Skip to content

hotfix(ci): make release + UAT manual-only (no auto-run on merge/push)#504

Merged
alichherawalla merged 1 commit into
mainfrom
hotfix/manual-only-ci-triggers
Jul 8, 2026
Merged

hotfix(ci): make release + UAT manual-only (no auto-run on merge/push)#504
alichherawalla merged 1 commit into
mainfrom
hotfix/manual-only-ci-triggers

Conversation

@alichherawalla

@alichherawalla alichherawalla commented Jul 8, 2026

Copy link
Copy Markdown
Collaborator

What

Removes the automatic push triggers from both release workflows:

  • release.yml no longer runs on push to main (was auto-cutting a production release on every merge).
  • uat-dev.yml no longer runs on push to dev (was auto-building/publishing a beta).

Both keep workflow_dispatch, so they can still be launched by hand from the Actions tab. Local scripts (scripts/release.sh, scripts/uat.sh) remain the primary paths.

Why

Merging #503 to main auto-fired the production Android release (failed run). Releases and betas should be cut manually, not on merge.

Scope

Trigger-only change; no build/logic changes. Nothing auto-publishes to the stores anymore.

Summary by CodeRabbit

  • Chores
    • Release and beta pipelines now run manually instead of automatically on branch updates.
    • This helps prevent unintended app store publishing from routine merges.

Merging to main was auto-cutting a production release (release.yml) and pushing to
dev was auto-building/publishing a beta (uat-dev.yml). Both should be run by hand.
Drop the push triggers; keep workflow_dispatch so they can still be launched manually
from the Actions tab (and scripts/release.sh / scripts/uat.sh remain the local paths).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jul 8, 2026

Copy link
Copy Markdown

Review Change Stack

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: c8b09f31-9eac-4a4f-9f67-7ea0d4c8e5d1

📥 Commits

Reviewing files that changed from the base of the PR and between 653067a and 6db08b5.

📒 Files selected for processing (2)
  • .github/workflows/release.yml
  • .github/workflows/uat-dev.yml

📝 Walkthrough

Walkthrough

Two GitHub Actions workflow files were modified to remove automatic push-based triggers. The Android release workflow (release.yml) and the UAT/dev workflow (uat-dev.yml) now run only via manual workflow_dispatch, preventing automatic publishing when code is pushed to main or dev.

Changes

Workflow trigger changes

Layer / File(s) Summary
Remove automatic push triggers
.github/workflows/release.yml, .github/workflows/uat-dev.yml
Both workflows drop their push triggers (on main and dev respectively), leaving only workflow_dispatch, with added comments clarifying manual-only release/beta behavior.

Estimated code review effort: 1 (Trivial) | ~3 minutes

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch hotfix/manual-only-ci-triggers

Comment @coderabbitai help to get the list of available commands.

@alichherawalla
alichherawalla merged commit 362ca5b into main Jul 8, 2026
1 check was pending
@qodo-code-review

Copy link
Copy Markdown

PR Summary by Qodo

Hotfix CI: make release and UAT workflows manual-only (remove push triggers)

⚙️ Configuration changes 🐞 Bug fix 🕐 Less than 10 minutes

Grey Divider

AI Description

• Remove push triggers so merges to main/dev no longer auto-publish releases/betas.
• Keep workflow_dispatch to allow explicit, manual runs from the Actions tab.
• Document intent inline to prevent accidental reintroduction of auto-release behavior.
Diagram

graph TD
  Maintainer([Maintainer]) --> Dispatch["GitHub Actions: workflow_dispatch"] --> ReleaseWF["release.yml"] --> ProdPublish["Prod publish (stores)"]
  Maintainer([Maintainer]) --> Dispatch["GitHub Actions: workflow_dispatch"] --> UATWF["uat-dev.yml"] --> BetaPublish["Beta publish (internal)"]
Loading
High-Level Assessment

The following are alternative approaches to this PR:

1. Trigger on tags/releases (instead of push)
  • ➕ Still automated, but only when an explicit release tag/release is created
  • ➕ Keeps CI reproducibility while avoiding “every merge publishes” failure mode
  • ➖ Requires disciplined tag/release creation process
  • ➖ May need additional guardrails (tag format validation, version checks)
2. Keep push trigger but add hard gates
  • ➕ Retains “merge-to-release” convenience for teams that want it
  • ➕ Can be made safe with environment approvals / required reviewers / conditional checks
  • ➖ More complex and easier to misconfigure
  • ➖ Still risks accidental runs if a guard condition is missed (e.g., bot merges, back-merges)
3. Split build vs publish workflows
  • ➕ Allows automatic build/verification on push while keeping publish manual
  • ➕ Reduces risk while preserving fast feedback on release readiness
  • ➖ More workflow plumbing and artifacts handoff
  • ➖ More moving parts than a hotfix warrants

Recommendation: For a hotfix, the PR’s approach (manual-only via workflow_dispatch) is the safest and simplest way to stop unintended store publishing immediately. If you later want some automation back, prefer “tag-triggered publish” or “auto-build + manual publish” rather than reintroducing branch-push publishing.

