Skip to content

feat: draft releases, version verification, and reusable workflows #287

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
SoulPancake wants to merge 2 commits into
base: main
Choose a base branch
from
+32 −23
Open

feat: draft releases, version verification, and reusable workflows #287

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
52e10e3
feat: draft releases, version verification, and reusable workflows
SoulPancake May 4, 2026
e249cb8
fix: address comment
SoulPancake May 5, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
43 changes: 29 additions & 14 deletions .github/workflows/main.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -60,11 +60,37 @@ jobs:
token: ${{ secrets.CODECOV_TOKEN }}
slug: openfga/python-sdk

publish:
verify-version:
runs-on: ubuntu-latest
if: startsWith(github.ref, 'refs/tags/v')
needs: [test]

steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Verify versions match
run: |
TAG_VERSION="${GITHUB_REF#refs/tags/v}"
MANIFEST_VERSION=$(jq -r '.["."]' .release-please-manifest.json)
PYPROJECT_VERSION=$(python3 -c 'import tomllib; print(tomllib.load(open("pyproject.toml", "rb"))["project"]["version"])')

echo "Tag: $TAG_VERSION | Manifest: $MANIFEST_VERSION | pyproject.toml: $PYPROJECT_VERSION"

if [[ "$TAG_VERSION" != "$MANIFEST_VERSION" ]]; then
echo "ERROR: Tag version does not match manifest version"
exit 1
fi
if [[ "$PYPROJECT_VERSION" != "$MANIFEST_VERSION" ]]; then
echo "ERROR: pyproject.toml version does not match manifest version"
exit 1
fi
echo "All versions verified: $TAG_VERSION"

publish:
runs-on: ubuntu-latest
if: startsWith(github.ref, 'refs/tags/v')
needs: [verify-version]

permissions:
id-token: write # Required for PyPI trusted publishing

Expand All @@ -91,20 +117,9 @@ jobs:
- name: Publish package
uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0

create-release:
runs-on: ubuntu-latest
undraft-release:
if: startsWith(github.ref, 'refs/tags/v')
needs: [publish]
permissions:
contents: write

steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0

- uses: Roang-zero1/github-create-release-action@57eb9bdce7a964e48788b9e78b5ac766cb684803 # v3.0.1
with:
version_regex: ^v[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
uses: openfga/sdk-generator/.github/workflows/undraft-release.yml@main
Comment thread
SoulPancake marked this conversation as resolved.
Comment on lines +120 to +125
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot May 5, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check whether undraft-release.yml declares required inputs
gh api repos/openfga/sdk-generator/contents/.github/workflows/undraft-release.yml \
  --jq '.content' | base64 -d | grep -A 20 'on:'

Repository: openfga/python-sdk

Length of output: 109

🏁 Script executed:

# First, check if there's any documentation or references to the workflow in the current repo
find . -type f -name "*.md" -o -name "*.yaml" -o -name "*.yml" | head -20

Repository: openfga/python-sdk

Length of output: 626

🌐 Web query:

openfga/sdk-generator GitHub repository undraft-release workflow

💡 Result:

I could not find any “undraft-release” GitHub Actions workflow (or an “undraft-release” workflow job/action) in the openfga/sdk-generator repository using up-to-date web search results. What I did find instead: - openfga/sdk-generator is a generator repo (Mustache-based) responsible for generating OpenFGA SDKs from the OpenFGA OpenAPIv2 document, and it references that it contains workflows under.github/workflows/main.yml for CI checks, but nothing surfaced about an “undraft-release” workflow in the surfaced results. - Release automation in the OpenFGA SDK ecosystem appears to be handled via release-please and reusable workflows (example: documented in the Go SDK’s RELEASE.md and referenced by release automation PRs in SDK repos), rather than “undraft-release”. If you can share the exact repository URL, branch, or the filename where you believe “undraft-release” exists (or paste the workflow snippet), I can pinpoint it precisely.

Citations:

🏁 Script executed:

cat -n .github/workflows/main.yaml | sed -n '110,135p'

Repository: openfga/python-sdk

Length of output: 607

🏁 Script executed:

# Search for any references to undraft-release in the codebase
rg "undraft-release" .

Repository: openfga/python-sdk

Length of output: 44

🏁 Script executed:

# Check if sdk-generator has this workflow (try different patterns)
# First, let's see what workflows are typically in similar org repos
rg "openfga/sdk-generator" . --type yaml

Repository: openfga/python-sdk

Length of output: 44

🏁 Script executed:

# Look at release-please.yml to understand release workflow
cat -n .github/workflows/release-please.yml

Repository: openfga/python-sdk

Length of output: 1838

🏁 Script executed:

# Search for any documentation about releases or undraft in markdown files
rg -i "undraft|undraft-release" . --type md

Repository: openfga/python-sdk

Length of output: 44

🌐 Web query:

openfga sdk-generator undraft-release workflow GitHub Actions

💡 Result:

I couldn’t find any evidence of an “undraft-release” GitHub Actions workflow (or a file named like that) in openfga/sdk-generator. What I did find is that OpenFGA SDK releases are being automated using release-please, with repository-level workflows that delegate to a reusable workflow hosted in sdk-generator. 1) openfga/sdk-generator repo context - sdk-generator describes generator templates and CI checks, and is positioned as the place where shared automation logic/workflows can live for generating SDKs across languages.[1] 2) SDK release automation approach in OpenFGA - The sdk-generator issue discussing automated/continuous delivery explicitly calls out a “manual trigger” via GitHub Actions and automation for preparation/versioning/execution, but it does not mention “undraft-release”.[2] 3) Evidence of release-please wiring to sdk-generator (not undraft-release) - The Go SDK release automation infrastructure adds a workflow that is triggered on pushes to main and manual dispatch, and it delegates to an external reusable workflow located at openfga/sdk-generator/.github/workflows/release-please.yml (with bump type options and secrets). This is described in openfga/go-sdk issue #291.[3] - The js-sdk PR #362 similarly states it adds a GitHub Actions workflow “.github/workflows/release-please.yml” that delegates to a reusable workflow from sdk-generator, with configurable bump type and explicit release version.[4] - The Go SDK RELEASE.md documents that the project uses release-please via a workflow_dispatch-triggered GitHub Actions workflow and instructs users to run the “release-please” workflow manually, choosing bump type options like patch/minor/explicit.[5] Conclusion - For the specific query “openfga sdk-generator undraft-release workflow GitHub Actions”: I found no source-backed indication that such a workflow exists in sdk-generator. - The release automation workflow in use (based on multiple OpenFGA SDK repo docs/PR descriptions) is release-please, with sdk-generator providing a reusable release-please workflow.[3][4][5]

Citations:

Remove the undraft-release job—the referenced workflow does not exist.

openfga/sdk-generator/.github/workflows/undraft-release.yml does not exist in the sdk-generator repository. This job will fail at runtime with a "workflow not found" error. OpenFGA SDK release automation uses release-please.yml, not undraft-release.yml.

If release automation post-publish is needed, replace this with a reference to the correct workflow (release-please.yml), or remove it entirely if intentionally unused.

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/main.yaml around lines 120 - 125, The undraft-release job
references a non-existent workflow and will fail; update the job named
undraft-release by either removing the entire job block (undraft-release) or
changing its uses value from
openfga/sdk-generator/.github/workflows/undraft-release.yml@main to the correct
workflow file openfga/sdk-generator/.github/workflows/release-please.yml@main
(and ensure any conditional/needs/permissions still apply) so the workflow
points to an existing release automation.

Copy link
Copy Markdown
Member Author

@SoulPancake SoulPancake May 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes it is still in the PR, We will merge this after that is merged in the sdk generator to main

Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot May 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@SoulPancake, thanks for the clarification! That makes sense — merging the undraft-release.yml workflow into openfga/sdk-generator first and then landing this PR is the right sequencing to avoid a runtime "workflow not found" error.

A couple of things worth keeping in mind for that sequencing:

  • Pin the reusable workflow to a commit SHA (e.g., openfga/sdk-generator/.github/workflows/undraft-release.yml@<sha>) rather than @main once it lands, for reproducibility and security — consistent with how the other actions in this workflow are pinned.
  • Consider adding a comment in the workflow file noting the dependency on the sdk-generator PR, so reviewers of this PR have context.

Copy link
Copy Markdown
Member Author

@SoulPancake SoulPancake May 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We will pin them eventually, still experimenting with the repo and other stuff etc.

11 changes: 2 additions & 9 deletions .github/workflows/pr-title-conventional-commit.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,15 +7,8 @@ on:
- main

jobs:
validate-pr-title:
name: Validate PR Title
runs-on: ubuntu-latest
pr-title-check:
permissions:
pull-requests: read
steps:
- name: PR Conventional Commit Validation
uses: ytanikin/pr-conventional-commits@639145d78959c53c43112365837e3abd21ed67c1 # v1.5.2
with:
task_types: '["feat","fix","docs","test","refactor","ci","perf","chore","revert","release"]'
add_label: 'false'
uses: openfga/sdk-generator/.github/workflows/pr-title-check.yml@main
Comment thread
SoulPancake marked this conversation as resolved.
Comment on lines +10 to +13
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot May 5, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check whether pr-title-check.yml declares required inputs
gh api repos/openfga/sdk-generator/contents/.github/workflows/pr-title-check.yml \
  --jq '.content' | base64 -d | grep -A 20 'on:'

Repository: openfga/python-sdk

Length of output: 109

🏁 Script executed:

# First, locate the pr-title-conventional-commit.yml file
find . -name "pr-title-conventional-commit.yml" -type f

Repository: openfga/python-sdk

Length of output: 115

🏁 Script executed:

