plan: collapse release to a single human action

[brianmhunt]

Summary

Captures the cost of TKO's current tag-driven release flow — which we just lived through on the 4.1.0 cut — and proposes collapsing it to a single human action: merge the version PR.

Why now

The 4.1.0 cut required:

1. Push initial tag v4.1.0
2. Wait for changesets/action (which silently skipped PR creation under the tag-push trigger — known wrinkle, branch name changeset-release/refs/tags/v4.1.0 is the symptom)
3. Hand-open the version PR (chore: version packages (v4.1.0) #372) wrapping the bot-generated branch
4. Review + merge the PR
5. Force-move the tag to the merged commit and re-push
6. Wait for second workflow run

Five out of six steps are admin or latency. The two with maintainer judgment (review and merge) are buried in the noise. That cuts directly against the Dark Factory thesis — a single time-constrained maintainer with AI agents shouldn't be pushing tags twice and worrying about whether they're on the right commit.

Proposed shape

• Trigger release.yml on push: branches: [main] (the canonical changesets pattern).
• Single job replaces three (prepare-release / publish / github-release).
• changesets/action's built-in publish input runs npx changeset publish automatically when there are no pending changesets and sets outputs.published.
• A post-publish step generates vX.Y.Z from tools/release-version.cjs, creates the tag and GitHub Release. No more force-push tag dance, no more tag-vs-version validation.

Tradeoffs

• Lose the "tag when I want to release" entry point. Maintainer instead decides timing by when they merge the version PR.
• Releases batch by version-PR cadence — every changeset-bearing feature PR rebumps the open version PR; merge whenever the batch feels release-worthy.
• GitHub release notes lose the "tag pre-existed" guarantee. Mitigation: github-release.yml already exists as a manual backfill workflow.

Out of scope

• Changelog reform (separate plan — about artifact shape, not pipeline).
• Pre-release / canary channels (separate plan — would auto-publish every main commit to next).

Test plan

• Plan reviewed for accuracy against current release.yml and the 4.1.0-cut experience
• Phasing approved (land plan + workflow rewrite together; test with a no-op patch release)

https://claude.ai/code/session_01Jnv99bwWtFWFmsyL7A2cJv

---

Generated by Claude Code

Summary by CodeRabbit

• Documentation
  • Added comprehensive release process documentation outlining updated workflow structure, permissions configuration, concurrency handling, and verification procedures.

[coderabbitai]

📝 Walkthrough

Walkthrough

A plan document is added specifying a simplified release workflow triggered by main branch pushes, with automated version PRs and gated publication conditioned on user merge approval, replacing the current tag-push-driven multi-step procedure.

Changes

Release Workflow Plan

Layer / File(s)	Summary
Current State & Problem Analysis plans/single-action-release.md (lines 1–52)	Document introduces the goal and documents the existing six-step tag-driven release flow, the 4.1.0 cut incident, and the pain points that motivate the change.
Target State Definition plans/single-action-release.md (lines 55–74)	Defines the new trigger (push to main), automated version PR workflow, and single human action (merge the version PR) required to complete a release.
Mechanism & Implementation Details plans/single-action-release.md (lines 79–219)	Specifies the new two-job release.yml structure (prepare to open/update version PR and signal readiness; publish-and-tag gated on that signal to build, test, publish via changeset publish --no-git-tag, and create GitHub release/tag via gh release create), including least-privilege permissions and concurrency config.
Workflow Changes & Tradeoffs plans/single-action-release.md (lines 221–328)	Summarizes removed steps (force-tag dance), kept safeguards (OIDC trusted publishing, manual fallback), failure modes (partial npm publish recovery, atomic release creation, doc-only pushes), and tradeoffs (batched releases, auto-updated version PR, prepare cost, no per-package tags, version PR lacking publish-check runs).
Phasing & Out-of-Scope plans/single-action-release.md (lines 331–392)	Outlines the two-phase implementation plan (proposal PR, then implementation PR updating release.yml and AGENTS.md, optionally followed by auto-merge enablement), lists out-of-scope items, and specifies verification checks for a happy-path patch release.

