Skip to content

Define a release procedure that gates on the security/e2e suite #101

Description

@nhuelstng

Context

Follow-up from #100 (which moved the model-free e2e tests onto the PR path via the e2e_fast tag). That PR deliberately did not touch the release flow — this issue tracks designing one.

Problem

release.yml is triggered on a v* tag and gates goreleaser on a single test job:

- run: go test -race -count=1 -timeout=10m ./...

That runs the untagged build, so it excludes all of internal/e2e/ (everything there is behind //go:build e2e / e2e_fast). Consequences for a release cut:

Nothing currently ties "this commit passed the security audit" to "this commit is being released."

What to decide

  • Minimum gate before goreleaser runs: at least go test -tags=e2e_fast (cheap, model-free). Wire it into release.yml's test job or as a needs: dependency.
  • Whether/how to require a recent full live e2e.yml pass for the released SHA (e.g. release only from a SHA the weekly suite already validated, or trigger a live run on the tag — noting the claude-code billing and macOS/codex --no-sandbox caveats).
  • Where the release procedure is documented (a RELEASING.md / checklist) so it's reproducible, not tribal knowledge.
  • Pre-release vs. final-release policy (e.g. allow -rc tags to skip the live suite but not final tags).

Non-goals

Refs #66, #100

Metadata

Metadata

Assignees

No one assigned

    Labels

    help wantedExtra attention is neededquestionFurther information is requested

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions