refactor(ci): unify release back into a single ci-release command #23780

Merged. ludamad merged 4 commits into next from ad/refactor/unify-ci-release on Jun 2, 2026.

@ludamad ludamad commented Jun 1, 2026

What

  1. Reunifies the release flow into a single ci-release command (undoes the ci-release / ci-release-publish split from feat(ci): forward-port backwards compatibility e2e workflows to v5 #22930). This had introduced several bugs and caused the command to span multiple machines.
  2. Fixes runner-side git push auth, broken by the checkout-v6 repin.

@ludamad ludamad requested a review from charlielye as a code owner June 1, 2026 19:47
@ludamad ludamad added the ci-release-pr Creates a development tag and runs the release suite label Jun 1, 2026
@AztecBot AztecBot removed the ci-release-pr Creates a development tag and runs the release suite label Jun 1, 2026
@ludamad ludamad force-pushed the ad/refactor/unify-ci-release branch from 7cbc774 to 5fa278e Compare June 1, 2026 21:24
@ludamad ludamad added the ci-release-pr Creates a development tag and runs the release suite label Jun 1, 2026
@AztecBot AztecBot removed the ci-release-pr Creates a development tag and runs the release suite label Jun 1, 2026
PR #22930 split ci-release into a build-only ci-release plus a separate
ci-release-publish, with publishing gated on a standalone ci-compat-e2e
GitHub job. A side effect: the release dry-run leg of merge-queue-ci
(ci-release v0.0.1-commit.<sha> under DRY_RUN=1) degraded to build-only, so
the publish flow had zero dry-run coverage — the first time publish code ran
was a live tag push.

Reunify:
- bootstrap.sh: ci-release once again does semver check -> backwards-compat
  e2e -> private-fork handling -> build release -> release (publish), all
  DRY_RUN-aware. Removed ci-release-publish and the standalone ci-compat-e2e
  case; the compat suite is now a release_compat_e2e bash check called inline
  (blocking for stable/RC, non-blocking + Slack-notify for nightlies, honors
  SKIP_COMPAT_E2E, amd64-only).
- ci.sh: dropped release-publish and compat-e2e; release is a single
  multi_job_run of ci-release on amd64 + arm64, with a roomier
  AWS_SHUTDOWN_TIME since the amd64 leg now does compat + build + publish.
- ci3.yml: removed the ci-release-publish and ci-compat-e2e jobs (publishing
  happens in the main ci job on a tag, as before the split); dropped the
  ci-release-publish dependency from ci-network-scenario.
@ludamad ludamad force-pushed the ad/refactor/unify-ci-release branch from 8655d4a to 04d373f Compare June 1, 2026 21:52
@ludamad ludamad added the ci-release-pr Creates a development tag and runs the release suite label Jun 1, 2026
@AztecBot AztecBot removed the ci-release-pr Creates a development tag and runs the release suite label Jun 1, 2026
@ludamad ludamad enabled auto-merge June 1, 2026 22:12
@ludamad ludamad force-pushed the ad/refactor/unify-ci-release branch from 04d373f to 993d240 Compare June 1, 2026 22:32
@ludamad ludamad added the ci-release-pr Creates a development tag and runs the release suite label Jun 1, 2026
@AztecBot AztecBot removed the ci-release-pr Creates a development tag and runs the release suite label Jun 1, 2026
actions/checkout v6.0.0 ("persist creds to a separate file", #2286) moved the
persisted github.token out of the repo's local .git/config into a temp file
included via includeIf directives. `git config --unset-all http....extraheader`
can no longer clear it, so the token-swap every runner-side push relies on
(set-url to a bot-PAT URL, unset the persisted header, push) stopped working:
pushes go out as github-actions[bot] (contents: read) and 403. The node24 repin
(0b04aac) pulled this in, silently breaking the ci-release-pr tag push, the
ci-squash-and-merge push, and the chonk-input refresh since late May.

Pin every actions/checkout across .github/workflows to v5.0.1: it is node24 (so
the deprecation that motivated the repin is still satisfied) but predates #2286,
so the credential is a plain, removable local http.extraheader again. The push
sites work unchanged, persist-credentials stays true so authenticated reads
(e.g. the aztec-packages-private mirror) keep working, and a comment on the
ci3.yml checkout warns against bumping back to v6.
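
The credential behaviour described in this commit message can be reproduced with plain git. This is an added example, not code from the PR or from actions/checkout; the header value, the `creds.config` file name and the exact `includeIf` pattern are constructed stand-ins for what the action writes.

```shell
#!/usr/bin/env bash
set -eu
KEY='http.https://github.com/.extraheader'
HDR='AUTHORIZATION: basic PLACEHOLDER'   # constructed value, not a real token

# Isolated repo; HOME and GIT_CONFIG_NOSYSTEM keep host config out of the result.
new_repo() {
  work=$(mktemp -d); work=$(cd "$work" && pwd -P)
  export HOME="$work" GIT_CONFIG_NOSYSTEM=1
  git init -q "$work/repo"
}

# The runner-side cleanup step: it only edits .git/config.
unset_header() {
  git -C "$work/repo" config --local --unset-all "$KEY" 2>/dev/null || true
}

# Number of header values git still resolves (includes are followed here).
remaining_headers() {
  n=$(git -C "$work/repo" config --get-all "$KEY" 2>/dev/null | wc -l)
  rm -rf "$work"
  echo $((n))
}

# Layout before #2286: the header sits directly in .git/config.
after_unset_inline() {
  new_repo
  git -C "$work/repo" config --local "$KEY" "$HDR"
  unset_header
  remaining_headers
}

# v6-style layout (assumed shape): the header sits in a separate file that
# .git/config pulls in through includeIf, so the unset finds nothing to remove.
after_unset_included() {
  new_repo
  git config --file "$work/creds.config" "$KEY" "$HDR"
  git -C "$work/repo" config --local \
    "includeIf.gitdir:$work/repo/.git.path" "$work/creds.config"
  unset_header
  remaining_headers
}

echo "inline layout:   $(after_unset_inline) header(s) still effective"
echo "included layout: $(after_unset_included) header(s) still effective"
```

Running `git config --get-all` without a file option after the unset is the check that matters: it reports what git will actually send, not what `.git/config` contains.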
@ludamad ludamad force-pushed the ad/refactor/unify-ci-release branch from 993d240 to 7689c7f Compare June 1, 2026 22:36
@ludamad ludamad added the ci-release-pr Creates a development tag and runs the release suite label Jun 1, 2026
@AztecBot AztecBot removed the ci-release-pr Creates a development tag and runs the release suite label Jun 1, 2026
PR #21775 renamed release_github -> release_bb_github but updated only one of
the two call sites; the private-fork path in ci-release kept calling the
now-undefined release_github, so any tag-based private release failed with exit 127
("command not found") before building. Point it at the renamed function.
- release_compat_e2e was invoked as `|| compat_rc=$?`, which suspends errexit for
  the whole function and its subshell, masking build/install failures (the subshell
  set -e did not restore it). Toggle errexit explicitly instead so a failed build
  surfaces as a non-zero compat result, and correct the misleading comment.
- Forward RUN_ID to the ci3 Run step so the nightly compat-failure Slack alert links
  a real GitHub run URL (on EC2, RUN_ID was a millisecond timestamp).
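
The errexit masking described in this commit message, as an added example that is not code from the PR: `compat_steps` is a constructed stand-in for the compat check, and `run_toggled` is an assumed shape for the explicit toggle, not the project's implementation.

```shell
#!/usr/bin/env bash
set -e

# Constructed stand-in for a compat check: the build step fails, so under
# errexit the test step should never run.
compat_steps() {
  (
    set -e                         # no effect if the caller's context ignores -e
    false                          # stands in for a failed build/install
    echo "compat tests ran" >&2    # only reached when errexit is suppressed
  )
}

# Call form quoted in the commit message: as the left side of `||`, the
# function and its subshell run with errexit ignored, so the failure is lost.
run_masked() {
  compat_rc=0
  compat_steps || compat_rc=$?
}

# Explicit toggle: the call is a plain command, so the subshell's `set -e`
# takes effect and the failed step becomes the function's exit status.
run_toggled() {
  set +e
  compat_steps
  compat_rc=$?
  set -e
}

run_masked;  echo "masked:  compat_rc=$compat_rc"   # failure hidden
run_toggled; echo "toggled: compat_rc=$compat_rc"   # failure surfaces
```

In a release gate the masked form fails open: a broken build is reported as a passing compat result and publishing proceeds.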
@ludamad ludamad added this pull request to the merge queue Jun 2, 2026
Merged via the queue into next with commit f7ff3b9 Jun 2, 2026
21 of 23 checks passed
@ludamad ludamad deleted the ad/refactor/unify-ci-release branch June 2, 2026 13:51
3 participants