Revise the release lifecycle yanking workflow by bomly-guy · Pull Request #178 · bomly-dev/bomly-cli

bomly-guy · 2026-06-18T18:51:22Z

Summary

Rename and extend the release lifecycle workflow to handle both landing-page sync and WinGet yanking.
Add release-delete/unpublish handling that removes the matching WinGet version manifest when present and opens a cleanup PR.
Update release process docs and checklist to describe the new yanking flow.

Testing

Not run (not requested)

Summary by CodeRabbit

New Features
- Added an expanded release-lifecycle sync that updates the landing-page on publish, and triggers yanking/removal actions when releases are deleted or unpublished.
- Automated WinGet manifest cleanup via an update branch + PR flow for versioned manifests.
Documentation
- Updated CI/release docs to match the new release-lifecycle sync workflow naming and behavior.
- Refined the release checklist to clarify rollback steps, including Homebrew/Scoop PR handling and WinGet yanking expectations.

coderabbitai · 2026-06-18T18:51:40Z

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 5f59da67-05f9-4663-95da-5a3d6c5de24e

📥 Commits

Reviewing files that changed from the base of the PR and between bd2ab05 and fb7c712.

📒 Files selected for processing (3)

.github/workflows/notify-landing-yank.yml
docs/development/CI.md
docs/development/RELEASE_CHECKLIST.md

✅ Files skipped from review due to trivial changes (1)

docs/development/CI.md

🚧 Files skipped from review as they are similar to previous changes (1)

docs/development/RELEASE_CHECKLIST.md

📝 Walkthrough

Walkthrough

The release lifecycle workflow is renamed to Release lifecycle sync, its notify job is renamed to landing-page, and a new winget-yank job is added that sparse-checks out microsoft/winget-pkgs, removes the versioned manifest, and opens a removal PR when a release is deleted or unpublished. CI and release checklist docs are updated to reflect these changes.

Changes

Release lifecycle sync workflow and docs

Layer / File(s)	Summary
Workflow and job renaming `.github/workflows/notify-landing-yank.yml`	Renames the workflow to `Release lifecycle sync` and renames the primary `notify` job to `landing-page` to reflect broader release lifecycle handling including yanked releases.
winget-yank job implementation `.github/workflows/notify-landing-yank.yml`	Adds a `winget-yank` job triggered on `deleted`/`unpublished` events that sparse-checks out `microsoft/winget-pkgs`, computes the manifest path from the release tag, conditionally removes the manifest directory, commits and pushes a `yank-bomly-*` branch, and opens a removal PR against `master` (skips if manifest is absent or PR already exists).
CI and release checklist documentation `docs/development/CI.md`, `docs/development/RELEASE_CHECKLIST.md`	Updates CI.md to reference the renamed workflow and documents the Yanking Releases flow including WinGet manifest deletion-branch/PR behavior. Updates the release checklist rollback section to delete/unpublish the GitHub Release and clarifies expected WinGet removal PR behavior.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

bomly-dev/bomly-cli#153: Modifies the same notify-landing-yank.yml workflow to handle deleted/unpublished releases by dispatching the landing-page "yanked" event — the direct predecessor to this PR's extension with the winget-yank job.
bomly-dev/bomly-cli#170: Updates notify-landing-yank.yml with the lifecycle trigger/dispatch pattern (published/deleted/unpublished) that this PR builds on for the workflow retitling and winget-yank extension.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: revising the release lifecycle workflow to add yanking capabilities for WinGet packages and expanding existing landing-page sync functionality.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests
Commit unit tests in branch codex/revise-yanking-workflow

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

github-actions · 2026-06-18T18:53:03Z

Bomly Diff Summary

Compared 9e7e2fe415f1b3807559b93f235d317166c5d66d to fb7c71264de78d6e5f3b6f73c866a30ca5762319.

Overview

Status	Manifests	Dependencies	Findings	Duration
✅ Pass	+0 / ~1 / -0	+1 / ~0 / -0	0 introduced / 0 persisted / 0 resolved	68403ms

Dependency Changes

Summary: 1 added, 0 changed, 0 removed.

Added Dependencies

Change	Package	Version	Scope	Licenses	PURL
added	actions:checkout@v5	v5	runtime	-	pkg:githubactions/actions/checkout@v5

Vulnerabilities

✅ No vulnerability changes.

License Changes

✅ No license changes.

Project Posture

✅ No project posture changes (or --matchers +scorecard was not selected).