Files changed (2) +5 / -5

Other (2) +5 / -5
release.ymlRemove push-to-main trigger; keep manual dispatch for production releases +3/-3

Remove push-to-main trigger; keep manual dispatch for production releases

• Drops the 'push' trigger on 'main' so merges no longer auto-cut/publish production releases. Adds an explicit comment clarifying that releases must be initiated manually via 'workflow_dispatch' (or local scripts).

.github/workflows/release.yml

uat-dev.ymlRemove push-to-dev trigger; keep manual dispatch for UAT/beta builds +2/-2

Remove push-to-dev trigger; keep manual dispatch for UAT/beta builds

• Drops the 'push' trigger on 'dev' so pushes no longer auto-build/publish betas to internal testers. Adds documentation in the workflow header and retains 'workflow_dispatch' inputs for manual launches.

.github/workflows/uat-dev.yml

@qodo-code-review

Copy link
Copy Markdown

Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (1) 📜 Skill insights (0)

Context used
✅ Compliance rules (platform): 36 rules

Grey Divider


Action required

1. Em dash in release.yml comment 📘 Rule violation ✧ Quality
Description
Workflow comments include a Unicode em dash (), which is disallowed in user-facing/documentation
text per the checklist. This can cause inconsistent typography and violates the hyphen-only
requirement.
Code

.github/workflows/release.yml[6]

+  # Manual only. Releases are cut by hand (scripts/release.sh locally, or this dispatch) —
Relevance

⭐⭐⭐ High

PR #503 definitely accepted replacing Unicode em dashes with ASCII hyphens in docs; same rule likely
enforced here.

PR-#503

ⓘ Recommendations generated based on similar findings in past PRs

Evidence
PR Compliance ID 1570610 disallows the em dash character () in user-facing/documentation text and
requires ASCII hyphens instead. The cited updated comment lines in both
.github/workflows/release.yml and .github/workflows/uat-dev.yml contain the  character,
directly demonstrating the rule violation in the workflow comments.

Rule 1570610: Disallow em dashes in user-facing text; use hyphens instead
.github/workflows/release.yml[6-6]
.github/workflows/uat-dev.yml[22-22]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
Workflow comments were updated to include a Unicode em dash (`—`), which is disallowed in user-facing/documentation text.

## Issue Context
PR Compliance ID 1570610 forbids em dashes in user-facing/documentation text and requires ASCII hyphens (`-`) instead to ensure consistent typography.

## Fix Focus Areas
- .github/workflows/release.yml[6-6]
- .github/workflows/uat-dev.yml[22-22]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


2. UAT runs on wrong ref 🐞 Bug ☼ Reliability
Description
With push-based restrictions removed, both uat-dev.yml and release.yml are now manual-only
(workflow_dispatch) and can be run against any selected ref, yet they still reattach/operate on
the triggering branch and perform side effects like version bumps/commits/tags, pushes, and
publishing (beta via scripts/uat.sh with store credentials and release via GitHub Release and
possible Play upload). Dispatching either workflow from the wrong branch/tag can mutate the wrong
branch history and publish unintended beta or release artifacts from unintended code.
Code

.github/workflows/uat-dev.yml[R21-24]

on:
-  push:
-    branches: [dev]
+  # Manual only. Betas are cut by hand (scripts/uat.sh locally, or this dispatch) — pushing
+  # to dev must NOT auto-build/publish a beta.
  workflow_dispatch:
Relevance

⭐⭐ Medium

Team accepted safeguards against unintended UAT publishes (#503), but no direct precedent for
workflow_dispatch ref restrictions.

PR-#503
PR-#504

ⓘ Recommendations generated based on similar findings in past PRs

Evidence
The cited workflows no longer enforce branch constraints via push.branches (e.g., no longer
restricted to dev for UAT or main for release), but they still contain steps that (a) check out
and/or reattach to the ref selected in the GitHub “Run workflow” UI (the triggering
$GITHUB_REF_NAME/github.ref), (b) perform git operations that push commits/tags back to that
branch, and (c) run publishing flows—uat-dev.yml invokes scripts/uat.sh with Play/TestFlight
credentials, while release.yml performs a version bump commit and creates a GitHub Release with
optional Play upload. Because workflow_dispatch allows selecting arbitrary refs, the combination
of missing restrictions plus these push/publish side effects makes wrong-ref dispatch hazardous and
directly explains how unintended code could be published or branch history could be altered.

