16 changes: 16 additions & 0 deletions .github/workflows/lint-pr-title.yml
@@ -0,0 +1,16 @@
name: Lint PR Title

on:
pull_request_target:
types: [opened, edited, synchronize]

permissions:
pull-requests: read

jobs:
lint_title:
runs-on: ubuntu-latest
steps:
- uses: amannn/action-semantic-pull-request@e32d7e603df1aa1ba07e981f2a23455dee596825 # v5
Contributor
Unpinned action tag

amannn/action-semantic-pull-request@v5 uses a mutable tag, consistent with the regression noted in release-please.yml. Because this workflow runs on pull_request_target (which has access to repository secrets), an attacker who can push to the action's v5 tag could exfiltrate the GITHUB_TOKEN.

Pin to the SHA corresponding to the v5 release:

Suggested change
- uses: amannn/action-semantic-pull-request@e32d7e603df1aa1ba07e981f2a23455dee596825 # v5
- uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5

(Replace the example SHA with the actual SHA from the action's repository.)

env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
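Review bot: this job runs on `pull_request_target` (opened, edited, synchronize), so it executes in the base repository's context with access to its secrets, and the hunk must therefore never check out or run anything from the PR head; as written it only invokes the title-lint action with `pull-requests: read`, which is the correct shape, but a one-line comment above `on:` stating that constraint would stop a later contributor from adding `actions/checkout` with `ref: ${{ github.event.pull_request.head.sha }}`. The `uses:` line is already pinned to a full commit SHA with a `# v5` comment, which addresses the mutable-tag concern in the thread; keep the comment in sync with the SHA when it is bumped (Dependabot or Renovate do this), and confirm the pinned SHA is the commit the v5 tag actually points to in the action's repository rather than the placeholder from the suggestion, since a SHA that does not resolve fails every PR and an unverified one is not a release.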
25 changes: 25 additions & 0 deletions .github/workflows/release-please.yml
@@ -0,0 +1,25 @@
name: Release Please

on:
push:
branches:
- main

permissions:
contents: write
pull-requests: write

jobs:
release-please:
runs-on: ubuntu-latest
steps:
- name: Generate token
id: generate-token
uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
with:
app-id: ${{ vars.SDK_BOT_APP_ID }}
private-key: ${{ secrets.SDK_BOT_PRIVATE_KEY }}

- uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0
Comment on lines +18 to +23
Contributor
Mutable action tags replace SHA-pinned references

The removed workflows (release.yml, version-bump.yml) consistently pinned every third-party action to an immutable commit SHA (e.g., actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf). The new workflows switch to mutable tag references (@v2, @v4), which means a compromised or accidentally overwritten tag could silently run malicious code with contents: write and pull-requests: write permissions during a push to main.

Pin both actions to their current SHAs to maintain the same security posture as the removed workflows:

Suggested change
uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
with:
app-id: ${{ vars.SDK_BOT_APP_ID }}
private-key: ${{ secrets.SDK_BOT_PRIVATE_KEY }}
- uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0
- name: Generate token
id: generate-token
uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2
with:
app-id: ${{ vars.SDK_BOT_APP_ID }}
private-key: ${{ secrets.SDK_BOT_PRIVATE_KEY }}
- uses: googleapis/release-please-action@a02a34c4d625b9a4a4de9c2a2a6c5fb5b41b9c0d # v4
with:
token: ${{ steps.generate-token.outputs.token }}

(Replace the example SHAs above with the actual current HEAD SHAs from each action's repository before merging.)
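Both review comments in this thread make the same two points: third-party actions should be pinned to a full commit SHA rather than a mutable tag, and a `pull_request_target` workflow carries the base repository's secrets. The checker below is an added example, not code from this PR or from the WorkOS project. It scans workflow text for `uses:` references that are not pinned to a 40-hex commit, for SHA pins that lack a version comment (the `# v5` style used in this PR, which keeps Dependabot/Renovate able to bump them), and for `pull_request_target` workflows that read the PR head. The two workflow samples it runs on are constructed: the safe one mirrors the shape of lint-pr-title.yml above, the risky one is invented, and its 40-hex SHA is a made-up placeholder. It does not resolve tags to SHAs; that needs the action's repository (for example `git ls-remote --tags`).

```python
"""Audit GitHub Actions workflow text for unpinned actions and
pull_request_target hazards.

Added example for this review thread; not code from the PR or the
project. The sample workflows below are constructed: SAFE mirrors the
lint-pr-title.yml shape, RISKY is invented and its 40-hex SHA is a
made-up placeholder.
"""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches `- uses: owner/repo@ref  # comment`; the comment group captures the
# human-readable version that should accompany every SHA pin.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(\S+))?")
# Any step reading the PR head inside pull_request_target runs untrusted
# code with the base repository's secrets.
PR_HEAD_MARK = "github.event.pull_request.head"


def classify_ref(uses: str) -> str:
    """Return 'local', 'docker', 'sha', 'mutable' or 'malformed' for a uses: target."""
    if uses.startswith("./"):
        return "local"
    if uses.startswith("docker://"):
        return "docker"
    if "@" not in uses:
        return "malformed"
    ref = uses.rsplit("@", 1)[1]
    return "sha" if SHA_RE.match(ref) else "mutable"


def audit_workflow(text: str) -> list:
    """Return (line_number, message) findings; line 0 marks a whole-workflow finding."""
    findings = []
    runs_on_pr_target = False
    reads_pr_head = False
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.strip().startswith("pull_request_target"):
            runs_on_pr_target = True
        if PR_HEAD_MARK in line:
            reads_pr_head = True
        m = USES_RE.match(line)
        if not m:
            continue
        target, version_comment = m.group(1), m.group(2)
        kind = classify_ref(target)
        if kind == "mutable":
            findings.append((lineno, f"unpinned action {target}"))
        elif kind == "malformed":
            findings.append((lineno, f"action reference without @ref: {target}"))
        elif kind == "sha" and not version_comment:
            findings.append((lineno, f"sha-pinned action {target} lacks a version comment"))
    if runs_on_pr_target and reads_pr_head:
        findings.append((0, "pull_request_target workflow reads the PR head"))
    return findings


# Constructed sample: the shape of lint-pr-title.yml from this PR.
SAFE = """\
name: Lint PR Title
on:
  pull_request_target:
    types: [opened, edited, synchronize]
permissions:
  pull-requests: read
jobs:
  lint_title:
    runs-on: ubuntu-latest
    steps:
      - uses: amannn/action-semantic-pull-request@e32d7e603df1aa1ba07e981f2a23455dee596825 # v5
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
"""

# Constructed sample: invented workflow; the SHA on the last step is a placeholder.
RISKY = """\
name: Risky
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: amannn/action-semantic-pull-request@v5
      - uses: ./.github/actions/local-thing
      - uses: octo/setup-tool@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for name, text in (("safe", SAFE), ("risky", RISKY)):
        print(name, audit_workflow(text) or "clean")
```

Running it reports the risky sample's two unpinned actions, the SHA pin without a version comment, and the whole-workflow finding that a `pull_request_target` job checks out the PR head, while the lint-pr-title shape comes back clean.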

with:
token: ${{ steps.generate-token.outputs.token }}
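Review bot: the top-level `permissions: contents: write` and `pull-requests: write` in this hunk grant the default GITHUB_TOKEN more than any visible step uses: `actions/create-github-app-token` authenticates with `SDK_BOT_PRIVATE_KEY`, and `googleapis/release-please-action` receives the resulting App token through `token: ${{ steps.generate-token.outputs.token }}`, so GITHUB_TOKEN is never referenced. Reduce the block to `permissions: contents: read` (or `permissions: {}`) and let the App installation's own scopes carry the writes; a compromised step then cannot fall back on the workflow token for pushes or PR edits. Both actions here are already SHA-pinned with version comments (`# v2.2.1`, `# v4.4.0`), which is the posture the thread asks for; the SHAs in the suggested change are explicitly placeholders and must not be merged as written, since an unresolvable SHA breaks every push to main and an unverified one may not be the tagged release.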
41 changes: 0 additions & 41 deletions .github/workflows/release.yml

This file was deleted.

80 changes: 0 additions & 80 deletions .github/workflows/version-bump.yml

This file was deleted.

3 changes: 3 additions & 0 deletions .release-please-manifest.json
@@ -0,0 +1,3 @@
{
".": "4.30.1"
}
2 changes: 1 addition & 1 deletion lib/Version.php
@@ -6,5 +6,5 @@ final class Version
{
public const SDK_IDENTIFIER = 'WorkOS PHP';

public const SDK_VERSION = '4.30.1';
public const SDK_VERSION = '4.30.1'; // x-release-please-version
}
16 changes: 16 additions & 0 deletions release-please-config.json
@@ -0,0 +1,16 @@
{
"$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json",
"packages": {
".": {
"release-type": "php",
"package-name": "workos/workos-php",
"changelog-path": "CHANGELOG.md",
"extra-files": [
{
"type": "generic",
"path": "lib/Version.php"
}
]
}
}
}
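Review bot: the `extra-files` entry of type `generic` for `lib/Version.php` only rewrites lines that carry an `x-release-please-version` annotation, which the Version.php hunk adds as a trailing comment on `SDK_VERSION`; keep that literal on the same line as the annotation, or release-please will leave the constant untouched while still cutting a release. The starting version `4.30.1` in `.release-please-manifest.json` matches `SDK_VERSION`, which is what the first release PR bumps from, so a short comment in this config (or the PR description) noting that the two must stay equal would save the next maintainer from a mismatched first release.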