From 87004fc4aae5f2bab7f2bb500dc00b597493909d Mon Sep 17 00:00:00 2001
From: Saurabh Jain <saurabhjain1592@gmail.com>
Date: Sun, 19 Apr 2026 13:40:19 +0200
Subject: [PATCH 1/2] fix(release): emit CHANGELOG section as GitHub release
 body + preflight validation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The previous release workflow published a generic "install + see CHANGELOG"
body for every tagged release. Anyone landing on the release page (from
README links, registry listings that pull GitHub release descriptions, or
blog posts citing the tag) had to click through to see what changed.
Worse, a missing CHANGELOG section would still publish to the registry
first and only fail at the GitHub release step — leaving a partial
release with no release page and no retry path on the same version.

Changes:

- New preflight job runs FIRST with no dependencies. Validates the
  CHANGELOG.md section exists for the target version (awk extracts the
  section between "## [X.Y.Z]" and the next "## ["), fails loudly with
  an actionable error if missing, builds the final release body (install
  block + CHANGELOG content), and uploads it as an artifact.

- Publish/release jobs now depend on preflight. Missing CHANGELOG
  section → preflight fails → zero side effects. No partial releases.

- Final release body = install block prepended to the extracted CHANGELOG
  section, delivered via body_path from the artifact.

- Pinned actions/upload-artifact and actions/download-artifact to SHAs
  matching the repo's SHA-pinning convention where present.

Matches the pattern established in axonflow-openclaw-plugin#47.
---
 .github/workflows/release.yml | 64 ++++++++++++++++++++++++++---------
 1 file changed, 48 insertions(+), 16 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 286c1a4..4e29f1d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -12,7 +12,46 @@ env:
   DO_NOT_TRACK: '1'
 
 jobs:
+  # Preflight: validate CHANGELOG has a section for the tag being released
+  # BEFORE any publish step runs. A missing section fails the entire
+  # workflow cleanly rather than publishing to PyPI first and then failing
+  # at the GitHub release step.
+  preflight:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Extract CHANGELOG section
+        run: |
+          VERSION="${GITHUB_REF#refs/tags/v}"
+          awk -v ver="$VERSION" '$0 ~ "^## \\["ver"\\]" {p=1; next} p && /^## \[/ {exit} p {print}' CHANGELOG.md > /tmp/release-body.md
+          if [ ! -s /tmp/release-body.md ]; then
+            echo "::error::No CHANGELOG.md section found for version $VERSION — refusing to publish."
+            echo "::error::Add a '## [$VERSION] - YYYY-MM-DD' section to CHANGELOG.md and re-tag."
+            exit 1
+          fi
+          {
+            echo "## AxonFlow Python SDK v${VERSION}"
+            echo ""
+            echo "### Installation"
+            echo ""
+            echo '```bash'
+            echo "pip install axonflow==${VERSION}"
+            echo '```'
+            echo ""
+            cat /tmp/release-body.md
+          } > /tmp/release-body-final.md
+          echo "Release body: $(wc -l < /tmp/release-body-final.md) lines"
+
+      - name: Upload release body artifact
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        with:
+          name: release-body
+          path: /tmp/release-body-final.md
+          retention-days: 1
+
   build:
+    needs: preflight
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -74,36 +113,29 @@ jobs:
           packages-dir: dist/
 
   create-release:
-    needs: publish-pypi
+    needs: [preflight, publish-pypi]
     runs-on: ubuntu-latest
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@v4
-
-      - name: Download artifacts
+      - name: Download dist artifacts
         uses: actions/download-artifact@v4
         with:
           name: dist
           path: dist/
 
+      - name: Download release body artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: release-body
+          path: /tmp/release-body
+
       - name: Create GitHub Release
         uses: softprops/action-gh-release@v1
         with:
           files: dist/*
           name: Release ${{ github.ref_name }}
-          body: |
-            ## AxonFlow Python SDK ${{ github.ref_name }}
-
-            ### Installation
-
-            ```bash
-            pip install axonflow
-            ```
-
-            ### Changes
-
-            See [CHANGELOG.md](https://github.com/getaxonflow/axonflow-sdk-python/blob/main/CHANGELOG.md) for full release details.
+          body_path: /tmp/release-body/release-body-final.md
           generate_release_notes: false
 
   verify-publish:

From 743e524808a1600845f852cb326cdca3be8763fa Mon Sep 17 00:00:00 2001
From: Saurabh Jain <saurabhjain1592@gmail.com>
Date: Sun, 19 Apr 2026 14:11:18 +0200
Subject: [PATCH 2/2] review: explicit preflight dependency on verify-publish
 for consistency

---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 4e29f1d..23849b0 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -139,7 +139,7 @@ jobs:
           generate_release_notes: false
 
   verify-publish:
-    needs: publish-pypi
+    needs: [preflight, publish-pypi]
     runs-on: ubuntu-latest
     steps:
       - name: Extract version from tag