chore(ci): automate weekly release via pipeline schedule
What
Automates the weekly CLI release so a new version is cut every Sunday without manual tagging.
A scheduled pipeline can't be the release, because every release/distribution job gates on $CI_COMMIT_TAG and a scheduled pipeline runs on the main branch ref. So the schedule's job is to create a tag, which then triggers the existing tag-driven release pipeline unchanged.
Changes
scripts/release/create-release-tag.sh(new) — finds the latestvX.Y.Ztag, skips the week if there are only merge commits since it, otherwise bumps the version per Conventional Commits (afeat→ minor, otherwise a patch) and creates an annotated tag via the GitLab API usingglab..gitlab-ci.yml- New
tag-releasejob, gated on$CI_PIPELINE_SOURCE == "schedule" && $RELEASE_SCHEDULE == "true". Uses theregistry.gitlab.com/gitlab-org/cli:latestimage (already used bynotify-issues-on-release). - Added the
schedulesource toworkflow.rules. - Added a
.skip-on-release-scheduleguard to the heavy/side-effecting jobs (tests, builds, snapcraft edge) so the weekly schedule only cuts the tag — the resulting tag pipeline re-runs full validation and gates the actual release.
- New
docs/release_process.md— documents the automated flow and the one-time setup; the old steps are now under "Manual release".
Notes / review callouts
- Existing daily build is preserved. The skip guard keys on the
RELEASE_SCHEDULEvariable, not the genericschedulesource — otherwise it would have disabled the dailymainbuild's integration tests. The daily build doesn't setRELEASE_SCHEDULE, so it runs as before. - Tag creation via API. The tag is created with
glab api, authenticated by the existingGITLAB_TOKEN_RELEASE(passed asGITLAB_TOKEN). This keeps the token in the request auth rather than a git remote URL, and dogfoods glab in its own release pipeline. It must not beCI_JOB_TOKEN— tags created with it do not trigger a pipeline, so the release would never run. - Versioning: a Conventional-Commits-based bump — a
feat(incl.feat(scope):/feat!:) since the last tag bumps the minor version, otherwise it's a patch release. Major bumps are intentionally not automated (a deliberatev2should be cut manually).
One-time setup for the automated release
These steps configure the project and cannot be done in this MR:
- The
tag-releasejob creates the tag withglab, authenticated by the existingGITLAB_TOKEN_RELEASEvariable (passed asGITLAB_TOKENto the job). That token already hasapiscope and the Maintainer role, which is sufficient to create a tag and trigger a pipeline. Do not switch it toCI_JOB_TOKEN— tags created with it do not trigger new pipelines, so the release would never run. - Ensure the user/bot backing
GITLAB_TOKEN_RELEASEis allowed to create the protectedv*tags (Settings → Repository → Protected tags). - Create a pipeline schedule (Settings → CI/CD → Pipeline schedules):
- Description:
Weekly release - Interval pattern:
0 7 * * 0(every Sunday; adjust the hour/timezone as needed) - Target branch:
main - Variable:
RELEASE_SCHEDULE=true
- Description:
Edited by Jay McCure