Replace third-party release actions with gh CLI #4610

Merged: k8s-ci-robot merged 2 commits into master from copilot/remove-third-party-release-action on Feb 24, 2026

Copilot AI commented Feb 21, 2026

Removes the dependency on two third-party GitHub Actions (ncipollo/release-action@v1, repo-sync/pull-request@v2) in the release workflow due to software supply chain concerns. Both are replaced with equivalent invocations of the gh CLI, which ships pre-installed on GitHub Actions runners.

Changes

  • ncipollo/release-action@v1 → gh release create with --generate-notes
  • repo-sync/pull-request@v2 → gh pr create
  • Both steps use GH_TOKEN: ${{ secrets.PAT_TOKEN }} for authentication

- name: Pull Request
  env:
    GH_TOKEN: ${{ secrets.PAT_TOKEN }}
  run: |
    gh pr create \
      --base ${{ github.ref_name }} \
      --head automated-release-${{ github.event.inputs.releaseVersion }} \
      --title "Automated Release: ${{ github.event.inputs.releaseVersion }}" \
      --body ""

- name: Publish Release
  env:
    GH_TOKEN: ${{ secrets.PAT_TOKEN }}
  run: |
    gh release create v${{ github.event.inputs.releaseVersion }} \
      --title "v${{ github.event.inputs.releaseVersion }}" \
      --generate-notes
Original prompt

This section details the original issue you should resolve

<issue_title>Remove third-party release-action</issue_title>
<issue_description>The release-action in our current GitHub workflow is from a third party. I would rather not depend on a third-party action for something like releases due to software supply chain concerns.

Instead, can we switch to using the gh tool as documented here:

https://github.com/ruby/ruby-dev-builder/blob/b0bf59a17c17985d4692243d4689c273f6348fa5/.github/workflows/build.yml#L177-L181
</issue_description>

Comments on the Issue (you are @copilot in this section)



@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 21, 2026
@k8s-ci-robot k8s-ci-robot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Feb 21, 2026
Co-authored-by: brendandburns <5751682+brendandburns@users.noreply.github.com>
@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Feb 21, 2026
Copilot AI changed the title [WIP] Remove third-party release-action from workflow Replace third-party release actions with gh CLI Feb 21, 2026
@brendandburns brendandburns marked this pull request as ready for review February 24, 2026 16:03
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 24, 2026
@brendandburns

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 24, 2026
@k8s-ci-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: brendandburns, Copilot

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 24, 2026
@k8s-ci-robot k8s-ci-robot merged commit b569d3e into master Feb 24, 2026
18 checks passed
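
Added example, not part of the PR or the project's workflow: the two `run:` steps in the description place `${{ github.event.inputs.releaseVersion }}` and `${{ github.ref_name }}` inline, and such expressions are substituted into the script text before the shell parses it. This variant receives the same values through `env:` and validates them before calling `gh`. The variable names, the `release.sh` script name, `DRY_RUN` and the accepted version and branch formats are assumptions.

```shell
#!/bin/sh
# Added example, not the project's workflow. Assumes the step passes inputs via
# env: rather than inline ${{ }} expressions (variable names are hypothetical):
#   env:
#     GH_TOKEN: ${{ secrets.PAT_TOKEN }}
#     RELEASE_VERSION: ${{ github.event.inputs.releaseVersion }}
#     BASE_REF: ${{ github.ref_name }}
#     DRY_RUN: "0"
#   run: ./release.sh      # hypothetical script name

# True if $1 is a single line matching the extended regex $2.
matches() {
  case "$1" in *'
'*) return 1 ;; esac          # grep works per line, so reject newlines first
  printf '%s\n' "$1" | LC_ALL=C grep -Eq "$2"
}

# MAJOR.MINOR.PATCH with optional -prerelease (format is an assumption).
valid_release_version() {
  matches "$1" '^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.]+)?$'
}

# Conservative branch-name allowlist; no leading '-' so gh cannot read it as an option.
valid_base_ref() {
  matches "$1" '^[0-9A-Za-z._/][0-9A-Za-z._/-]*$'
}

# Print the gh command unless DRY_RUN=0, so the logic can be checked offline.
run_gh() {
  if [ "${DRY_RUN:-1}" = 0 ]; then gh "$@"
  else printf 'gh'; printf ' %s' "$@"; printf '\n'; fi
}

# release VERSION BASE: validate both values, then open the PR and publish.
release() {
  valid_release_version "$1" || { echo "invalid release version" >&2; return 1; }
  valid_base_ref "$2" || { echo "invalid base ref" >&2; return 1; }
  run_gh pr create --base "$2" --head "automated-release-$1" \
    --title "Automated Release: $1" --body "" || return 1
  run_gh release create "v$1" --title "v$1" --generate-notes
}

# Constructed sample values for a stand-alone dry run.
release "${RELEASE_VERSION:-1.2.3}" "${BASE_REF:-master}"
```

Quoting the variables keeps the values out of shell parsing; the allowlists additionally stop a value from being read by `gh` as an option or producing an unexpected tag name.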