ci: dispatch event to create-swarm-app when released

[slapec93]

When we release a new version, dispatch an event to create-swarm-app repository, so it opens a PR to bump Bee.js version to latest

[github-actions]

File	Coverage Now	Coverage Before	Delta%	Rating
Total	2054 / 2524	2054 / 2524	0.00
bee-dev.ts	5 / 14	5 / 14	0.00
bee.ts	377 / 458	377 / 458	0.00
index.ts	16 / 16	16 / 16	0.00
chunk/bmt.ts	15 / 16	15 / 16	0.00
chunk/cac.ts	20 / 21	20 / 21	0.00
chunk/soc.ts	58 / 59	58 / 59	0.00
feed/identifier.ts	5 / 5	5 / 5	0.00
feed/index.ts	83 / 85	83 / 85	0.00
feed/retrievable.ts	18 / 19	18 / 19	0.00
manifest/manifest.ts	222 / 237	222 / 237	0.00
modules/bytes.ts	21 / 25	21 / 25	0.00
modules/bzz.ts	30 / 31	30 / 31	0.00
modules/chunk.ts	14 / 14	14 / 14	0.00
modules/envelope.ts	7 / 7	7 / 7	0.00
modules/feed.ts	22 / 24	22 / 24	0.00
modules/grantee.ts	21 / 21	21 / 21	0.00
modules/gsoc.ts	10 / 11	10 / 11	0.00
modules/pinning.ts	19 / 20	19 / 20	0.00
modules/pss.ts	11 / 12	11 / 12	0.00
modules/rchash.ts	5 / 7	5 / 7	0.00
modules/soc.ts	10 / 10	10 / 10	0.00
modules/status.ts	5 / 10	5 / 10	0.00
modules/stewardship.ts	11 / 11	11 / 11	0.00
modules/tag.ts	19 / 20	19 / 20	0.00
modules/debug/balance.ts	26 / 26	26 / 26	0.00
modules/debug/chequebook.ts	40 / 58	40 / 58	0.00
modules/debug/connectivity.ts	28 / 35	28 / 35	0.00
modules/debug/settlements.ts	18 / 18	18 / 18	0.00
modules/debug/stake.ts	21 / 32	21 / 32	0.00
modules/debug/stamps.ts	43 / 45	43 / 45	0.00
modules/debug/states.ts	24 / 29	24 / 29	0.00
modules/debug/status.ts	34 / 36	34 / 36	0.00
modules/debug/transactions.ts	18 / 27	18 / 27	0.00
stamper/stamper.ts	21 / 21	21 / 21	0.00
types/debug.ts	8 / 12	8 / 12	0.00
types/index.ts	21 / 21	21 / 21	0.00
utils/bytes.ts	41 / 53	41 / 53	0.00
utils/chunk-size.ts	9 / 9	9 / 9	0.00
utils/chunk-stream.browser.ts	0 / 71	0 / 71	0.00
utils/chunk-stream.ts	57 / 63	57 / 63	0.00
utils/cid.ts	22 / 23	22 / 23	0.00
utils/collection.browser.ts	0 / 4	0 / 4	0.00
utils/collection.node.ts	29 / 33	29 / 33	0.00
utils/collection.ts	14 / 18	14 / 18	0.00
utils/constants.ts	7 / 7	7 / 7	0.00
utils/data.browser.ts	0 / 8	0 / 8	0.00
utils/data.ts	4 / 11	4 / 11	0.00
utils/duration.ts	20 / 22	20 / 22	0.00
utils/error.ts	12 / 12	12 / 12	0.00
utils/expose.ts	16 / 16	16 / 16	0.00
utils/file.ts	8 / 12	8 / 12	0.00
utils/headers.ts	62 / 71	62 / 71	0.00
utils/http.ts	44 / 49	44 / 49	0.00
utils/mime.ts	1 / 1	1 / 1	0.00
utils/pss.ts	5 / 5	5 / 5	0.00
utils/redundancy.ts	32 / 44	32 / 44	0.00
utils/resource-locator.ts	7 / 7	7 / 7	0.00
utils/size.ts	12 / 14	12 / 14	0.00
utils/stamps.ts	55 / 78	55 / 78	0.00
utils/tar-uploader.browser.ts	0 / 11	0 / 11	0.00
utils/tar-uploader.ts	12 / 12	12 / 12	0.00
utils/tar-writer.browser.ts	0 / 8	0 / 8	0.00
utils/tar-writer.ts	13 / 14	13 / 14	0.00
utils/tar.browser.ts	0 / 40	0 / 40	0.00
utils/tar.ts	36 / 39	36 / 39	0.00
utils/tokens.ts	24 / 41	24 / 41	0.00
utils/type.ts	79 / 100	79 / 100	0.00
utils/typed-bytes.ts	85 / 86	85 / 86	0.00
utils/url.ts	11 / 15	11 / 15	0.00
utils/workaround.ts	11 / 14	11 / 14	0.00

