build(release): migrate to Craft #1232
Conversation
- Remove @changesets/cli and @svitejs/changesets-changelog-github-compact
- Remove changeset:add, changeset:consume, changeset:publish scripts
- Delete prepare-publish.yml workflow
- Add .craft.yml with auto versioning and changelog generation
- Add scripts/bump-version.sh to update package versions
- Add .github/release.yml for conventional commit changelog categories

Craft will automatically determine version bumps from conventional commits (feat: → minor, fix: → patch, feat!: → major).

- Update build.yml to trigger on release/** branches
- Add release.yml using Craft's reusable release workflow
- Update publish.yml to trigger on changelog changes
- Add changelog-preview.yml for PR changelog comments
- Update changesets.mdx to explain conventional commits
- Update releases.mdx to document new Craft release process
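The commit message above states the conventional-commit to semver mapping (feat: → minor, fix: → patch, feat!: → major). The POSIX shell script below is an added example, not Craft's implementation and not code from this repository: it classifies a commit subject, also honouring the `BREAKING CHANGE:` footer form from the Conventional Commits specification, picks the strongest bump across a set of commits, and applies it to a version. Mapping every type other than feat/fix to "no bump" is an assumption made for this example; the commit message does not say how Craft treats those. The sample commit messages are constructed.

```shell
#!/usr/bin/env sh
# Added example, not Craft's implementation and not code from this repository.
# Maps conventional commits to a semver bump (feat: -> minor, fix: -> patch,
# feat!: -> major) and applies the strongest bump to a MAJOR.MINOR.PATCH version.

# Print major|minor|patch|none for one full commit message (subject + body).
# Assumption for this example: types other than feat/fix (docs:, chore:, ...)
# do not bump the version on their own.
bump_for_commit() {
  subject=$(printf '%s\n' "$1" | head -n 1)
  # `type!: ...` or `type(scope)!: ...` marks a breaking change.
  case "$subject" in
    *')!: '*|[a-z]*'!: '*) echo major; return ;;
  esac
  # So does a BREAKING CHANGE: / BREAKING-CHANGE: footer in the body.
  if printf '%s\n' "$1" | grep -Eq '^BREAKING[ -]CHANGE:'; then
    echo major
    return
  fi
  case "$subject" in
    feat:*|'feat('*'):'*) echo minor ;;
    fix:*|'fix('*'):'*)   echo patch ;;
    *)                    echo none ;;
  esac
}

# The strongest bump across several commits wins: major > minor > patch > none.
highest_bump() {
  result=none
  for b in "$@"; do
    case "$b:$result" in
      major:*)                result=major ;;
      minor:patch|minor:none) result=minor ;;
      patch:none)             result=patch ;;
    esac
  done
  echo "$result"
}

# Apply a bump to MAJOR.MINOR.PATCH; "none" returns the version unchanged.
next_version() {
  version=$1
  bump=$2
  major=${version%%.*}
  rest=${version#*.}
  minor=${rest%%.*}
  patch=${rest#*.}
  case "$bump" in
    major) major=$((major + 1)); minor=0; patch=0 ;;
    minor) minor=$((minor + 1)); patch=0 ;;
    patch) patch=$((patch + 1)) ;;
  esac
  echo "$major.$minor.$patch"
}

# Constructed sample commits (not from the repository history) since 1.2.3.
bumps=""
for msg in 'docs: update releases.mdx' \
           'fix(ui): keep scroll position after refresh' \
           'feat: add changelog preview workflow'; do
  bumps="$bumps $(bump_for_commit "$msg")"
done
bump=$(highest_bump $bumps)
echo "commits since 1.2.3 call for a $bump bump -> $(next_version 1.2.3 "$bump")"
```

Only the first line of the message is inspected for the type and the `!` marker; the footer check scans the whole body because the specification puts `BREAKING CHANGE:` there, and either form alone is enough to force a major bump.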
Semver Impact of This PR: 🟢 Patch (bug fixes)
📋 Changelog Preview: This is how your changes will appear in the changelog.
New Features ✨
Bug Fixes 🐛
Ui
Other
Documentation 📚
Website
Other
Build / dependencies / internal 🔧
Release
Other
Other
🤖 This preview updates automatically when you update the PR.
| name: Preview Changelog | ||
| uses: getsentry/craft/.github/workflows/changelog-preview.yml@v2 | ||
| secrets: inherit |
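Review bot: this caller passes `secrets: inherit` to a reusable workflow referenced by the mutable tag `@v2` and declares no `permissions:` of its own (the CodeQL finding on this file), so every repository secret plus the default `GITHUB_TOKEN` scope reach whatever that tag resolves to at run time. Add a root-level `permissions:` block with only the scopes the preview needs (`contents: read`, plus `pull-requests: write` if the called workflow posts the PR comment, since a called workflow's token cannot exceed the caller's grant), and pin the `uses:` reference to the full commit SHA of the audited Craft release rather than `@v2`.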
Check warning
Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 6 days ago)
To fix the problem, add an explicit permissions block that restricts the default GITHUB_TOKEN access for this workflow. Because this workflow is only orchestrating a reusable workflow and does not itself perform any direct repository mutations, a safe and conservative default is contents: read. This adheres to the principle of least privilege while still allowing typical read operations (like fetching code) if needed by the reusable workflow.
The best way to fix this without changing existing functionality is:
- Add a `permissions` block at the root level of `.github/workflows/changelog-preview.yml`, alongside `name` and `on`, so that it applies to all jobs in the workflow (including the `changelog-preview` job).
- Set `contents: read` as the minimal permission. If the reusable workflow needs additional scopes (for example, `pull-requests: write`), those should be added there, but we will not assume extra needs beyond `contents: read` since we cannot see the implementation of the reusable workflow and we must avoid altering behavior more than necessary.
Concretely:
- In `.github/workflows/changelog-preview.yml`, after the `name: Changelog Preview` line, insert:
  permissions:
    contents: read
No imports or additional methods are required, as this is a YAML configuration change only.
| @@ -3,6 +3,8 @@ | ||
| # https://getsentry.github.io/craft/ | ||
|
|
||
| name: Changelog Preview | ||
| permissions: | ||
| contents: read | ||
| on: | ||
| pull_request: | ||
| types: [opened, synchronize, reopened, edited, labeled, unlabeled] |
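The autofix above adds a root-level `permissions:` block. As an added check that is not part of this PR, the Copilot autofix, or the Craft project, the POSIX shell functions below audit a caller workflow for the two least-privilege issues visible in this file: a missing root-level `permissions:` key (the CodeQL finding) and `secrets: inherit` passed to a reusable workflow whose `uses:` reference is not pinned to a 40-character commit SHA. The two workflow files are constructed samples; the `pull-requests: write` scope in the hardened one is an assumption about what the preview comment needs, and its all-zero SHA is a placeholder, not a real Craft commit.

```shell
#!/usr/bin/env sh
# Added example, not code from this repository, the Copilot autofix, or Craft.
# Audits a caller workflow for two least-privilege issues: no root-level
# `permissions:` key (CodeQL: "Workflow does not contain permissions"), and
# `secrets: inherit` handed to a reusable workflow referenced by a mutable
# tag or branch rather than a full 40-hex commit SHA.

# 0 if the file declares `permissions:` at column 0 (workflow scope), else 1.
# Job-level blocks are indented and do not count: a job without one still
# falls back to the repository default token scope.
workflow_has_root_permissions() {
  grep -Eq '^permissions:' "$1"
}

# 0 if the file uses `secrets: inherit` and at least one `uses:` reference is
# not pinned to a full commit SHA, else 1.
workflow_inherits_secrets_unpinned() {
  grep -Eq '^[[:space:]]*secrets:[[:space:]]*inherit[[:space:]]*$' "$1" || return 1
  grep -E '^[[:space:]]*(-[[:space:]]*)?uses:[[:space:]]*[^[:space:]]+@[^[:space:]]+' "$1" |
    grep -Evq '@[0-9a-f]{40}[[:space:]]*$'
}

# Print findings to stderr and the number of findings to stdout.
audit_workflow() {
  findings=0
  if ! workflow_has_root_permissions "$1"; then
    echo "$1: no root-level permissions: block (GITHUB_TOKEN keeps the repository default scope)" >&2
    findings=$((findings + 1))
  fi
  if workflow_inherits_secrets_unpinned "$1"; then
    echo "$1: secrets: inherit passed to a reusable workflow not pinned to a commit SHA" >&2
    findings=$((findings + 1))
  fi
  echo "$findings"
}

# Constructed sample inputs (not the repository's real files): the caller as
# written in this PR, and a hardened version. The all-zero SHA is a placeholder.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/before.yml" <<'EOF'
name: Changelog Preview
on:
  pull_request:
    types: [opened, synchronize, reopened, edited, labeled, unlabeled]
jobs:
  changelog-preview:
    uses: getsentry/craft/.github/workflows/changelog-preview.yml@v2
    secrets: inherit
EOF
cat > "$tmpdir/after.yml" <<'EOF'
name: Changelog Preview
permissions:
  contents: read
  pull-requests: write   # assumption: needed only if the called workflow posts the PR comment
on:
  pull_request:
    types: [opened, synchronize, reopened, edited, labeled, unlabeled]
jobs:
  changelog-preview:
    # placeholder SHA: replace with the commit the audited Craft tag resolves to
    uses: getsentry/craft/.github/workflows/changelog-preview.yml@0000000000000000000000000000000000000000
    secrets: inherit
EOF

for f in before after; do
  echo "$f.yml: $(audit_workflow "$tmpdir/$f.yml") finding(s)"
done
```

The checks are deliberately textual so they can run in a pre-commit hook without a YAML parser; a root-level key is recognised purely by its column-0 position, which is exactly the distinction the CodeQL rule draws between workflow-wide and job-level `permissions`.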
- Update .craft.yml with proper npm and github targets
- Simplify publish.yml to only handle Docker and Electron
- NPM publishing and GitHub releases now handled by getsentry/publish
- Trigger post-release workflow on release:published event

The release flow is now:
1. release.yml -> craft prepare -> creates publish issue
2. getsentry/publish -> craft publish -> npm + GitHub release
3. publish.yml -> Docker tagging + Electron signing
BYK
left a comment
Nice! Follow up:
- Also remove that annoying PR template please
- Me to do NPM org/token shenanigans
Explains how the Craft + getsentry/publish release flow works, including the Post-Release workflow for Docker and Electron.
- Introduced a new GitHub Actions workflow for building the Electron app on macOS.
- Added steps for setting up dependencies, downloading the Electron build, and validating the build files.
- Implemented storage of Electron binaries as artifacts for future use.
- Updated the .craft.yml to include tagging for Electron binaries in the release process.
- Removed the obsolete post-release workflow file.
BYK
left a comment
2 minor things
| name: github | ||
| config: | ||
| contexts: | ||
| - "Build" |
Status context mismatch may prevent Craft release
Medium Severity
The statusProvider.contexts configuration specifies "Build" as the required status context. However, GitHub Actions status checks are typically named using the format {workflow-name} / {job-name}. Since the workflow is named "Build & Test" and the job is named "Build", the actual status check context will be "Build & Test / Build". If Craft requires an exact match, it won't detect when the build completes, potentially blocking releases. The context should likely be "Build & Test / Build" or use a pattern that matches the full status check name.
| with: | ||
| version: ${{ inputs.version }} | ||
| force: ${{ inputs.force }} | ||
| merge_target: ${{ inputs.merge_target }} |
Release workflow missing pnpm setup for version script
High Severity
The release workflow invokes the Craft action which runs preReleaseCommand: bash scripts/bump-version.sh. This script uses pnpm version to update the package version. However, the workflow doesn't include pnpm/action-setup or actions/setup-node steps before calling Craft. GitHub-hosted runners don't have pnpm pre-installed, so the pnpm version command will fail with "command not found", causing releases to fail.
Additional Locations (1)
| with: | ||
| version: ${{ inputs.version }} | ||
| force: ${{ inputs.force }} | ||
| merge_target: ${{ inputs.merge_target }} |
Release workflow missing pnpm setup for version bump
High Severity
The release.yml workflow invokes Craft which runs preReleaseCommand: bash scripts/bump-version.sh, but the workflow doesn't set up pnpm before running Craft. The bump-version.sh script executes pnpm version on line 19, which will fail because pnpm is not pre-installed on GitHub Actions runners. The build.yml workflow correctly uses pnpm/action-setup@v4 before any pnpm commands, but this setup step is missing from release.yml. This will cause all releases to fail with "pnpm: command not found".
This PR migrates our release management from Changesets to Craft, Sentry's release tool.
Why Craft?
Changes
Removed
- `@changesets/cli` and `@svitejs/changesets-changelog-github-compact` dependencies
- `package.json`
- `prepare-publish.yml` workflow
Added
- `.craft.yml` - Craft configuration with auto versioning and npm/github targets
- `scripts/bump-version.sh` - Version bump script called by Craft
- `.github/release.yml` - Changelog categories for conventional commits
- `.github/workflows/release.yml` - Craft release workflow
- `.github/workflows/changelog-preview.yml` - PR changelog previews
Updated
- `.github/workflows/build.yml` - Trigger on release/** branches
- `.github/workflows/publish.yml` - Trigger on changelog changes instead of changeset commit messages
New Release Flow
Tested locally:
