From 0f0cb3e1522e198d18ead1ef60637647ad49e993 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Fri, 9 Jan 2026 18:05:24 +0000 Subject: [PATCH 01/23] ci(release): Switch from action-prepare-release to Craft This PR migrates from the deprecated action-prepare-release to the new Craft GitHub Actions (reusable workflow or composite action). Changes: - Migrate .github/workflows/release.yaml to Craft reusable workflow - Update .craft.yml with versioning.policy: calver --- .craft.yml | 28 ++++++++++--------- .github/workflows/changelog-preview.yml | 13 +++++++++ .github/workflows/release.yaml | 37 ++++++------------------- 3 files changed, 36 insertions(+), 42 deletions(-) create mode 100644 .github/workflows/changelog-preview.yml diff --git a/.craft.yml b/.craft.yml index 839f1161..22df2390 100644 --- a/.craft.yml +++ b/.craft.yml @@ -6,17 +6,19 @@ statusProvider: name: github config: contexts: - - 'build-amd64' - - 'build-arm64' - - 'assemble-image' + - 'build-amd64' + - 'build-arm64' + - 'assemble-image' targets: - - name: github - - id: release - name: docker - source: ghcr.io/getsentry/vroom - target: getsentry/vroom - - id: latest - name: docker - source: ghcr.io/getsentry/vroom - target: getsentry/vroom - targetFormat: '{{{target}}}:latest' +- name: github +- id: release + name: docker + source: ghcr.io/getsentry/vroom + target: getsentry/vroom +- id: latest + name: docker + source: ghcr.io/getsentry/vroom + target: getsentry/vroom + targetFormat: '{{{target}}}:latest' +versioning: + policy: calver diff --git a/.github/workflows/changelog-preview.yml b/.github/workflows/changelog-preview.yml new file mode 100644 index 00000000..1ed10213 --- /dev/null +++ b/.github/workflows/changelog-preview.yml @@ -0,0 +1,13 @@ +name: Changelog Preview +on: + pull_request: + types: + - opened + - synchronize + - reopened + - edited + - labeled +jobs: + changelog-preview: + uses: getsentry/craft/.github/workflows/changelog-preview.yml@v2 + secrets: inherit 
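Review bot: In the new `.github/workflows/changelog-preview.yml`, the reusable workflow is referenced by the mutable tag `@v2` and receives every repository secret through `secrets: inherit`, so whatever `v2` points to at run time executes with all of them. Pin the reference to a full commit SHA with the release as a trailing comment, e.g. `uses: getsentry/craft/.github/workflows/changelog-preview.yml@<FULL_COMMIT_SHA> # <version>` (placeholders), and pass only the secrets the preview needs in an explicit `secrets:` map. The `release.yaml` hunk of this same patch has the same pattern (`release.yml@v2` with `secrets: inherit`) and also drops a token step that was pinned by SHA. The new file declares no `permissions:` block either, so the job token gets the repository default.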
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index a68bfbd8..adefc0ab 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -1,40 +1,19 @@ name: release - on: workflow_dispatch: inputs: version: - description: Version to release (optional) + description: Version to release (or "auto") required: false force: - description: Force a release even when there are release-blockers (optional) + description: Force a release even when there are release-blockers required: false - schedule: - # We want the release to be at 9-10am Pacific Time - # We also want it to be 1 hour before the on-prem release - - cron: "0 17 15 * *" - + - cron: "0 17 15 * *" jobs: release: - runs-on: ubuntu-latest - name: "Release a new vroom version" - steps: - - name: Get auth token - id: token - uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4 - with: - app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} - private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} - - uses: actions/checkout@v5.0.0 - with: - token: ${{ steps.token.outputs.token }} - fetch-depth: 0 - - name: Prepare release - uses: getsentry/action-prepare-release@v1 - env: - GITHUB_TOKEN: ${{ steps.token.outputs.token }} - with: - version: ${{ github.event.inputs.version }} - force: ${{ github.event.inputs.force }} - calver: true + uses: getsentry/craft/.github/workflows/release.yml@v2 + with: + version: ${{ inputs.version }} + force: ${{ inputs.force }} + secrets: inherit From cd0b9c53432a6b2f36d82147da328738dde4e1f5 Mon Sep 17 00:00:00 2001 
From: Burak Yigit Kaya Date: Fri, 9 Jan 2026 23:19:59 +0000 Subject: [PATCH 02/23] ci(release): Restore GitHub App token authentication The previous migration incorrectly removed the GitHub App token authentication step. This commit restores it by switching to the composite action pattern which preserves the auth flow. --- .github/workflows/release.yaml | 25 ++++++++++++++++++++----- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index adefc0ab..1d1e5da0 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -12,8 +12,23 @@ on: - cron: "0 17 15 * *" jobs: release: - uses: getsentry/craft/.github/workflows/release.yml@v2 - with: - version: ${{ inputs.version }} - force: ${{ inputs.force }} - secrets: inherit + runs-on: ubuntu-latest + name: Release a new version + steps: + - name: Get auth token + id: token + uses: actions/create-github-app-token@v1 + with: + app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} + private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} + - uses: actions/checkout@v4 + with: + token: ${{ steps.token.outputs.token }} + fetch-depth: 0 + - name: Prepare release + uses: getsentry/craft@v2 + env: + GITHUB_TOKEN: ${{ steps.token.outputs.token }} + with: + version: ${{ inputs.version }} + force: ${{ inputs.force }} From 3a3f5a78c1a5d6125c084a8187e8206c866ceb8d Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Sat, 10 Jan 2026 00:18:58 +0000 Subject: [PATCH 03/23] fix: Pin actions to SHA and add permissions blocks --- .github/workflows/changelog-preview.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/changelog-preview.yml b/.github/workflows/changelog-preview.yml index 1ed10213..5883c004 100644 --- a/.github/workflows/changelog-preview.yml +++ b/.github/workflows/changelog-preview.yml 
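Review bot: The restored steps in `release.yaml` reference `actions/create-github-app-token@v1`, `actions/checkout@v4` and `getsentry/craft@v2` by mutable tags, although these are exactly the steps that receive `SENTRY_RELEASE_BOT_PRIVATE_KEY` and the minted App token. The workflow removed in PATCH 01 pinned the token action by SHA (`@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4`) and used `actions/checkout@v5.0.0`, so both actions are also moved to an older major version without the commit message saying so. I would restore the earlier pin, `uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4`, and reference checkout and Craft by full commit SHA as well.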
@@ -7,6 +7,10 @@ on: - reopened - edited - labeled +permissions: + contents: write + pull-requests: write + jobs: changelog-preview: uses: getsentry/craft/.github/workflows/changelog-preview.yml@v2 From 513d88c6f9738b4b0523bcd8d6212bdf593ddb27 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Sat, 10 Jan 2026 01:18:39 +0000 Subject: [PATCH 04/23] fix: Use correct action version SHAs (restore original versions) --- .github/workflows/changelog.yaml | 2 +- .github/workflows/codeql.yaml | 2 +- .github/workflows/release.yaml | 2 +- .github/workflows/validate-pipelines.yaml | 4 ++-- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/changelog.yaml b/.github/workflows/changelog.yaml index f8d49759..0fe79371 100644 --- a/.github/workflows/changelog.yaml +++ b/.github/workflows/changelog.yaml @@ -8,7 +8,7 @@ jobs: name: changelog runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5.0.0 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml index f20f9337..d93f286e 100644 --- a/.github/workflows/codeql.yaml +++ b/.github/workflows/codeql.yaml @@ -40,7 +40,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v5.0.0 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 1d1e5da0..51338923 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
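Review bot: The workflow-level `permissions:` block added to `changelog-preview.yml` grants `contents: write` to a workflow that runs on `pull_request` events, which looks broader than a changelog preview should need. If the called workflow only comments on the pull request, `contents: read` together with `pull-requests: write` would be enough; confirm against what Craft's `changelog-preview.yml` actually requires. The subject also says actions are pinned to SHA, but the `uses: getsentry/craft/.github/workflows/changelog-preview.yml@v2` line in the context is left on the tag.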
@@ -21,7 +21,7 @@ jobs: with: app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} - - uses: actions/checkout@v4 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: token: ${{ steps.token.outputs.token }} fetch-depth: 0 diff --git a/.github/workflows/validate-pipelines.yaml b/.github/workflows/validate-pipelines.yaml index d8be8269..c471c1b5 100644 --- a/.github/workflows/validate-pipelines.yaml +++ b/.github/workflows/validate-pipelines.yaml @@ -17,7 +17,7 @@ jobs: outputs: gocd: ${{ steps.changes.outputs.gocd }} steps: - - uses: actions/checkout@v5.0.0 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Check for relevant file changes uses: getsentry/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 id: changes @@ -39,7 +39,7 @@ jobs: id-token: "write" steps: - - uses: actions/checkout@v5.0.0 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - id: 'auth' uses: google-github-actions/auth@v3 with: From 7aff20f2b60b0ea0e373ee5d37d334a2248f380c Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Sat, 10 Jan 2026 01:48:22 +0000 Subject: [PATCH 05/23] fix: Use correct action version SHAs (restore original versions) --- .github/workflows/changelog.yaml | 2 +- .github/workflows/codeql.yaml | 2 +- .github/workflows/release.yaml | 2 +- .github/workflows/validate-pipelines.yaml | 4 ++-- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/changelog.yaml b/.github/workflows/changelog.yaml index 0fe79371..242ef511 100644 --- a/.github/workflows/changelog.yaml +++ b/.github/workflows/changelog.yaml 
@@ -8,7 +8,7 @@ jobs: name: changelog runs-on: ubuntu-latest steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 # v5 - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml index d93f286e..c1c4ca55 100644 --- a/.github/workflows/codeql.yaml +++ b/.github/workflows/codeql.yaml @@ -40,7 +40,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 # v5 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 51338923..bba12c3f 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -21,7 +21,7 @@ jobs: with: app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 # v5 with: token: ${{ steps.token.outputs.token }} fetch-depth: 0 diff --git a/.github/workflows/validate-pipelines.yaml b/.github/workflows/validate-pipelines.yaml index c471c1b5..42e1edc9 100644 --- a/.github/workflows/validate-pipelines.yaml +++ b/.github/workflows/validate-pipelines.yaml @@ -17,7 +17,7 @@ jobs: outputs: gocd: ${{ steps.changes.outputs.gocd }} steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 # v5 - name: Check for relevant file changes uses: getsentry/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 id: changes 
@@ -39,7 +39,7 @@ jobs: id-token: "write" steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 # v5 - id: 'auth' uses: google-github-actions/auth@v3 with: From 1aa54d2f40fad0a79b0d0a8250f525134eb63083 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Mon, 12 Jan 2026 12:21:43 +0000 Subject: [PATCH 06/23] fix: Clean up action version comments --- .github/workflows/changelog.yaml | 2 +- .github/workflows/ci.yaml | 4 ++-- .github/workflows/codeql.yaml | 2 +- .github/workflows/image.yaml | 8 ++++---- .github/workflows/release.yaml | 4 ++-- .github/workflows/validate-pipelines.yaml | 4 ++-- 6 files changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/changelog.yaml b/.github/workflows/changelog.yaml index 242ef511..0fe79371 100644 --- a/.github/workflows/changelog.yaml +++ b/.github/workflows/changelog.yaml @@ -8,7 +8,7 @@ jobs: name: changelog runs-on: ubuntu-latest steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 # v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 0b544c57..40f689e7 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -23,7 +23,7 @@ jobs: lint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 # v5.0.0 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 @@ -78,7 +78,7 @@ jobs: test-vroom: runs-on: ubuntu-latest steps: - - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 # v5.0.0 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 - uses: actions/setup-go@v6 
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml index c1c4ca55..d93f286e 100644 --- a/.github/workflows/codeql.yaml +++ b/.github/workflows/codeql.yaml @@ -40,7 +40,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 # v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/.github/workflows/image.yaml b/.github/workflows/image.yaml index 391dc1d5..36bcec0f 100644 --- a/.github/workflows/image.yaml +++ b/.github/workflows/image.yaml @@ -19,7 +19,7 @@ jobs: if: github.repository_owner == 'getsentry' name: build-${{ matrix.platform }} steps: - - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 # v5.0.0 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Set up Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 @@ -54,7 +54,7 @@ jobs: - build-image if: ${{ github.event_name != 'pull_request' }} steps: - - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 # v5.0.0 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - run: docker login --username '${{ github.actor }}' --password-stdin ghcr.io <<< "$GHCR_TOKEN" env: GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -106,7 +106,7 @@ jobs: needs: - assemble-image steps: - - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 # v5.0.0 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Push built docker image shell: bash run: | 
@@ -149,7 +149,7 @@ jobs: contents: read id-token: write steps: - - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 # v4.2.2 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Build and push image to single-region registry uses: getsentry/action-build-and-push-images@b172ab61a5f7eabd58bd42ce231b517e79947c01 diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index bba12c3f..8a0c758b 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -17,11 +17,11 @@ jobs: steps: - name: Get auth token id: token - uses: actions/create-github-app-token@v1 + uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1 with: app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 # v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: token: ${{ steps.token.outputs.token }} fetch-depth: 0 diff --git a/.github/workflows/validate-pipelines.yaml b/.github/workflows/validate-pipelines.yaml index 42e1edc9..c471c1b5 100644 --- a/.github/workflows/validate-pipelines.yaml +++ b/.github/workflows/validate-pipelines.yaml @@ -17,7 +17,7 @@ jobs: outputs: gocd: ${{ steps.changes.outputs.gocd }} steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 # v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Check for relevant file changes uses: getsentry/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 id: changes @@ -39,7 +39,7 @@ jobs: id-token: "write" steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 # v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - id: 'auth' uses: google-github-actions/auth@v3 with: From 41958755ee15aee51c94868c61dc0a0df1680425 Mon Sep 17 00:00:00 2001 
From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 22:46:56 +0000 Subject: [PATCH 07/23] Update Craft SHA to 1c58bfd57bfd6a967b6f3fc92bead2c42ee698ce --- .github/workflows/release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 8a0c758b..06cf5902 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -26,7 +26,7 @@ jobs: token: ${{ steps.token.outputs.token }} fetch-depth: 0 - name: Prepare release - uses: getsentry/craft@v2 + uses: getsentry/craft@1c58bfd57bfd6a967b6f3fc92bead2c42ee698ce env: GITHUB_TOKEN: ${{ steps.token.outputs.token }} with: From 196d8ab9c963c23175e9210103f4ef71ba79c4ff Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 23:08:47 +0000 Subject: [PATCH 08/23] Add explicit permissions block to image.yaml --- .github/workflows/image.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/image.yaml b/.github/workflows/image.yaml index 36bcec0f..be9c1d77 100644 --- a/.github/workflows/image.yaml +++ b/.github/workflows/image.yaml @@ -6,6 +6,10 @@ on: - main - release/** +permissions: + contents: write + pull-requests: write + jobs: build-image: runs-on: ${{ matrix.os }} From 9acf39c66189befc6ad0bf3680bf01fcad07f05b Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 23:08:51 +0000 Subject: [PATCH 09/23] Add explicit permissions block to release-ghcr-version-tag.yaml --- .github/workflows/release-ghcr-version-tag.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/release-ghcr-version-tag.yaml b/.github/workflows/release-ghcr-version-tag.yaml index d68ad83d..2674e8a3 100644 --- a/.github/workflows/release-ghcr-version-tag.yaml +++ b/.github/workflows/release-ghcr-version-tag.yaml @@ -4,6 +4,10 @@ on: release: types: [prereleased, released] +permissions: + contents: write + pull-requests: write + jobs: release-ghcr-version-tag: runs-on: ubuntu-latest 
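Review bot: The new `uses: getsentry/craft@1c58bfd57bfd6a967b6f3fc92bead2c42ee698ce` line in `release.yaml` carries no version comment, unlike the other pinned actions in the same file (`# v1`, `# v5`), so a reader cannot tell which Craft release the SHA corresponds to or whether it is a tagged release at all. Add the release as a trailing comment, `uses: getsentry/craft@1c58bfd57bfd6a967b6f3fc92bead2c42ee698ce # <craft version>` (placeholder), which also lets update bots track the pin. The same applies to the Craft pins introduced in PATCH 15 and PATCH 16.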
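Review bot: The workflow-level `permissions:` block added to `image.yaml` lists only `contents: write` and `pull-requests: write`, and once such a block exists every scope it does not list is set to `none` for `GITHUB_TOKEN`. Another hunk in this series shows this workflow logging in to `ghcr.io` with `GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}`, which presumably needs `packages: write` unless that job sets its own permissions. The push would then likely start failing, while the token gains write scopes an image build does not obviously need. If a block is wanted here, `contents: read` plus `packages: write` looks like the better fit; verify against the jobs outside this hunk. The identical block added to `release-ghcr-version-tag.yaml` in PATCH 09 raises the same question.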
From b6f71c75072e21eb6407163d88b908a7d89b7ae1 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 23:08:52 +0000 Subject: [PATCH 10/23] Add explicit permissions block to release.yaml --- .github/workflows/release.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 06cf5902..0cbb859b 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -10,6 +10,10 @@ on: required: false schedule: - cron: "0 17 15 * *" +permissions: + contents: write + pull-requests: write + jobs: release: runs-on: ubuntu-latest From 75f1a9c8a72cdce5e4fc6c8b7c9df1dc46ebb055 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 23:18:25 +0000 Subject: [PATCH 11/23] Revert permissions changes to image.yaml --- .github/workflows/image.yaml | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/.github/workflows/image.yaml b/.github/workflows/image.yaml index be9c1d77..391dc1d5 100644 --- a/.github/workflows/image.yaml +++ b/.github/workflows/image.yaml @@ -6,10 +6,6 @@ on: - main - release/** -permissions: - contents: write - pull-requests: write - jobs: build-image: runs-on: ${{ matrix.os }} @@ -23,7 +19,7 @@ jobs: if: github.repository_owner == 'getsentry' name: build-${{ matrix.platform }} steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 # v5.0.0 - name: Set up Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 
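Review bot: The `permissions:` block added to `release.yaml` in PATCH 10 gives `GITHUB_TOKEN` `contents: write` and `pull-requests: write`, but the steps visible in this series authenticate checkout and Craft with the GitHub App token from `steps.token.outputs.token`, not with `GITHUB_TOKEN`. The block does not constrain the App token, and if nothing in the job uses `GITHUB_TOKEN` it can be reduced to `contents: read`. The `jobs:` body continues outside this hunk, so confirm that no later step relies on the write scopes before narrowing it.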
@@ -58,7 +54,7 @@ jobs: - build-image if: ${{ github.event_name != 'pull_request' }} steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 # v5.0.0 - run: docker login --username '${{ github.actor }}' --password-stdin ghcr.io <<< "$GHCR_TOKEN" env: GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -110,7 +106,7 @@ jobs: needs: - assemble-image steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 # v5.0.0 - name: Push built docker image shell: bash run: | @@ -153,7 +149,7 @@ jobs: contents: read id-token: write steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 # v4.2.2 - name: Build and push image to single-region registry uses: getsentry/action-build-and-push-images@b172ab61a5f7eabd58bd42ce231b517e79947c01 From 48f74723e02b1f2504e614f0d0f45680982e5b42 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 23:18:28 +0000 Subject: [PATCH 12/23] Revert permissions changes to release-ghcr-version-tag.yaml --- .github/workflows/release-ghcr-version-tag.yaml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/release-ghcr-version-tag.yaml b/.github/workflows/release-ghcr-version-tag.yaml index 2674e8a3..d68ad83d 100644 --- a/.github/workflows/release-ghcr-version-tag.yaml +++ b/.github/workflows/release-ghcr-version-tag.yaml @@ -4,10 +4,6 @@ on: release: types: [prereleased, released] -permissions: - contents: write - pull-requests: write - jobs: release-ghcr-version-tag: runs-on: ubuntu-latest From 2d3e2bc348bb0b33d700a393e25e047f5bf25fea Mon Sep 17 00:00:00 2001 
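Review bot: This revert of `image.yaml`, titled as a permissions revert, also puts back `actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493` on four lines, and that one SHA is annotated `# v5.0.0` on three of them and `# v4.2.2` on the fourth (hunk `@@ -153,7 +149,7 @@`). One commit cannot be both releases, so at least one comment misstates what is pinned; PATCH 06 had replaced it with `08c6903cd8c0fde910a37f88322edcfb5dd907a8` and `11bd71901bbe5b1630ceea73d27597364c9af683` for those two versions. Verify which release each SHA belongs to and keep the PATCH 06 lines if they are the correct ones, e.g. `- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2`. PATCH 14 restores the same `ff7abcd…` pin in `ci.yaml`.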
From: Burak Yigit Kaya Date: Tue, 13 Jan 2026 23:18:31 +0000 Subject: [PATCH 13/23] Revert permissions changes to release.yaml --- .github/workflows/release.yaml | 50 ++++++++++++++++++---------------- 1 file changed, 26 insertions(+), 24 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 0cbb859b..a68bfbd8 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
@@ -1,38 +1,40 @@ name: release + on: workflow_dispatch: inputs: version: - description: Version to release (or "auto") + description: Version to release (optional) required: false force: - description: Force a release even when there are release-blockers + description: Force a release even when there are release-blockers (optional) required: false + schedule: - - cron: "0 17 15 * *" -permissions: - contents: write - pull-requests: write + # We want the release to be at 9-10am Pacific Time + # We also want it to be 1 hour before the on-prem release + - cron: "0 17 15 * *" jobs: release: runs-on: ubuntu-latest - name: Release a new version + name: "Release a new vroom version" steps: - - name: Get auth token - id: token - uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1 - with: - app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} - private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - with: - token: ${{ steps.token.outputs.token }} - fetch-depth: 0 - - name: Prepare release - uses: getsentry/craft@1c58bfd57bfd6a967b6f3fc92bead2c42ee698ce - env: - GITHUB_TOKEN: ${{ steps.token.outputs.token }} - with: - version: ${{ inputs.version }} - force: ${{ inputs.force }} + - name: Get auth token + id: token + uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4 + with: + app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} + private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} + - uses: actions/checkout@v5.0.0 + with: + token: ${{ steps.token.outputs.token }} + fetch-depth: 0 + - name: Prepare release + uses: getsentry/action-prepare-release@v1 + env: + GITHUB_TOKEN: ${{ steps.token.outputs.token }} + with: + version: ${{ github.event.inputs.version }} + force: ${{ github.event.inputs.force }} + calver: true From 3d6ac31364113f7ecc4377202149c7467fc64804 Mon Sep 17 00:00:00 2001 
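Review bot: The restored `- uses: actions/checkout@v5.0.0` step in `release.yaml` is handed the App token through `token:` but is referenced by tag, while the `create-github-app-token` step just above it is pinned by SHA. Tags can be moved, so pin this one too: `- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0`, the SHA earlier patches in this series used for v5 (check it against the tag before merging). `getsentry/action-prepare-release@v1` is likewise a tag here, though PATCH 15 replaces it with a pinned Craft SHA. PATCH 14 reintroduces `actions/checkout@v5.0.0` in `changelog.yaml`, `codeql.yaml` and `validate-pipelines.yaml` as well.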
From: Burak Yigit Kaya Date: Wed, 14 Jan 2026 00:09:18 +0000 Subject: [PATCH 14/23] fix: revert extraneous changes to non-release workflow files --- .github/workflows/changelog.yaml | 2 +- .github/workflows/ci.yaml | 4 ++-- .github/workflows/codeql.yaml | 2 +- .github/workflows/validate-pipelines.yaml | 4 ++-- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/changelog.yaml b/.github/workflows/changelog.yaml index 0fe79371..f8d49759 100644 --- a/.github/workflows/changelog.yaml +++ b/.github/workflows/changelog.yaml @@ -8,7 +8,7 @@ jobs: name: changelog runs-on: ubuntu-latest steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + - uses: actions/checkout@v5.0.0 - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 40f689e7..0b544c57 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -23,7 +23,7 @@ jobs: lint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 # v5.0.0 with: fetch-depth: 0 @@ -78,7 +78,7 @@ jobs: test-vroom: runs-on: ubuntu-latest steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 # v5.0.0 with: fetch-depth: 0 - uses: actions/setup-go@v6 diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml index d93f286e..f20f9337 100644 --- a/.github/workflows/codeql.yaml +++ b/.github/workflows/codeql.yaml @@ -40,7 +40,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + uses: actions/checkout@v5.0.0 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL 
diff --git a/.github/workflows/validate-pipelines.yaml b/.github/workflows/validate-pipelines.yaml index c471c1b5..d8be8269 100644 --- a/.github/workflows/validate-pipelines.yaml +++ b/.github/workflows/validate-pipelines.yaml @@ -17,7 +17,7 @@ jobs: outputs: gocd: ${{ steps.changes.outputs.gocd }} steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + - uses: actions/checkout@v5.0.0 - name: Check for relevant file changes uses: getsentry/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 id: changes @@ -39,7 +39,7 @@ jobs: id-token: "write" steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + - uses: actions/checkout@v5.0.0 - id: 'auth' uses: google-github-actions/auth@v3 with: From fcd3b86371c1bb3f4b5fae2b894da6aef6870294 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Wed, 14 Jan 2026 11:47:14 +0000 Subject: [PATCH 15/23] build(craft): Fix release workflows and config --- .craft.yml | 11 ++++++----- .github/workflows/release.yaml | 3 +-- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.craft.yml b/.craft.yml index 22df2390..251f73f6 100644 --- a/.craft.yml +++ b/.craft.yml @@ -1,14 +1,13 @@ -minVersion: 1.0.0 -changelogPolicy: auto +minVersion: 2.18.0 artifactProvider: name: none statusProvider: name: github config: contexts: - - 'build-amd64' - - 'build-arm64' - - 'assemble-image' + - build-amd64 + - build-arm64 + - assemble-image targets: - name: github - id: release @@ -22,3 +21,5 @@ targets: targetFormat: '{{{target}}}:latest' versioning: policy: calver +changelog: + policy: auto diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index a68bfbd8..7306f635 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
@@ -31,10 +31,9 @@ jobs: token: ${{ steps.token.outputs.token }} fetch-depth: 0 - name: Prepare release - uses: getsentry/action-prepare-release@v1 + uses: getsentry/craft@1c58bfd57bfd6a967b6f3fc92bead2c42ee698ce env: GITHUB_TOKEN: ${{ steps.token.outputs.token }} with: version: ${{ github.event.inputs.version }} force: ${{ github.event.inputs.force }} - calver: true From 3d405f777793dae604f49b4bfdfcbbcc428648ad Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Wed, 14 Jan 2026 13:17:51 +0000 Subject: [PATCH 16/23] build(craft): Update Craft action to c6e2f04 --- .github/workflows/release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 7306f635..6c652bda 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -31,7 +31,7 @@ jobs: token: ${{ steps.token.outputs.token }} fetch-depth: 0 - name: Prepare release - uses: getsentry/craft@1c58bfd57bfd6a967b6f3fc92bead2c42ee698ce + uses: getsentry/craft@c6e2f04939b6ee67030588afbb5af76b127d8203 env: GITHUB_TOKEN: ${{ steps.token.outputs.token }} with: From 3c3f252962d93d6f6cc881f43418b29e0416d886 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Wed, 14 Jan 2026 21:49:27 +0000 Subject: [PATCH 17/23] chore: remove legacy changelog workflow --- .github/workflows/changelog.yaml | 18 ------------------ 1 file changed, 18 deletions(-) delete mode 100644 .github/workflows/changelog.yaml diff --git a/.github/workflows/changelog.yaml b/.github/workflows/changelog.yaml deleted file mode 100644 index f8d49759..00000000 --- a/.github/workflows/changelog.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -name: changelog -on: - pull_request: - types: [opened, synchronize, reopened, edited, ready_for_review] - -jobs: - build: - name: changelog - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v5.0.0 - - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - script: | - const changelog = require('./.github/actions/changelog/index.js') - await changelog({github, context, core}) From 3a287d6af090b7b93ff7bd252f718c791c828033 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Wed, 14 Jan 2026 21:49:37 +0000 Subject: [PATCH 18/23] chore: remove legacy changelog action file .gitignore --- .github/actions/changelog/.gitignore | 2 -- 1 file changed, 2 deletions(-) delete mode 100644 .github/actions/changelog/.gitignore diff --git a/.github/actions/changelog/.gitignore b/.github/actions/changelog/.gitignore deleted file mode 100644 index 504afef8..00000000 --- a/.github/actions/changelog/.gitignore +++ /dev/null @@ -1,2 +0,0 @@ -node_modules/ -package-lock.json From 5ed7b019dec0834d18608f4f2ebdbcbf9fb32f23 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Wed, 14 Jan 2026 21:49:38 +0000 Subject: [PATCH 19/23] chore: remove legacy changelog action file README.md --- .github/actions/changelog/README.md | 11 ----------- 1 file changed, 11 deletions(-) delete mode 100644 .github/actions/changelog/README.md diff --git a/.github/actions/changelog/README.md b/.github/actions/changelog/README.md deleted file mode 100644 index 78d58832..00000000 --- a/.github/actions/changelog/README.md +++ /dev/null 
@@ -1,11 +0,0 @@ -# Changelog Checker - -This is a custom script to check if the changelog files contain the entry for the current pull request. - - -### Development - -To make any contributions or changes to this code you must make sure that you have `node` installed. Once you have it, just -run `npm install` in this folder to install all the dependencies. - -The main entry point is `changelog.js` file. This file contain all the supported checks. From 199027b382d21777946e4f6f707f7fc19af02bf5 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Wed, 14 Jan 2026 21:49:39 +0000 Subject: [PATCH 20/23] chore: remove legacy changelog action file index.js --- .github/actions/changelog/index.js | 96 ------------------------------ 1 file changed, 96 deletions(-) delete mode 100644 .github/actions/changelog/index.js diff --git a/.github/actions/changelog/index.js b/.github/actions/changelog/index.js deleted file mode 100644 index ac409983..00000000 --- a/.github/actions/changelog/index.js +++ /dev/null 
@@ -1,96 +0,0 @@
-module.exports = async ({github, context, core}) => {
- const PR_LINK = `[#${context.payload.pull_request.number}](${context.payload.pull_request.html_url})`;
-
- function getCleanTitle(title) {
- // remove fix(component): prefix
- title = title.split(': ').slice(-1)[0].trim();
- // remove links to JIRA tickets, i.e. a suffix like [ISSUE-123]
- title = title.split('[')[0].trim();
- // remove trailing dots
- title = title.replace(/\.+$/, '');
-
- return title;
- }
-
- function getChangelogDetails(title) {
- return `
- For changes to the _vroom_, please add an entry to \`CHANGELOG.md\` under the following heading:
- 1. **Features**: For new user-visible functionality.
- 2. **Bug Fixes**: For user-visible bug fixes.
- 3. **Internal**: For features and bug fixes in internal operation, especially processing mode.
- To the changelog entry, please add a link to this PR (consider a more descriptive message):
- \`\`\`md
- - ${title}. (${PR_LINK})
- \`\`\`
- If none of the above apply, you can opt out by adding _#skip-changelog_ to the PR description.
- `;
- }
-
- function logOutputError(title) {
- core.info('');
- core.info('\u001b[1mInstructions and example for changelog');
- core.info(getChangelogDetails(title));
- core.info('');
- core.info('\u001b[1mSee check status:');
- core.info(
- `https://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`
- );
- }
-
- async function containsChangelog(path) {
- const {data} = await github.rest.repos.getContent({
- owner: context.repo.owner,
- repo: context.repo.repo,
- ref: context.ref,
- path,
- });
- const buf = Buffer.alloc(data.content.length, data.content, data.encoding);
- const fileContent = buf.toString();
- return fileContent.includes(PR_LINK);
- }
-
- async function checkChangelog(pr) {
- if ((pr.body || '').includes('#skip-changelog')) {
- core.info('#skip-changelog is set. Skipping the checks.');
- return;
- }
-
- const hasChangelog = (await containsChangelog('CHANGELOG.md'));
-
- if (!hasChangelog) {
- core.error('Please consider adding a changelog entry for the next release.', {
- title: 'Missing changelog entry.',
- file: 'CHANGELOG.md',
- startLine: 3,
- });
- const title = getCleanTitle(pr.title);
- core.summary
- .addHeading('Instructions and example for changelog')
- .addRaw(getChangelogDetails(title))
- .write();
- core.setFailed('CHANGELOG entry is missing.');
- logOutputError(title);
- return;
- }
-
- core.summary.clear();
- core.info("CHANGELOG entry is added, we're good to go.");
- }
-
- async function checkAll() {
- const {data: pr} = await github.rest.pulls.get({
- owner: context.repo.owner,
- repo: context.repo.repo,
- pull_number: context.payload.pull_request.number,
- });
-
- // While in draft mode, skip the check because changelogs often cause merge conflicts.
- if (pr.merged || pr.draft) {
- return;
- }
-
- await checkChangelog(pr);
- }
-
- await checkAll();
-};
From b8e9c8acb6cc769d817696b15b66814c82e37b2b Mon Sep 17 00:00:00 2001
From: Burak Yigit Kaya
Date: Wed, 14 Jan 2026 21:49:40 +0000
Subject: [PATCH 21/23] chore: remove legacy changelog action file package.json
---
 .github/actions/changelog/package.json | 26 --------------------------
 1 file changed, 26 deletions(-)
 delete mode 100644 .github/actions/changelog/package.json
diff --git a/.github/actions/changelog/package.json b/.github/actions/changelog/package.json
deleted file mode 100644
index 70e3c894..00000000
--- a/.github/actions/changelog/package.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "name": "ChangelogChecker",
- "version": "1.0.0",
- "description": "Makes sure that the CHANGELOG.md has the entry for the current pull request.",
- "main": "index.js",
- "scripts": {
- "format": "prettier --write index.js"
- },
- "repository": {
- "type": "git",
- "url": "git+https://github.com/getsentry/relay.git"
- },
- "author": "Oleksandr Kylymnychenko ",
- "license": "MIT",
- "bugs": {
- "url": "https://github.com/getsentry/relay/issues"
- },
- "homepage": "https://github.com/getsentry/relay#readme",
- "dependencies": {
- "@actions/core": "^1.10.0",
- "@actions/github": "^5.1.1"
- },
- "devDependencies": {
- "prettier": "2.8.0"
- }
-}
From 95b2134f9db6d1df5ec3e1850b337f7dc7de7dc8 Mon Sep 17 00:00:00 2001
From: Burak Yigit Kaya
Date: Wed, 14 Jan 2026 21:49:41 +0000
Subject: [PATCH 22/23] chore: remove legacy changelog action file prettier.config.js
---
 .github/actions/changelog/prettier.config.js | 12 ------------
 1 file changed, 12 deletions(-)
 delete mode 100644 .github/actions/changelog/prettier.config.js
diff --git a/.github/actions/changelog/prettier.config.js b/.github/actions/changelog/prettier.config.js
deleted file mode 100644
index e10965b6..00000000
--- a/.github/actions/changelog/prettier.config.js
+++ /dev/null
@@ -1,12 +0,0 @@
-/* eslint-env node */
-module.exports = {
- bracketSpacing: false,
- bracketSameLine: false,
- printWidth: 90,
- semi: true,
- singleQuote: true,
- tabWidth: 2,
- trailingComma: 'es5',
- useTabs: false,
- arrowParens: 'avoid',
-};
From eb2bd8e5bc371cc7265c136fa3305371797156ab Mon Sep 17 00:00:00 2001
From: Burak Yigit Kaya
Date: Wed, 14 Jan 2026 22:22:03 +0000
Subject: [PATCH 23/23] chore: add unlabeled trigger to changelog-preview
---
 .github/workflows/changelog-preview.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/changelog-preview.yml b/.github/workflows/changelog-preview.yml
index 5883c004..30c6083c 100644
--- a/.github/workflows/changelog-preview.yml
+++ b/.github/workflows/changelog-preview.yml
@@ -7,6 +7,7 @@ on:
 - reopened
 - edited
 - labeled
+ - unlabeled
 permissions:
 contents: write
 pull-requests: write
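Review bot: The `permissions:` block that follows the new `- unlabeled` entry grants `contents: write` and `pull-requests: write`, and nothing in the hunk documents why a changelog preview needs write access to repository contents; each activity type added to `types` is one more event that starts the job with that token. I would put a comment on the grant naming the step that needs it, for example `# contents: write is required by <step> (confirm)`, or lower it to `contents: read` if the called job only posts a comment; the job definition is outside this hunk, so which of the two applies cannot be verified here. A one-line comment above the new entry, such as `# re-run when a label is removed so the preview matches the current labels`, would also record the intent, which I am inferring from the commit subject.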