UID2-6762: Consolidate release-notes pipeline onto shared_create_releases #229
…ases

Extend the shared_create_releases composite action to support all five publish platforms (Docker, Maven, PyPI, NuGet, iOS) and consolidate every inline mikepenz/release-changelog-builder step in the shared workflows onto the composite.

Net result: one canonical release-notes pipeline (Build Changelog -> Delete Draft Releases -> Create Release draft) in a single composite action, with each workflow calling it via a single ~7-line step instead of ~30 lines of duplicated inline mikepenz/delete-draft/softprops blocks.

Side-effect fixes:
- PyPI template no longer emits a Maven <dependency> block (uses pip install instead) and links to the version-specific PyPI page
- NuGet template no longer emits a Maven <dependency> block (uses dotnet add package) and links to the version-specific NuGet page
- Every workflow now has Delete Draft Releases (previously only shared-publish-java-to-docker-versioned had it)
- shared-publish-to-docker-versioned bumped from @v2 to @V3 for consistency with the rest of the repo

Decision and rationale documented in UID2-6762 (mikepenz over GitHub-native: PR-line author suppression for public-facing release pages).
d72d8eb to b944b53
workflow_dispatch harness exercising each platform branch of the composite against an existing v3 tag so we can inspect the resulting draft-release body before merge. Delete this file and any draft releases it produces once verification is complete.
| new_version: ${{ steps.version.outputs.new_version }} | ||
| github_token: ${{ secrets.GITHUB_TOKEN }} | ||
| publish_platform: PyPI | ||
| repo: ${{ env.REPO }} |
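Review bot: `repo: ${{ env.REPO }}` on the last line is passed together with `publish_platform: PyPI`, so if the composite uses this value as the package name in the install snippet it has to match the name published on PyPI, which a repository name does not guarantee. Suggest deriving the name from the package manifest inside the composite and failing the step when the derived value is empty.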
I think `env.REPO` will pass `uid2-client-python` and `shared_create_releases` will run `pip install uid2-client-python==<version>`, which will fail since the project is registered as `uid2-client` on PyPI.
Good catch — and the same pattern affects 4 of the Maven callers too (uid2-attestation-azure → attestation-azure, similar for -gcp, -aws, and uid2-client-java → uid2-client). 5 of 9 callers ship broken install snippets today.
Fixed in 31313d1 by extracting the real package identifier from the manifest at release time:
- PyPI: greps the top-level `name = "..."` from `pyproject.toml`
- Maven: uses `mvn help:evaluate -Dexpression=project.artifactId -q -DforceStdout` as the canonical source
Both fail loudly if extraction returns empty. NuGet stays hardcoded (workflow already only handles UID2.Client); Docker / iOS unaffected.
This also makes uid2-attestation-api and uid2-shared (currently correct by coincidence — repo name happens to equal artifactId) robust against future renames.
The PyPI install snippet and Maven dependency block in release notes previously used `github.event.repository.name`, which differs from the actual published package name in 5 of 9 consumer repos:

- PyPI: uid2-client-python repo → uid2-client package
- Maven: uid2-attestation-azure → attestation-azure
- Maven: uid2-attestation-gcp → attestation-gcp
- Maven: uid2-attestation-aws → attestation-aws
- Maven: uid2-client-java → uid2-client

Result: `pip install` / `<dependency>` snippets shown on the GitHub Releases page produced 404s when copy-pasted.

Fix: read the real package identifier from each manifest at release time. PyPI greps the top-level `name = "..."` from pyproject.toml; Maven uses `mvn help:evaluate -Dexpression=project.artifactId` as the canonical source. Both fail loudly if extraction returns empty.

Fixes Behnam's review comment on PR #229.
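The manifest-based extraction described in the reply and commit message above, sketched for the PyPI case as an added example (not the code from commit 31313d1): it goes a little further than a plain grep by reading `name` only from the `[project]` table and rejecting values that are not valid package names. The function names, manifest contents and version number are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the PR's code. Manifest contents below are constructed.

# Print the name from the [project] table of a pyproject.toml.
# Returns non-zero if the name is missing or not a valid package name.
extract_pypi_name() {
  manifest=$1
  [ -f "$manifest" ] || { echo "error: $manifest not found" >&2; return 1; }
  # Accept `name = "..."` only inside [project]; a bare grep for ^name would
  # also match keys in other tables such as [tool.*].
  pkg=$(awk '
    /^[ \t]*\[/ { in_project = ($0 ~ /^[ \t]*\[project\][ \t]*(#.*)?$/); next }
    in_project && /^[ \t]*name[ \t]*=/ {
      sub(/^[^=]*=[ \t]*"/, ""); sub(/".*$/, ""); print; exit
    }' "$manifest")
  if [ -z "$pkg" ]; then
    echo "error: no [project] name in $manifest" >&2; return 1
  fi
  # PEP 508 name shape: letters, digits, ".", "_", "-", alphanumeric at both ends.
  if ! printf '%s\n' "$pkg" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9._-]*[A-Za-z0-9])?$'; then
    echo "error: unexpected package name '$pkg' in $manifest" >&2; return 1
  fi
  printf '%s\n' "$pkg"
}

# Build the install line for the release body from the manifest and a version.
pip_install_line() {
  name=$(extract_pypi_name "$1") || return 1
  printf 'pip install %s==%s\n' "$name" "$2"
}

# Constructed manifest: repository uid2-client-python, package uid2-client.
demo_dir=$(mktemp -d)
cat > "$demo_dir/pyproject.toml" <<'EOF'
[build-system]
requires = ["setuptools"]

[tool.example]
name = "not-the-package"

[project]
name = "uid2-client"
EOF
printf '[tool.example]\nname = "x"\n' > "$demo_dir/no-project.toml"

pip_install_line "$demo_dir/pyproject.toml" 1.2.3   # pip install uid2-client==1.2.3
pip_install_line "$demo_dir/no-project.toml" 1.2.3 || echo "extraction failed, stopping"
rm -rf "$demo_dir"
```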
Summary

Extend the `shared_create_releases` composite action to support all five publish platforms (Docker, Maven, PyPI, NuGet, iOS) and consolidate every inline `mikepenz/release-changelog-builder` step in the shared workflows onto the composite.

- `actions/shared_create_releases/action.yaml` — Build Changelog → Delete Draft Releases → Create Release (draft).
- `mikepenz` or `softprops/action-gh-release` references remain outside the composite.

Closes UID2-6762 (decision and rationale documented in the ticket comments: mikepenz over GitHub-native, primarily to suppress `@AUTHOR` from the public-facing release pages via `pr_template`).

Side-effect fixes (bugs found during the audit)

- PyPI template no longer emits a Maven `<dependency>` block — uses `pip install <pkg>==<version>` and links to the version-specific PyPI page.
- NuGet template no longer emits a Maven `<dependency>` block — uses `dotnet add package` and links to the version-specific NuGet page.
- `Delete Draft Releases` now runs for every platform (previously only `shared-publish-java-to-docker-versioned` had it).
- `shared-publish-to-docker-versioned` bumped composite reference from `@v2` to `@v3` for consistency with the rest of the repo.

Coordination with PR #228

PR #228 (UID2-6764, SLSA build provenance) touches `shared-publish-java-to-docker-versioned.yaml` just above this PR's edit area (adds an `Attest build provenance` step between `Push to Docker` and the release-notes block). No line conflict but I'll rebase this PR after #228 merges to preserve the attestation step. This PR should land after #228 and `update-major-version-tags.yaml` should be run on `main` immediately after merge to promote `v3` — same post-merge requirement as #228.

Caller-repo impact

None directly. Consumers reference `IABTechLab/uid2-shared-actions/.github/workflows/...@v3` (floating major tag) and will pick up the change automatically once `v3` is re-promoted. The 6 ticket-scope repos (operator, core, admin, optout, databricks, snowflake) get verified opportunistically as Behnam's caller-repo follow-up PRs from #228 cut their next real publish.

Test plan

- `mikepenz` / `softprops/action-gh-release` / inline `delete_draft_releases` references remain outside the composite
- `main` after PR UID2-6764: Add SLSA build provenance attestations to docker publish workflows #228 merges; preserve Behnam's `Attest build provenance` step in `shared-publish-java-to-docker-versioned.yaml`
- `update-major-version-tags.yaml` on `main` to promote `v3` (same post-merge requirement as PR UID2-6764: Add SLSA build provenance attestations to docker publish workflows #228)

🤖 Generated with Claude Code