f73c866a30ca5762319.

Overview

Status: ✅ Pass
Manifests: +0 / ~1 / -0
Dependencies: +1 / ~0 / -0
Findings: 0 introduced / 0 persisted / 0 resolved
Duration: 68403ms

Dependency Changes

Summary: 1 added, 0 changed, 0 removed.

Added Dependencies

Change: added
Package: actions:checkout@v5
Version: v5
Scope: runtime
Licenses: -
PURL: pkg:githubactions/actions/checkout@v5

Vulnerabilities

✅ No vulnerability changes.

License Changes

✅ No license changes.

Project Posture

✅ No project posture changes (or --matchers +scorecard was not selected).

Policy Findings

✅ No policy differences were identified.

@coderabbitai (Bot, Contributor) left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

Inline comments in .github/workflows/notify-landing-yank.yml:

  • Around lines 66-74: In the "Check out WinGet package manifests" step that uses actions/checkout, add the persist-credentials field set to false to prevent credential leakage through workflow artifacts. Additionally, replace the tag reference `@v5` with a pinned commit SHA (format: actions/checkout@<commit-sha>) to mitigate supply chain attack risks from using mutable tag references.
  • Line 28: In the `actions/create-github-app-token@v3` step configuration, change the parameter from `app-id` to `client-id` and update its value to use only `vars.RELEASE_BOT_CLIENT_ID` without the fallback to `vars.RELEASE_BOT_APP_ID`. This aligns the workflow with the consistent pattern used in `release.yml` and `auto-version.yml` and ensures the correct parameter type is provided to the action.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: eb3bc047-af05-484f-bab2-31d637c66988

📥 Commits

Reviewing files that changed from the base of the PR and between 9e7e2fe and bd2ab05.

📒 Files selected for processing (3)
  • .github/workflows/notify-landing-yank.yml
  • docs/development/CI.md
  • docs/development/RELEASE_CHECKLIST.md

Comment thread .github/workflows/notify-landing-yank.yml Outdated
Comment on lines +66 to +74
- name: Check out WinGet package manifests
uses: actions/checkout@v5
with:
repository: microsoft/winget-pkgs
ref: master
path: winget-pkgs
sparse-checkout: manifests/b/Bomly/BomlyCLI
sparse-checkout-cone-mode: false
fetch-depth: 1
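Review bot: The step sets no `token:`, so this checkout of microsoft/winget-pkgs runs with the default GITHUB_TOKEN, which is scoped to this repository only and is what gets written into winget-pkgs/.git/config while persist-credentials stays at its default; the later steps that push the yank-bomly-* branch and open the removal PR (not shown in this region) must therefore supply the app token from the `actions/create-github-app-token` step explicitly, and it is worth confirming in the same file that they do rather than relying on the persisted token.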

@coderabbitai (Bot, Contributor) commented:

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add persist-credentials: false and consider pinning the action to a SHA.

Static analysis correctly flags two security concerns:

  1. Missing persist-credentials: false — the default true can leak credentials via workflow artifacts.
  2. Action referenced by tag (@v5) rather than hash — pinning to a SHA (e.g., @<commit-sha>) hardens against supply chain attacks.
🛡️ Proposed fix
       - name: Check out WinGet package manifests
-        uses: actions/checkout@v5
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v5.0.2
         with:
           repository: microsoft/winget-pkgs
           ref: master
           path: winget-pkgs
           sparse-checkout: manifests/b/Bomly/BomlyCLI
           sparse-checkout-cone-mode: false
           fetch-depth: 1
+          persist-credentials: false
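Review bot: With `persist-credentials: false` on the last added line, the checkout no longer leaves a token in winget-pkgs/.git/config, so the job's later commit-and-push of the yank-bomly-* branch has to be given credentials explicitly in that step or the push fails; please check that the push step does so before applying this fix. Separately, the `# v5.0.2` comment on the `uses:` line is not verified by anything, so confirm that 11bd71901bbe5b1630ceea73d27597364c9af683 is the commit tagged v5.0.2 in actions/checkout before merging, since a mismatched pin silently runs a different release than the comment claims.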
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 66-74: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

[error] 67-67: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


Source: Linters/SAST tools

bomly-guy force-pushed the codex/revise-yanking-workflow branch from bd2ab05 to fb7c712 on June 18, 2026 at 18:58
bomly-guy merged commit 7cf132a into main on Jun 18, 2026 (13 checks passed)
bomly-guy deleted the codex/revise-yanking-workflow branch on June 18, 2026 at 19:04