[Core] feat: rc release workflow

[IdansPort]

User description

Description

What -
Added a new GitHub Actions workflow (release-rc.yml) for releasing Release Candidate
versions of the Ocean framework.

Why -
To enable companies to test pre-release core changes before they're merged to main.
This allows early validation of new features and bug fixes in production-like environments
without affecting the stable release channel.

How -

• Created a manual dispatch workflow that accepts a source branch and RC version
• Validates version format (X.Y.Z-rcN) and ensures pyproject.toml matches
• Publishes core package to PyPI as a pre-release version (e.g., port-ocean==0.38.0-rc1)
• Creates git tag and GitHub pre-release
• Builds Docker images for ALL integrations with rc- prefix (e.g.,
  ghcr.io/port-labs/port-ocean-aws:rc-0.38.0-rc1)
• Temporarily modifies integration dependencies to use exact RC version (not committed)
• Includes a summary job that reports all artifacts and links

Type of change

Please leave one option from the following and delete the rest:

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• New Integration (non-breaking change which adds a new integration)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Non-breaking change (fix of existing functionality that will not change current behavior)
• Documentation (added/updated documentation)

All tests should be run against the port production environment(using a testing org).

Core testing checklist

• Integration able to create all default resources from scratch
• Resync finishes successfully
• Resync able to create entities
• Resync able to update entities
• Resync able to detect and delete entities
• Scheduled resync able to abort existing resync and start a new one
• Tested with at least 2 integrations from scratch
• Tested with Kafka and Polling event listeners
• Tested deletion of entities that don't pass the selector

Integration testing checklist

• Integration able to create all default resources from scratch
• Completed a full resync from a freshly installed integration and it completed successfully
• Resync able to create entities
• Resync able to update entities
• Resync able to detect and delete entities
• Resync finishes successfully
• If new resource kind is added or updated in the integration, add example raw data, mapping and expected result to the examples folder in the integration directory.
• If resource kind is updated, run the integration with the example data and check if the expected result is achieved
• If new resource kind is added or updated, validate that live-events for that resource are working as expected
• Docs PR link here

Preflight checklist

• Handled rate limiting
• Handled pagination
• Implemented the code in async
• Support Multi account

Screenshots

Include screenshots from your environment showing how the resources of the integration will look.

API Documentation

Provide links to the API documentation used for this integration.

---

PR Type

Enhancement

---

Description

• Added GitHub Actions workflow for releasing RC versions

• Validates version format and pyproject.toml consistency

• Publishes core package to PyPI as pre-release

• Creates git tags and GitHub pre-releases

• Builds Docker images for all integrations with rc- prefix

• Generates comprehensive release summary with artifacts

---

Diagram Walkthrough

flowchart LR
  A["Manual Dispatch<br/>RC Version Input"] --> B["Validate Inputs<br/>Version Format & Tag"]
  B --> C["Publish Core RC<br/>to PyPI"]
  C --> D["Tag Source Branch<br/>& Create Release"]
  C --> E["Prepare Integration<br/>Matrix"]
  E --> F["Build RC Docker<br/>Images"]
  D --> G["Generate Release<br/>Summary"]
  F --> G

Loading

File Walkthrough

Relevant files

Enhancement

release-rc.yml Complete RC release workflow implementation                            .github/workflows/release-rc.yml Created comprehensive GitHub Actions workflow for RC releases triggered via manual dispatch Validates RC version format X.Y.Z-rcN and ensures pyproject.toml version matches Publishes core package to PyPI and waits for availability with retry logic Creates annotated git tags and GitHub pre-releases with auto-generated release notes Builds Docker images for all integrations with rc- prefix, temporarily updating dependencies Includes summary job that reports all job statuses and published artifacts +297/-0

---

[qodo-code-review]

