ci: release process with breaking changes

[auricom]

Overview

[github-actions]

The latest Buf updates on your PR. Results from workflow CI / buf-check (pull_request).

Build	Format	Lint	Breaking	Updated (UTC)
✅ passed	⏩ skipped	✅ passed	✅ passed	Feb 4, 2026, 8:40 AM

[claude]

Claude finished @auricom's task in 2m 46s —— View job

---

Comprehensive Code Review

I've completed a thorough review of the release process changes in this PR. The changes introduce a well-structured release workflow with AI-generated release notes and comprehensive documentation. Below are my findings organized by category.

---

🔒 Security Issues (High Priority)

1. Unpinned Third-Party Actions

Severity: High | Files: .github/workflows/release-github.yml:168, 179

The workflow uses unpinned third-party actions with tag references instead of commit SHAs:

uses: anthropics/claude-code-action@v1        # Line 168
uses: softprops/action-gh-release@v2          # Line 179

Risk: Tag-based references are mutable and can be modified by action maintainers (or attackers with compromised accounts), potentially introducing malicious code into your CI/CD pipeline.

Recommendation: Pin actions to specific commit SHAs with comments indicating the version:

uses: anthropics/claude-code-action@a1b2c3d4  # v1
uses: softprops/action-gh-release@e5f6g7h8    # v2

Note: actions/checkout@v6 is from GitHub's official actions and is generally considered safe, but for maximum security, even these should be pinned.

Fix this →

2. Secrets Management

Status: ✅ Good | File: .github/workflows/release-github.yml:170

The workflow properly uses GitHub Secrets for the Claude API token:

claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

Verification needed: Ensure this secret is:

• Stored as a GitHub Secret (not hardcoded)
• Has minimal scope/permissions
• Is rotated periodically
• Is documented in team onboarding

---

🏗️ Workflow Architecture & Error Handling

3. Robust Tag Validation

Status: ✅ Excellent | File: .github/workflows/release-github.yml:19-32

The semver validation regex is comprehensive and handles:

• Standard versions: v1.2.3
• Pre-release versions: v1.2.3-rc.4, v1.2.3-beta.1
• Build metadata: v1.2.3-alpha.1+build.123

The error messages are clear and actionable. Well done!

4. Missing Error Handling in Shell Scripts

Severity: Medium | File: .github/workflows/release-github.yml:63-86

The "Get list of Docker images" step lacks error handling and validation:

for app_dir in apps/*/; do
  if [ -f "${app_dir}Dockerfile" ]; then
    APP_NAME=$(basename "$app_dir")
    IMAGE_NAME="ev-node-${APP_NAME}"
    IMAGES="${IMAGES}ghcr.io/${{ github.repository_owner }}/${IMAGE_NAME}:${{ steps.extract-version.outputs.tag }}\n"
  fi
done

Issues:

• No validation that apps/ directory exists
• Silent failure if no Dockerfiles are found (empty IMAGES variable)
• No logging of which apps were discovered

Recommendation:

# Add error handling
if [ ! -d "apps" ]; then
  echo "::error::apps/ directory not found"
  exit 1
fi

IMAGE_COUNT=0
for app_dir in apps/*/; do
  if [ -f "${app_dir}Dockerfile" ]; then
    APP_NAME=$(basename "$app_dir")
    IMAGE_NAME="ev-node-${APP_NAME}"
    IMAGES="${IMAGES}ghcr.io/${{ github.repository_owner }}/${IMAGE_NAME}:${{ steps.extract-version.outputs.tag }}\n"
    IMAGE_COUNT=$((IMAGE_COUNT + 1))
    echo "::notice::Found app: $APP_NAME"
  fi
done

if [ $IMAGE_COUNT -eq 0 ]; then
  echo "::warning::No Docker images found in apps/"
fi

echo "::notice::Total Docker images found: $IMAGE_COUNT"

Fix this →

5. Insufficient Previous Tag Fallback

Severity: Low | File: .github/workflows/release-github.yml:49-61

The previous tag detection falls back to initial commit, which could generate very large changelogs for first releases:

if [ -z "$PREV_TAG" ]; then
  echo "::notice::No previous tag found, using initial commit"
  PREV_TAG=$(git rev-list --max-parents=0 HEAD)
fi

Recommendation: Consider adding a flag or input to specify the changelog starting point for first releases, or limit the changelog to the last N commits.

