fix(ci): guard release component outputs

[yacosta738]

Related Issues

No issue linked.

---

Summary

Fixes release workflow component flag output serialization so component-scoped downstream jobs receive clean boolean outputs. Adds a fail-fast guardrail that validates has_corvus_runtime, has_rook, has_cerebro, and has_gradle_kmp before Docker, binary, npm, or release asset jobs evaluate needs.publish.outputs.* gates.

This prevents a supported cerebro release from completing green while build-cerebro-binaries and docker-image-cerebro are silently skipped due to malformed $GITHUB_OUTPUT formatting.

---

Tested Information

• node --test scripts/release-contract.test.mjs
  • Result: 54 tests passed, 0 failed.
• Verified the build-cerebro-binaries and docker-image-cerebro jobs still gate on needs.publish.outputs.has_cerebro == 'true'.

---

Documentation Impact

• Docs updated in: none.
• No docs update required because this is a CI release workflow correctness fix covered by release contract tests.
• I verified the documentation matches the current behavior.

---

Breaking Changes

None.

---

Checklist

• I have checked that there isn’t already a PR solving the same problem.
• I have read the Contributing Guidelines.
• I ensured my code follows the project's style guidelines.
• I have added or updated tests that prove my fix is effective or that my feature works.
• I have updated the documentation, or I explained above why no documentation update is needed.
• I verified the documentation matches the current behavior.
• I have documented any breaking changes in the Breaking Changes section.
• I have linked the related issue (if any).

[cloudflare-workers-and-pages]

Deploying corvus with    Cloudflare Pages

Latest commit:	72e648d
Status:	✅  Deploy successful!
Preview URL:	https://b4072f29.corvus-42x.pages.dev
Branch Preview URL:	https://fix-release-component-output.corvus-42x.pages.dev

View logs

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: e153d08a-fde0-46ba-9ac2-c6b98ed6078f

📥 Commits

Reviewing files that changed from the base of the PR and between cdefa9b and 72e648d.

📒 Files selected for processing (2)

• .github/workflows/_publish.yml
• scripts/release-contract.test.mjs

📜 Recent review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: sonar
• GitHub Check: pr-checks
• GitHub Check: semgrep-cloud-platform/scan
• GitHub Check: submit-gradle
• GitHub Check: Cloudflare Pages

🧰 Additional context used

📓 Path-based instructions (1)

**/*

⚙️ CodeRabbit configuration file

**/*: Security first, performance second.
Validate input boundaries, auth/authz implications, and secret management.
Look for behavioral regressions, missing tests, and contract breaks across modules.

Files:

• scripts/release-contract.test.mjs

🧠 Learnings (2)

📓 Common learnings

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/.github/**/*.{yml,yaml} : For workflow/template-only changes, ensure YAML/template syntax validity

📚 Learning: 2026-02-17T12:31:17.076Z

Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/.github/**/*.{yml,yaml} : For workflow/template-only changes, ensure YAML/template syntax validity

Applied to files:

• .github/workflows/_publish.yml
• scripts/release-contract.test.mjs

🔇 Additional comments (4)

.github/workflows/_publish.yml (2)

98-98: Component flag serialization fix is correct.

Using a real newline delimiter here preserves one-output-per-line semantics in $GITHUB_OUTPUT, so downstream needs.publish.outputs.* gates can evaluate reliably.

---

105-124: Guardrail step correctly blocks malformed component flag outputs.

This fail-fast validation closes the silent-skip path by enforcing strict true|false values before any component-scoped publish jobs run.

scripts/release-contract.test.mjs (2)

998-1002: Regression assertion for newline serialization is well targeted.

Good contract check to prevent reintroducing literal \\n output formatting.

---

1004-1017: Guardrail contract coverage is strong.

These assertions make the workflow fail-safe behavior explicit and protect against future drift in component-flag validation logic.

---

📝 Walkthrough

Summary by CodeRabbit

• Chores
  • Enhanced validation in the release pipeline to ensure correct and consistent output formatting.
  • Implemented stricter validation checks to catch configuration errors during the release process.
  • Expanded test coverage for release workflow requirements to improve release reliability.

Walkthrough

This PR refines the GitHub Actions publish workflow to ensure component-flag boolean outputs are properly serialized with real newline delimiters, and adds a validation step to reject any outputs that are not exactly true or false. Corresponding test assertions verify the stricter formatting and validation behavior.

Changes

Cohort / File(s)	Summary
GitHub Actions Workflow .github/workflows/_publish.yml	Adjusts component-flag output serialization to use real newline delimiters instead of literal \n, and introduces a validation step that verifies each flag is exactly true or false, terminating the workflow on invalid values.
Release Contract Tests scripts/release-contract.test.mjs	Adds assertions enforcing proper newline serialization in component-flag outputs and verifying the new validation block exists with rejection patterns for invalid boolean values.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• fix(release): harden release-please diagnostics #451: Modifies the same release contract test file with additional workflow assertions and schema validations.

Suggested labels

area:ci, risk:high

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title follows Conventional Commit style with 'fix' prefix and a clear, concise description of the change within 72 characters.
Description check	✅ Passed	The description covers all required sections: Related Issues, Summary, Tested Information, Documentation Impact, Breaking Changes, and a completed Checklist matching the template.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/release-component-output-guardrail

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 0/1 reviews remaining, refill in 60 minutes.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sonarqubecloud]

Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud