ci: release process with changelog

[auricom]

Overview

[github-actions]

The latest Buf updates on your PR. Results from workflow CI / buf-check (pull_request).

Build	Format	Lint	Breaking	Updated (UTC)
✅ passed	⏩ skipped	✅ passed	✅ passed	Jan 22, 2026, 10:12 AM

[claude]

Claude finished @auricom's task in 2m 10s —— View job

---

Code Review Complete ✅

I've reviewed the release process implementation. This is a comprehensive addition that significantly improves the release workflow for ev-node. Below is my detailed feedback organized by priority and category.

---

Critical Issues

1. Security: Unpinned GitHub Actions (High Priority)

Location: .github/workflows/release.yml:79, :252

Three third-party actions are using mutable tags instead of pinned commit SHAs:

# Line 79
uses: anthropics/claude-code-action@v1

# Line 252  
uses: softprops/action-gh-release@v2

Risk: Mutable tags can be updated by action maintainers, potentially introducing malicious code or breaking changes without your knowledge.

Recommendation: Pin to specific commit SHAs:

uses: anthropics/claude-code-action@<commit-sha>  # Pin v1 to specific SHA
uses: softprops/action-gh-release@<commit-sha>    # Pin v2 to specific SHA

Fix unpinned actions →

2. Missing git-cliff Configuration

Location: .github/workflows/release.yml:32 (references git-cliff), RELEASE.md:32, 69

The documentation references git-cliff for changelog generation, but:

• No .git-cliff.toml or cliff.toml configuration file exists in the repository
• The workflow doesn't actually use git-cliff (it uses Claude AI instead)

Issues:

1. Documentation mismatch: RELEASE.md says git-cliff generates changelogs, but the workflow uses Claude AI (line 77-113)
2. Unclear intent: If git-cliff is planned for future use, it needs configuration. If Claude AI is the chosen tool, documentation should reflect this.

Recommendation: Either:

• Add .git-cliff.toml configuration and integrate git-cliff into the workflow, OR
• Update RELEASE.md to accurately describe the Claude AI-based changelog generation process

Fix documentation mismatch →

---

High Priority Issues

3. Tag Validation Regex Too Permissive

Location: .github/workflows/release.yml:29-32

if [[ ! "$CURRENT_TAG" =~ ^[a-zA-Z0-9/_.-]+$ ]]; then
  echo "::error::Invalid tag format: $CURRENT_TAG"
  exit 1
fi

Issues:

• Allows invalid characters like underscores and periods in app names
• Doesn't validate semantic versioning format
• Doesn't enforce the documented {app-name}/v{major}.{minor}.{patch} pattern

Recommendation: Use stricter validation matching the documented format:

# Validate format: app-name/vX.Y.Z
if [[ ! "$CURRENT_TAG" =~ ^[a-z0-9/-]+/v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
  echo "::error::Invalid tag format: $CURRENT_TAG (expected: app-name/vX.Y.Z)"
  exit 1
fi

4. Error Handling Gaps in Shell Scripts

Location: .github/workflows/release.yml (multiple locations)

Several bash steps lack robust error handling:

Line 43-56: Git diff generation has no error checking

git diff --stat "$PREV_TAG"..HEAD > git-diff-stats.txt
git log --oneline "$PREV_TAG"..HEAD > git-commits.txt
git diff "$PREV_TAG"..HEAD > git-full-diff.txt
# No validation that these commands succeeded

Line 132-162: Branch creation assumes git operations succeed

git checkout -b "$BRANCH_NAME"
# No check if branch already exists or checkout failed

Recommendation: Add error checking:

set -euo pipefail  # At the start of each script

# Check command results
if ! git diff --stat "$PREV_TAG"..HEAD > git-diff-stats.txt; then
  echo "::error::Failed to generate diff stats"
  exit 1
fi

5. Potential Command Injection in Branch Names

Location: .github/workflows/release.yml:132-139

TAG="${{ github.ref_name }}"
BRANCH_NAME="release/$TAG"
git checkout -b "$BRANCH_NAME"

Risk: While github.ref_name is from GitHub's trusted context, the tag name is attacker-controlled (anyone with push access). If tag validation fails or is bypassed, malicious branch names could be created.

Recommendation: Sanitize the branch name:

# Sanitize tag name for branch creation
SAFE_TAG=$(echo "$TAG" | tr -cd 'a-zA-Z0-9/._-')
BRANCH_NAME="release/$SAFE_TAG"

---

Medium Priority Issues

6. Documentation Clarity: Release Branch Lifecycle Unclear

Location: RELEASE.md:42, 129-162, 666

The documentation mentions release branches in multiple places but is inconsistent about their lifecycle:

• Line 42: "Merge the release branch"
• Line 286: "A release branch has been created for your review"
• Line 666: Suggests branches "can be... discarded after the release is published"

Issues:

• Should the branch be merged? If so, to which target branch?
• Can it be discarded? Then why create it?
• What's the purpose if the changelog goes into GitHub Releases?

This matches Gemini's feedback - the lifecycle and purpose need clarification.

Recommendation: Add a clear section explaining:

### Release Branch Lifecycle

The `release/<tag-name>` branch serves as a staging area for changelog refinement:

1. **Created automatically** by the workflow from the tagged commit
2. **Edit the changelog** on this branch if needed
3. **Two options after publishing the GitHub Release:**
   - **Merge to main** to keep the refined changelog in the repository, OR
   - **Delete the branch** if you updated the GitHub Release directly
4. **Do not merge to version branches** - these are temporary staging branches

7. CHANGELOG.md Update Process Needs Clarification

Location: RELEASE.md:71-86

The documentation says the workflow "reads CHANGELOG.md" and "generates release notes," but:

• It's unclear when/how CHANGELOG.md should be updated
• The workflow doesn't actually read CHANGELOG.md (it uses git diff)
• Line 246 mentions updating CHANGELOG.md "before" tagging, but this contradicts the automated process description

Recommendation: Clarify the pre-release manual steps:

### Before Tagging a Release

1. **Update `./CHANGELOG.md`** manually:
   - Move items from `[Unreleased]` to a new version section
   - Add tested upgrade paths
   - Commit and push to main

2. **Create and push the tag** (automation takes over from here)

8. Missing Rollback/Cleanup Instructions for Failed Releases

Location: RELEASE.md:528-558 (Troubleshooting section)

The troubleshooting section covers validation errors but doesn't address:

• What to do if the workflow fails mid-release
• How to clean up a failed release attempt
• Whether to delete the release branch if the workflow fails

Recommendation: Add a "Failed Release Cleanup" section:

### Failed Release Cleanup

If the release workflow fails:

1. Check workflow logs to identify the failure point
2. Delete the failed tag: `git push origin :refs/tags/app/v0.2.0`
3. Delete the release branch: `git push origin :refs/heads/release/app/v0.2.0`
4. Fix the underlying issue
5. Re-tag and push again

9. Workflow Permissions Could Be More Restrictive

Location: .github/workflows/release.yml:7, 14, 168, 218, 249

Top-level permissions are empty (permissions: {}), which is good. However, job-level permissions grant contents: write broadly.

Current:

generate-changelog:
  permissions:
    contents: write  # Allows all git write operations

Recommendation: Consider if more restrictive permissions are possible. GitHub's contents: write is unfortunately atomic and can't be split further, but document why write access is needed.

---

Low Priority / Nice-to-Have

10. Hardcoded Multi-line Output Delimiters

Location: .github/workflows/release.yml:60-75, 123-127

Uses generic delimiters like EOF_COMMITS, EOF_STATS which could conflict with content.

Recommendation: Use random delimiters:

DELIMITER="EOF_$(openssl rand -hex 8)"
{
  echo "commits<<$DELIMITER"
  cat git-commits.txt
  echo "$DELIMITER"
} >> $GITHUB_OUTPUT

11. No Timeout for Claude AI Step

Location: .github/workflows/release.yml:77-113

The Claude AI changelog generation has no timeout, which could hang the workflow.

Recommendation: Add a timeout:

- name: Generate changelog with Claude
  timeout-minutes: 5
  id: claude
  uses: anthropics/claude-code-action@v1

12. Docker Build Missing Cache Configuration

Location: .github/workflows/release.yml:233-242

The Docker build doesn't configure layer caching, which could slow down builds.

Recommendation: Add cache configuration:

- name: Build and push Docker image
  uses: docker/build-push-action@v6
  with:
    cache-from: type=registry,ref=ghcr.io/${{ github.repository_owner }}/${{ needs.parse-tag.outputs.image-name }}:buildcache
    cache-to: type=registry,ref=ghcr.io/${{ github.repository_owner }}/${{ needs.parse-tag.outputs.image-name }}:buildcache,mode=max

13. Missing Validation for CHANGELOG.md Existence

Location: .github/workflows/release.yml:142-146

if [ -f "CHANGELOG.md" ]; then
  # Add generated changelog
fi

The workflow silently continues if CHANGELOG.md doesn't exist. Since the documentation emphasizes CHANGELOG.md as critical, this should fail loudly.