.github/workflows/uat-dev.yml[21-31]
.github/workflows/uat-dev.yml[38-40]
.github/workflows/uat-dev.yml[85-93]
.github/workflows/uat-dev.yml[93-117]
.github/workflows/release.yml[5-9]
.github/workflows/release.yml[63-82]
.github/workflows/release.yml[112-120]
.github/workflows/release.yml[134-154]
.github/workflows/release-ios.yml[3-10]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`uat-dev.yml` and `release.yml` are now manual-only (`workflow_dispatch`), which allows operators to run them against arbitrary branches/tags via the GitHub **Run workflow** UI. Both workflows still perform mutable and/or publishing side effects (reattach/push to the selected ref, beta publish via `scripts/uat.sh` with store credentials, and release side effects like version bump commit + `git push`, GitHub Release creation, and optional Play upload), so dispatching from the wrong ref can mutate the wrong branch and publish unintended beta/release artifacts.

## Issue Context
- `workflow_dispatch` permits selecting a branch/tag at run time; with prior `push.branches` restrictions removed, there is no inherent enforcement that UAT runs only from `dev` or releases only from `main`.
- `uat-dev.yml` includes explicit git operations to re-attach to `$GITHUB_REF_NAME` and set upstream, making the selected dispatch ref the push target.

## Fix Focus Areas
- .github/workflows/uat-dev.yml[21-31]
- .github/workflows/uat-dev.yml[85-93]
- .github/workflows/uat-dev.yml[93-117]
- .github/workflows/release.yml[5-9]
- .github/workflows/release.yml[24-29]
- .github/workflows/release.yml[63-82]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


Grey Divider

Qodo Logo

push:
branches: [main] # every merge to main cuts a release
workflow_dispatch: {} # manual fallback
# Manual only. Releases are cut by hand (scripts/release.sh locally, or this dispatch) —

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Action required

1. Em dash in release.yml comment 📘 Rule violation ✧ Quality

Workflow comments include a Unicode em dash (), which is disallowed in user-facing/documentation
text per the checklist. This can cause inconsistent typography and violates the hyphen-only
requirement.
Agent Prompt
## Issue description
Workflow comments were updated to include a Unicode em dash (`—`), which is disallowed in user-facing/documentation text.

## Issue Context
PR Compliance ID 1570610 forbids em dashes in user-facing/documentation text and requires ASCII hyphens (`-`) instead to ensure consistent typography.

## Fix Focus Areas
- .github/workflows/release.yml[6-6]
- .github/workflows/uat-dev.yml[22-22]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

Comment on lines 21 to 24
on:
push:
branches: [dev]
# Manual only. Betas are cut by hand (scripts/uat.sh locally, or this dispatch) — pushing
# to dev must NOT auto-build/publish a beta.
workflow_dispatch:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Action required

2. Uat runs on wrong ref 🐞 Bug ☼ Reliability

With push-based restrictions removed, both uat-dev.yml and release.yml are now manual-only
(workflow_dispatch) and can be run against any selected ref, yet they still reattach/operate on
the triggering branch and perform side effects like version bumps/commits/tags, pushes, and
publishing (beta via scripts/uat.sh with store credentials and release via GitHub Release and
possible Play upload). Dispatching either workflow from the wrong branch/tag can mutate the wrong
branch history and publish unintended beta or release artifacts from unintended code.
Agent Prompt
## Issue description
`uat-dev.yml` and `release.yml` are now manual-only (`workflow_dispatch`), which allows operators to run them against arbitrary branches/tags via the GitHub **Run workflow** UI. Both workflows still perform mutable and/or publishing side effects (reattach/push to the selected ref, beta publish via `scripts/uat.sh` with store credentials, and release side effects like version bump commit + `git push`, GitHub Release creation, and optional Play upload), so dispatching from the wrong ref can mutate the wrong branch and publish unintended beta/release artifacts.

## Issue Context
- `workflow_dispatch` permits selecting a branch/tag at run time; with prior `push.branches` restrictions removed, there is no inherent enforcement that UAT runs only from `dev` or releases only from `main`.
- `uat-dev.yml` includes explicit git operations to re-attach to `$GITHUB_REF_NAME` and set upstream, making the selected dispatch ref the push target.

## Fix Focus Areas
- .github/workflows/uat-dev.yml[21-31]
- .github/workflows/uat-dev.yml[85-93]
- .github/workflows/uat-dev.yml[93-117]
- .github/workflows/release.yml[5-9]
- .github/workflows/release.yml[24-29]
- .github/workflows/release.yml[63-82]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant