feat(workflow): add event-driven CI-ready gate for publish#7664
Merged
Conversation
Add a ci-ready.yml workflow that handles repository_dispatch events from target repos when their CI passes. It adds a "ci-ready" label to the publish issue, replacing the "ci-pending" label set at issue creation. Modify publish.yml with a gate step that checks label state: - Old repos (no ci-pending/ci-ready): publish with polling (unchanged) - New repos with both accepted + ci-ready: publish with --no-status-check - New repos with accepted but no ci-ready: comment and wait for CI - ci-ready without accepted: wait for approval Add concurrency control to prevent duplicate publish runs when both labels arrive near-simultaneously. This is Phase 1 of a cross-repo change. Phase 2 (getsentry/craft#789) adds the ci_ready input and signal-ready action.
Use contains(labels, accepted) so the job only runs when accepted is present. The || still allows ci-ready to trigger the job, but only when accepted is already on the issue — preventing wasted runs.
All label state is available in github.event.issue.labels at event time. The publish job if-condition now directly encodes the decision matrix: - accepted + no ci-pending → run - accepted + ci-ready → run (with --no-status-check) - accepted + ci-pending → skip (waiting-for-ci job comments instead) - anything without accepted → skip This removes the gate step that was re-fetching labels via gh issue view and all the step-level should_publish guards.
![sentry[bot]](https://avatars.githubusercontent.com/in/12637?s=60&v=4){kind=small}
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
…imit GITHUB_TOKEN events are suppressed by GitHub and would not trigger publish.yml. Use the sentry-internal-app token (same pattern as auto-approve.yml) so the ci-ready label addition fires the labeled event that publish.yml listens for. Also add --limit 200 to gh issue list to handle repos with many open issues (default is 30).
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
- ci-ready.yml: add issues:read permission and explicit GH_TOKEN for the find-issue step (repository_dispatch does not auto-expose the token to gh CLI) - publish.yml: add GH_TOKEN to waiting-for-ci job comment step
gh CLI auto-reads GITHUB_TOKEN in GitHub Actions. Only override with GH_TOKEN when we need a different token (the GitHub App token for label changes that must trigger downstream workflows).
Issue numbers are unique but do not prevent parallel publishes when
duplicate issues exist for the same repo@version. The title
("publish: getsentry/foo@1.2.3") is the natural identity of the
release and ensures only one publish runs per repo@version.
The ci-ready signal is tied to a specific SHA but someone could push to the release branch after CI passes. Letting craft poll the status is safer — and since CI is already done by the time publish starts, the first poll iteration returns immediately anyway.
Jeffreyhung
approved these changes
Apr 1, 2026
Comment on lines
+81
to
+82
| app-id: ${{ vars.SENTRY_INTERNAL_APP_ID }} | ||
| private-key: ${{ secrets.SENTRY_INTERNAL_APP_PRIVATE_KEY }} |
Member
There was a problem hiding this comment.
niche: probably better to use release-bot here to unify the app usage, release bot is also managed more tightly and less likely to break or affected by other changes
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
ci-ready.ymlworkflow that handlesrepository_dispatchevents from target repos when CI passespublish.ymlwith a gate step that checks label state before publishingci-pendingandci-readylabelsContext
craft publishcurrently polls GitHub's commit status API every 30 seconds for up to 60 minutes. This polling time is billed as GitHub Actions minutes and steals from our available capacity — a publish job that waits 45 minutes for CI burns 45 minutes of runner time doing nothing butsleep 30in a loop. For repos like sentry-native (~1h 23m CI), this also exhausts the 1-hour GitHub App token lifetime, causing expired-token failures.This PR replaces the polling wait with an event-driven label state machine. Instead of starting the publish runner and idling until CI passes, the job doesn't start at all until CI signals readiness — zero wasted runner minutes.
ci-pendingci-readyacceptedGate Decision Matrix
acceptedci-pendingci-readyCross-Repo Dependency
This is Phase 1 of a three-phase rollout:
Old repos (without ci_ready: true) are completely unaffected — they keep the existing polling behavior.