@cleocode/cleo 2026.5.105 → 2026.5.107

package/templates/workflows/release-fanout.yml.tmpl

@@ -1,214 +0,0 @@
-# CLEO release pipeline — Best-effort fanout workflow.
-#
-# Generated from packages/cleo/templates/workflows/release-fanout.yml.tmpl by
-# `cleo init --workflows` (T9531). DO NOT EDIT the rendered file directly —
-# extend via `.workflow-overrides.yml` per SPEC-T9345 R-260.
-#
-# Implements SPEC-T9345-release-pipeline-v2.md §5.3 (R-240 — R-244, R-260 —
-# R-263). Triggers on `release: published` (the GitHub Release event, NOT
-# `release: created` which fires on drafts). Each downstream job is an
-# independent best-effort fanout — every job carries `continue-on-error:
-# true` so a failed docs deploy, docker retag, sentinel notify, studio
-# rebuild, or nightly trigger CANNOT mark the release itself as failed.
-# These jobs MUST NOT be configured as required status checks (R-244).
-#
-# Placeholders (replaced at scaffold time — see workflows/README.md):
-#   <NODE_VERSION>             Node.js version            (e.g. "22.x")
-#   <INSTALL_CMD>              Install command            (e.g. "pnpm install --frozen-lockfile")
-#   <DOCS_BUILD_CMD>           Docs build command         (e.g. "pnpm --filter @cleocode/docs run build")
-#   <ENABLE_DOCS_DEPLOY>       Toggle docs-deploy job     ("true" | "false")
-#   <ENABLE_DOCKER_RETAG>      Toggle docker-retag job    ("true" | "false")
-#   <ENABLE_SENTINEL_NOTIFY>   Toggle sentinel-notify job ("true" | "false")
-#   <ENABLE_STUDIO_DEPLOY>     Toggle studio-deploy job   ("true" | "false")
-#   <ENABLE_NIGHTLY_TRIGGER>   Toggle nightly-trigger job ("true" | "false")
-#   <DOCKER_IMAGE>             Docker image name          (e.g. "cleocode/cleo")
-#   <DOCKER_HUB_USER>          Docker Hub login user      (e.g. "cleocode")
-#   <SENTINEL_WEBHOOK_URL>     Sentinel webhook URL       (HTTPS)
-#   <STUDIO_DEPLOY_HOOK>       Studio deploy hook URL     (HTTPS)
-# (Angle-brackets in this doc comment are intentional — they avoid being
-#  substituted by the {{...}} regex pass. The placeholders below use {{...}}.)
-
-name: Release Fanout
-
-# R-240: trigger on `release: published` ONLY. Draft releases (which fire
-# `release: created`) MUST NOT trigger the fanout — operators expect this
-# to run AFTER the publish + tag workflow has shipped the artifacts.
-on:
-  release:
-    types: [published]
-
-# R-241: workflow-level grants the minimum read scope. Per-job permissions
-# escalate ONLY for the jobs that need them (e.g. `pages: write` for docs
-# deploy). No top-level write scope — fanout is intentionally read-only at
-# the workflow level.
-permissions:
-  contents: read
-
-# R-243: serialize fanouts against the same release tag. cancel-in-progress
-# is FALSE so an in-flight fanout completes rather than losing partial
-# work (e.g. a half-pushed docker tag).
-concurrency:
-  group: fanout-${{ github.event.release.tag_name }}
-  cancel-in-progress: false
-
-# R-262: bash everywhere — no cross-platform shell drift across the fanout
-# jobs (they all run on ubuntu-latest but the contract is explicit).
-defaults:
-  run:
-    shell: bash
-
-jobs:
-  # R-242 (1/5): deploy generated documentation site to GitHub Pages.
-  # continue-on-error: true so a docs-build regression cannot fail the
-  # release. Disabled by default — flip {{ENABLE_DOCS_DEPLOY}} to "true"
-  # at scaffold time. The flag is hoisted into env so the `if:` becomes a
-  # dynamic expression (avoids actionlint constant-expression warning).
-  docs-deploy:
-    name: Deploy docs to GitHub Pages
-    runs-on: ubuntu-latest
-    continue-on-error: true
-    timeout-minutes: 15
-    env:
-      ENABLE_DOCS_DEPLOY: '{{ENABLE_DOCS_DEPLOY}}'
-    if: ${{ env.ENABLE_DOCS_DEPLOY == 'true' }}
-    # R-241 (per-job): pages: write + id-token: write granted ONLY for the
-    # docs-deploy job — other fanout jobs MUST NOT inherit GitHub Pages
-    # write scope.
