ci: harden artifact release pipeline#2
Conversation
|
@codex review |
|
To use Codex here, create a Codex account and connect to github. |
Greptile SummaryThis PR hardens the CI/CD artifact release pipeline by removing unused workflows (relay deploy, issue labels, mobile preview, PR vouch/size), introducing a PR access gate, restoring semver tag releases for Android APK + Windows x64, and adding pagination-aware Greptile status/readiness scripts. Most application-layer changes are pure reformatting (line-wrap) with a handful of functional tweaks (unused-variable fixes for
Confidence Score: 5/5Safe to merge — the pipeline changes are well-scoped, the previously reported workflow dependency bugs are resolved, and all application-layer changes are reformatting only. All three previously flagged workflow issues (android_preflight exit-1 chain failure, silent PR close, per_page=100 truncation) are addressed in this PR. The publish_release always() condition correctly handles the Android-skip and Android-success paths without blocking Windows artifact publishing. The greptile-status.mjs and pr-babysitter-state.mjs pagination rewrites are correct. Application code changes across server, web, mobile, and e2e touch only line-length formatting with no behavioural difference. No files require special attention.
|
| Filename | Overview |
|---|---|
| .github/workflows/reusable-build-release-artifacts.yml | Addresses the previously flagged android_preflight/windows_x64 dependency issues; publish_release now uses always() with explicit conditions covering the Android-skip scenario; windows_x64 correctly guards on both android_preflight and build_wsl_node_pty results. |
| .github/workflows/pr-access-gate.yml | New workflow closing unauthorized PRs; now posts an explanatory comment before closing; app/wizzoapp entry removed; pull_request_target used correctly without checking out PR code. |
| .github/scripts/greptile-status.mjs | New standalone script with proper pagination; headRefReachedTimestamp logic correctly falls back to check-run timestamps; state machine covers approved/current/trigger-accepted/stale/unknown cases. |
| .github/scripts/pr-babysitter-state.mjs | Migrates Greptile signal detection to paginated REST API, adds isOutdated thread filtering, headRefOid-aware staleness check, and recognises GitHub APPROVED reviews as passing signals. |
| .github/workflows/release.yml | Stripped down to semver-tag-triggered release for Android APK + Windows x64 only; preflight typecheck/test gate retained; android_required: true hard-fails on missing EXPO_TOKEN as intended. |
| .github/workflows/main-artifacts-release.yml | Adds public_config job (environment: production); android_required: false so missing EXPO_TOKEN only skips Android; publish_release condition correctly gates Windows-only publishing. |
Flowchart
%%{init: {'theme': 'neutral'}}%%
flowchart TD
A[push to main / semver tag] --> B[metadata job]
A --> C[public_config job\nenvironment: production]
B --> D[preflight\ntypecheck + test\nrelease.yml only]
D --> E[publish_artifacts\nreusable-build-release-artifacts.yml]
C --> E
subgraph reusable-build-release-artifacts
E --> F[android_preflight\ncheck EXPO_TOKEN]
F -->|expo_token_present=true| G[android_apk\nEAS build]
F -->|result=success| H[build_wsl_node_pty\nlinux node-pty]
F -->|result=success AND\nbuild_wsl_node_pty=success| I[windows_x64\nElectron NSIS]
G -->|success| J[publish_release]
H --> I
I -->|success| J
F -->|expo_token_present=false\nandroid_required=false| K[android_apk SKIPPED]
K --> J
end
J --> L[GitHub Release\nAPK + Windows EXE]
%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
flowchart TD
A[push to main / semver tag] --> B[metadata job]
A --> C[public_config job\nenvironment: production]
B --> D[preflight\ntypecheck + test\nrelease.yml only]
D --> E[publish_artifacts\nreusable-build-release-artifacts.yml]
C --> E
subgraph reusable-build-release-artifacts
E --> F[android_preflight\ncheck EXPO_TOKEN]
F -->|expo_token_present=true| G[android_apk\nEAS build]
F -->|result=success| H[build_wsl_node_pty\nlinux node-pty]
F -->|result=success AND\nbuild_wsl_node_pty=success| I[windows_x64\nElectron NSIS]
G -->|success| J[publish_release]
H --> I
I -->|success| J
F -->|expo_token_present=false\nandroid_required=false| K[android_apk SKIPPED]
K --> J
end
J --> L[GitHub Release\nAPK + Windows EXE]
