
v0.3.59 release (redux redux)#262

Merged
bradhe merged 1 commit intomainfrom
develop
Apr 23, 2026

Conversation

@bradhe
Contributor

@bradhe bradhe commented Apr 23, 2026

  • Manage release files with our automation instead of by hand-editing the files.

Summary by CodeRabbit

  • Chores
    • Reorganized release pipeline workflow to optimize job orchestration with improved security controls.
    • Extended CI configuration to include NPM package publishing in the distribution workflow.
    • Introduced automated announcement job that triggers upon successful release completion.

@bradhe bradhe requested a review from socksy April 23, 2026 10:45
@coderabbitai

coderabbitai Bot commented Apr 23, 2026

📝 Walkthrough


GitHub Actions release workflow refactored to correct job-to-workflow mappings, swap custom-publish-docker and custom-publish-npm job implementations, add a new announce job with conditional success criteria, and adjust publish job permissions. Distribution workspace configuration updated to include npm in the publish job pipeline.

Changes

Cohort / File(s) Summary
Release Workflow Restructuring
.github/workflows/release.yml
Job mappings corrected: custom-publish-docker now invokes publish-docker.yml and custom-publish-npm invokes publish-npm.yml. Permissions restricted to id-token: write and packages: write. New announce job added that depends on host and all publish jobs, runs only when host succeeds and publish jobs are skipped or successful, with credentials disabled checkout.
Distribution Configuration
dist-workspace.toml
NPM publish job added to publish-jobs list alongside existing PyPI and Docker publish jobs.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • v0.3.59 release (redux) #260: Modifies job-level permissions for the custom-publish-npm workflow, affecting the same permission declarations being updated in this PR.

Suggested reviewers

  • socksy
  • sammuti
  • codingcyclist

Poem

🐰 A rabbit hops through workflows grand,
Publishing jobs now rearranged as planned,
With announce calls after success rings true,
And npm joins the pipeline crew! 🚀

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name Status Explanation Resolution
Title check ❓ Inconclusive The title 'v0.3.59 release (redux redux)' is vague and generic, using unclear phrasing that doesn't convey meaningful information about the actual changes. Use a more descriptive title that reflects the main change, such as 'Automate release workflow generation from dist configuration' or 'Update release workflow to regenerate from dist instead of manual edits'.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

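The walkthrough above describes the job graph in prose. The fragment below is an added illustration of that shape, written for this page; it is not the project's generated release.yml. The job names `host`, `custom-publish-npm`, `custom-publish-docker` and `announce`, the reusable-workflow file names and the `actions/checkout@v6` pin are taken from the review text; the `if` expression, the `secrets: inherit` lines, the announce step contents and the inclusion of `"contents": "read"` (which the inline review comment asks for) are assumptions. The matching dist-workspace.toml change is a single list entry of the form `publish-jobs = ["./publish-pypi", "./publish-docker", "./publish-npm"]` (entry names assumed; the `./` prefix marks a custom publish job that dist maps to a `custom-publish-<name>` job).

```yaml
# Added illustration of the job graph described in the walkthrough.
# Not the project's generated release.yml; job names follow the review text,
# everything else is assumed.
jobs:
  host:
    # Builds and uploads the release artifacts (details omitted here).
    runs-on: ubuntu-latest
    steps:
      - run: echo "host job: build and upload release artifacts"

  custom-publish-npm:
    needs: [host]
    # Caller-level permissions are the ceiling for the reusable workflow's
    # GITHUB_TOKEN: any scope not listed here is "none", so the callee's
    # actions/checkout only gets a readable token if contents: read is granted
    # here. id-token: write is what allows the publish job to mint an OIDC
    # token; packages: write is only needed where the callee pushes to GitHub
    # Packages.
    permissions:
      "contents": "read"
      "id-token": "write"
      "packages": "write"
    uses: ./.github/workflows/publish-npm.yml
    secrets: inherit

  custom-publish-docker:
    needs: [host]
    permissions:
      "contents": "read"
      "id-token": "write"
      "packages": "write"
    uses: ./.github/workflows/publish-docker.yml
    secrets: inherit

  announce:
    needs: [host, custom-publish-npm, custom-publish-docker]
    # A job whose dependency was skipped is itself skipped unless the condition
    # uses always(); always() alone would also run after a failure, so each
    # dependency's result is checked explicitly: host must have succeeded and
    # every publish job must have succeeded or been skipped.
    if: >-
      ${{ always()
          && needs.host.result == 'success'
          && (needs.custom-publish-npm.result == 'skipped' || needs.custom-publish-npm.result == 'success')
          && (needs.custom-publish-docker.result == 'skipped' || needs.custom-publish-docker.result == 'success') }}
    runs-on: ubuntu-latest
    permissions:
      "contents": "read"   # the announcement only reads the checked-out tree
    steps:
      - uses: actions/checkout@v6
        with:
          # Do not leave the GITHUB_TOKEN in .git/config where later steps
          # (and anything they execute) could read it.
          persist-credentials: false
      - run: echo "announce: release published"   # placeholder for the real step
```

The practitioner check for a change like this is to run the release workflow on a branch with the publish jobs skipped and confirm that `announce` still runs (the `skipped` branch of the condition) and that it does not run when `host` fails; the `persist-credentials: false` line can be verified after checkout with `git config --get http.https://github.com/.extraheader`, which should print nothing.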

Contributor

@socksy socksy left a comment


wish we could get rid of that announce job


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/release.yml:
- Around line 315-317: The caller workflow's permissions block is missing the
contents read scope required by reusable publish jobs that call
actions/checkout; update the permissions object in the workflow (the block that
currently contains "id-token": "write" and "packages": "write") to also include
"contents": "read" so the reusable workflows can successfully run
actions/checkout@v6.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 2319f1c4-b5dc-400b-bb0b-29f7b2c45bb7

📥 Commits

Reviewing files that changed from the base of the PR and between 23881cf and 1fc62c6.

📒 Files selected for processing (2)
  • .github/workflows/release.yml
  • dist-workspace.toml

Comment on lines +315 to +317
permissions:
"id-token": "write"
"packages": "write"

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Caller job permissions and reusable workflow mapping =="
rg -n -A6 -B2 'custom-publish-(docker|npm):|uses: \./\.github/workflows/publish-(docker|npm)\.yml|permissions:|"contents"|"id-token"|"packages"' .github/workflows/release.yml

echo
echo "== Callee workflows requiring checkout (and their permissions) =="
rg -n -A5 -B2 'permissions:|contents:\s*read|id-token:\s*write|packages:\s*write|uses:\s*actions/checkout@v6' .github/workflows/publish-docker.yml .github/workflows/publish-npm.yml

Repository: tower/tower-cli


Add contents: read to caller permissions for reusable publish jobs.

Both called workflows perform actions/checkout@v6; without contents: read at the caller, checkout will fail due to reduced token scope in reusable workflow execution.

🔧 Proposed fix
   custom-publish-docker:
     ...
     permissions:
+      "contents": "read"
       "id-token": "write"
       "packages": "write"

   custom-publish-npm:
     ...
     permissions:
+      "contents": "read"
       "id-token": "write"
       "packages": "write"
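Review bot: the two added `"contents": "read"` lines are the right scope and the right place (the caller job's permissions are the ceiling for the reusable workflow's token, so the callee cannot grant itself what the caller omits), but this PR's description says release.yml is now managed by the automation rather than hand-edited, and the title check suggests it is regenerated from the dist configuration; a hand edit to the generated file will be reverted on the next regeneration, so the fix should go into whatever produces the custom-publish-* job permissions, with the generated output then re-checked against these lines. Keep the set minimal: `contents: read` for the checkout, and `packages: write` only on the job that actually pushes to GitHub Packages if the script output above shows that only one of the two callees needs it.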

@bradhe bradhe merged commit 567e803 into main Apr 23, 2026
31 checks passed


3 participants