
ci: gate release on CI and Integration Tests passing #28

Merged: ternbusty merged 1 commit into main from ci/release-gate-on-ci on May 10, 2026

Conversation

@ternbusty
Owner

Why

Right now the three workflows fire in parallel on every push to main:

  • ci.yml (lint + build + kotest)
  • integration.yml (ctr + verify scripts)
  • release.yml (release-please + binary upload)

release-please does not wait for ci.yml or integration.yml. If a broken commit lands on main and triggers a release PR merge, the binary upload happens regardless of whether ci or integration is green. A broken commit could produce a broken release.

What

Make ci.yml and integration.yml callable via workflow_call and drop their direct push: main triggers (PR triggers stay so PRs still get independent CI status). release.yml then invokes both as jobs, and release-please / binary-upload depend on them via needs:.

jobs:
  ci:
    uses: ./.github/workflows/ci.yml
  integration:
    uses: ./.github/workflows/integration.yml
  release-please:
    needs: [ci, integration]
    ...
  build-linux-x86_64:
    needs: release-please
    if: needs.release-please.outputs.releases_created == 'true'
    ...

Net behavior

  • PR opened against main: ci.yml + integration.yml run as before, independently.
  • Push to main: only the Release workflow runs, with ci -> integration -> release-please -> binary upload sequencing inside it. If ci or integration fails, release-please is skipped and no binary is uploaded.

The CI / Integration runs that previously appeared as separate top-level workflow runs on main now show up as nested jobs under "Release" in the Actions UI. PR runs are unchanged.

Test plan

  • PR-side CI / Integration runs continue to appear and gate the merge button (this PR itself is the test)
  • After merge, the Release workflow on main runs ci -> integration -> release-please in sequence, not in parallel
  • If a future broken commit lands, no release PR / binary is created
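The following is an added, complete illustration of the gating pattern described in this PR; it is not the project's own workflow files. Both files are shown in one block separated by `---`. The Gradle commands, the artifact path `dist/mytool-linux-x86_64`, the action versions, and the `permissions` layout are assumptions chosen for the example; the job names, the `uses:` references, and the `releases_created` check are the ones from the PR description. Note that in this example `ci` and `integration` have no `needs:` between them, so they run concurrently and `release-please` waits for both; add `needs: ci` to `integration` if strict ordering is wanted.

```yaml
# .github/workflows/ci.yml (added example; assumption: Gradle wrapper drives lint + build + kotest)
name: CI
on:
  pull_request:
    branches: [main]   # PRs still get their own CI status check
  workflow_call:       # lets release.yml run this as a job on the same commit
  # no push: main trigger any more; release.yml is the only workflow on push

permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # In a workflow_call run this checks out the caller's github.sha,
      # so the gate applies to exactly the commit that would be released.
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '21'      # assumption
      - run: ./gradlew check      # assumption: lint + build + kotest
---
# .github/workflows/release.yml (added example)
name: Release
on:
  push:
    branches: [main]

# Called workflows cannot exceed the caller's permissions, so keep the
# default minimal and let individual jobs request what they need.
permissions:
  contents: read

jobs:
  ci:
    uses: ./.github/workflows/ci.yml
  integration:
    uses: ./.github/workflows/integration.yml
    # secrets: inherit   # only if the called workflow actually needs repo secrets

  release-please:
    # Skipped automatically if either dependency fails or is cancelled.
    # Do NOT add `if: always()` here: it would reintroduce the race this PR closes.
    needs: [ci, integration]
    runs-on: ubuntu-latest
    permissions:
      contents: write        # create tags / releases
      pull-requests: write   # open and update the release PR
    outputs:
      releases_created: ${{ steps.release.outputs.releases_created }}
      tag_name: ${{ steps.release.outputs.tag_name }}
    steps:
      - id: release
        uses: googleapis/release-please-action@v4

  build-linux-x86_64:
    needs: release-please
    # Only upload when a release was actually cut on this push.
    if: needs.release-please.outputs.releases_created == 'true'
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '21'      # assumption
      - run: ./gradlew build      # assumption: produces dist/mytool-linux-x86_64
      - run: gh release upload "${{ needs.release-please.outputs.tag_name }}" dist/mytool-linux-x86_64
        env:
          GH_TOKEN: ${{ github.token }}
```

Two checks worth doing after adopting this layout: confirm in the Actions UI that a deliberately failing `ci` run on a branch merged to `main` leaves `release-please` and `build-linux-x86_64` in the skipped state rather than failed-but-continued, and confirm that no job in the chain uses `continue-on-error: true` or `if: always()`, since either would let a red build reach the upload step.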

Before this change, release.yml ran in parallel with ci.yml and
integration.yml on every push to main. release-please created a release
PR (and on merge, the tag + binary) regardless of whether the build or
the containerd integration test was green. A broken commit could
produce a release with a broken binary.

Make ci.yml and integration.yml callable via workflow_call and remove
their direct push-to-main triggers (PR triggers stay so PRs still see
independent CI status). release.yml now invokes both as jobs and
release-please needs them, so the binary-build job only runs when both
have passed on the same commit.

Net behavior:
- PR opened against main: ci.yml + integration.yml run as before.
- Push to main: release.yml runs ci -> integration -> release-please ->
  binary upload, in that order. If ci or integration fails, no release
  PR is created and no binary is uploaded.
ternbusty merged commit b053071 into main on May 10, 2026
2 checks passed
@ternbusty ternbusty deleted the ci/release-gate-on-ci branch May 10, 2026 03:28