fix(release-please): fix PR titles and auto-update lockfiles (#474)

yesudeep · web-flow · commit 3a5976c62d59 · 2026-01-29T18:17:02.000-08:00
* fix(release-please): use static scope to avoid whitespace bug

Release-please has a bug where it inserts an extra space before the
component name when using ${component} in the scope position of the
pull-request-title-pattern, resulting in titles like:
  chore( dotprompt-codemirror): release 0.1.1

Change the pattern to use a static 'release' scope and put the component
in the description instead:
  chore(release): dotprompt-codemirror 0.1.1

* fix(ci): disable broken update-lockfiles job for separate PRs

The update-lockfiles job was designed for combined release PRs but we use
separate-pull-requests: true. With separate PRs, the 'pr' output is not set
(only 'prs' array is set), so the job condition was never true.

Disable the job for now until we rework it to handle separate PRs properly.

* fix(ci): auto-update Python lockfiles for release-please PRs

When a release-please PR bumps the version in pyproject.toml, the uv.lock
file becomes out of sync. This change detects release-please PRs (branches
starting with 'release-please--') and automatically updates the lockfiles
before running the check.

The workflow will:
1. Detect if the PR is from release-please
2. Run 'uv lock' and export requirements
3. Commit and push the updated lockfiles
4. Then run the normal lockfile verification

* fix(ci): auto-update maven_install.json for release-please PRs

Similar to the Python lockfile fix, this updates the Bazel workflow to
automatically commit maven_install.json changes when running on a
release-please PR branch.

The workflow will:
1. Detect if the PR is from release-please
2. Run 'bazelisk run @maven//:pin' as before
3. For release-please PRs: commit and push the updated maven_install.json
4. For regular PRs: fail if maven_install.json was modified (existing behavior)

* fix(ci): add lockfile checks for Rust, JS, and Go workflows

Add lockfile verification to all language workflows with automatic
updates for release-please PRs:

**Rust workflow:**
- Add cargo-lock-check job that runs 'cargo check --locked'
- Auto-update Cargo.lock for release-please PRs via 'cargo update'

**JS workflow:**
- Add pnpm-lock-check job that runs 'pnpm install --frozen-lockfile'
- Auto-update pnpm-lock.yaml for release-please PRs
- Expand path triggers to include packages/** and pnpm files

**Go workflow:**
- Add go-mod-tidy-check job that verifies go.mod/go.sum are tidy
- Auto-update go.sum for release-please PRs via 'go mod tidy'

All workflows now follow the same pattern:
1. Detect if PR is from release-please (branch starts with release-please--)
2. For release-please PRs: update lockfiles and commit/push
3. Verify lockfiles are up to date (fails for regular PRs if outdated)
diff --git a/.github/workflows/bazel.yml b/.github/workflows/bazel.yml
@@ -22,7 +22,9 @@ on:
   pull_request:
     branches: [ main ]
 
-permissions: read-all # Needed for security checks, adjust if necessary
+permissions:
+  contents: write
+  pull-requests: write
 
 jobs:
   build_and_test:
@@ -37,6 +39,9 @@ jobs:
     steps:
       - name: Checkout Code
         uses: actions/checkout@v6
+        with:
+          ref: ${{ github.head_ref }}
+          token: ${{ secrets.RELEASE_PLEASE_TOKEN || github.token }}
 
       # Bazel needs a JDK. Setup Java from matrix.
       - name: Setup Java JDK ${{ matrix.java-version }}
@@ -77,10 +82,34 @@ jobs:
              bazel-action-${{ github.ref }}-${{ hashFiles('**/MODULE.bazel.lock', '**/maven_install.json', '**/pnpm-lock.yaml') }}
              bazel-action-
 
