Add live Slack notifications to release workflow#4046
Post a single message to Slack when a release starts, then update it with threaded replies as each sub-job completes (PyPI publish, release notes, downstream testing, post-release PR, CLI skill sync). A final job updates the original message with overall success/failure status and adds an emoji reaction. Each thread reply includes relevant links (PyPI history, GitHub releases, downstream compare URLs, PR links). The Slack announcement file is uploaded as a thread attachment. All Slack steps use continue-on-error so failures never block the release. Notifications are skipped during dry runs. Requires: SLACK_BOT_TOKEN secret (chat:write, reactions:write, files:write scopes) and SLACK_CHANNEL_ID repository variable. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
The docs for this PR live here. All of your documentation changes will be reflected on that endpoint. The docs are available until 30 days after the last update.
- Include needs.prepare.result in the failure detection loop. If prepare fails after posting the Slack message (e.g. during git push), message_ts is set but nothing was published — without this check, the final message would incorrectly report success. - Add continue-on-error: true to match every other Slack step, so a Slack API failure doesn't cause the workflow to report as failed. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Cursor Bugbot has reviewed your changes and found 1 potential issue.
In bash double quotes, \n is a literal backslash + n, not a newline. When passed through jq --arg, Slack receives the two-character string \n instead of a newline, breaking the block quote rendering. Use $'\n' concatenation to inject a real newline character. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
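Added example, not code from the PR or the huggingface_hub workflow: a bash sketch of the two points the commits above make for the final slack-complete step. First, the overall-status loop has to include the prepare job's result, because prepare can fail after message_ts is already exported; second, a newline in the thread text has to be written as $'\n', since "\n" inside double quotes is a backslash followed by n and jq --arg passes those two characters through unchanged. Job names, results, the channel ID, timestamp and URL are constructed sample values, and jq is only needed for the payload function.

```shell
#!/usr/bin/env bash
# Added example, not code from the PR: the two pieces of the final slack-complete
# step. (1) the overall status must include the prepare job's result, because
# prepare can fail after message_ts is already set; (2) a newline must be written
# as $'\n', since "\n" in double quotes is backslash + n and jq --arg keeps it so.
# Job names, results, channel ID, timestamp and URL are constructed sample values.

# overall_status job=result ... -> "completed" or "failed"
# Mirrors needs.<job>.result values (success, failure, cancelled, skipped).
# A skipped job is not a failure: dependants are skipped when a dependency fails,
# and that dependency's own "failure" is what flips the status.
overall_status() {
  local pair
  for pair in "$@"; do
    case "${pair#*=}" in
      failure|cancelled) echo "failed"; return 0 ;;
    esac
  done
  echo "completed"
}

# Broken: "\n" inside double quotes is a literal backslash followed by n.
final_text_broken() {
  printf '%s' "Release $1 $2\n> PyPI: $3"
}

# Fixed: close the double quotes, splice in $'\n', then reopen them.
final_text_fixed() {
  printf '%s' "Release $1 $2"$'\n'"> PyPI: $3"
}

# 0 if the string contains a real newline character, 1 otherwise.
has_real_newline() {
  case "$1" in
    *$'\n'*) return 0 ;;
    *)       return 1 ;;
  esac
}

# Number of lines Slack would render for the text.
line_count() {
  printf '%s\n' "$1" | wc -l | tr -d ' '
}

# chat.update body built with jq --arg, which JSON-escapes the text exactly once:
# a real newline becomes \n in the JSON, a literal backslash-n becomes \\n.
build_update_payload() {
  command -v jq >/dev/null 2>&1 || { echo "jq is required" >&2; return 1; }
  jq -cn --arg channel "$1" --arg ts "$2" --arg text "$3" \
    '{channel: $channel, ts: $ts, text: $text}'
}

demo() {
  local status text
  status=$(overall_status prepare=failure publish-pypi=skipped release-notes=skipped)
  text=$(final_text_fixed "v9.9.9-example" "$status" "https://pypi.org/project/example-pkg/#history")
  echo "status: $status  lines rendered: $(line_count "$text")"
  if command -v jq >/dev/null 2>&1; then
    build_update_payload "C0000000000" "1700000000.000100" "$text"
  fi
}

demo
```

Because jq --arg escapes its input exactly once, the defect is visible in the payload itself: the fixed text produces a JSON string containing `\n`, the broken one produces `\\n`, and Slack renders the latter as two literal characters instead of starting the `>` block quote on a new line.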
hanouticelina
left a comment
conceptually looks good to me ✅
| - name: Install dependencies | ||
| run: pip install PyGithub | ||
|
|
||
| - name: Install OpenCode |
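Review bot: the Install dependencies step runs `pip install PyGithub` with no version pin, so every release run resolves whatever PyGithub release PyPI serves at that moment; pin it (`pip install 'PyGithub==<version>'`, with the placeholder filled in) or install from a requirements file with `--require-hashes`, so this step gets the same reproducibility the OpenCode install gained later in this PR.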
It would be nice to check the installed version beforehand and verify the hash/checksum to avoid a supply chain attack.
| pull-requests: write | ||
|
|
||
| jobs: | ||
| # ============================================================ |
permissions:
contents: write
| # ============================================================ | ||
| # 2. PUBLISH — PyPI (huggingface_hub) | ||
| # ============================================================ | ||
| publish-pypi: |
probably enough
permissions:
contents: read
| # 3. PUBLISH — PyPI (hf CLI) | ||
| # ============================================================ | ||
| publish-hf-cli: | ||
| needs: prepare |
probably enough
permissions:
contents: read
| # to the final version (removing prerelease flag). | ||
| # ============================================================ | ||
| release-notes: | ||
| needs: prepare |
probably enough
permissions:
contents: write
| # 4b. SLACK MESSAGE — generate Slack announcement for prereleases | ||
| # ============================================================ | ||
| slack-message: | ||
| needs: [prepare, release-notes] |
permissions:
contents: read
| # 5. DOWNSTREAM TESTING — test RC in transformers, datasets, etc. | ||
| # ============================================================ | ||
| test-downstream: | ||
| needs: [prepare, publish-pypi] |
permissions:
contents: read
| # ============================================================ | ||
| # 6. POST-RELEASE — open PR to bump main to next dev version | ||
| # ============================================================ | ||
| post-release: |
permissions:
contents: none ? due to github app (to verify)
| # ============================================================ | ||
| # 7. SYNC HF CLI SKILL — update skill docs in skills repo | ||
| # ============================================================ | ||
| sync-hf-cli-skill: |
permissions:
contents: read
|
|
||
| permissions: | ||
| contents: write | ||
| pull-requests: write |
permissions:
contents: write => better to remove from here and add separately on each job (read or write)
pull-requests: write => IMO not needed
permissions: {}
Apply least-privilege permissions per job instead of broad top-level write access. Pin OpenCode install to a specific version. Move workflow inputs to env blocks to prevent script injection. Addresses security review from paulinebm in #4046. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
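Added example, not the project's workflow code: a bash simulation of why the commit above moves workflow inputs into env: blocks. GitHub substitutes a `${{ inputs.version }}` expression into the step script as text before bash runs, so the input can alter the script itself, whereas a value read from an environment variable is only ever data. The step template, the environment variable name RELEASE_VERSION and the sample inputs are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example, not the project's workflow code: why the commit moves workflow
# inputs into env: blocks. GitHub expands ${{ inputs.version }} into the step
# script as text before bash ever runs, so the input can change the script;
# a value read from the environment is only data. The step template and the
# sample inputs below are constructed for this example.

# Simulates GitHub's textual expansion of
#   run: echo "Tagging ${{ inputs.version }}"
# and returns the script bash would receive.
render_inline_step() {
  printf 'echo "Tagging %s"' "$1"
}

# Runs the expanded script in a fresh bash, as the runner would.
run_inline_step() {
  bash -c "$(render_inline_step "$1")" 2>/dev/null
}

# Hardened form of the same step:
#   env:
#     RELEASE_VERSION: ${{ inputs.version }}
#   run: echo "Tagging $RELEASE_VERSION"
# The script text is fixed; the value arrives through the environment.
run_env_step() {
  RELEASE_VERSION="$1" bash -c 'echo "Tagging $RELEASE_VERSION"' 2>/dev/null
}

# Number of output lines; the env form always prints exactly one.
output_lines() {
  printf '%s\n' "$1" | wc -l | tr -d ' '
}

demo() {
  local benign='v1.2.3' crafted='1.2.3"; echo "not from the step"; echo "'
  echo "inline, benign input : $(run_inline_step "$benign")"
  echo "inline, crafted input: $(output_lines "$(run_inline_step "$crafted")") lines printed"
  echo "env, crafted input   : $(run_env_step "$crafted")"
}

demo
```

The crafted value is deliberately harmless (it only adds an extra echo), but the line count shows the point: inlined, it becomes part of the script; through the environment, the whole value is printed as one literal string.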
@paulinebm I have addressed all the security issues you've mentioned in a separate PR: #4072
* Harden release workflow permissions and inputs

Apply least-privilege permissions per job instead of broad top-level write access. Pin OpenCode install to a specific version. Move workflow inputs to env blocks to prevent script injection. Addresses security review from paulinebm in #4046.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

* Verify OpenCode binary checksum after install

Use repository variables OPENCODE_VERSION and OPENCODE_SHA256 to pin the version and verify the binary integrity via sha256sum.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]>
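Added example, not the project's workflow code: the pin-and-verify pattern that the review comment on the OpenCode install asked for and that the follow-up commit above describes (a pinned version plus a pinned SHA-256, compared with sha256sum before the binary is installed or executed). The file paths, the stand-in "binary" and its digest are constructed here, and the `--version` flag used by check_version is an assumption for this example rather than a documented OpenCode option.

```shell
#!/usr/bin/env bash
# Added example, not the project's workflow code: pin a downloaded binary to a
# version and a SHA-256 digest, verify with sha256sum, and only then install and
# run it. Paths, the fake "binary" and its digest are constructed; the --version
# flag in check_version is an assumption for this example.

# Digest of a file, with a fallback for hosts without GNU sha256sum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_binary <path> <expected_sha256>
# 0 when the digest matches; 1 for a missing file, an empty pin, or a mismatch.
# The file is never executed here.
verify_binary() {
  local path="$1" expected="$2" actual
  [ -f "$path" ] || { echo "missing artifact: $path" >&2; return 1; }
  [ -n "$expected" ] || { echo "no pinned checksum; refusing to install" >&2; return 1; }
  actual=$(sha256_of "$path")
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $path: expected $expected, got $actual" >&2
    return 1
  fi
  echo "checksum ok: $path"
}

# install_pinned <artifact> <expected_sha256> <dest_dir>
# Copies the artifact into dest_dir only after verification; a mismatch installs nothing.
install_pinned() {
  local artifact="$1" expected="$2" dest="$3"
  verify_binary "$artifact" "$expected" || return 1
  mkdir -p "$dest" && install -m 0755 "$artifact" "$dest/" && echo "installed to $dest"
}

# check_version <binary> <pinned_version>
# After install, confirm the binary reports the pinned version (--version assumed).
check_version() {
  "$1" --version 2>/dev/null | grep -qF -- "$2"
}

# Constructed fixture: a stand-in "binary", its true digest, and a tampered copy.
# Sets DEMO_DIR and DEMO_SHA for callers.
demo_setup() {
  DEMO_DIR=$(mktemp -d)
  printf '#!/bin/sh\necho "opencode v0.0.0-example"\n' > "$DEMO_DIR/opencode"
  printf '#!/bin/sh\necho "something else"\n' > "$DEMO_DIR/opencode-tampered"
  DEMO_SHA=$(sha256_of "$DEMO_DIR/opencode")
}

demo() {
  demo_setup
  install_pinned "$DEMO_DIR/opencode" "$DEMO_SHA" "$DEMO_DIR/bin"
  check_version "$DEMO_DIR/bin/opencode" "v0.0.0-example" && echo "version ok"
  if ! install_pinned "$DEMO_DIR/opencode-tampered" "$DEMO_SHA" "$DEMO_DIR/bin"; then
    echo "tampered artifact rejected, nothing installed"
  fi
  rm -rf "$DEMO_DIR"
}

demo
```

In a workflow the two pins would come from the repository variables the commit names (OPENCODE_VERSION for the download URL and the post-install version check, OPENCODE_SHA256 for verify_binary), and an empty variable is treated as a failure rather than as "skip verification".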

Note from myself: follow-up on the on-going work to streamline `huggingface_hub` releases. This PR adds a Slack Bot that will send messages to `#hub-client-library-internal` with the status of each step. This will make it more straightforward to retrieve URLs and generated messages. I have added `SLACK_BOT_TOKEN` as a secret and `SLACK_CHANNEL_ID` as a variable in this repo's settings. The bot will be this one: https://api.slack.com/apps/A0AQJJYFFBM/general
Summary
- `.md` file as a thread attachment
- `slack-complete` job updates the original message ("started" → "completed"/"failed") and adds a ✅ or ❌ reaction
- `continue-on-error: true` — Slack issues never block the release
- `message_ts` is empty (Slack init failed)

Setup required

- `SLACK_BOT_TOKEN` — Slack Bot User OAuth Token with scopes: `chat:write`, `reactions:write`, `files:write`
- `SLACK_CHANNEL_ID` — target Slack channel ID

🤖 Generated with Claude Code
Note
Medium Risk
Modifies the release GitHub Actions workflow to add Slack messaging and a new completion job; while Slack steps are non-blocking, changes touch the release pipeline and could affect execution flow/needs outputs if misconfigured.
Overview
Adds live Slack notifications to the `release.yml` workflow: the `prepare` job now posts a “release started” message and exports its `message_ts` for threading. Each major job (PyPI publishes, release notes, prerelease Slack announcement generation incl. file upload, downstream RC branches, post-release bump PR, and CLI skill sync) posts a ✅/❌ threaded status update, and a new `slack-complete` job updates the original message with final success/failure plus a reaction. The post-release step also captures the created PR URL for linking in Slack, and the workflow docs now list the required Slack secret/variable.

Written by Cursor Bugbot for commit 91d22cd.