---

📚 Documentation Quality

6. Excellent Documentation Structure

Status: ✅ Outstanding | File: RELEASE.md

The updated RELEASE.md is comprehensive and well-organized with:

• Clear separation between GitHub Releases, Docker releases, and Go modules
• Step-by-step instructions for each scenario
• Dependency graph for Go module releases
• Troubleshooting section
• Best practices section

This is a model documentation file!

7. Missing Critical Context in Quick Steps

Severity: Medium | File: RELEASE.md:18-25

The GitHub Release quick steps say "Ensure CHANGELOG.md is updated" but don't specify what that means:

# 1. Ensure CHANGELOG.md is updated for the version

Issues:

• Doesn't explain that entries must be moved from [Unreleased] to a version section
• Doesn't specify the required format
• The workflow will fail silently if the version isn't found

Recommendation: Add explicit details:

# 1. Update CHANGELOG.md before triggering the workflow:
#    - Move changes from [Unreleased] to a new version section: ## v1.2.3
#    - Include sections: Added, Changed, Fixed, Removed, Security (as applicable)
#    - Mark breaking changes with **BREAKING:** prefix
#    - Commit and push to main branch

Fix this →

8. Unclear Workflow Dependency Ordering

Severity: Medium | File: RELEASE.md:28-36

The "How It Works" section lists steps but doesn't clarify critical timing requirements:

Missing information:

• Step 4 (AI generation) requires CHANGELOG.md to already be updated and committed
• The workflow runs on workflow_dispatch (manual trigger) but doesn't check if CHANGELOG.md is updated
• No mention of what happens if CHANGELOG.md doesn't contain the version section

Recommendation: Add a prerequisites subsection before "How It Works":

### Prerequisites

Before running the workflow, you must:

1. **Update CHANGELOG.md** on the main branch with the version you're releasing
2. **Ensure the version section exists** - the workflow reads from CHANGELOG.md
3. **Have all Docker images built** - the workflow lists images that should be available

Fix this →

9. Inconsistent Terminology

Severity: Low | File: RELEASE.md (multiple locations)

The document uses inconsistent terminology:

• "GitHub Release" vs "Github Release" (inconsistent capitalization)
• "workflow_dispatch" vs "workflow dispatch" vs "manual workflow"
• "apps/evm/" vs "apps/evm/" (inconsistent code formatting)

Recommendation: Standardize on:

• "GitHub" (capital H) everywhere
• "manual workflow" in prose, "workflow_dispatch" in technical contexts
• Always use backticks for paths, commands, and code

---

⚡ Performance & Efficiency

10. Inefficient Changelog Prompt Construction

Severity: Low | File: .github/workflows/release-github.yml:87-164

The changelog prompt is constructed using a heredoc, then modified with sed, then appended to again:

cat > claude-prompt.txt << 'EOF_PROMPT'
...
EOF_PROMPT

sed -i "s/\$VERSION/${VERSION}/g" claude-prompt.txt
sed -i "s/\$TAG/${TAG}/g" claude-prompt.txt

echo "${{ steps.get-images.outputs.images }}" | while IFS= read -r image; do
  echo "- $image" >> claude-prompt.txt
done

cat >> claude-prompt.txt << 'EOF_PROMPT'
...
EOF_PROMPT

Recommendation: Use variable substitution directly in bash (though the current approach is more readable for complex prompts, so this is a minor optimization):

cat > claude-prompt.txt << EOF
Read the file CHANGELOG.md and find the section for version ${VERSION} (tag ${TAG}).
...
EOF

However, the current approach is acceptable because it keeps the prompt template readable and avoids escaping issues. No action needed unless performance becomes a concern.

---

🧪 Testing & Reliability

11. No Validation of AI-Generated Output

Severity: Medium | File: .github/workflows/release-github.yml:166-176

The workflow uses AI to generate release notes but doesn't validate the output before creating the release:

- name: Generate release notes with Claude
  id: claude-release
  uses: anthropics/claude-code-action@v1
  with:
    claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
    prompt: ${{ steps.changelog-prompt.outputs.prompt }}

Issues:

• No check that the AI actually returned valid JSON
• No validation that required fields (release_notes, release_date) are non-empty
• No fallback if AI generation fails
• No way to preview before creating the draft release

Recommendation: Add a validation step:

- name: Validate Claude output
  run: |
    OUTPUT='${{ steps.claude-release.outputs.structured_output }}'
    
    if [ -z "$OUTPUT" ]; then
      echo "::error::Claude did not return any output"
      exit 1
    fi
    