# Also search for any references to pr-title-check in the repository
rg "pr-title-check" --type yaml

Repository: openfga/python-sdk

Length of output: 44

🏁 Script executed:

cat -n ./.github/workflows/pr-title-conventional-commit.yml

Repository: openfga/python-sdk

Length of output: 443

🏁 Script executed:

# Try to fetch the workflow file directly via curl
curl -s "https://raw.githubusercontent.com/openfga/sdk-generator/main/.github/workflows/pr-title-check.yml" | head -50

Repository: openfga/python-sdk

Length of output: 76

🏁 Script executed:

# Also check if there are any recent releases or tags in sdk-generator
curl -s "https://api.github.com/repos/openfga/sdk-generator/releases?per_page=5" | jq '.[0:3] | .[] | {tag_name, created_at}'

Repository: openfga/python-sdk

Length of output: 44

🏁 Script executed:

# Check the contents of the .github/workflows directory in sdk-generator
curl -s "https://api.github.com/repos/openfga/sdk-generator/contents/.github/workflows" | jq '.[] | .name'

Repository: openfga/python-sdk

Length of output: 95

🏁 Script executed:

# Check available branches in sdk-generator
curl -s "https://api.github.com/repos/openfga/sdk-generator/branches" | jq '.[] | .name' | head -10

Repository: openfga/python-sdk

Length of output: 429

🏁 Script executed:

# Search for pr-title-check files across all branches in sdk-generator
curl -s "https://api.github.com/search/code?q=repo:openfga/sdk-generator+filename:pr-title-check" | jq '.items | length'

Repository: openfga/python-sdk

Length of output: 64

🏁 Script executed:

# Also check if maybe the file exists with a different name that handles PR titles
curl -s "https://api.github.com/repos/openfga/sdk-generator/contents/.github/workflows" | jq '.'

Repository: openfga/python-sdk

Length of output: 2049

🏁 Script executed:

# Check what main.yaml contains - might be a reusable workflow
curl -s "https://raw.githubusercontent.com/openfga/sdk-generator/main/.github/workflows/main.yaml" | head -40

Repository: openfga/python-sdk

Length of output: 1031

🏁 Script executed:

# Also check if maybe pr-title-check is defined inline somewhere
curl -s "https://raw.githubusercontent.com/openfga/sdk-generator/main/.github/workflows/main.yaml" | grep -i "title\|name:" | head -20

Repository: openfga/python-sdk

Length of output: 660

Remove or replace the broken workflow reference: openfga/sdk-generator/.github/workflows/pr-title-check.yml does not exist.

The file pr-title-check.yml is not present in the openfga/sdk-generator repository (only main.yaml and release-please.yml exist in .github/workflows/). This workflow will fail at runtime. Either find the correct reusable workflow to use, implement PR title validation locally, or remove this job entirely.

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/pr-title-conventional-commit.yml around lines 10 - 13, The
referenced reusable workflow in the pr-title-check job ("uses:
openfga/sdk-generator/.github/workflows/pr-title-check.yml@main") is invalid and
will fail at runtime; update the pr-title-check job by either replacing the
"uses" target with the correct reusable workflow path/name (or correct
repository) or remove the pr-title-check job and implement equivalent PR title
validation steps locally (e.g., a local step that validates commits/PR title),
ensuring changes are applied to the job named pr-title-check and its "uses"
entry.

Copy link
Copy Markdown
Member Author

@SoulPancake SoulPancake May 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes it is still in the PR, We will merge this after that is merged in the sdk generator to main

Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot May 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@SoulPancake, understood! That makes sense — this PR has a cross-repo dependency on the openfga/sdk-generator PR that introduces pr-title-check.yml. As long as that workflow lands in sdk-generator@main before this PR is merged, the reference will resolve correctly at runtime.

One suggestion: it might be worth adding a comment in the workflow file or the PR description linking to the sdk-generator PR, so reviewers and future maintainers are aware of the dependency order. This helps avoid accidentally merging this PR before the prerequisite is in place.

✏️ Learnings added 
Learnt from: SoulPancake
Repo: openfga/python-sdk PR: 287
File: .github/workflows/pr-title-conventional-commit.yml:10-13
Timestamp: 2026-05-05T13:18:36.072Z
Learning: In the `openfga/python-sdk` repository, the reusable workflow reference `openfga/sdk-generator/.github/workflows/pr-title-check.ymlmain` in `.github/workflows/pr-title-conventional-commit.yml` is intentionally referencing a file that does not yet exist in `openfga/sdk-generatormain`. It is being added via a separate PR in the sdk-generator repo, and this python-sdk PR is meant to be merged only after that sdk-generator PR lands on main. This is a deliberate cross-repo sequencing pattern, not a bug.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.


1 change: 1 addition & 0 deletions release-please-config.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@
"$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json",
"release-type": "python",
"pull-request-title-pattern": "release: v${version}",
"draft": true,
"packages": {
".": {
"package-name": "",
Expand Down
Loading