+      - name: Check if this is a release-please PR
+        id: check-release-please
+        run: |
+          if [[ "${{ github.head_ref }}" == release-please--* ]]; then
+            echo "is_release_please=true" >> $GITHUB_OUTPUT
+          else
+            echo "is_release_please=false" >> $GITHUB_OUTPUT
+          fi
+
       - name: Pin Java dependencies
         run: bazelisk run @maven//:pin
 
+      - name: Commit maven_install.json updates for release-please PR
+        if: steps.check-release-please.outputs.is_release_please == 'true' && matrix.java-version == 17
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          if ! git diff --quiet maven_install.json; then
+            git add maven_install.json
+            git commit -m "chore: update maven_install.json"
+            git push
+            echo "maven_install.json updated and pushed"
+          else
+            echo "No maven_install.json changes needed"
+          fi
+
       - name: Check for changes in maven_install.json
+        if: steps.check-release-please.outputs.is_release_please != 'true'
         id: git-check
         run: |
           if [[ -n "$(git status --porcelain maven_install.json)" ]]; then
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
@@ -20,6 +20,10 @@ on:
   pull_request:
     branches: [ main ]
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   check-paths:
     runs-on: ubuntu-latest
@@ -38,6 +42,64 @@ jobs:
             spec/**
             .github/workflows/go.yml
 
+  go-mod-tidy-check:
+    needs: check-paths
+    if: needs.check-paths.outputs.any_changed == 'true'
+    runs-on: ubuntu-latest
+    name: go.sum Check
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ github.head_ref }}
+          token: ${{ secrets.RELEASE_PLEASE_TOKEN || github.token }}
+
+      - name: Set up Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: stable
+
+      - name: Check if this is a release-please PR
+        id: check-release-please
+        run: |
+          if [[ "${{ github.head_ref }}" == release-please--* ]]; then
+            echo "is_release_please=true" >> $GITHUB_OUTPUT
+          else
+            echo "is_release_please=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Update go.sum for release-please PR
+        if: steps.check-release-please.outputs.is_release_please == 'true'
+        working-directory: go
+        run: |
+          echo "Updating go.sum for release-please PR..."
+          go mod tidy
+
+      - name: Commit go.sum updates
+        if: steps.check-release-please.outputs.is_release_please == 'true'
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          if ! git diff --quiet go/go.sum go/go.mod; then
+            git add go/go.sum go/go.mod
+            git commit -m "chore: update go.mod and go.sum"
+            git push
+            echo "go.sum updated and pushed"
+          else
+            echo "No go.sum changes needed"
+          fi
+
+      - name: Check go.mod and go.sum are tidy
+        working-directory: go
+        run: |
+          go mod tidy
+          if ! git diff --quiet go.sum go.mod; then
+            echo "❌ go.mod or go.sum is not tidy. Run 'go mod tidy' in the go/ directory."
+            git diff go.sum go.mod
+            exit 1
+          fi
+          echo "✅ go.mod and go.sum are tidy"
+
   format-check:
     needs: check-paths
     if: needs.check-paths.outputs.any_changed == 'true'
@@ -97,12 +159,12 @@ jobs:
 
   go-checks-all:
     if: always()
-    needs: [format-check, tests]
+    needs: [go-mod-tidy-check, format-check, tests]
     runs-on: ubuntu-latest
     steps:
       - name: Check overall status
         run: |
-          if [[ "${{ needs.format-check.result }}" == "failure" || "${{ needs.tests.result }}" == "failure" ]]; then
+          if [[ "${{ needs.go-mod-tidy-check.result }}" == "failure" || "${{ needs.format-check.result }}" == "failure" || "${{ needs.tests.result }}" == "failure" ]]; then
             echo "Go checks failed"
             exit 1
           fi
diff --git a/.github/workflows/js.yml b/.github/workflows/js.yml
@@ -20,6 +20,10 @@ on:
   pull_request:
     branches: [ main ]
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   check-paths:
     runs-on: ubuntu-latest
@@ -36,8 +40,66 @@ jobs:
           files: |
             js/**
             spec/**
+            packages/**
+            pnpm-lock.yaml
+            pnpm-workspace.yaml
             .github/workflows/js.yml
 