-    permissions:
-      contents: read
-      pages: write
-      id-token: write
-    steps:
-      # R-263: third-party Actions pinned to major+minor.
-      - name: Checkout
-        uses: actions/checkout@v4.1
-        with:
-          fetch-depth: 1
-        timeout-minutes: 5
-
-      - name: Set up Node.js
-        uses: actions/setup-node@v4.0
-        with:
-          node-version: '{{NODE_VERSION}}'
-        timeout-minutes: 3
-
-      - name: Install dependencies
-        run: {{INSTALL_CMD}}
-        timeout-minutes: 5
-
-      - name: Build docs
-        run: {{DOCS_BUILD_CMD}}
-        timeout-minutes: 10
-
-      - name: Configure Pages
-        uses: actions/configure-pages@v5.0
-        timeout-minutes: 2
-
-      - name: Upload Pages artifact
-        uses: actions/upload-pages-artifact@v3.0
-        with:
-          path: docs/dist
-        timeout-minutes: 5
-
-      - name: Deploy to GitHub Pages
-        uses: actions/deploy-pages@v4.0
-        timeout-minutes: 5
-
-  # R-242 (2/5): retag the published docker image to `latest`. Failure here
-  # does NOT roll back the release — operators can re-run manually.
-  docker-retag:
-    name: Retag docker image to latest
-    runs-on: ubuntu-latest
-    continue-on-error: true
-    timeout-minutes: 10
-    env:
-      ENABLE_DOCKER_RETAG: '{{ENABLE_DOCKER_RETAG}}'
-      DOCKER_IMAGE: '{{DOCKER_IMAGE}}'
-      DOCKER_HUB_USER: '{{DOCKER_HUB_USER}}'
-      VERSION: ${{ github.event.release.tag_name }}
-    if: ${{ env.ENABLE_DOCKER_RETAG == 'true' }}
-    steps:
-      - name: Log in to Docker Hub
-        run: |
-          set -euo pipefail
-          echo "${{ secrets.DOCKER_HUB_TOKEN }}" | \
-            docker login -u "$DOCKER_HUB_USER" --password-stdin
-        timeout-minutes: 3
-
-      - name: Pull, retag, push
-        run: |
-          set -euo pipefail
-          docker pull "${DOCKER_IMAGE}:${VERSION}"
-          docker tag "${DOCKER_IMAGE}:${VERSION}" "${DOCKER_IMAGE}:latest"
-          docker push "${DOCKER_IMAGE}:latest"
-        timeout-minutes: 5
-
-  # R-242 (3/5): POST a `release.published` event to the Sentinel webhook
-  # so downstream monitoring can pick the release up. Best-effort — a
-  # webhook outage MUST NOT mark the release as failed.
-  sentinel-notify:
-    name: Notify Sentinel of release
-    runs-on: ubuntu-latest
-    continue-on-error: true
-    timeout-minutes: 5
-    env:
-      ENABLE_SENTINEL_NOTIFY: '{{ENABLE_SENTINEL_NOTIFY}}'
-      SENTINEL_WEBHOOK_URL: '{{SENTINEL_WEBHOOK_URL}}'
-      SENTINEL_TOKEN: ${{ secrets.SENTINEL_TOKEN }}
-      VERSION: ${{ github.event.release.tag_name }}
-      RELEASE_URL: ${{ github.event.release.html_url }}
-    if: ${{ env.ENABLE_SENTINEL_NOTIFY == 'true' }}
-    steps:
-      - name: POST release.published to Sentinel
-        run: |
-          set -euo pipefail
-          curl -fSL -X POST "$SENTINEL_WEBHOOK_URL" \
-            -H 'Content-Type: application/json' \
-            -H "Authorization: Bearer ${SENTINEL_TOKEN}" \
-            -d "{\"event\":\"release.published\",\"version\":\"${VERSION}\",\"url\":\"${RELEASE_URL}\"}"
-        timeout-minutes: 3
-
-  # R-242 (4/5): trigger a Studio rebuild via deploy hook. Studio runs
-  # outside this repo, so this job is a fire-and-forget POST.