[darkobas2]

One nit on the trigger filter:

on:
  release:
    types: [published]

This fires on pre-releases and drafts too — so RC tags will dispatch into create-swarm-app and open auto-bump PRs against unstable versions. If that's not desired, gate the job:

jobs:
  dispatch:
    if: github.event.release.prerelease == false && github.event.release.draft == false

Architecture (App + dispatch + scoped token) looks good. The bigger concerns are on the receiver side (#13).

[darkobas2]

Heads up — the org already has the App's identifiers + key stored as organization secrets, no need to provision new repo-level ones:

• BEE_RUNNER_APP_ID (App ID, numeric) or BEE_RUNNER_CLIENT_ID (Client ID, string) — pick whichever format you prefer; actions/create-github-app-token@v1 accepts both via the same app-id input
• BEE_RUNNER_KEY (the private key)

Update the workflow to reference those instead of RELEASE_DISPATCHER_*:

- uses: actions/create-github-app-token@v1
  with:
    app-id: ${{ secrets.BEE_RUNNER_CLIENT_ID }}
    private-key: ${{ secrets.BEE_RUNNER_KEY }}
    repositories: create-swarm-app

One less secret to provision per consuming repo.

[darkobas2]

Dispatch flow itself looks good — prerelease/draft gate is in, App token is scoped to create-swarm-app only, event_type matches the receiver. Two notes:

1. Coverage refactor: gh run list should filter by status

RUN_ID=$(gh run list --branch master --workflow tests.yaml --limit 1 --json databaseId --jq '.[0].databaseId')

--limit 1 returns the most recent master run regardless of outcome. If master is failing or in progress when a PR runs, you either get no artifact (silent skip via continue-on-error) or you compare against a partial/broken run. Add a status filter:

RUN_ID=$(gh run list --branch master --workflow tests.yaml --status success --limit 1 --json databaseId --jq '.[0].databaseId')

Also worth a guard for the empty case — if there's no successful master run yet (e.g. right after this merges, before master has produced an artifact), RUN_ID is empty and the download step fails. The continue-on-error: true + outcome == 'success' gate covers that without breaking the workflow, but a one-line if [ -z "$RUN_ID" ]; then exit 0; fi makes the intent explicit.

2. Two unrelated changes in one PR

The dispatch-release workflow and the tests.yaml coverage refactor are independent features touching different parts of CI. Splitting them would make git bisect and revert cleaner if either turns out to misbehave. Not blocking — just a nudge for next time.

LGTM once the master-coverage status filter is in. Architecture (App + dispatch + scoped token) is solid.

[darkobas2]

dispatch-release.yml — ✅ looks good

• Filtering on release.prerelease == false && release.draft == false plus the receiver's semver regex validation gives two layers of defense before any sed runs.
• repositories: create-swarm-app correctly scopes the App token to a single repo.
• tag_name.replace(/^v/, '') handles both v1.2.3 and 1.2.3 tag styles.

One small edge case: a maintainer who forgets to tick "this is a prerelease" but tags it v1.2.3-rc.1 would still dispatch. The receiver's regex (^X.Y.Z(-…)?$) accepts that, so an RC could open a PR. Probably fine in practice — just worth being aware of. If you want to be stricter, gate dispatch on !contains(github.event.release.tag_name, '-').

tests.yaml — scope + a couple of small risks

• 🟡 Scope creep: the coverage-comparison refactor is unrelated to the dispatch feature. Splitting it into its own PR would make both easier to revert if one regresses.
• 🟡 gh run list --limit 1 doesn't filter by status: it'll happily return an in-progress or failed master run whose artifact was never uploaded. The continue-on-error + outcome == 'success' guard on the download step makes this degrade gracefully, but you'd silently lose coverage comparison until the next green master. Suggest --status success (and possibly --status completed) to pick the latest run that actually has an artifact:

  gh run list --branch master --workflow tests.yaml --status success --limit 1 --json databaseId --jq '.[0].databaseId'

• 🟢 The new coverage-comparison invocation drops two positional args (master, head_ref) — assuming npxie coverage-comparison was updated to take (repo, before-summary-path, after-summary-path, pr#, token), that's fine; otherwise it'll fail at runtime. Worth confirming against the tool's current signature.

Nit

• The dispatch workflow itself doesn't need permissions: since it only uses the App token, but adding an explicit permissions: {} (deny-all for GITHUB_TOKEN) is a nice belt-and-suspenders.