ci: automate releases with release-plz#754
Open
JamBalaya56562 wants to merge 1 commit into
Replace the manual bump/tag/changelog release process with release-plz (https://release-plz.dev), per maintainer feedback on aws#747.

Flow: on push to main, release-plz opens a Release PR that bumps the Cargo.toml version and updates CHANGELOG.md (reusing the existing cliff.toml via changelog_config). Merging that PR creates the v<version> git tag, publishes a GitHub Release, and runs cargo publish.

Key details:

- Uses a GitHub App token (actions/create-github-app-token), NOT the default GITHUB_TOKEN. This is required so the GitHub Release created by release-plz triggers release.yaml (on: release: types: [released]) -- the default token cannot trigger other workflows, which would silently skip the layer build / deploy / Docker publish.
- Re-enables crates.io publishing (the crate was left at 0.9.1 while the repo moved to 1.0.x because the manual process forgot to publish). Auth via crates.io trusted publishing (OIDC); release-plz performs the OIDC token exchange internally, so no separate auth action or long-lived CARGO_REGISTRY_TOKEN is needed (id-token: write only).
- Deletes the changelog.yaml workflow, now superseded by release-plz.

Maintainer prerequisites: enable 'Allow GitHub Actions to create and approve pull requests', install a GitHub App (Contents + Pull requests R/W) and set RELEASE_PLZ_APP_ID / RELEASE_PLZ_APP_PRIVATE_KEY, and register the crates.io trusted publisher for lambda_web_adapter (workflow filename: release-plz.yml).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
## Summary

Refactor the release pipeline using release-plz, per maintainer feedback on #747 (comment).

#747 originally also reworked the `changelog.yaml` workflow (which pushed to the protected `main` branch and always failed). Per that comment, that PR was narrowed to the obvious `cliff.toml` owner fix (awslabs → aws), and this follow-up implements the release-plz refactor.

## What this PR does

- Adds `.github/workflows/release-plz.yml` — a two-phase workflow: on push to `main` it opens/updates a "Release PR" that bumps `Cargo.toml` + `CHANGELOG.md`; merging that PR tags `v<version>`, publishes a GitHub Release (which triggers the existing `release.yaml` → Lambda layers, gamma → prod, ECR), and runs `cargo publish`.
- Adds `release-plz.toml` for release-plz configuration (reuses the existing `cliff.toml`).
- Removes `.github/workflows/changelog.yaml` (superseded).
- `lambda_web_adapter` is currently at 0.9.1 on crates.io (Feb 2026) while the repo is at 1.0.1 — the manual process appears to have missed the 1.0.0 / 1.0.1 publishes. release-plz will resume from the next computed version.

## Maintainer prerequisites

The workflow will not function end-to-end without the following one-time setup. None of these can be performed from the PR itself — they require maintainer / crates.io-owner access.

### 1. crates.io — configure Trusted Publishing for `lambda_web_adapter`

A crates.io owner of the crate must register this repo as a Trusted Publisher:

| Field | Value |
|---|---|
| Repository owner | `aws` |
| Repository name | `aws-lambda-web-adapter` |
| Workflow filename | `release-plz.yml` |

If skipped or misconfigured, the first `release-plz release` run will fail with a 401 from crates.io.

### 2. GitHub repository secrets — GitHub App credentials

Install a GitHub App scoped to `aws/aws-lambda-web-adapter` and add its credentials as repository secrets:

- `RELEASE_PLZ_APP_ID` — App ID
- `RELEASE_PLZ_APP_PRIVATE_KEY` — Private key (PEM, including the BEGIN/END lines)

Required GitHub App repository permissions:

| Permission | Access |
|---|---|
| Contents | Read and write |
| Pull requests | Read and write |

A fine-grained PAT with the equivalent scopes would also work, but a GitHub App is preferred (no human-user attribution, auto-rotating credentials).

### 3. Repository setting — allow Actions to open PRs

Settings → Actions → General → enable: **Allow GitHub Actions to create and approve pull requests**

Without this, release-plz cannot open the Release PR and the workflow will fail.

## Test plan

- [ ] Push to `main` and confirm a Release PR is opened by the GitHub App bot.
- [ ] `Cargo.toml` bump and CHANGELOG entry look correct.
- [ ] `release.yaml` fires on the published Release (Lambda layer build + ECR push succeed).

## Design notes (why this design)

### Why a GitHub App token (not the default `GITHUB_TOKEN`)

The default `GITHUB_TOKEN` cannot trigger other workflows (GitHub's loop-prevention rule). For this repository specifically, that means a Release published with `GITHUB_TOKEN` would not fire `release.yaml` (`on: release: types: [released]`) — silently skipping the Lambda layer build, gamma/prod deploy, and public ECR Docker publish. The workflow therefore uses a GitHub App token via `actions/create-github-app-token`.

### crates.io auth: OIDC trusted publishing (release-plz built-in)

Uses the `id-token: write` permission only. release-plz performs the OIDC token exchange with crates.io internally, per the release-plz quickstart — so no `rust-lang/crates-io-auth-action` and no long-lived `CARGO_REGISTRY_TOKEN` secret are needed.

### What happens after merge (operator overview)

- On every push to `main`, the workflow opens or updates a single Release PR (no actual release yet).
- Merging that Release PR to `main` will:
  - create the `v<version>` git tag
  - publish a GitHub Release
  - run `cargo publish`
  - trigger `release.yaml` (Lambda layers, gamma → prod, ECR)

🤖 Generated with Claude Code
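The two-phase workflow the description walks through, written out as an added example for readers of this page. It is not the PR's own `release-plz.yml` (that file is not shown here); it follows the layout of the release-plz quickstart. The action version tags, the job and step names, and the `dtolnay/rust-toolchain` step are assumptions; the secret names and permissions are the ones listed in the description above.

```yaml
# Added example of a release-plz workflow shaped like the one this PR describes.
# Not the PR's own file. Assumptions: action version tags, job/step names and
# the dtolnay/rust-toolchain step. Secret names match the PR description.
name: release-plz

on:
  push:
    branches: [main]

# Top-level permissions are empty on purpose: each job asks only for what it
# needs, and the default GITHUB_TOKEN is never the one that creates the Release.
permissions: {}

jobs:
  # Phase 1: open or update the Release PR (Cargo.toml bump + CHANGELOG.md).
  release-pr:
    runs-on: ubuntu-latest
    permissions:
      contents: write       # push the release branch
      pull-requests: write  # open / update the Release PR
    concurrency:
      group: release-plz-${{ github.ref }}
      cancel-in-progress: false
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0    # full history so release-plz can compute the next version
      - uses: dtolnay/rust-toolchain@stable
      # Short-lived GitHub App token instead of GITHUB_TOKEN, so the PR and the
      # Release it eventually produces can trigger other workflows (release.yaml).
      - id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.RELEASE_PLZ_APP_ID }}
          private-key: ${{ secrets.RELEASE_PLZ_APP_PRIVATE_KEY }}
      - uses: release-plz/action@v0.5
        with:
          command: release-pr
        env:
          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}

  # Phase 2: once the Release PR is merged, create the v<version> tag and the
  # GitHub Release, then cargo publish via crates.io trusted publishing (OIDC).
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write  # push the tag and create the Release
      id-token: write  # mint the OIDC token release-plz exchanges with crates.io
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: dtolnay/rust-toolchain@stable
      - id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.RELEASE_PLZ_APP_ID }}
          private-key: ${{ secrets.RELEASE_PLZ_APP_PRIVATE_KEY }}
      - uses: release-plz/action@v0.5
        with:
          command: release
        env:
          # App token, not GITHUB_TOKEN: a Release created with GITHUB_TOKEN
          # would not fire release.yaml (on: release: types: [released]).
          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
          # No CARGO_REGISTRY_TOKEN here: trusted publishing replaces the long-lived secret.
```

Both jobs run on every push to `main`; `release-plz release` only acts when the version in `Cargo.toml` has no tag yet, so it does nothing until the push that merges the Release PR. In a real repository, pin the third-party actions to commit SHAs rather than floating tags, and keep the crates.io trusted-publisher entry bound to exactly this workflow filename so no other workflow in the repo can obtain a publish token.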