Estimated Code Review Effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly Related PRs

• release: automate GitHub releases #278: Proposes the same GitHub release automation mechanics (branch-triggered publish, changeset publish --no-git-tag, gh release create, and version-PR workflow) described in this plan.
• release: adopt npm trusted publishing #270: Implements the same release workflow structure—splitting into prepare/publish jobs, gating on the prepare signal, and adopting least-privilege OIDC for npm publishing.
• Add build and release certainty automation #238: Addresses the same Changesets-based release migration (main-branch triggering, version-PR opening, and gated publish step).

Poem

🐰 One button press, one hop, one joy—
No tag-push dance to break, no tag-typo toy!
The version PR blooms on main so bright,
We merge, we publish, and all feels right! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title 'plan: collapse release to a single human action' directly and clearly summarizes the main change: proposing a release workflow redesign where the single human action is merging the version PR instead of a multi-step process.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch plans/single-action-release

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 0/1 reviews remaining, refill in 60 minutes.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e3981050bf

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Authenticate git before pushing the release tag

In the proposed workflow, the checkout step disables credential persistence (persist-credentials: false), but this step later executes git push origin "$tag" when changesets publishes. On GitHub-hosted runners that push will be unauthenticated and fail, which blocks both tag creation and the subsequent GitHub Release step on every real publish run. Either keep checkout credentials enabled for this job or switch to an authenticated API/gh path that creates the tag without git push.

Useful? React with 👍 / 👎.

[Copilot]

Pull request overview

Adds a written plan to simplify TKO’s Changesets-based release process by making “merge the version PR” the only required human action, shifting release.yml to run on main pushes and automating publish + tag + GitHub Release creation.

Changes:

• Documented the current tag-driven release flow and the specific 4.1.0 failure mode.
• Proposed a push: branches: [main]-triggered release.yml shape using changesets/action’s built-in publish behavior.
• Outlined tradeoffs, phasing, and a verification checklist for the new flow.

[Copilot]

In the proposed workflow snippet, actions/checkout is configured with persist-credentials: false, but later steps push a git tag to origin. With credentials not persisted, git push origin "$tag" will fail unless you add separate git authentication/remote configuration (or avoid git push by letting gh release create create the tag).

[Copilot]

The proposed “Tag repo + create GitHub release” step isn’t idempotent: git tag "$tag" fails if the tag already exists, and gh release create fails if the release exists (e.g., reruns, partial failures, or manual backfill). Consider reusing the existing github-release workflow’s safety checks (view existing release/tag, verify target SHA, and skip when already correct) so retries are safe.

Suggested change

	git tag "$tag"
	git push origin "$tag"
	prerelease=""
	case "$version" in *-alpha*|*-beta*|*-rc*) prerelease="--prerelease";; esac
	gh release create "$tag" \
	--target "$GITHUB_SHA" \
	--title "TKO ${version}" \
	--generate-notes \
	$prerelease
	target_sha="${GITHUB_SHA}"
	local_tag_sha="$(git rev-parse -q --verify "refs/tags/$tag^{commit}" 2>/dev/null || true)"
	remote_tag_sha="$(git ls-remote --tags origin "refs/tags/$tag" | awk '{print $1}' | head -n1)"
	if [ -n "$local_tag_sha" ] && [ "$local_tag_sha" != "$target_sha" ]; then
	echo "Existing local tag $tag points to $local_tag_sha, expected $target_sha" >&2
	exit 1
	fi
	if [ -n "$remote_tag_sha" ] && [ "$remote_tag_sha" != "$target_sha" ]; then
	echo "Existing remote tag $tag points to $remote_tag_sha, expected $target_sha" >&2
	exit 1
	fi
	if [ -z "$local_tag_sha" ] && [ -z "$remote_tag_sha" ]; then
	git tag "$tag" "$target_sha"
	git push origin "$tag"
	else
	echo "Tag $tag already exists at the expected SHA; skipping tag creation."
	fi
	prerelease=""
	case "$version" in *-alpha*|*-beta*|*-rc*) prerelease="--prerelease";; esac
	release_json="$(gh release view "$tag" --json tagName,targetCommitish 2>/dev/null || true)"
	if [ -n "$release_json" ]; then
	release_tag="$(printf '%s' "$release_json" | jq -r '.tagName')"
	release_target="$(printf '%s' "$release_json" | jq -r '.targetCommitish')"
	if [ "$release_tag" != "$tag" ]; then
	echo "Existing release lookup returned unexpected tag $release_tag for $tag" >&2
	exit 1
	fi
	if [ "$release_target" != "$target_sha" ]; then
	echo "Existing release $tag targets $release_target, expected $target_sha" >&2
	exit 1
	fi
	echo "Release $tag already exists at the expected target; skipping release creation."
	else
	gh release create "$tag" \
	--target "$target_sha" \
	--title "TKO ${version}" \
	--generate-notes \
	$prerelease
	fi