+  pnpm-lock-check:
+    needs: check-paths
+    if: needs.check-paths.outputs.any_changed == 'true'
+    runs-on: ubuntu-latest
+    name: pnpm-lock.yaml Check
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          ref: ${{ github.head_ref }}
+          token: ${{ secrets.RELEASE_PLEASE_TOKEN || github.token }}
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: "22"
+
+      - name: Install pnpm
+        uses: pnpm/action-setup@v2
+        with:
+          version: 10
+
+      - name: Check if this is a release-please PR
+        id: check-release-please
+        run: |
+          if [[ "${{ github.head_ref }}" == release-please--* ]]; then
+            echo "is_release_please=true" >> $GITHUB_OUTPUT
+          else
+            echo "is_release_please=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Update lockfiles for release-please PR
+        if: steps.check-release-please.outputs.is_release_please == 'true'
+        run: |
+          echo "Updating pnpm-lock.yaml for release-please PR..."
+          pnpm install --lockfile-only
+
+      - name: Commit lockfile updates
+        if: steps.check-release-please.outputs.is_release_please == 'true'
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          if ! git diff --quiet pnpm-lock.yaml js/pnpm-lock.yaml; then
+            git add pnpm-lock.yaml js/pnpm-lock.yaml 2>/dev/null || true
+            git commit -m "chore: update pnpm lockfiles" || echo "No changes to commit"
+            git push || echo "Nothing to push"
+            echo "Lockfiles updated and pushed"
+          else
+            echo "No lockfile changes needed"
+          fi
+
+      - name: Check pnpm-lock.yaml is up to date
+        run: |
+          pnpm install --frozen-lockfile
+          echo "✅ pnpm-lock.yaml is up to date"
+
   format-check:
     needs: check-paths
     if: needs.check-paths.outputs.any_changed == 'true'
@@ -100,12 +162,12 @@ jobs:
 
   js-checks-all:
     if: always()
-    needs: [format-check, test]
+    needs: [pnpm-lock-check, format-check, test]
     runs-on: ubuntu-latest
     steps:
       - name: Check overall status
         run: |
-          if [[ "${{ needs.format-check.result }}" == "failure" || "${{ needs.test.result }}" == "failure" ]]; then
+          if [[ "${{ needs.pnpm-lock-check.result }}" == "failure" || "${{ needs.format-check.result }}" == "failure" || "${{ needs.test.result }}" == "failure" ]]; then
             echo "JS checks failed"
             exit 1
           fi
diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml
@@ -42,14 +42,53 @@ jobs:
     needs: check-paths
     if: needs.check-paths.outputs.any_changed == 'true'
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       - uses: actions/checkout@v6
+        with:
+          # Use the PR head ref to allow pushing back to the branch
+          ref: ${{ github.head_ref }}
+          # Use a token that can push to the branch (for release-please PRs)
+          token: ${{ secrets.RELEASE_PLEASE_TOKEN || github.token }}
 
       - name: Install uv
         uses: astral-sh/setup-uv@v5
         with:
           enable-cache: true
 