Recommendation:

if [ ! -f "CHANGELOG.md" ]; then
  echo "::error::CHANGELOG.md not found - required for releases"
  exit 1
fi

---

Positive Highlights

✅ Excellent documentation structure - RELEASE.md is comprehensive and well-organized
✅ Good use of job dependencies - Workflow correctly sequences jobs
✅ Multi-platform builds - Docker images built for amd64 and arm64
✅ Draft releases - Safe default requiring manual approval before publishing
✅ Clear separation - Docker vs Go module releases well documented
✅ Communication templates - Helpful Slack/Telegram announcement templates
✅ Semantic versioning - Properly documented and encouraged
✅ Phase-based Go module release - Dependency order clearly explained

---

Summary

This PR introduces a solid foundation for automated releases. The main concerns are:

1. Security: Unpin the GitHub Actions (critical)
2. Documentation accuracy: Fix git-cliff vs Claude AI mismatch
3. Clarity: Clarify release branch lifecycle and CHANGELOG.md update process
4. Robustness: Add error handling to bash scripts

The documentation is comprehensive and the workflow design is sound. With the security and clarity issues addressed, this will significantly improve the release process.

---

Tasks

• Read and analyze .github/workflows/release.yml
• Read and analyze RELEASE.md
• Review workflow security and best practices
• Review documentation clarity and completeness
• Compile comprehensive feedback
• Post final review

---

[gemini-code-assist]

Summary of Changes

Hello @auricom, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly overhauls the project's release documentation by introducing a structured and comprehensive release process. It defines clear version support policies, details both automated and manual steps for creating and publishing releases, and establishes robust guidelines for changelog management and external communication. The changes aim to standardize release procedures, enhance transparency, and provide a clearer understanding of release content and upgrade compatibility for users and contributors.

Highlights

• Support Policy Definition: A new section clearly outlines the version support policy, specifying support for the current and previous major versions with security and critical bug fixes.
• Comprehensive Release Workflow: Detailed automated and manual steps for the release process are introduced, covering everything from tag pushes and automated changelog generation to manual review, GitHub Release publication, and public announcements.
• Structured Changelog Management: New guidelines for maintaining CHANGELOG.md are added, including a specific format, content categories (e.g., Added, Changed, Fixed, Security, Tested Upgrades), and the use of git-cliff for automated generation.
• Clear Communication Protocols: Templates and instructions are provided for consistent release announcements on GitHub, Slack, and Telegram, ensuring stakeholders are well-informed.
• Enhanced Release Scenarios & Checklists: The document now includes updated examples for various release scenarios (single app, multiple apps, Go modules, hotfixes) and a comprehensive checklist template to ensure all release steps are followed.
• Tested Upgrade Paths Emphasis: A new requirement and dedicated section highlight the importance of documenting tested upgrade paths within the changelog, improving clarity for users.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Ignored Files

• Ignored by pattern: .github/workflows/** (1)
  • .github/workflows/release.yml

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a comprehensive and well-documented release process, including changelog management and automated workflows. The changes are primarily in RELEASE.md and provide detailed steps for both Docker image and Go module releases. My review focuses on improving the clarity of the new process. I've suggested clarifying the manual steps required before tagging a release and detailing the lifecycle of the temporary release branches created by the automation. Overall, this is a great step towards standardizing the release workflow.

[gemini-code-assist]

The process for refining the changelog could be clarified. The 'Quick Steps' (lines 254-258) show editing and pushing to the release/<tag-name> branch. However, it's not clear how these committed changes are then reflected in the final GitHub Release. Does the developer need to manually copy the refined changelog from the branch to the GitHub Release draft?

Additionally, step 6 here says 'Merge the release branch...'. It would be helpful to specify the merge target for this branch (e.g., a version branch like v0.3), or confirm if it should be discarded after the release is published (as suggested on line 666). Clarifying the lifecycle and purpose of the release/<tag-name> branch would prevent confusion.

[gemini-code-assist]

To improve clarity, it would be helpful to explicitly state that CHANGELOG.md needs to be manually updated before the automated workflow is triggered by a tag push. This involves moving changes from [Unreleased] to a new version section. While this is mentioned in other parts of the document (e.g., line 246), adding it here would make the Changelog Workflow section self-contained and easier to follow.

Suggested change

	The release workflow automatically generates changelogs from `./CHANGELOG.md`:
	The release workflow starts with a manual update to `./CHANGELOG.md`, after which automation takes over:

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 58.52%. Comparing base (66ac65a) to head (0c09500).
⚠️ Report is 8 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2998      +/-   ##
==========================================
- Coverage   59.25%   58.52%   -0.73%     
==========================================
  Files         106      111       +5     
  Lines       10023    10405     +382     
==========================================
+ Hits         5939     6090     +151     
- Misses       3456     3670     +214     
- Partials      628      645      +17     

Flag	Coverage Δ
combined	58.52% <ø> (-0.73%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.