    RELEASE_NOTES=$(echo "$OUTPUT" | jq -r '.release_notes // empty')
    RELEASE_DATE=$(echo "$OUTPUT" | jq -r '.release_date // empty')
    
    if [ -z "$RELEASE_NOTES" ]; then
      echo "::error::release_notes field is missing or empty"
      exit 1
    fi
    
    if [ -z "$RELEASE_DATE" ]; then
      echo "::error::release_date field is missing or empty"
      exit 1
    fi
    
    # Validate date format (YYYY-MM-DD)
    if ! echo "$RELEASE_DATE" | grep -qE '^[0-9]{4}-[0-9]{2}-[0-9]{2}$'; then
      echo "::error::Invalid date format: $RELEASE_DATE (expected YYYY-MM-DD)"
      exit 1
    fi
    
    echo "::notice::Validation passed"

Fix this →

12. Limited Allowed Tools for Claude

Status: ✅ Good Practice | File: .github/workflows/release-github.yml:173

The workflow restricts Claude to only reading CHANGELOG.md:

allowed_tools: "Read(CHANGELOG.md)"

This is excellent security practice - principle of least privilege! The AI can't modify files or read sensitive information.

13. Missing Testing for Multi-Platform Docker Builds

Severity: Low | File: .github/workflows/release-apps.yml:96

The Docker workflow builds for multiple platforms but doesn't test them:

platforms: linux/amd64,linux/arm64

Recommendation: Consider adding smoke tests for each platform in a separate job that runs after the build. However, this may be overkill depending on your testing strategy elsewhere.

---

🎯 Go Module Release Process

14. Excellent Dependency Graph Visualization

Status: ✅ Outstanding | File: RELEASE.md:135-152

The ASCII dependency graph is clear and makes the release order obvious. Great visual aid!

15. Missing go.mod File Verification

Severity: Medium | File: RELEASE.md:179-248

The Go module release process mentions removing replace directives but doesn't provide:

• A way to verify all replace directives are removed before releasing
• A checklist or script to automate this verification
• Explanation of why replace directives are problematic for releases

Recommendation: Add a verification section:

#### Before Starting: Verification Checklist

Run this command to find any `replace` directives:

\`\`\`bash
find . -name "go.mod" -exec grep -l "^replace" {} \;
\`\`\`

If any are found, remove them and commit the changes:

\`\`\`bash
# Review and remove replace directives manually
# They prevent consumers from getting the correct transitive dependencies
vim ./path/to/go.mod

git add . && git commit -m "Remove replace directives for release"
git push origin main
\`\`\`

Fix this →

16. Unclear Go Proxy Propagation Time

Severity: Low | File: RELEASE.md:198, 456

The document mentions "5-10 minutes" in one place and "5-30 minutes" in another, and "up to 30 minutes" in the troubleshooting section. This inconsistency could cause confusion.

Recommendation: Use consistent timing guidance:

• Normal case: 5-10 minutes
• Worst case: up to 30 minutes
• Clarify that the Go proxy caches aggressively and the timing is out of your control

---

🔐 Permissions & Access Control

17. Appropriate Workflow Permissions

Status: ✅ Excellent | File: .github/workflows/release-github.yml:10-12

The workflow uses least-privilege permissions:

permissions:
  contents: write      # Needed to create releases
  id-token: write     # Needed for OIDC token

The release-apps.yml workflow similarly uses minimal permissions at the job level. Great security practice!

18. No Pull Request Triggers (By Design)

Status: ✅ Good | File: .github/workflows/release-github.yml:2-8

The GitHub Release workflow only triggers on workflow_dispatch (manual), which is correct for release workflows. This prevents accidental releases.

---

📝 Additional Observations

19. Breaking Changes Documentation

Status: ✅ Strong | File: RELEASE.md:110-123

The release notes template includes clear sections for breaking changes with actionable steps. The CHANGELOG.md examples I reviewed show this pattern is already being followed (e.g., forced inclusion changes in v1.0.0-rc.1).

20. No Rollback Instructions for GitHub Releases

Severity: Low | File: RELEASE.md:458-459

The rollback section mentions that Go module tags should never be deleted, but doesn't provide instructions for rolling back or deleting GitHub Releases.