Reviews (14): Last reviewed commit: "ci: retrigger review gates" | Re-trigger Greptile
|
@greptileai why didn't you approve this now it's 5/5? |
|
Greptile only ever submits reviews with The PR is currently Tip: You can customize Greptile's behavior for this repo with |
|
@greptileai I enabled this "Auto-approve |
|
Good to know! With auto-approve enabled (requiring 5/5), Greptile will automatically approve PRs that pass review cleanly. There's one open (unresolved, non-outdated) thread remaining — the P2 on For auto-approve to trigger, that thread would need to be resolved (or the PR re-reviewed). A few options:
The outstanding thread is a legitimate but low-severity concern for a repo that's unlikely to hit 100+ reviews on a single PR. Happy to suggest a pagination fix if you want to address it properly. |
|
@codex review pls |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: a7bb930636
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: a06cad05c7
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
a06cad0 to
6c451fc
Compare
6c451fc to
cf2be1b
Compare
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: cf2be1b9a0
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
cf2be1b to
3f581ad
Compare
|
@codex review |
3f581ad to
3f49524
Compare
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 3f495246cd
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
adamfgr
left a comment
There was a problem hiding this comment.
Approved after local validation and external review pass. Current head has green CI, Greptile 5/5, resolved Codex review threads, and local Codex autoreview clean.
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 6328d7f4f5
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
@codex review |
|
@greptileai This PR is 5/5 on the current head |
|
The root cause is clear: Greptile's last review was submitted against commit State on the current HEAD:
To unblock branch protection, you have two options:
The three outdated Codex threads will not block merge once the Greptile approval lands, as they are no longer pointing at current code and are not from a required reviewer. |
|
Codex Review: Didn't find any major issues. More of your lovely PRs please. Reviewed commit: ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
|
@codex review |
|
Codex Review: Didn't find any major issues. Keep it up! Reviewed commit: ℹ️ About Codex in GitHubCodex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback". |
|
@greptileai Current head is |
|
The review history confirms: Exact remaining requirements to unblock:
Sequence to unblock:
Tip: You can customize Greptile's behavior for this repo with |
|
@greptileai Correction: the relevant identity is the installed GitHub App, not the separate |
|
The tool call requires an explicit permission grant that wasn't provided in this context. Here is the precise answer to both parts of your question: Why the app hasn't submitted APPROVE: This is a product-level constraint, not a GitHub API or permission limitation. Submitting the approval: I attempted to submit authenticated as the |
What Changed
This hardens the release and review automation around the artifact-only pipeline:
EXPO_TOKENpreflight logs instead of opaque workflow-call failuresScope
This fork intentionally publishes Android APK and Windows x64 desktop artifacts only. It does not restore upstream macOS, Linux, hosted web, npm, or VPS deployment release surfaces.
Validation
git diff --checknode --check .github/scripts/greptile-status.mjsnode --check .github/scripts/pr-babysitter-state.mjscorepack pnpm --filter @t3tools/scripts typecheckcorepack pnpm --filter @t3tools/scripts testGITHUB_REPOSITORY=agriffiths-bots/t3code PR_NUMBER=1 node .github/scripts/greptile-status.mjsGITHUB_REPOSITORY=agriffiths-bots/t3code PR_NUMBER=1 node .github/scripts/pr-babysitter-state.mjs/home/adam/.codex/skills/autoreview/scripts/autoreview --mode branch --base origin/main --engine codex --prompt '<scope baseline>'Notes
GitHub repo settings were also hardened outside this PR:
mainbranch protection is enabledCheck,Test,Release Smoke,Close unauthorized PRscollaborators_onlyAndroid APK publishing still needs repository secret
EXPO_TOKENwith access to the EAS project used byapps/mobile. VerifyEXPO_OWNER,EXPO_PROJECT_ID, andEXPO_UPDATES_URLrepo variables if the defaults are not correct.