Merge pull request #6 from proxymesh/ci/workflows-and-release-skill

proxymesh · web-flow · commit 04ce31ea101b · 2026-04-06T10:42:41.000-07:00
CI: align workflows with python-proxy-headers and add release skill
diff --git a/.cursor/skills/release/SKILL.md b/.cursor/skills/release/SKILL.md
@@ -0,0 +1,90 @@
+---
+name: release
+description: >-
+  Bumps RubyProxyHeaders::VERSION in lib/ruby_proxy_headers/version.rb, opens a PR from
+  branch release/VERSION toward main with auto-merge, and coordinates with CI that
+  publishes a GitHub Release when that branch merges. Use when the user invokes /release,
+  /release VERSION, asks for a release PR, version bump, or release automation.
+---
+
+# Release (`/release` and optional VERSION)
+
+## When this applies
+
+- User message starts with **`/release`** or **`/release VERSION`** (VERSION optional).
+- User asks to cut a release, bump the gem version, or open a release PR with auto-merge.
+
+## Preconditions
+
+- Working tree clean (`git status`); stash or commit unrelated work first.
+- `gh` CLI authenticated (`gh auth status`).
+- Remote `origin` is GitHub.
+- Repository allows **auto-merge** (Settings → General → Pull Requests → Allow auto-merge). If auto-merge is unavailable, open the PR anyway and tell the user to merge manually after checks pass.
+
+## Version selection
+
+1. Read the current version from `lib/ruby_proxy_headers/version.rb` (`RubyProxyHeaders::VERSION`, semver `MAJOR.MINOR.PATCH`).
+2. If **VERSION was provided**: set the new version to that string (must match `^\d+\.\d+\.\d+` unless the project already uses a different scheme—then follow the existing file format).
+3. If **VERSION was omitted**: bump the **patch** segment only (e.g. `0.2.1` → `0.2.2`). If the current value is not `x.y.z`, stop and ask the user for an explicit VERSION.
+
+## Git identity (this repo)
+
+Configure once if needed:
+
+```bash
+git config user.email "cursor@proxymesh.com"
+git config user.name "Cursor"
+```
+
+## Steps
+
+1. **Sync main**
+
+   ```bash
+   git fetch origin main
+   ```
+
+2. **Compute** `NEW_VERSION` (per rules above). **Branch name** is `release/${NEW_VERSION}` (no `v` prefix in the branch name).
+
+3. **Create branch from latest main**
+
+   ```bash
+   git checkout -B "release/${NEW_VERSION}" origin/main
+   ```
+
+4. **Edit** `lib/ruby_proxy_headers/version.rb`: set `VERSION = 'NEW_VERSION'` (single-quoted string).
+
+5. **Commit and push** (never push to `main`; push only the release branch)
+
+   ```bash
+   git add lib/ruby_proxy_headers/version.rb
+   git commit -m "chore: bump version to ${NEW_VERSION}"
+   git push -u origin "release/${NEW_VERSION}"
+   ```
+
+6. **Open PR** into `main` with a short body (no Cursor boilerplate). Example:
+
+   ```bash
+   gh pr create --base main --head "release/${NEW_VERSION}" \
+     --title "Release ${NEW_VERSION}" \
+     --body "Bumps the gem version to ${NEW_VERSION} for release."
+   ```
+
+7. **Enable auto-merge** after the PR exists. In non-interactive mode, `gh` requires an explicit merge strategy with `--auto` (use the repository default: usually **`--merge`** for a merge commit, or **`--squash`** / **`--rebase`** if that is what the repo uses).
+
+   ```bash
+   gh pr merge <PR_NUMBER_OR_URL> --auto --merge
+   ```
+
+   If `--auto` fails (permissions, auto-merge disabled, or pending checks), leave the PR open and report the error; the user can merge manually after CI passes. You can poll with `gh pr checks <PR_NUMBER_OR_URL> --watch` then retry `gh pr merge ... --auto --merge`, or merge manually.
+
+## After merge
+
+Merging the PR into `main` runs **Release on merge** (`.github/workflows/github_release_on_release_branch_merge.yml`), which creates a **GitHub Release** for tag `v{version}` from the merge commit. Because releases created with the default `GITHUB_TOKEN` do not trigger other workflows, **Push Gem** (`push_gem.yml`) is also started via **`workflow_run`** when that release workflow finishes. Manual or API-created releases still match the `release: published` trigger on `push_gem.yml`.
+
+## Quick reference
+
+| Input              | Result                                      |
+|--------------------|---------------------------------------------|
+| `/release`         | Patch bump, branch `release/x.y.(z+1)`      |
+| `/release 1.4.0`   | Version `1.4.0`, branch `release/1.4.0`     |
diff --git a/.github/workflows/github_release_on_release_branch_merge.yml b/.github/workflows/github_release_on_release_branch_merge.yml
@@ -0,0 +1,55 @@
+# When a release/* PR merges into main, create a GitHub release (tag vX.Y.Z).
+# Events from GITHUB_TOKEN do not start other workflows; push_gem.yml is triggered via
+# workflow_run when this workflow completes (see push_gem.yml).
+
+name: Release on merge
+
+on:
+  pull_request:
+    types: [closed]
+    branches:
+      - main
+
+concurrency:
+  group: release-on-merge-${{ github.event.pull_request.number }}
+  cancel-in-progress: false
+
+permissions:
+  contents: write
+
+jobs:
+  github-release:
+    if: >-
+      github.event.pull_request.merged == true &&
+      startsWith(github.head_ref, 'release/') &&
+      github.event.pull_request.head.repo.full_name == github.repository
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout merge commit
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ github.event.pull_request.merge_commit_sha }}
+
+      - name: Read version from lib/ruby_proxy_headers/version.rb
+        id: meta
+        run: |
+          VERSION=$(ruby -r ./lib/ruby_proxy_headers/version.rb -e 'puts RubyProxyHeaders::VERSION')
+          echo "version=${VERSION}" >> "${GITHUB_OUTPUT}"
+
+      - name: Create GitHub Release
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          set -euo pipefail
+          VERSION="${{ steps.meta.outputs.version }}"
+          TAG="v${VERSION}"
+          MERGE_SHA="${{ github.event.pull_request.merge_commit_sha }}"
+          if gh release view "${TAG}" --repo "${{ github.repository }}" >/dev/null 2>&1; then
+            echo "Release ${TAG} already exists; skipping."
+            exit 0
+          fi
+          gh release create "${TAG}" \
+            --repo "${{ github.repository }}" \
+            --target "${MERGE_SHA}" \
+            --title "${TAG}" \
+            --generate-notes
diff --git a/.github/workflows/proxy_integration_tests.yml b/.github/workflows/proxy_integration_tests.yml
@@ -16,12 +16,12 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v6
         with:
           persist-credentials: false
 