[Copilot]

Collapsing to a single job means the job needs both contents: write (tags/releases) and id-token: write (npm OIDC) during the entire run (including checkout/install/build). That’s a meaningful increase in token blast radius vs the current split-job, least-privilege design in .github/workflows/release.yml. Either call out this security tradeoff explicitly in the plan and add mitigations (e.g., keep separate jobs, use environments/required reviewers for publish, etc.), or retain the least-privilege separation.

[Copilot]

The pain-points table is written with a double leading pipe (||), which renders as an empty first column in Markdown. If the intent is a 2‑column table, switch those rows to a single leading pipe (| Current step | … |, |---|---|, etc.) so it renders correctly in GitHub.

[brianmhunt]

Adversarial review

Verified against .github/workflows/release.yml, tools/release-version.cjs, and AGENTS.md § Release Process on this branch.

Verified

• ✅ Current trigger: push: tags: ['v*']
• ✅ Three jobs: prepare-release / publish / github-release
• ✅ tools/release-version.cjs exists and is the version source
• ✅ github-release.yml exists as manual backfill
• ✅ publish-check.yml exists for PR validation
• ✅ AGENTS.md § Release Process documents the tag-push entry point and force-move dance (lines 156–159)
• ✅ changesets/action's built-in publish: input runs npx changeset publish and exposes outputs.published

Issues with the proposed release.yml

1. Missing concurrency: block. Current file has concurrency: ${{ github.workflow }}-${{ github.ref }}. Without it, two main pushes in quick succession (back-to-back PR merges) can race the version-PR update or the publish path. Keep it.

2. persist-credentials: false + git push origin \"$tag\" won't work. The proposed checkout disables credential persistence, but the post-publish step then runs git tag + git push origin \"$tag\". With no credentials persisted, the push has no auth. Either set persist-credentials: true for that checkout (least bad) or create the tag via gh api repos/:owner/:repo/git/refs -f ref=refs/tags/$tag -f sha=$GITHUB_SHA using GH_TOKEN. Current github-release.yml sidesteps this by only creating the GH release (which gh CLI handles), not pushing a git tag.

3. commitMode: github-api silently dropped. Current prepare-release step uses commitMode: github-api, which makes changesets/action create the version-PR commit through the GitHub API (signed by github-actions[bot] / verified). Plan's snippet omits it — falls back to local git commit, producing unsigned commits and potentially tripping branch-protection rules that require verification. If intentional, say why; if not, keep it.

4. Loss of least-privilege isolation. Current splits prepare-release (contents: write, pull-requests: write) from publish (contents: read, id-token: write) so the publish path can't modify branches/PRs and the PR-opening path can't mint OIDC tokens. The proposed single-job collapses all three permissions onto every run. Worth at least a tradeoff bullet acknowledging this — or two-step the workflow (changesets/action job → conditional publish-and-tag job gated on outputs.published).