Policy Findings

✅ No policy differences were identified.

coderabbitai

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/notify-landing-yank.yml:
- Around line 66-74: In the "Check out WinGet package manifests" step that uses
actions/checkout, add the persist-credentials field set to false to prevent
credential leakage through workflow artifacts. Additionally, replace the tag
reference `@v5` with a pinned commit SHA (format: actions/checkout@<commit-sha>)
to mitigate supply chain attack risks from using mutable tag references.
- Line 28: In the `actions/create-github-app-token@v3` step configuration,
change the parameter from `app-id` to `client-id` and update its value to use
only `vars.RELEASE_BOT_CLIENT_ID` without the fallback to
`vars.RELEASE_BOT_APP_ID`. This aligns the workflow with the consistent pattern
used in `release.yml` and `auto-version.yml` and ensures the correct parameter
type is provided to the action.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

Push a commit to this branch (recommended)
Create a new PR with the fixes

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: eb3bc047-af05-484f-bab2-31d637c66988

📥 Commits

Reviewing files that changed from the base of the PR and between 9e7e2fe and bd2ab05.

📒 Files selected for processing (3)

.github/workflows/notify-landing-yank.yml
docs/development/CI.md
docs/development/RELEASE_CHECKLIST.md

coderabbitai · 2026-06-18T18:55:33Z

+      - name: Check out WinGet package manifests
+        uses: actions/checkout@v5
+        with:
+          repository: microsoft/winget-pkgs
+          ref: master
+          path: winget-pkgs
+          sparse-checkout: manifests/b/Bomly/BomlyCLI
+          sparse-checkout-cone-mode: false
+          fetch-depth: 1


⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add persist-credentials: false and consider pinning the action to a SHA.

Static analysis correctly flags two security concerns:

Missing persist-credentials: false — the default true can leak credentials via workflow artifacts.

Action referenced by tag (@v5) rather than hash — pinning to a SHA (e.g., @<commit-sha>) hardens against supply chain attacks.

🛡️ Proposed fix

- name: Check out WinGet package manifests - uses: actions/checkout@v5 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v5.0.2 with: repository: microsoft/winget-pkgs ref: master path: winget-pkgs sparse-checkout: manifests/b/Bomly/BomlyCLI sparse-checkout-cone-mode: false fetch-depth: 1 + persist-credentials: false

🧰 Tools

🪛 zizmor (1.25.2)

[warning] 66-74: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

[error] 67-67: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/notify-landing-yank.yml around lines 66 - 74, In the "Check out WinGet package manifests" step that uses actions/checkout, add the persist-credentials field set to false to prevent credential leakage through workflow artifacts. Additionally, replace the tag reference `@v5` with a pinned commit SHA (format: actions/checkout@<commit-sha>) to mitigate supply chain attack risks from using mutable tag references.

Source: Linters/SAST tools

coderabbitai Bot reviewed Jun 18, 2026

View reviewed changes

Revise release lifecycle yanking workflow and docs

fb7c712

bomly-guy force-pushed the codex/revise-yanking-workflow branch from bd2ab05 to fb7c712 Compare June 18, 2026 18:58

bomly-guy merged commit 7cf132a into main Jun 18, 2026
13 checks passed

bomly-guy deleted the codex/revise-yanking-workflow branch June 18, 2026 19:04

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Revise the release lifecycle yanking workflow#178

Revise the release lifecycle yanking workflow#178
bomly-guy merged 1 commit into
mainfrom
codex/revise-yanking-workflow

bomly-guy commented Jun 18, 2026 •

edited by coderabbitai Bot

Loading

Uh oh!

coderabbitai Bot commented Jun 18, 2026 •

edited

Loading

Walkthrough

Changes

Estimated code review effort

Possibly related PRs

Uh oh!

github-actions Bot commented Jun 18, 2026 •

edited

Loading

Uh oh!

coderabbitai Bot left a comment

Uh oh!

Uh oh!

coderabbitai Bot Jun 18, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

bomly-guy commented Jun 18, 2026 • edited by coderabbitai Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Testing

Summary by CodeRabbit

Uh oh!

coderabbitai Bot commented Jun 18, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Walkthrough

Changes

Estimated code review effort

Possibly related PRs

Uh oh!

github-actions Bot commented Jun 18, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Bomly Diff Summary

Overview

Dependency Changes

Added Dependencies

Vulnerabilities

License Changes

Project Posture

Policy Findings

Uh oh!

coderabbitai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

coderabbitai Bot Jun 18, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

bomly-guy commented Jun 18, 2026 •

edited by coderabbitai Bot

Loading

coderabbitai Bot commented Jun 18, 2026 •

edited

Loading

github-actions Bot commented Jun 18, 2026 •

edited

Loading