       - name: Set up Ruby
-        uses: ruby/setup-ruby@2e007403fc1ec238429ecaa57af6f22f019cc135 # v1.234.0
+        uses: ruby/setup-ruby@v1
         with:
           bundler-cache: true
           ruby-version: ruby
diff --git a/.github/workflows/push_gem.yml b/.github/workflows/push_gem.yml
@@ -10,29 +10,70 @@ on:
   release:
     types: [published]
 
+  workflow_dispatch:
+
+  # GitHub does not start new workflow runs for events caused by the default
+  # GITHUB_TOKEN (e.g. gh release create in another workflow). After
+  # "Release on merge" creates a release, trigger this workflow instead.
+  workflow_run:
+    workflows: [Release on merge]
+    types: [completed]
+
 permissions:
   contents: read
 
 jobs:
+  gate:
+    runs-on: ubuntu-latest
+    outputs:
+      publish: ${{ steps.decide.outputs.publish }}
+    steps:
+      - uses: actions/checkout@v6
+        if: github.event_name == 'workflow_run'
+        with:
+          ref: main
+
+      - id: decide
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          set -euo pipefail
+          if [[ "${{ github.event_name }}" != "workflow_run" ]]; then
+            echo "publish=true" >> "${GITHUB_OUTPUT}"
+            exit 0
+          fi
+          if [[ "${{ github.event.workflow_run.conclusion }}" != "success" ]]; then
+            echo "publish=false" >> "${GITHUB_OUTPUT}"
+            exit 0
+          fi
+          VERSION="$(ruby -r ./lib/ruby_proxy_headers/version.rb -e 'puts RubyProxyHeaders::VERSION')"
+          TAG="v${VERSION}"
+          if gh release view "${TAG}" --repo "${{ github.repository }}" >/dev/null 2>&1; then
+            echo "publish=true" >> "${GITHUB_OUTPUT}"
+          else
+            echo "No GitHub release ${TAG} yet (or release job was skipped); skipping gem push."
+            echo "publish=false" >> "${GITHUB_OUTPUT}"
+          fi
+
   push:
-    if: github.repository == 'proxymesh/ruby-proxy-headers'
+    needs: gate
+    if: >-
+      github.repository == 'proxymesh/ruby-proxy-headers' &&
+      needs.gate.outputs.publish == 'true'
     runs-on: ubuntu-latest
 
     permissions:
       contents: write
       id-token: write
 
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v6
         with:
+          ref: ${{ github.event_name == 'workflow_run' && 'main' || github.ref }}
           persist-credentials: false
 
       - name: Verify release tag matches gem version
+        if: github.event_name == 'release'
         env:
           REF_NAME: ${{ github.ref_name }}
         run: |
@@ -43,9 +84,9 @@ jobs:
           fi
 
       - name: Set up Ruby
-        uses: ruby/setup-ruby@2e007403fc1ec238429ecaa57af6f22f019cc135 # v1.234.0
+        uses: ruby/setup-ruby@v1
         with:
           bundler-cache: true
           ruby-version: ruby
 
-      - uses: rubygems/release-gem@a25424ba2ba8b387abc8ef40807c2c85b96cbe32 # v1
+      - uses: rubygems/release-gem@v1