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
⚪	Overbroad secret scope Description: PyPI credentials are exported as global workflow environment variables (PYPI_PASSWORD, PYPI_USERNAME), making them available to all jobs/steps and increasing the blast radius of accidental leakage via logs or via any compromised step in the workflow. release-rc.yml [14-17] Referred Code env: PYPI_PASSWORD: ${{ secrets.PYPI_PASSWORD }} PYPI_USERNAME: ${{ secrets.PYPI_USERNAME }}
	Unpinned action versions Description: Third-party GitHub Actions are referenced by mutable tags (e.g., actions/checkout@v5, actions/setup-python@v5, pypa/gh-action-pypi-publish@release/v1, softprops/action-gh-release@v1) rather than pinned commit SHAs, which creates a supply-chain risk if an upstream tag is moved or compromised. release-rc.yml [26-138] Referred Code uses: actions/checkout@v5 with: ref: ${{ inputs.source_branch }} fetch-depth: 1 - name: Validate version format and pyproject.toml id: validate run: | VERSION="${{ inputs.rc_version }}" # Validate RC version format (X.Y.Z-rcN) if [[ ! "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+-rc[0-9]+$ ]]; then echo "::error::Invalid RC version format. Expected: X.Y.Z-rcN (e.g., 0.38.0-rc1)" exit 1 fi # Check version in pyproject.toml matches PYPROJECT_VERSION=$(grep -E '^version = ".*"' pyproject.toml | cut -d'"' -f2) if [[ "$PYPROJECT_VERSION" != "$VERSION" ]]; then echo "::error::Version in pyproject.toml ($PYPROJECT_VERSION) doesn't match input ($VERSION). Please update pyproject.toml on the source branch first." exit 1 ... (clipped 92 lines)
Ticket Compliance
⚪	🎫 No ticket provided Create ticket/issue
Codebase Duplication Compliance
⚪	Codebase context is not defined Follow the guide to enable codebase context checks.
Custom Compliance
🟢	Generic: Meaningful Naming and Self-Documenting Code Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Error Handling Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Logging Practices Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
🔴	Generic: Robust Error Handling and Edge Case Management Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation Status: Fragile shell scripts: Multiple run: scripts lack strict bash settings and robust checks (e.g., set -euo pipefail and explicit validation of command outputs), risking silent/partial failures when grep, jq, find, sed, or curl/jq pipelines fail or return empty results. Referred Code run: | VERSION="${{ inputs.rc_version }}" # Validate RC version format (X.Y.Z-rcN) if [[ ! "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+-rc[0-9]+$ ]]; then echo "::error::Invalid RC version format. Expected: X.Y.Z-rcN (e.g., 0.38.0-rc1)" exit 1 fi # Check version in pyproject.toml matches PYPROJECT_VERSION=$(grep -E '^version = ".*"' pyproject.toml | cut -d'"' -f2) if [[ "$PYPROJECT_VERSION" != "$VERSION" ]]; then echo "::error::Version in pyproject.toml ($PYPROJECT_VERSION) doesn't match input ($VERSION). Please update pyproject.toml on the source branch first." exit 1 fi echo "version=$VERSION" >> $GITHUB_OUTPUT echo "Version validation passed: $VERSION" - name: Check tag doesn't exist run: | ... (clipped 202 lines) Learn more about managing compliance generic rules or creating your own custom rules
⚪	Generic: Comprehensive Audit Trails Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance. Status: Missing actor logging: The workflow summary logs RC version and source branch but does not explicitly record the triggering user/actor and outcomes in a centralized audit log, requiring verification that GitHub audit logs/retention satisfy audit trail requirements. Referred Code summary: name: RC Release Summary runs-on: ubuntu-latest needs: [validate-inputs, publish-core-rc, tag-source-branch, build-rc-integrations] if: always() steps: - name: Generate summary run: | echo "## RC Release Summary" >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY echo "**Version:** ${{ inputs.rc_version }}" >> $GITHUB_STEP_SUMMARY echo "**Source Branch:** ${{ inputs.source_branch }}" >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY echo "### Job Results" >> $GITHUB_STEP_SUMMARY echo "| Job | Status |" >> $GITHUB_STEP_SUMMARY echo "|-----|--------|" >> $GITHUB_STEP_SUMMARY echo "| Validate Inputs | ${{ needs.validate-inputs.result }} |" >> $GITHUB_STEP_SUMMARY echo "| Publish Core RC | ${{ needs.publish-core-rc.result }} |" >> $GITHUB_STEP_SUMMARY echo "| Tag Source Branch | ${{ needs.tag-source-branch.result }} |" >> $GITHUB_STEP_SUMMARY echo "| Build RC Integrations | ${{ needs.build-rc-integrations.result }} |" >> $GITHUB_STEP_SUMMARY ... (clipped 7 lines) Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Security-First Input Validation and Data Handling Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities Status: Broad secret exposure: PyPI secrets are set at workflow-wide env, making them available to all jobs/steps and requiring verification that this aligns with least-privilege secret handling and that no downstream steps/actions can inadvertently exfiltrate them. Referred Code env: PYPI_PASSWORD: ${{ secrets.PYPI_PASSWORD }} PYPI_USERNAME: ${{ secrets.PYPI_USERNAME }} Learn more about managing compliance generic rules or creating your own custom rules
Update

Compliance status legend

🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

In general, the fix is to explicitly declare minimal GITHUB_TOKEN permissions in the workflow, rather than relying on repository or organization defaults. Since the shown jobs only need to read repository contents (for actions/checkout) and do not write to the repository, we can set contents: read at the workflow level. This will apply to all jobs unless they override permissions individually.

The single best way to fix this without changing functionality is to add a root-level permissions block directly under the name: Release RC line (before on:). Set contents: read as the starting point; no other scopes appear necessary for the code shown. This keeps behavior the same while documenting and constraining the token. No new imports, actions, or commands are required; it is purely a YAML configuration change in .github/workflows/release-rc.yml.

To fix the problem, add an explicit permissions block specifying the minimal required GITHUB_TOKEN scope. Since the publish-core-rc job only needs to read the repository contents (to check out and build) and does not push code or modify GitHub resources, it can safely use contents: read. Other scopes (issues, pull-requests, packages, etc.) are not used here.

