ci: run release-please via CLI instead of the googleapis action#324
Merged
Conversation
03180ce to
70d3124
Compare
70d3124 to
b21deb7
Compare
NiteshDhanpal
approved these changes
Jun 18, 2026
The googleapis/release-please-action isn't on the org Actions allow-list, so the release-please workflow added in #321 failed at startup (no release PR cut). Run the release-please CLI under actions/setup-node (allow-listed) instead — same manifest-mode behavior (release-pr + github-release), no third-party action. Verified the CLI commands/flags against release-please@16. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
b21deb7 to
53686f4
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Rewrites the release-please workflow (added in #321) to run the release-please CLI under
actions/setup-node, instead ofgoogleapis/release-please-action.Why
After #321 merged, the workflow failed at startup on every push to
main(startup_failure, no logs, no release PR cut). The merged YAML is valid and the action SHA resolves — the cause is the org Actions allow-list:googleapis/release-please-actionisn't on it. (Every other workflow here uses onlyactions/,astral-sh/,docker/,stainless-api/,codecov/,dorny/; the Actions-policy API is admin-only/403 for me, so I couldn't read it directly, but the signature is unambiguous.)Fix
Run
npx release-please@16 release-pr+github-release(manifest mode — same as the action did internally) underactions/setup-node@v4, which is allow-listed (actions/*is used throughout the repo). No third-party action → allow-list-proof.Verified the CLI commands (
release-pr/github-release;manifest-pr/manifest-releaseare deprecated aliases) and flags (--token,--repo-url,--config-file,--manifest-file) againstrelease-please@16.After merge
Runs on
main; once afeat/fixlands (or viaworkflow_dispatch) it opens the first release PR → merging that cuts the firstvX.Y.Ztag. Config + manifest are unchanged from #321.🧑💻🤖 — posted via Claude Code
Greptile Summary
Rewrites the release-please workflow to run the CLI via
npxunderactions/setup-node@v4instead of the blockedgoogleapis/release-please-action. The two CLI commands (release-pr+github-release) replicate what the action did internally, andissues: writeis added so the CLI can applyautorelease:*labels.googleapis/release-please-action@5c625bfb5…with twonpx --yes release-please@16invocations that run sequentially in one step; the existing--config-file/--manifest-filepaths are unchanged.issues: writepermission so the CLI can label release PRs via the GitHub Issues API without a permissions error.Confidence Score: 5/5
Safe to merge — the change is a like-for-like replacement of a blocked action with equivalent CLI commands, and all required permissions are granted.
The rewrite correctly mirrors what the action did internally:
release-propens/updates the release PR,github-releasecuts the tag and release when that PR is merged. Theissues: writepermission is present for label management. The twonpxinvocations run in one shell step underset -eo pipefail, so a failure in either surfaces as a visible job failure rather than a silent skip. The only suggestions are around pinning (@v4tag and@16floating version) which are hygiene items, not correctness issues.No files require special attention.
Important Files Changed
googleapis/release-please-actionwith equivalentnpx release-please@16CLI calls underactions/setup-node@v4; addsissues: writepermission for label management.Sequence Diagram
%%{init: {'theme': 'neutral'}}%% sequenceDiagram participant GH as GitHub (push to main) participant Runner as ubuntu-latest runner participant NPX as npx release-please@16 participant GHAPI as GitHub API GH->>Runner: trigger workflow Runner->>Runner: "actions/setup-node@v4 (Node 20)" Runner->>NPX: release-pr --token --repo-url --config-file --manifest-file NPX->>GHAPI: fetch config + manifest (via API, no checkout needed) GHAPI-->>NPX: release-please-config.json, .release-please-manifest.json NPX->>GHAPI: create/update release PR (contents:write, pull-requests:write) NPX->>GHAPI: "apply autorelease:* labels (issues:write)" GHAPI-->>NPX: done NPX-->>Runner: exit 0 Runner->>NPX: github-release --token --repo-url --config-file --manifest-file NPX->>GHAPI: check for merged release PRs alt Release PR was merged NPX->>GHAPI: create tag + GitHub Release (contents:write) GHAPI-->>NPX: release created else No merged release PR NPX-->>Runner: no-op, exit 0 end%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%% sequenceDiagram participant GH as GitHub (push to main) participant Runner as ubuntu-latest runner participant NPX as npx release-please@16 participant GHAPI as GitHub API GH->>Runner: trigger workflow Runner->>Runner: "actions/setup-node@v4 (Node 20)" Runner->>NPX: release-pr --token --repo-url --config-file --manifest-file NPX->>GHAPI: fetch config + manifest (via API, no checkout needed) GHAPI-->>NPX: release-please-config.json, .release-please-manifest.json NPX->>GHAPI: create/update release PR (contents:write, pull-requests:write) NPX->>GHAPI: "apply autorelease:* labels (issues:write)" GHAPI-->>NPX: done NPX-->>Runner: exit 0 Runner->>NPX: github-release --token --repo-url --config-file --manifest-file NPX->>GHAPI: check for merged release PRs alt Release PR was merged NPX->>GHAPI: create tag + GitHub Release (contents:write) GHAPI-->>NPX: release created else No merged release PR NPX-->>Runner: no-op, exit 0 endComments Outside Diff (1)
.github/workflows/release-please.yml, line 12-14 (link)The CLI still applies and removes release-please labels on release PRs, and those calls go through GitHub's Issues API. This workflow only grants
contents: writeandpull-requests: write, so the job can fail with a permissions error when it tries to add or remove labels likeautorelease: pending. Addissues: writehere so the CLI has the same label permissions the release flow needs.Prompt To Fix With AI
Reviews (3): Last reviewed commit: "ci: run release-please via CLI instead o..." | Re-trigger Greptile