
ci(release): auto-sync core/wren lock after wren-core-py publish #2431

Open

ttw225 wants to merge 5 commits into Canner:main from ttw225:chore/auto-sync-wren-core-py-lock

Conversation

ttw225 (Contributor) commented Jul 3, 2026

What

When wren-core-py is published to PyPI, core/wren still pins the previous engine in its pyproject.toml floor and uv.lock. This automates the downstream bump that was done by hand before (e.g. #2385).

A reusable workflow sync-wren-core-py-lock.yml is called from release-please.yml after publish-wren-core-py succeeds (so a failed publish is never bumped). It raises the wren-core-py floor, relocks core/wren, verifies the resolved version, and opens a PR.

Notes

  • The PR won't auto-run CI. It's opened with GH_TOKEN: ${{ github.token }}, and GitHub does not trigger on: pull_request runs for PRs created by GITHUB_TOKEN (loop-prevention). The in-workflow uv lock --check + resolved-version check give pre-merge confidence, and a maintainer can nudge CI on the PR. Can move to a PAT / App token later if auto-CI is preferred.
  • Actions pinned to @v4 intentionally, to match the existing workflows; the github-actions Dependabot config owns version bumps repo-wide.
  • vs Dependabot: the weekly uv group relocks uv.lock eventually; this adds the floor bump (which Dependabot can't do) and release-time immediacy in an isolated PR.

Follows existing patterns

  • Reusable workflow invoked from release-please.yml, same as the publish-* jobs.
  • Bot commit + gh pr create, same as sync-docs.yml.

Summary by CodeRabbit

  • New Features
    • Automatically syncs the Python core dependency lockfile after a new Python core release is published.
    • Creates/updates a dedicated sync branch and opens a pull request when lock files change.
  • Bug Fixes
    • Validates the released version format before syncing to prevent incorrect updates.
    • Retries lock updates to reduce failures caused by delays in newly published package availability.
  • Maintenance
    • Adds a controlled post-release workflow that only runs when a release is newly created.

When wren-core-py is published to PyPI, core/wren still pins the previous
engine in its pyproject floor and uv.lock. Add a sync-wren-core-py-lock
reusable workflow, called from release-please after publish-wren-core-py
succeeds, that bumps the wren-core-py floor, relocks core/wren, verifies
the resolved version, and opens a PR for review.

Automates the manual downstream bump previously done by hand (e.g. Canner#2385).
github-actions Bot added the ci label Jul 3, 2026

coderabbitai Bot (Contributor) commented Jul 3, 2026

No actionable comments were generated in the recent review. 🎉


Reviewing files that changed from the base of the PR and between df887b9 and e6aa148.

📒 Files selected for processing (1)
  • .github/workflows/sync-wren-core-py-lock.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/sync-wren-core-py-lock.yml

Walkthrough

Adds a post-publish workflow that relocks core/wren to the released wren-core-py version, checks for lockfile changes, and opens a sync PR when updates are produced.

Changes

Post-release lock sync automation

Layer: Trigger sync job after publish
File(s): .github/workflows/release-please.yml
Summary: Adds sync-wren-core-py-lock after publish-wren-core-py, gated on wren-core-py--release_created, and passes the released version to the reusable workflow with write permissions.

Layer: Resolve version and relock
File(s): .github/workflows/sync-wren-core-py-lock.yml
Summary: Adds the reusable workflow entry points, repository/version checks, version validation, concurrency, uv setup, and a retrying uv add --no-sync relock step for core/wren.

Layer: Check lock changes and open PR
File(s): .github/workflows/sync-wren-core-py-lock.yml
Summary: Runs uv lock --check, detects changes to core/wren/pyproject.toml and core/wren/uv.lock, then commits, pushes, and opens or reuses a sync PR on main.

Estimated code review effort: 2 (Simple) | ~10 minutes

Sequence Diagram(s)

sequenceDiagram
    participant release_please as release-please
    participant publish_wren_core_py as publish-wren-core-py
    participant sync_wren_core_py_lock as sync-wren-core-py-lock
    participant workflow as sync-wren-core-py-lock.yml
    participant github as GitHub PR

    release_please->>publish_wren_core_py: publish release
    publish_wren_core_py->>sync_wren_core_py_lock: release_created == true
    sync_wren_core_py_lock->>workflow: invoke with released version
    workflow->>workflow: validate version and run uv add --no-sync
    workflow->>workflow: run uv lock --check and detect changes
    alt changes detected
        workflow->>github: create or reuse sync PR
    else no changes
        workflow-->>sync_wren_core_py_lock: exit without PR
    end

Possibly related PRs

  • Canner/WrenAI#2216: Modifies the release-please GitHub Actions flow that this PR extends with a post-publish sync job.
  • Canner/WrenAI#2351: Also touches automated uv.lock version synchronization tied to release handling.
  • Canner/WrenAI#2383: Addresses keeping core/wren lockfiles aligned with wren-core-py release/version flow.