The best minimally invasive fix is to add a job-level permissions block under publish-core-rc:. This documents the job’s needs and prevents it from inheriting broader repository or organization defaults. Concretely, in .github/workflows/release-rc.yml, within the publish-core-rc job definition (around lines 80–84), add:

  publish-core-rc:
    name: Publish RC core to PyPI
    needs: validate-inputs
    runs-on: ubuntu-latest
    permissions:
      contents: read

No imports, methods, or additional definitions are needed; this is a pure workflow configuration change and does not alter the functional behavior of the job, only the permissions of GITHUB_TOKEN.

In general, the fix is to explicitly declare minimal GITHUB_TOKEN permissions for any job or workflow that omits them, rather than relying on repository defaults. For this specific case, the prepare-matrix job checks out the repository and reads files via shell commands; it does not push commits, create tags, releases, or interact with packages. Therefore, it only requires contents: read.

The best fix without changing existing functionality is to add a permissions block to the prepare-matrix job with contents: read. This keeps the job’s behavior unchanged while ensuring that, even if the repo/org default token permissions are broader, this job will only have read access to repository contents. Concretely, in .github/workflows/release-rc.yml, under the prepare-matrix job (around line 190), insert:

permissions:
  contents: read

aligned with the existing job keys (name, runs-on, needs, etc.). No imports or additional definitions are needed, as this is pure workflow configuration.

[qodo-code-review]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
General	Use Poetry to update dependencies Replace the fragile sed command with poetry add to robustly update the port-ocean dependency in pyproject.toml. .github/workflows/release-rc.yml [234-248] - name: Update integration to use RC core version run: | RC_VERSION="${{ inputs.rc_version }}" INTEGRATION_DIR="${{ steps.prepare_tags.outputs.context_dir }}" - PYPROJECT_FILE="$INTEGRATION_DIR/pyproject.toml" - echo "Updating $PYPROJECT_FILE to use port-ocean==$RC_VERSION" + echo "Updating $INTEGRATION_DIR/pyproject.toml to use port-ocean==$RC_VERSION" - # Replace the port_ocean dependency line with exact RC version - # Match patterns like: port_ocean = {version = "^0.37.1", extras = ["cli"]} - # Replace with: port_ocean = {version = "==X.Y.Z-rcN", extras = ["cli"]} - sed -i "s/port_ocean = {version = \"[^\"]*\"/port_ocean = {version = \"==$RC_VERSION\"/g" "$PYPROJECT_FILE" + cd "$INTEGRATION_DIR" + poetry add "port-ocean==$RC_VERSION" echo "Updated pyproject.toml:" - grep "port_ocean" "$PYPROJECT_FILE" + grep "port_ocean" "pyproject.toml" Apply / Chat Suggestion importance[1-10]: 7 __ Why: The suggestion correctly identifies that using sed to modify the pyproject.toml file is brittle and replaces it with the more robust and idiomatic poetry add command, improving the workflow's reliability.	Medium
	Clarify Docker image placeholder Clarify the Docker image placeholder in the summary output by changing {integration} to to avoid confusion. .github/workflows/release-rc.yml [293-296] - name: Generate summary run: | echo "### Published Artifacts" >> $GITHUB_STEP_SUMMARY echo "- **PyPI:** \`pip install port-ocean==${{ inputs.rc_version }}\`" >> $GITHUB_STEP_SUMMARY - echo "- **Docker Images:** \`ghcr.io/port-labs/port-ocean-{integration}:rc-${{ inputs.rc_version }}\`" >> $GITHUB_STEP_SUMMARY + echo "- **Docker Images:** \`ghcr.io/port-labs/port-ocean-<integration>:rc-${{ inputs.rc_version }}\`" >> $GITHUB_STEP_SUMMARY echo "- **GitHub Release:** [v${{ inputs.rc_version }}](https://github.com/${{ github.repository }}/releases/tag/v${{ inputs.rc_version }})" >> $GITHUB_STEP_SUMMARY [To ensure code accuracy, apply this suggestion manually] Suggestion importance[1-10]: 2 __ Why: This is a minor stylistic suggestion to improve the clarity of a placeholder in the summary output, which has a very low impact on functionality.	Low
Possible issue	Avoid unintended dependency updates Remove the || poetry lock fallback to ensure the workflow fails fast on dependency conflicts instead of potentially introducing unintended package updates. .github/workflows/release-rc.yml [250-255] - name: Regenerate poetry.lock with RC core run: | cd ${{ steps.prepare_tags.outputs.context_dir }} echo "Regenerating poetry.lock for ${{ steps.prepare_tags.outputs.type }}..." - poetry lock --no-update || poetry lock + poetry lock --no-update echo "poetry.lock regenerated successfully" Apply / Chat Suggestion importance[1-10]: 6 __ Why: The suggestion correctly points out that the fallback to poetry lock could mask dependency issues or cause unintended upgrades, and recommends failing fast for a more predictable and stable build process.	Low
Update