-  studio-deploy:
-    name: Trigger Studio rebuild
-    runs-on: ubuntu-latest
-    continue-on-error: true
-    timeout-minutes: 20
-    env:
-      ENABLE_STUDIO_DEPLOY: '{{ENABLE_STUDIO_DEPLOY}}'
-      STUDIO_DEPLOY_HOOK: '{{STUDIO_DEPLOY_HOOK}}'
-      STUDIO_DEPLOY_TOKEN: ${{ secrets.STUDIO_DEPLOY_TOKEN }}
-      VERSION: ${{ github.event.release.tag_name }}
-    if: ${{ env.ENABLE_STUDIO_DEPLOY == 'true' }}
-    steps:
-      - name: POST to Studio deploy hook
-        run: |
-          set -euo pipefail
-          curl -fSL -X POST "$STUDIO_DEPLOY_HOOK" \
-            -H "Authorization: Bearer ${STUDIO_DEPLOY_TOKEN}" \
-            -H 'Content-Type: application/json' \
-            -d "{\"version\":\"${VERSION}\"}"
-        timeout-minutes: 10
-
-  # R-242 (5/5): dispatch the nightly e2e workflow against the freshly
-  # published release version. Decoupled from the release path — a failed
-  # dispatch is logged but does NOT fail the release.
-  nightly-trigger:
-    name: Dispatch nightly e2e for release
-    runs-on: ubuntu-latest
-    continue-on-error: true
-    timeout-minutes: 3
-    env:
-      ENABLE_NIGHTLY_TRIGGER: '{{ENABLE_NIGHTLY_TRIGGER}}'
-      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      VERSION: ${{ github.event.release.tag_name }}
-    if: ${{ env.ENABLE_NIGHTLY_TRIGGER == 'true' }}
-    steps:
-      - name: Dispatch nightly e2e
-        run: |
-          set -euo pipefail
-          gh workflow run nightly-e2e.yml \
-            --repo "${{ github.repository }}" \
-            -f release_version="$VERSION"
-        timeout-minutes: 2

package/templates/workflows/release-prepare.yml.tmpl

@@ -1,296 +0,0 @@
-# CLEO release pipeline — Prepare bump-PR workflow.
-#
-# Generated from packages/cleo/templates/workflows/release-prepare.yml.tmpl by
-# `cleo init --workflows` (T9531). DO NOT EDIT the rendered file directly —
-# extend via `.workflow-overrides.yml` per SPEC-T9345 R-260.
-#
-# Implements SPEC-T9345-release-pipeline-v2.md §5.1 (R-200 — R-210, R-260 —
-# R-263). Triggers ONLY on workflow_dispatch; runs preflight (lint +
-# typecheck + test + build) BEFORE creating any commit; prepares the
-# release/<version> branch and opens the bump-PR via `gh pr create`.
-#
-# Placeholders (replaced at scaffold time — see workflows/README.md):
-#   <NODE_VERSION>     Node.js version    (e.g. "22.x")
-#   <INSTALL_CMD>      Install command    (e.g. "pnpm install --frozen-lockfile")
-#   <LINT_CMD>         tool:lint          (ADR-061 resolved)
-#   <TYPECHECK_CMD>    tool:typecheck     (ADR-061 resolved)
-#   <TEST_CMD>         tool:test          (ADR-061 resolved)
-#   <BUILD_CMD>        tool:build         (ADR-061 resolved)
-#   <BRANCH_PREFIX>    Release branch prefix (default: "release")
-#   <PR_LABEL>         GitHub label applied to bump-PR (default: "release")
-# (Angle-brackets in this doc comment are intentional — they avoid being
-#  substituted by the {{...}} regex pass. The placeholders below use {{...}}.)
-
-name: Release Prepare
-
-# R-200: workflow_dispatch only — MUST NOT trigger on push to any branch.
-# R-201: required input `version`; optional `plan-blob-sha256`, `epic`, `channel`.
-on:
-  workflow_dispatch:
-    inputs:
-      version:
-        description: 'Version to release (e.g. v2026.6.0)'
-        type: string
-        required: true
-      plan-blob-sha256:
-        description: 'SHA256 of pre-computed plan JSON (optional)'
-        type: string
-        required: false
-      epic:
-        description: 'Epic task ID (e.g. T9999) used by `cleo release plan`'
-        type: string
-        required: false
-      channel:
-        description: 'Release channel'
-        type: choice
-        required: false
-        default: latest
-        options:
-          - latest
-          - beta
-          - alpha
-          - rc
-
-# R-202: contents:write (commit + branch), pull-requests:write (gh pr create),
-# id-token:write (signed tags only). MUST NOT request packages:write — npm
-# publish belongs to release-publish.yml.
-permissions:
-  contents: write
-  pull-requests: write
-  id-token: write
-
-# R-207: concurrent prepare runs against the same version queue rather than
-# collide. cancel-in-progress=false preserves in-flight work.
-concurrency:
-  group: release-prepare-${{ inputs.version }}
-  cancel-in-progress: false
-
-# R-262: bash everywhere — no cross-platform shell drift.
-defaults:
-  run:
-    shell: bash
-
-jobs:
-  # R-204: lint + typecheck + test + build BEFORE any commit. Failure here
-  # MUST fail the workflow and prevent `prepare` from running.
-  preflight:
-    name: Preflight (lint + typecheck + test + build)
-    runs-on: ubuntu-latest
-    timeout-minutes: 20
-    steps:
-      # R-263: third-party Actions pinned to major+minor.
-      - name: Checkout
-        uses: actions/checkout@v4.1
-        with:
-          fetch-depth: 0
-        timeout-minutes: 5
-
-      - name: Set up Node.js
-        uses: actions/setup-node@v4.0
-        with:
-          node-version: '{{NODE_VERSION}}'
-        timeout-minutes: 3
-
-      - name: Install dependencies
-        run: {{INSTALL_CMD}}
-        timeout-minutes: 5
-
-      - name: Lint
-        run: {{LINT_CMD}}
-        timeout-minutes: 5
-
-      - name: Typecheck
-        run: {{TYPECHECK_CMD}}
-        timeout-minutes: 5
-
-      - name: Test
-        run: {{TEST_CMD}}
-        timeout-minutes: 10
-
-      - name: Build
-        run: {{BUILD_CMD}}
-        timeout-minutes: 10
-
-      # R-208: status check `release-prepare/preflight` is reported by GitHub
-      # automatically against the bump-PR head SHA once the PR is open. No
-      # extra step is required — branch protection MUST require this check.
-
-  # R-203: prepare needs preflight.
-  # R-205: plan resolution → version bump → CHANGELOG → commit → push → bump-PR.
-  prepare:
-    name: Prepare bump-PR
-    runs-on: ubuntu-latest
-    needs: preflight
-    timeout-minutes: 20
-    outputs:
-      branch: ${{ steps.branch.outputs.name }}
-      branch_created: ${{ steps.push.outputs.created }}
-    env:
-      # R-210: only GITHUB_TOKEN required. NPM_TOKEN is publish-only.
-      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4.1
-        with:
-          fetch-depth: 0
-          token: ${{ secrets.GITHUB_TOKEN }}
-        timeout-minutes: 5
-
-      - name: Configure git identity
-        run: |
-          git config user.email "actions@github.com"
-          git config user.name "GitHub Actions"
-        timeout-minutes: 1
-
-      - name: Cut release branch
-        id: branch
-        run: |
-          BRANCH="{{BRANCH_PREFIX}}/${{ inputs.version }}"
-          git checkout -b "$BRANCH"
-          echo "name=$BRANCH" >> "$GITHUB_OUTPUT"
-        timeout-minutes: 2
-
-      - name: Set up Node.js
-        uses: actions/setup-node@v4.0
-        with:
-          node-version: '{{NODE_VERSION}}'
-        timeout-minutes: 3
-
-      - name: Install dependencies
-        run: {{INSTALL_CMD}}
-        timeout-minutes: 5
-
-      # R-205(a)/(b): resolve plan — call `cleo release plan` if sha is empty,
-      # otherwise verify the existing plan blob via sha256.
-      - name: Resolve release plan
-        id: plan
-        run: |
-          mkdir -p .cleo/release
-          PLAN_FILE=".cleo/release/${{ inputs.version }}.plan.json"
-          if [ -z "${{ inputs.plan-blob-sha256 }}" ]; then
-            echo "No plan-blob-sha256 input — generating fresh plan."