Suggested reviewers: goldmedal

Poem

A rabbit hops with release-night cheer,
Relocking paths both far and near.
One PR blooms when changes gleam,
All snug and tidy in the stream. 🐇

🚥 Pre-merge checks: 5 passed

Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
Title check: ✅ Passed. The title clearly summarizes the main change: automating the core/wren lock sync after wren-core-py is published.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

coderabbitai Bot (Contributor) left a comment

🧹 Nitpick comments (1)
.github/workflows/sync-wren-core-py-lock.yml (1)

58-65: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Fragile line-based lock parsing.

awk -F'"' '/^name = "wren-core-py"$/{getline; print $2}' assumes version is always the line immediately following name in the [[package]] block. This matches the current uv.lock format (per core/wren/uv.lock:3288-3293), but is brittle to any reordering of keys by future uv versions or manual edits, and would silently produce an empty/wrong locked value if the assumption breaks.

Consider a more robust extraction, e.g. via uv tree/uv pip show or a TOML-aware parser (python -c "import tomllib..."), to avoid depending on key ordering.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/sync-wren-core-py-lock.yml around lines 58 - 65, The lock
verification step in sync-wren-core-py-lock.yml uses brittle awk-based parsing
that assumes the version line immediately follows the wren-core-py package name
in core/wren/uv.lock. Update the verification logic in the “Verify lock resolved
to the released version” step to extract the locked version with a TOML-aware or
tool-based approach instead of relying on key order, using the existing locked
and VERSION checks to validate the result.


Reviewing files that changed from the base of the PR and between 5ff51e4 and 6686034.

📒 Files selected for processing (2)
  • .github/workflows/release-please.yml
  • .github/workflows/sync-wren-core-py-lock.yml

ttw225 added 2 commits July 3, 2026 16:47

Add a workflow_dispatch trigger so the sync can be re-run by hand when the
automatic run after publish fails or is skipped. The version input is
optional: left blank it falls back to the wren-core-py version tracked in
.release-please-manifest.json, so a manual run needs no typing. This mirrors
rc-release.yml, where the version override is optional and auto-derived.

Add a concurrency group, skip when a sync PR is already open so --force
can't clobber a review, drop the redundant exact-version lock check, and
skip the final retry sleep.

coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/sync-wren-core-py-lock.yml (1)

92-114: 🩺 Stability & Availability | 🟠 Major | 🏗️ Heavy lift

Switch the PR token if these checks need to run automatically. PRs created with the default GITHUB_TOKEN enter GitHub’s approval-required state, so this repo’s pull_request workflows won’t start until a maintainer approves them. If those checks are required for merging, use a GitHub App installation token or PAT for the push/PR-create steps.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/sync-wren-core-py-lock.yml around lines 92 - 114, The sync
PR creation in the Open sync PR step uses the default GH_TOKEN/GITHUB_TOKEN,
which leaves the resulting pull_request workflow in approval-required state.
Update the token used by the git push and gh pr create commands in this job to a
GitHub App installation token or PAT so the PR can trigger checks automatically;
keep the logic around BRANCH and gh pr list unchanged.
🧹 Nitpick comments (1)
.github/workflows/sync-wren-core-py-lock.yml (1)

60-61: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

astral-sh/setup-uv@v4 is far behind current releases.

Astral has since released v8.x and, per their own hardening guidance, no longer publishes moving major/minor tags — only immutable per-patch tags (or commit SHAs) going forward. Pinning to v4 misses several releases' worth of fixes and security hardening.

Consider bumping to a current immutable tag (e.g. astral-sh/setup-uv@v8.1.0) or pinning by commit SHA.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/sync-wren-core-py-lock.yml around lines 60 - 61, The
workflow step using astral-sh/setup-uv@v4 is outdated and should be updated to a
current immutable release pin. In the sync-wren-core-py-lock workflow, replace
the setup-uv action reference with a newer per-patch tag such as
astral-sh/setup-uv@v8.1.0, or pin it to a commit SHA, so the job uses the
maintained version of the action.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/sync-wren-core-py-lock.yml:
- Around line 39-43: The checkout step in the workflow leaves the write-scoped
GITHUB_TOKEN in the git credential store because actions/checkout defaults
persist-credentials to true. Update the Checkout main step to disable persisted
credentials, then explicitly provide auth for the later git push and gh pr
create steps in the same workflow, using the existing GH_TOKEN setup and the
checkout/commit/push commands as the points to adjust.
- Around line 28-33: Use a stable concurrency key in the sync-wren-core-py-lock
workflow, because sync runs can land in different groups when inputs.version is
empty on workflow_dispatch. Update the concurrency group in the workflow
definition to derive from a consistent version value for both the
workflow_dispatch and workflow_call paths, so the same branch push is serialized
regardless of trigger; keep the change localized to the concurrency block.



Reviewing files that changed from the base of the PR and between 6686034 and 1a96eda.

📒 Files selected for processing (1)
  • .github/workflows/sync-wren-core-py-lock.yml

ttw225 added 2 commits July 3, 2026 17:40
persist-credentials: false keeps the write token out of .git/config while
uv builds dependency sdists during resolution; the push re-auths explicitly.