5. bun run build runs on every main push. Single-job design means the build runs even when the path is "open/update version PR, no publish". Current prepare-release skips the build for that path. On a busy main branch this is real CI minutes. Either accept it explicitly or gate the build behind if: steps.changesets.outputs.published == 'true' and run it before the publish step (note: changesets/action's built-in publish runs inside the action, so build must precede the action step — push the build into a separate downstream job triggered by outputs.published, or live with the waste).

6. Tag-creation ordering. Plan does git tag → git push origin \"$tag\" → gh release create. If gh release create fails after the tag is pushed, the repo has an orphan tag with no release, and re-running won't help (the existing-tag check in github-release.yml is keyed on the release, not the tag). Safer ordering: gh release create --target \"$GITHUB_SHA\" \"$tag\" first (which creates the tag and release atomically when the tag doesn't yet exist), skip the explicit git tag + git push. gh release create will create the underlying ref for you.

7. Auto-publish on next main push after merging the version PR is fine, but flag the implicit double-merge case. Sequence: version PR auto-updated with one changeset → maintainer merges it → before publish completes, another feature PR with a new changeset lands on main → release.yml re-runs, sees no pending changesets at the moment it checked (race), publishes prematurely. Low probability but worth a sentence in Tradeoffs. The concurrency: block (issue 1) mostly mitigates.

Document-level nits

• Pain points table has 7 rows; Original State numbered list has 6 steps. "Five of seven" vs "Five of six" appear in adjacent paragraphs — the table inserts an implicit "review version bumps" row that the numbered list folds into step 3. Reconcile.
• Phasing step 1 says "land plan + workflow rewrite together" but step 2 defers AGENTS.md update. AGENTS.md § Release Process actively misleads as soon as the workflow flips — it should change in the same PR or the plan should call out the temporary inconsistency.
• Out of scope mentions canary channels but the post-publish snippet already branches on *-alpha*|*-beta*|*-rc* for --prerelease. Worth one line explaining what the prerelease branching does cover (git/GH-release marking) vs what's still out of scope (auto-publishing every main commit to next).

Verdict

Direction is right and the dark-factory motivation is well-grounded. Request changes for issues 1–4 (concurrency, push-auth, commitMode, least-privilege) before this becomes the implementation; 5–7 are tradeoffs to acknowledge in the plan rather than blockers.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@plans/single-action-release.md`:
- Line 1: The plan file plans/single-action-release.md must be renamed to follow
the date-prefixed convention: create a new file named
plans/YYYY-MM-DD-single-action-release.md using the author date of the first
commit that introduced this plan (replace YYYY-MM-DD with that author date) and
move the content into that file, then delete the old
plans/single-action-release.md and update any references; ensure the filename
matches the slug "single-action-release" exactly and commit the rename so the
repo history reflects the date-prefixed name.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: eea52728-0e2f-45df-aa7b-e79c11f07746

📥 Commits

Reviewing files that changed from the base of the PR and between 07ec0f3 and 4d9be2a.

📒 Files selected for processing (1)

• plans/single-action-release.md

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Rename this plan file to the required date-prefixed format.

plans/single-action-release.md does not follow the required naming convention for significant plans. Please rename it to plans/YYYY-MM-DD-single-action-release.md using the first commit’s author date for this plan (for example, plans/2026-05-04-single-action-release.md if that is the author date).

As per coding guidelines, plans/**/*.md: "When writing plans for significant changes, name them plans/YYYY-MM-DD-<slug>.md using the author date of the first commit that adds the plan".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@plans/single-action-release.md` at line 1, The plan file
plans/single-action-release.md must be renamed to follow the date-prefixed
convention: create a new file named plans/YYYY-MM-DD-single-action-release.md
using the author date of the first commit that introduced this plan (replace
YYYY-MM-DD with that author date) and move the content into that file, then
delete the old plans/single-action-release.md and update any references; ensure
the filename matches the slug "single-action-release" exactly and commit the
rename so the repo history reflects the date-prefixed name.