+      - name: Check if this is a release-please PR
+        id: check-release-please
+        run: |
+          if [[ "${{ github.head_ref }}" == release-please--* ]]; then
+            echo "is_release_please=true" >> $GITHUB_OUTPUT
+          else
+            echo "is_release_please=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Update lockfiles for release-please PR
+        if: steps.check-release-please.outputs.is_release_please == 'true'
+        working-directory: python
+        run: |
+          echo "Updating uv.lock for release-please PR..."
+          uv lock
+          ../scripts/export_requirements
+
+      - name: Commit lockfile updates
+        if: steps.check-release-please.outputs.is_release_please == 'true'
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          if ! git diff --quiet python/uv.lock python/requirements.txt; then
+            git add python/uv.lock python/requirements.txt
+            git commit -m "chore: update Python lockfiles"
+            git push
+            echo "Lockfiles updated and pushed"
+          else
+            echo "No lockfile changes needed"
+          fi
+
       - name: Check uv.lock is up to date
         working-directory: python
         run: |
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
@@ -45,8 +45,10 @@ jobs:
   update-lockfiles:
     runs-on: ubuntu-latest
     needs: release-please
-    # Run when release-please creates/updates a PR (not when releases are created)
-    if: ${{ needs.release-please.outputs.pr != '' && needs.release-please.outputs.releases_created != 'true' }}
+    # DISABLED: This job was designed for combined PRs but we use separate-pull-requests: true
+    # The 'pr' output is not set when using separate PRs (only 'prs' array is set).
+    # TODO: Rework this to handle separate PRs or switch to combined PRs.
+    if: false
     steps:
       - uses: actions/checkout@v6
         with:
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
@@ -20,6 +20,10 @@ on:
   pull_request:
     branches: [ main ]
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   check-paths:
     runs-on: ubuntu-latest
@@ -39,6 +43,55 @@ jobs:
             Cargo.lock
             .github/workflows/rust.yml
 
+  cargo-lock-check:
+    needs: check-paths
+    if: needs.check-paths.outputs.any_changed == 'true'
+    name: Cargo.lock Check
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ github.head_ref }}
+          token: ${{ secrets.RELEASE_PLEASE_TOKEN || github.token }}
+
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Check if this is a release-please PR
+        id: check-release-please
+        run: |
+          if [[ "${{ github.head_ref }}" == release-please--* ]]; then
+            echo "is_release_please=true" >> $GITHUB_OUTPUT
+          else
+            echo "is_release_please=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Update Cargo.lock for release-please PR
+        if: steps.check-release-please.outputs.is_release_please == 'true'
+        run: |
+          echo "Updating Cargo.lock for release-please PR..."
+          cargo update --workspace
+
+      - name: Commit Cargo.lock updates
+        if: steps.check-release-please.outputs.is_release_please == 'true'
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          if ! git diff --quiet Cargo.lock; then
+            git add Cargo.lock
+            git commit -m "chore: update Cargo.lock"
+            git push
+            echo "Cargo.lock updated and pushed"
+          else
+            echo "No Cargo.lock changes needed"
+          fi
+
+      - name: Check Cargo.lock is up to date
+        run: |
+          cargo check --locked --workspace
+          echo "✅ Cargo.lock is up to date"
+
   format-check:
     needs: check-paths
     if: needs.check-paths.outputs.any_changed == 'true'
@@ -131,12 +184,12 @@ jobs:
 
   rust-checks-all:
     if: always()
-    needs: [format-check, clippy-lint, check-build-test]
+    needs: [cargo-lock-check, format-check, clippy-lint, check-build-test]
     runs-on: ubuntu-latest
     steps:
       - name: Check overall status
         run: |
-          if [[ "${{ needs.format-check.result }}" == "failure" || "${{ needs.clippy-lint.result }}" == "failure" || "${{ needs.check-build-test.result }}" == "failure" ]]; then
+          if [[ "${{ needs.cargo-lock-check.result }}" == "failure" || "${{ needs.format-check.result }}" == "failure" || "${{ needs.clippy-lint.result }}" == "failure" || "${{ needs.check-build-test.result }}" == "failure" ]]; then
             echo "Rust checks failed"
             exit 1
           fi
diff --git a/.release-please-config.json b/.release-please-config.json
@@ -6,7 +6,7 @@
   "prerelease": false,
   "include-component-in-tag": true,
   "include-v-in-tag": false,
-  "pull-request-title-pattern": "chore(${component}): release ${version}",
+  "pull-request-title-pattern": "chore(release): ${component} ${version}",
   "separate-pull-requests": true,
   "skip-github-release": false,
   "plugins": ["node-workspace"],