Recommendation: Add:

5. **GitHub Release Rollback**:
   - Draft releases can be deleted from the GitHub UI with no impact
   - Published releases can be deleted but this may confuse users
   - Better approach: Create a new patch release (e.g., v1.2.4) with fixes
   - If you must delete a published release, also delete the associated tag

Fix this →

---

✅ Summary & Priority Actions

High Priority (Address Before Merging)

1. Pin third-party GitHub Actions to commit SHAs instead of tags (security issue)
2. Add error handling to Docker image discovery script
3. Add validation for Claude AI output before creating releases

Medium Priority (Address Soon)

4. Clarify CHANGELOG.md update requirements in documentation
5. Add prerequisites section to GitHub Release workflow documentation
6. Add go.mod verification checklist for module releases

Low Priority (Nice to Have)

7. Standardize terminology and formatting in documentation
8. Clarify Go proxy propagation timing
9. Add GitHub Release rollback instructions
10. Consider adding multi-platform Docker image smoke tests

---

🎉 What's Working Well

• Comprehensive and well-organized documentation
• Clear separation of concerns between release types
• Excellent use of AI for release note generation
• Strong security practices (least-privilege permissions, secret management)
• Robust tag validation and error messaging
• Visual dependency graph for Go modules
• Detailed troubleshooting section

This is a significant improvement to the release process. Once the high-priority security and error-handling issues are addressed, this will be production-ready.

---

| Branch: claude/releases

[gemini-code-assist]

Summary of Changes

Hello @auricom, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly overhauls the project's release documentation by introducing a structured and comprehensive release process. It defines clear version support policies, details both automated and manual steps for creating and publishing releases, and establishes robust guidelines for changelog management and external communication. The changes aim to standardize release procedures, enhance transparency, and provide a clearer understanding of release content and upgrade compatibility for users and contributors.

Highlights

• Support Policy Definition: A new section clearly outlines the version support policy, specifying support for the current and previous major versions with security and critical bug fixes.
• Comprehensive Release Workflow: Detailed automated and manual steps for the release process are introduced, covering everything from tag pushes and automated changelog generation to manual review, GitHub Release publication, and public announcements.
• Structured Changelog Management: New guidelines for maintaining CHANGELOG.md are added, including a specific format, content categories (e.g., Added, Changed, Fixed, Security, Tested Upgrades), and the use of git-cliff for automated generation.
• Clear Communication Protocols: Templates and instructions are provided for consistent release announcements on GitHub, Slack, and Telegram, ensuring stakeholders are well-informed.
• Enhanced Release Scenarios & Checklists: The document now includes updated examples for various release scenarios (single app, multiple apps, Go modules, hotfixes) and a comprehensive checklist template to ensure all release steps are followed.
• Tested Upgrade Paths Emphasis: A new requirement and dedicated section highlight the importance of documenting tested upgrade paths within the changelog, improving clarity for users.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Ignored Files

• Ignored by pattern: .github/workflows/** (1)
  • .github/workflows/release.yml

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a comprehensive and well-documented release process, including changelog management and automated workflows. The changes are primarily in RELEASE.md and provide detailed steps for both Docker image and Go module releases. My review focuses on improving the clarity of the new process. I've suggested clarifying the manual steps required before tagging a release and detailing the lifecycle of the temporary release branches created by the automation. Overall, this is a great step towards standardizing the release workflow.

[gemini-code-assist]

The process for refining the changelog could be clarified. The 'Quick Steps' (lines 254-258) show editing and pushing to the release/<tag-name> branch. However, it's not clear how these committed changes are then reflected in the final GitHub Release. Does the developer need to manually copy the refined changelog from the branch to the GitHub Release draft?

Additionally, step 6 here says 'Merge the release branch...'. It would be helpful to specify the merge target for this branch (e.g., a version branch like v0.3), or confirm if it should be discarded after the release is published (as suggested on line 666). Clarifying the lifecycle and purpose of the release/<tag-name> branch would prevent confusion.

[gemini-code-assist]

To improve clarity, it would be helpful to explicitly state that CHANGELOG.md needs to be manually updated before the automated workflow is triggered by a tag push. This involves moving changes from [Unreleased] to a new version section. While this is mentioned in other parts of the document (e.g., line 246), adding it here would make the Changelog Workflow section self-contained and easier to follow.

Suggested change

	The release workflow automatically generates changelogs from `./CHANGELOG.md`:
	The release workflow starts with a manual update to `./CHANGELOG.md`, after which automation takes over:

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 56.23%. Comparing base (432d5a7) to head (1f33fbf).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2998      +/-   ##
==========================================
- Coverage   56.24%   56.23%   -0.01%     
==========================================
  Files         118      118              
  Lines       12075    12075              
==========================================
- Hits         6791     6790       -1     
- Misses       4537     4539       +2     
+ Partials      747      746       -1     

Flag	Coverage Δ
combined	56.23% <ø> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.