Release Workflow (codex-workspace-launcher)
This repo publishes the launcher image from the docker branch (see .github/workflows/publish.yml).
This project-specific workflow extends the base release-workflow with two non-negotiables:
- •Record the pinned upstream pair (
VERSIONS.env) in the release entry inCHANGELOG.md. - •Run local real-Docker E2E (full matrix) and abort if it fails.
Contract
Prereqs:
- •Run in this repo root.
- •Working tree is clean before running the E2E gate.
- •Docker is available (E2E is real Docker):
docker infosucceeds. - •E2E environment is configured (via
direnv/.envrc+.env, or equivalent).- •At minimum, repo-backed cases require
CWS_E2E_PUBLIC_REPO. - •Auth-heavy cases require additional secrets/mounts (see
DEVELOPMENT.md).
- •At minimum, repo-backed cases require
- •
gitavailable onPATH. - •Optional (recommended):
ghavailable +gh auth statussucceeds (for tagging / releases / branch ops).
Inputs:
- •Release version:
vX.Y.Z - •Optional: release date (
YYYY-MM-DD; defaults to today) - •Optional: E2E image tag (defaults to
cws-launcher:e2e)
Outputs:
- •
CHANGELOG.mdupdated with a## vX.Y.Z - YYYY-MM-DDentry that includes:- •
### Upstream pins- •
- zsh-kit: <ZSH_KIT_REF> - •
- codex-kit: <CODEX_KIT_REF>
- •
- •
- •Local E2E run result (pass required; artifacts under
out/tests/e2e/) - •Optionally:
- •Git tag
vX.Y.Zpushed - •
dockerbranch fast-forwarded tomainto trigger publish
- •Git tag
Stop conditions:
- •Local E2E fails: stop immediately; do not publish; report the failure output and ask how to proceed.
- •Changelog audit fails (missing pins / bad version heading / placeholders): stop; fix before publishing.
Key rule: E2E gate is mandatory
Run E2E before publishing and before any irreversible actions.
Recommended: run via direnv exec . so your .env is applied:
sh
set -euo pipefail set -a; source ./VERSIONS.env; set +a direnv exec . ./scripts/bump_versions.sh \ --zsh-kit-ref "$ZSH_KIT_REF" \ --codex-kit-ref "$CODEX_KIT_REF" \ --image-tag cws-launcher:e2e \ --run-e2e
Notes:
- •
--run-e2eforcesCWS_E2E=1,CWS_E2E_FULL=1, and setsCWS_E2E_IMAGE=<image-tag>. - •Destructive
rm --all --yescoverage remains gated byCWS_E2E_ALLOW_RM_ALL=1.
Workflow
- •
Decide version + date
- •Version:
vX.Y.Z - •Date:
YYYY-MM-DD(default:date +%Y-%m-%d)
- •Version:
- •
Run mandatory local E2E gate (real Docker)
- •Use the command in “Key rule: E2E gate is mandatory” above.
- •If it fails: stop and report (use
.codex/skills/release-workflow/references/OUTPUT_TEMPLATE_BLOCKED.md).
- •
Prepare the changelog (records upstream pins)
- •Use the helper that moves
## Unreleasedinto a new release entry and injects pins fromVERSIONS.env:- •
./scripts/release_prepare_changelog.sh --version vX.Y.Z
- •
- •Review
CHANGELOG.md(fill out wording; remove- Noneif you added real bullets).
- •Use the helper that moves
- •
Run required repo checks (per
DEVELOPMENT.md)- •
.venv/bin/python -m ruff format --check . - •
.venv/bin/python -m ruff check . - •
.venv/bin/python -m pytest -m script_smoke
- •
- •
Commit the release notes
- •Suggested message:
chore(release): vX.Y.Z - •Do not run
git commitdirectly; use the repo’s Semantic Commit helper (seeAGENTS.md).
- •Suggested message:
- •
Audit (strict)
- •Run after committing (audit requires a clean working tree):
- •
./scripts/release_audit.sh --version vX.Y.Z --branch main --strict
- •
- •Run after committing (audit requires a clean working tree):
- •
(Optional) Tag the release
- •Create:
git tag vX.Y.Z - •Push:
git push origin vX.Y.Z - •Optional GitHub Release:
- •Extract notes from
CHANGELOG.mdand publish withgh release create.
- •Extract notes from
- •Create:
- •
Publish images (this repo’s publish trigger)
- •Fast-forward
dockertomainand push:- •
git fetch origin - •
git checkout docker - •
git merge --ff-only origin/main - •
git push origin docker - •
git checkout main
- •
- •Fast-forward
- •
Verify publish
- •Follow
docs/runbooks/INTEGRATION_TEST.md(record the workflow run URL + tags evidence).
- •Follow
Helper scripts (project)
- •Prepare changelog + inject upstream pins:
scripts/release_prepare_changelog.sh - •Audit changelog entry (pins + basic release checks):
scripts/release_audit.sh - •Build + verify + local E2E (full matrix):
scripts/bump_versions.sh --run-e2e
Output templates
- •Success:
.codex/skills/release-workflow/references/OUTPUT_TEMPLATE.md - •Blocked:
.codex/skills/release-workflow/references/OUTPUT_TEMPLATE_BLOCKED.md