-            EPIC_ARGS=()
-            if [ -n "${{ inputs.epic }}" ]; then
-              EPIC_ARGS=(--epic "${{ inputs.epic }}")
-            fi
-            cleo release plan "${{ inputs.version }}" "${EPIC_ARGS[@]}" --json > "$PLAN_FILE"
-          else
-            echo "Verifying pre-computed plan against sha256=${{ inputs.plan-blob-sha256 }}"
-            if [ ! -f "$PLAN_FILE" ]; then
-              echo "::error::Plan file $PLAN_FILE not found — cannot verify sha256"
-              exit 1
-            fi
-            ACTUAL=$(sha256sum "$PLAN_FILE" | awk '{print $1}')
-            if [ "$ACTUAL" != "${{ inputs.plan-blob-sha256 }}" ]; then
-              echo "::error::Plan sha256 mismatch — expected ${{ inputs.plan-blob-sha256 }}, got $ACTUAL"
-              exit 1
-            fi
-          fi
-          echo "plan_file=$PLAN_FILE" >> "$GITHUB_OUTPUT"
-        timeout-minutes: 5
-
-      # R-205(c): bump version files via `cleo version-bump`.
-      - name: Bump version
-        run: cleo version-bump --version "${{ inputs.version }}"
-        timeout-minutes: 3
-
-      # R-205(d): regenerate CHANGELOG via the preserved `cleo release
-      # changelog` primitive, scoped to commits since the previous tag.
-      - name: Regenerate CHANGELOG
-        run: |
-          PREV_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "")
-          if [ -n "$PREV_TAG" ]; then
-            cleo release changelog --since "$PREV_TAG"
-          else
-            cleo release changelog
-          fi
-        timeout-minutes: 3
-
-      # R-205(e): commit with the canonical subject line.
-      - name: Commit prepare
-        run: |
-          git add -A
-          git commit -m "release: prepare ${{ inputs.version }}"
-        timeout-minutes: 2
-
-      - name: Push branch
-        id: push
-        run: |
-          git push origin "${{ steps.branch.outputs.name }}"
-          echo "created=true" >> "$GITHUB_OUTPUT"
-        timeout-minutes: 5
-
-      # R-205(f): open the bump-PR via `gh pr create`.
-      - name: Open bump-PR
-        run: |
-          gh pr create \
-            --base main \
-            --head "${{ steps.branch.outputs.name }}" \
-            --title "release: prepare ${{ inputs.version }}" \
-            --label "{{PR_LABEL}}" \
-            --body-file "${{ steps.plan.outputs.plan_file }}"
-        timeout-minutes: 5
-
-      # R-209(c): emit recovery hint into the job summary artifact.
-      - name: Emit recovery hint to job summary
-        if: always()
-        run: |
-          {
-            echo "## Release Prepare — ${{ inputs.version }}"
-            echo ""
-            echo "Branch: \`${{ steps.branch.outputs.name }}\`"
-            echo ""
-            echo "**Recovery command** (if anything went wrong):"
-            echo ""
-            echo "\`\`\`"
-            echo "cleo release plan ${{ inputs.version }} --epic ${{ inputs.epic }}; cleo release open ${{ inputs.version }}"
-            echo "\`\`\`"
-          } >> "$GITHUB_STEP_SUMMARY"
-        timeout-minutes: 1
-
-  # R-209(a)(b): on failure, delete the half-cut release branch and print
-  # the recovery command. continue-on-error so cleanup itself cannot fail
-  # the workflow further.
-  cleanup-on-failure:
-    name: Cleanup on failure
-    runs-on: ubuntu-latest
-    needs:
-      - preflight
-      - prepare
-    if: failure()
-    timeout-minutes: 10
-    env:
-      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4.1
-        with:
-          fetch-depth: 0
-          token: ${{ secrets.GITHUB_TOKEN }}
-        timeout-minutes: 5
-
-      - name: Delete release branch (best-effort)
-        continue-on-error: true
-        run: |
-          BRANCH="{{BRANCH_PREFIX}}/${{ inputs.version }}"
-          if git ls-remote --exit-code --heads origin "$BRANCH" >/dev/null 2>&1; then
-            echo "Deleting remote branch $BRANCH"
-            git push origin --delete "$BRANCH" || true
-          else
-            echo "No remote branch $BRANCH to delete."
-          fi
-        timeout-minutes: 5
-
-      - name: Print recovery command
-        run: |
-          echo "::notice::Recovery: cleo release plan ${{ inputs.version }} --epic ${{ inputs.epic }}; cleo release open ${{ inputs.version }}"
-          {
-            echo "## Release Prepare FAILED — ${{ inputs.version }}"
-            echo ""
-            echo "Run this to recover:"
-            echo ""
-            echo "\`\`\`"
-            echo "cleo release plan ${{ inputs.version }} --epic ${{ inputs.epic }}; cleo release open ${{ inputs.version }}"
-            echo "\`\`\`"
-          } >> "$GITHUB_STEP_SUMMARY"
-        timeout-minutes: 1