
fix(release): backmerge#175

Merged
bedatty merged 1 commit into develop from main
Mar 26, 2026

Conversation

@bedatty bedatty commented Mar 26, 2026


GitHub Actions Shared Workflows


Description

Type of Change

  • feat: New workflow or new input/output/step in an existing workflow
  • fix: Bug fix in a workflow (incorrect behavior, broken step, wrong condition)
  • perf: Performance improvement (e.g. caching, parallelism, reduced steps)
  • refactor: Internal restructuring with no behavior change
  • docs: Documentation only (README, docs/, inline comments)
  • ci: Changes to self-CI (workflows under .github/workflows/ that run on this repo)
  • chore: Dependency bumps, config updates, maintenance
  • test: Adding or updating tests
  • BREAKING CHANGE: Callers must update their configuration after this PR

Breaking Changes

None.

Testing

  • YAML syntax validated locally
  • Triggered a real workflow run on a caller repository using @develop or the beta tag
  • Verified all existing inputs still work with default values
  • Confirmed no secrets or tokens are printed in logs
  • Checked that unrelated workflows are not affected

Caller repo / workflow run:

Related Issues

Closes #


  • refactor(pr-validation): modularize workflow into composites under src/validate/

Extract all inline business logic from pr-validation.yml into 7 reusable composite actions under src/validate/. Add dry_run input, fix script injection risks (use env vars instead of direct interpolation), fix notify ref for external callers, and update conventions to prohibit workflow_dispatch on reusable workflows due to injection risk.

  • fix(pr-validation): address CodeRabbit and CodeQL review findings
    • Fix code-injection: move needs.*.result and inputs.dry_run to env vars in pr-checks-summary job (use process.env instead of ${{ }} interpolation)
    • Wire MANAGE_TOKEN into auto-labeler job (was hardcoded to github.token)
    • Include pr-changelog in Slack notification status and failed_jobs
    • Handle empty git diff output in pr-size (CHANGED_LINES defaults to 0)
    • Support all * wildcard patterns in pr-source-branch (not just /*)
    • Fix broken markdown links in docs (add -workflow suffix)
    • Fix docs examples to use @v1.2.3 placeholder instead of @v1.x.x
    • Update jobs table with non-draft condition for all gated jobs

  • fix(helm-update-chart): use VALUES_KEY for template file paths instead of COMP_NAME

The workflow was using COMP_NAME to build configmap/secret template paths (e.g. templates/plugin-br-pix-indirect-btg-worker-inbound/configmap.yaml) but the actual directory structure uses VALUES_KEY names (e.g. templates/inbound/configmap.yaml).

This caused the if [ -f ] check to silently fail, resulting in detected env vars never being injected into configmap/secret templates.

Changes:

  • Use VALUES_KEY for CONFIGMAP_FILE and SECRET_FILE paths
  • Update create_secret_template to take VALUES_KEY as single arg
  • Add ::warning:: annotations when template files are not found

Closes #167

  • fix(helm-update-chart): quote GITHUB_OUTPUT and GITHUB_STEP_SUMMARY references

Resolves SC2086 (double quote to prevent globbing) and SC2129 (group redirects) shellcheck warnings flagged by the PR lint analysis.

  • fix(helm-update-chart): resolve CodeQL medium findings
    • Pin crazy-max/ghaction-import-gpg and mikefarah/yq to commit SHAs
    • Move inputs.base_branch to env var to prevent code injection in step summary
    • Add inline comment dismissing untrusted-checkout false positive

  • docs(rules): enforce commit SHA pinning for third-party actions

Update all rules and commands (Claude, Cursor, AGENTS.md) to require third-party actions to be pinned by commit SHA instead of mutable tags. LerianStudio org actions remain pinned by release tag.

  • refactor(pr-validation): extract pr-checks-summary composite and use branch refs for testing

  • fix(pr-validation): add missing README and fix broken doc link

  • refactor(pr-validation): optimize to 2-tier fail-fast model

Consolidate 9 parallel jobs into 4 with a 2-tier architecture:

  • Tier 1 (blocking-checks): title, source-branch, description — no checkout, fail-fast
  • Tier 2 (advisory-checks): metadata, size, labels, changelog — shared checkout, only runs if Tier 1 passes

Reduces runner cost (9 → 4 runners, 3 checkouts → 1) while providing faster feedback on blocking validation failures.

  • fix(pr-changelog): remove comment logic — changelog is auto-generated

CHANGELOG.md is now generated by semantic-release, so the reminder comment is unnecessary noise. Removed the comment step, github-token and dry-run inputs from the composite.

  • fix(pr-validation): default enforce_source_branches to true

The composite already auto-skips when the target branch is not in target_branches_for_source_check (default: main), so enabling by default is safe and avoids silent misconfiguration.

  • fix(pr-description): validate real content instead of raw length

Rewrite pr-description composite to:

  • Extract content under "## Description" heading and strip HTML comments
  • Fail if description section is empty or below min-length
  • Fail if no "Type of Change" checkbox is checked
  • Remove github-token input (no API calls needed)
  • Consolidate two github-script steps into one

Also pin amannn/action-semantic-pull-request to commit SHA in pr-title.

  • feat(pr-metadata): auto-assign PR author instead of warning

Replace the warning-only assignee and linked issues checks with an actionable auto-assign: if no assignee is set, assign the PR author automatically. Bot accounts are skipped.

  • fix(pr-size): skip label update when unchanged and remove XL comment
    • Check current labels before removing/adding — skip entirely if the correct size label is already set
    • Only remove stale size labels that actually exist on the PR
    • Remove the XL comment (generic noise on every sync)

  • fix(pr-labels): pin actions/labeler to commit SHA

  • refactor(pr-validation): remove changelog check and pin all actions by SHA
    • Remove pr-changelog from workflow, summary, and inputs — CHANGELOG.md is auto-generated by semantic-release
    • Pin actions/github-script@v8 and actions/checkout@v6 to commit SHAs across all validate composites

  • fix(pr-checks-summary): use markdown tables grouped by tier

Display results as two tables (Blocking / Advisory) instead of flat lines. Skipped checks now use ⏭️ instead of ⚠️ for clarity.

  • fix(pr-validation): address CodeRabbit review findings
    • Remove stale check_changelog references from docs and examples
    • Remove pr-changelog from jobs table and pr-checks-summary README
    • Fix related-workflow links to current doc naming
    • Make missing "Type of Change" section an error, not a warning
    • Add null-safety for pr.assignees in pr-metadata
    • Add dry-run gate to pr-metadata auto-assign
    • Fix yamllint inline-comment spacing in pr-labels

  • fix(pr-validation): sync defaults, fix caller, update docs
    • Align min_description_length default to 30 (matches composite)
    • Remove stale check_changelog from self-pr-validation.yml
    • Update metadata feature description in docs
    • Validate min-length input against NaN in pr-description

  • fix(pr-validation): pin composite refs to v1.19.1-beta.2

  • fix(lint): enforce SHA pinning for externals, warnings for internals

fix(lint): enforce SHA pinning for externals, warnings for internals

  • fix(pr-validation): pin composite refs to v1.20.0

  • fix(pr-blocking-collect): add README and pin ref to v1.20.0

  • fix(pr-blocking-collect): use branch ref for testing

  • docs(pr-blocking-collect): fix terminology — step outputs, not job outputs

  • fix(pr-validation): pin composite refs to v1.20.0 (#172)

  • fix(pr-validation): pin composite refs to v1.20.0

  • fix(pr-blocking-collect): add README and pin ref to v1.20.0

  • fix(pr-blocking-collect): use branch ref for testing

  • docs(pr-blocking-collect): fix terminology — step outputs, not job outputs

  • feat(release): fallback to PR when backmerge push fails

When the semantic-release backmerge plugin fails to push directly to develop (non-fast-forward), create a PR from main→develop instead of failing the entire release. The release tag and GitHub release are already published at this point.

    • Add continue-on-error to semantic-release step
    • If release published but step failed → create backmerge PR
    • If release not published and step failed → propagate error
    • Check for existing backmerge PR to avoid duplicates

  • fix(pr-validation): pin composite refs to v1.20.1

  • feat(release): extract backmerge fallback into reusable composite

Create src/config/backmerge-pr composite that creates a PR when the semantic-release backmerge push fails (non-fast-forward). Checks for existing open PRs to avoid duplicates. Replace inline shell in release.yml with the composite call.

  • fix(release): use @develop ref for backmerge-pr composite

  • fix(backmerge-pr): use heredoc to avoid indentation in PR body

  • fix(pr-description): validate checkboxes only, not description content

Simplify pr-description to only check:

  • At least one "Type of Change" checkbox is marked
  • At least one "Testing" checkbox is marked

Remove min-length content validation that was blocking PRs with valid template usage (e.g., merge PRs with CodeRabbit summaries).

  • fix(pr-description): simplify to empty body check only

  • fix(ci): use @develop ref for pr-description, sync backmerge-pr

Summary by CodeRabbit

  • New Features

    • Added automatic PR fallback for backmerging when release automation encounters branch conflicts.
    • Enhanced release workflow with improved error handling and recovery.
  • Improvements

    • Simplified PR description validation to check non-empty content only.
  • Documentation

    • Updated release workflow and backmerge documentation with new failure-handling behavior.

Co-authored-by: Gandalf <gandalf@lerian.studio>
@bedatty bedatty requested a review from a team as a code owner March 26, 2026 17:04
coderabbitai bot commented Mar 26, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: ASSERTIVE

Plan: Pro

Run ID: a4b5ac8f-45b0-4857-bf11-09e71c5558e7

📥 Commits

Reviewing files that changed from the base of the PR and between 14e764a and de114d1.

📒 Files selected for processing (7)
  • .github/workflows/pr-validation.yml
  • .github/workflows/release.yml
  • docs/release-workflow.md
  • src/config/backmerge-pr/README.md
  • src/config/backmerge-pr/action.yml
  • src/validate/pr-description/README.md
  • src/validate/pr-description/action.yml

Walkthrough

Updates PR validation workflow to use action develop branch and v1.20.1 versions while removing minimum description length enforcement. Release workflow gains conditional error handling with automated backmerge PR fallback. Introduces new backmerge-pr composite action and simplifies PR description validation to empty-check only.

Changes

Cohort: PR Validation Refactor
  Files: .github/workflows/pr-validation.yml, src/validate/pr-description/action.yml, src/validate/pr-description/README.md
  Summary: Removed min_description_length workflow input (breaking change for callers). Updated PR description validation from v1.20.0 to develop branch. Simplified action logic: validation narrowed from template content/checkbox checks to empty-description check only. Bumped 8 action/workflow references to v1.20.1.

Cohort: Release Workflow Enhancement
  Files: .github/workflows/release.yml, docs/release-workflow.md
  Summary: Added continue-on-error: true to semantic-release step with conditional fallback logic: "Backmerge PR fallback" step invokes new backmerge-pr workflow when release fails but publishes version; failure check enforces job exit on unpublished releases. Updated documentation to reflect PR fallback behavior.

Cohort: Backmerge PR Action
  Files: src/config/backmerge-pr/action.yml, src/config/backmerge-pr/README.md
  Summary: New composite GitHub Action handles backmerge automation via PR creation. Queries existing open PRs to avoid duplicates, generates PR body with version info, executes gh pr create, and outputs pr-url and pr-number for downstream consumption. Requires contents: read and pull-requests: write permissions.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes


@lerian-studio lerian-studio added labels size/XS (PR changes < 50 lines), documentation (Improvements or additions to documentation), workflow (Changes to one or more reusable workflow files) Mar 26, 2026

🔍 Lint Analysis

Check                 Files scanned   Status
YAML Lint             4 file(s)       ✅ success
Action Lint           2 file(s)       ✅ success
Pinned Actions        4 file(s)       ❌ failure
Markdown Link Check   3 file(s)       ✅ success
Spelling Check        7 file(s)       ✅ success
Shell Check           4 file(s)       ✅ success
README Check          4 file(s)       ✅ success
Composite Schema      2 file(s)       ✅ success
❌ Failures (1)

Pinned Actions

.github

  • .github (line 88) — Process completed with exit code 1.
  • .github (line 87) — Found 5 external action(s) not pinned by commit SHA. Pin using the full SHA with a version comment (e.g., @abc123 # v6).

.github/workflows/release.yml

  • .github/workflows/release.yml (line 151) — External action not pinned by SHA: uses: cycjimmy/semantic-release-action@v6 (use full commit SHA with a # vX.Y.Z comment)
  • .github/workflows/release.yml (line 136) — External action not pinned by SHA: uses: actions/setup-node@v6 (use full commit SHA with a # vX.Y.Z comment)
  • .github/workflows/release.yml (line 124) — External action not pinned by SHA: uses: crazy-max/ghaction-import-gpg@v7 (use full commit SHA with a # vX.Y.Z comment)
  • .github/workflows/release.yml (line 113) — External action not pinned by SHA: uses: actions/checkout@v6 (use full commit SHA with a # vX.Y.Z comment)
  • .github/workflows/release.yml (line 106) — External action not pinned by SHA: - uses: actions/create-github-app-token@v2 (use full commit SHA with a # vX.Y.Z comment)
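
The "Pinned Actions" check above and the SHA-pinning rule from the docs(rules) commit, as an added example that is not the repository's own lint script: it scans `uses:` references, reports any third-party action not pinned to a full 40-hex commit SHA as an error, downgrades mutable refs on LerianStudio org actions to a warning, and skips local `./` composites. The `LerianStudio/` prefix, the regexes, the "SHA without a # vX.Y.Z comment" warning, the sample workflow excerpt, the 40-zero SHA and the `PLACEHOLDER-shared-workflows` repository name are all assumptions or constructed placeholders.

```python
from __future__ import annotations
import re
from typing import NamedTuple

ORG_PREFIX = "LerianStudio/"  # internal actions: tag pins are warnings, not errors
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)(?:\s*#\s*(?P<comment>.*))?")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_COMMENT_RE = re.compile(r"^v\d+(\.\d+){0,2}")  # "# v6", "# v1.20.1"

class Finding(NamedTuple):
    line: int
    ref: str
    severity: str  # "error" (external) or "warning" (internal / missing comment)
    message: str

def check_pinned_actions(workflow_text: str) -> list[Finding]:
    """One Finding per `uses:` reference that violates the pinning policy."""
    findings: list[Finding] = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref").strip("\"'")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local composite or container image: not a remote action
        action, _, version = ref.partition("@")
        if SHA_RE.match(version):
            # Assumed detail: a SHA pin should carry a "# vX.Y.Z" comment for reviewers
            comment = (m.group("comment") or "").strip()
            if not VERSION_COMMENT_RE.match(comment):
                findings.append(Finding(lineno, ref, "warning",
                                        "SHA pinned but missing # vX.Y.Z comment"))
        elif action.startswith(ORG_PREFIX):
            findings.append(Finding(lineno, ref, "warning",
                                    "Internal action pinned by mutable ref, not SHA"))
        else:
            findings.append(Finding(lineno, ref, "error",
                                    "External action not pinned by SHA "
                                    "(use full commit SHA with a # vX.Y.Z comment)"))
    return findings

def summarize(findings: list[Finding]) -> tuple[int, int]:
    """(errors, warnings); the lint job fails only when errors > 0."""
    errors = sum(f.severity == "error" for f in findings)
    return errors, len(findings) - errors

# Constructed sample mirroring the refs flagged in the lint comment; the
# 40-zero SHA and the shared-workflows repository name are placeholders.
SAMPLE_WORKFLOW = """\
jobs:
  release:
    steps:
      - uses: actions/create-github-app-token@v2
      - uses: actions/checkout@v6
      - uses: crazy-max/ghaction-import-gpg@v7
      - uses: actions/setup-node@v6
      - uses: cycjimmy/semantic-release-action@v6
      - uses: actions/github-script@0000000000000000000000000000000000000000 # v8 (placeholder SHA)
      - uses: LerianStudio/PLACEHOLDER-shared-workflows/src/config/backmerge-pr@develop
      - uses: ./src/validate/pr-description
"""

if __name__ == "__main__":
    results = check_pinned_actions(SAMPLE_WORKFLOW)
    for f in results:
        print(f"release.yml (line {f.line}) [{f.severity}] {f.message}: uses: {f.ref}")
    errors, warnings = summarize(results)
    print(f"{errors} error(s), {warnings} warning(s)")
    raise SystemExit(1 if errors else 0)  # mirrors "Process completed with exit code 1"
```

Run against the sample it reports the same five external tag pins the lint comment lists and exits non-zero, while the org action on `@develop` is only a warning.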



🛡️ CodeQL Analysis Results

Languages analyzed: actions

✅ No security issues found.



@bedatty bedatty merged commit 8a2aa8c into develop Mar 26, 2026
17 of 20 checks passed