
chore: harden release workflow and update release runbook #83

Open

edelauna wants to merge 1 commit into main from chore/release-checklist-actions

Conversation

@edelauna

@edelauna edelauna commented May 13, 2026

Summary

  • Replaces the hardcoded R00-B0T actor check with a GitHub App token approach (actions/create-github-app-token@v3) so the changeset job can push and open PRs without triggering loop-prevention rules on GITHUB_TOKEN.
  • Renames Job 2 from "edit/approve" to "validate/approve" and replaces the changelog-push step with a real release-artifact validation: identity checks, SemVer format, CHANGELOG entry, README sync, and VSIX manifest verification.
  • Adds workspace package builds and POSTHOG_API_KEY to the validate step so the packaged artifact matches what ships.
  • Uses pnpm --filter ./src vsix (includes mkdirp ../bin) instead of bare exec vsce package.
  • Adds a loop-guard comment explaining the PR-title-based condition.
  • Updates .roo/commands/release.md for Zoo Code identity (zoo-code package name, ZooCodeOrganization publisher) and expands the runbook with the full release sequence: changeset prep → version-bump PR → tag → publish.

Required repository settings

Before the workflow can run end-to-end:

Setting Type Value
RELEASE_APP_ID Variable Roomote GitHub App ID
RELEASE_BOT_LOGIN Variable app/roomote
RELEASE_APP_PRIVATE_KEY Secret Roomote GitHub App private key (.pem)

Test plan

  • Merge a changeset PR to main and confirm Job 1 opens a PR titled "Zoo Code changeset version bump" authored by app/roomote
  • Confirm Job 2 triggers on that PR, passes validation, adds changelog-ready label, and auto-approves
  • Confirm Job 1 does not re-trigger when the version-bump PR is merged (loop guard)

Summary by CodeRabbit

  • Chores
    • Enhanced release automation workflow with improved token handling and validation checks.
    • Updated release preparation documentation with comprehensive step-by-step guidance and clarified processes.
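The release-artifact validation this PR moves into Job 2 (SemVer format, CHANGELOG entry, VSIX manifest identity), reimplemented as a stand-alone Python module so the checks can be exercised offline. This is an added example, not the workflow's own shell steps: the function names, the sample CHANGELOG and the in-memory VSIX are constructed, and the only layout assumption is the standard VSIX zip with its manifest at extension/package.json.

```python
"""Release checks of the kind the validate/approve job runs. Added example,
not the project's workflow; sample CHANGELOG and VSIX are constructed."""
import io
import json
import re
import zipfile

# Official SemVer 2.0.0 grammar: no leading zeros, no 'v' prefix.
SEMVER_RE = re.compile(
    r"^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)"
    r"(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)"
    r"(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?"
    r"(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$"
)

# Constructed stand-in for the CHANGELOG.md that `changeset version` writes.
SAMPLE_CHANGELOG = """# zoo-code

## 3.18.0

- constructed entry for illustration
"""

def is_semver(version: str) -> bool:
    return SEMVER_RE.match(version) is not None

def changelog_has_entry(changelog: str, version: str) -> bool:
    # changesets emits one '## <version>' heading per release; accept '## [x.y.z]' too.
    pattern = rf"^## \[?{re.escape(version)}\]?(?:\s|$)"
    return re.search(pattern, changelog, re.M) is not None

def build_sample_vsix(manifest: dict) -> bytes:
    # A VSIX is a zip whose extension manifest lives at extension/package.json.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("extension/package.json", json.dumps(manifest))
    return buf.getvalue()

def validate_release(version, changelog, vsix_bytes, name="zoo-code", publisher="ZooCodeOrganization"):
    """Return a list of problems; an empty list means the artifact may ship."""
    problems = []
    if not is_semver(version):
        problems.append(f"version: {version!r} is not valid SemVer")
    if not changelog_has_entry(changelog, version):
        problems.append(f"changelog: no '## {version}' heading")
    with zipfile.ZipFile(io.BytesIO(vsix_bytes)) as z:
        packaged = json.loads(z.read("extension/package.json"))
    # Packaged identity must match the Zoo Code names the runbook documents.
    for key, expected in (("name", name), ("publisher", publisher), ("version", version)):
        if packaged.get(key) != expected:
            problems.append(f"{key}: packaged {packaged.get(key)!r} != {expected!r}")
    return problems
```

Each check reports rather than raises, so a CI step can print every mismatch at once and then fail on a non-empty list.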


@coderabbitai

coderabbitai Bot commented May 13, 2026

📝 Walkthrough

Walkthrough

The PR updates the changeset-release workflow to use GitHub App token authentication, title-based version-bump PR guards, and comprehensive release validation checks (build, package metadata, changelog/README parity, VSIX verification). Release documentation is expanded to detail the full Zoo Code release procedure from analysis through tagging with explicit expectations for the automated version-bump PR.

Changes

Release Process Automation and Documentation

Layer / File(s) Summary
Version bump PR creation and authentication
.github/workflows/changeset-release.yml
Run-name conditional logic updated to distinguish "Create PR" vs "Validate Version PR" based on pull request event and bump PR title/user. VERSION_BUMP_PR_TITLE constant added to env. The changeset-pr-version-bump job guard changed to skip based on title match instead of actor, and checkout now uses generated GitHub App token (release-bot-token).
Changesets PR creation and validation trigger
.github/workflows/changeset-release.yml
Changesets action configuration now sets explicit commit and title values for the version-bump PR and authenticates using the GitHub App token. The validate-and-approve job refocused to trigger only for PRs where user.login matches vars.RELEASE_BOT_LOGIN and title exactly matches VERSION_BUMP_PR_TITLE, with checkout-ref selection logic adjusted for opened PRs authored by the bot.
Release validation and build verification
.github/workflows/changeset-release.yml
Replaces prior changelog-push logic with comprehensive validation: Node/pnpm installation with frozen lockfile, workspace package builds, SemVer version validation, changelog heading verification, README parity checks, production bundle generation, VSIX file existence validation, and VSIX package.json metadata validation. Validation is followed by changelog-ready labeling.
Auto-approval after validation
.github/workflows/changeset-release.yml
Auto-approve action changed from conditional (label-based gating) to unconditional execution after validation completes, with updated review message.
Release process documentation
.roo/commands/release.md
Release documentation updated from Roo Code to Zoo Code branding. Expanded release checklist now covers stable release baseline identification, PR/issue analysis, detailed changeset creation with zoo-code package key, release image generation and integration, major/minor announcement flow with translation coordination, release-prep branch/PR procedure with explicit staged files, version-bump PR expectations including required repository variables/secrets and human review, and final tagging/publishing from v[version] tag only after version-bump PR merges.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested reviewers

  • hannesrudolph

Poem

🐰 A rabbit hops through workflows bright,
With tokens swapped and guards made right,
Release procedures now take flight—
From version bumps to tags in sight,
Zoo Code marches toward the light! 🚀

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning The description is largely incomplete relative to the required template, missing several critical sections including Related GitHub Issue link, Test Procedure details, and Pre-Submission Checklist. Add the missing 'Related GitHub Issue' section with issue number, expand 'Test Procedure' with detailed reproduction steps, and complete the 'Pre-Submission Checklist' to meet repository requirements.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately describes the main changes: hardening the release workflow and updating the release runbook documentation.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.


@codecov

codecov Bot commented May 13, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


@edelauna edelauna changed the title feat: release workflow chore: harden release workflow and update release runbook May 13, 2026
@edelauna edelauna marked this pull request as ready for review May 13, 2026 13:33
@edelauna edelauna requested a review from hannesrudolph as a code owner May 13, 2026 13:33

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/changeset-release.yml (1)

7-7: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Skip validate-approve on closed events.

The workflow triggers on types: [closed, opened, labeled]. When the bot's version-bump PR merges, Job 1 is correctly suppressed by the title-based loop guard — but Job 2's if: does not filter on github.event.action, so the full validation pipeline (install, build, bundle, vsix package, metadata checks) re-runs on the closed event and then attempts to auto-approve an already-merged PR. Add an action filter to skip closed-event runs.

🛠️ Proposed fix
     if: >
         github.event_name == 'pull_request' &&
+        github.event.action != 'closed' &&
         github.event.pull_request.base.ref == 'main' &&
         github.event.pull_request.user.login == vars.RELEASE_BOT_LOGIN &&
         github.event.pull_request.title == 'Zoo Code changeset version bump'
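Review bot: the `user.login == vars.RELEASE_BOT_LOGIN` line is only as strong as the variable's value, and the PR description documents RELEASE_BOT_LOGIN as `app/roomote`, which is the form GitHub accepts in rulesets and CODEOWNERS rather than the `login` the API reports for a PR opened with an App installation token (that takes the form `<app-slug>[bot]`). If the two differ the gate never fires, which fails closed but also means no version-bump PR is ever validated or approved; confirm the value against the `user.login` of a real bot-opened PR in the test plan before relying on this condition.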

Also applies to: 75-79

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/changeset-release.yml at line 7, The workflow currently
triggers on pull_request types including "closed", and the second job (the
validation/auto-approve job that lacks an action filter) runs on closed events
and tries to approve an already-merged PR; update that job's existing if:
condition (the job that performs install/build/bundle/vsix/metadata checks and
auto-approve) to also require github.event.action != 'closed' (e.g. add &&
github.event.action != 'closed' to its if: expression), and apply the same
change to the other occurrences around the 75-79 region so closed-event runs are
skipped.
🧹 Nitpick comments (2)
.roo/commands/release.md (1)

69-74: ⚡ Quick win

Make the staging command robust when no release image exists.

Step 7 makes the image optional, but the sample git add command always includes releases/[version]-release.png. Consider showing an optional/conditional add pattern to avoid failed copy-paste runs.

Suggested doc tweak
- git add .changeset/v[version].md README.md releases/[version]-release.png
+ git add .changeset/v[version].md README.md
+ # If generated:
+ git add releases/[version]-release.png
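Review bot: the `# If generated:` comment in the replacement still relies on the reader to skip the second `git add` by hand, which is the same copy-paste failure the comment set out to remove. A self-guarding runbook line, for example `[ -f releases/[version]-release.png ] && git add releases/[version]-release.png`, stays safe to paste whether or not Step 7 produced an image.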
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.roo/commands/release.md around lines 69 - 74, The git add sample in the
release staging steps currently always includes releases/[version]-release.png
which breaks copy-paste when no image exists; change the single git add line so
the image is added conditionally (e.g., keep adding .changeset/v[version].md and
README.md unconditionally and add releases/[version]-release.png only if the
file exists, or split into two commands where the second command only runs when
the file is present) and update the example line in .roo/commands/release.md
accordingly so users won’t get errors when no release image is present.
.github/workflows/changeset-release.yml (1)

12-12: ⚡ Quick win

Centralize the version-bump PR title to avoid drift.

The literal "Zoo Code changeset version bump" is duplicated at lines 23 and 79 in job-level if: conditions in addition to env.VERSION_BUMP_PR_TITLE on line 12. GitHub Actions does not expose the workflow-level env context inside job-level if: expressions, so env.VERSION_BUMP_PR_TITLE cannot be reused there — but vars.* is available at job-level. Promoting this to a repo/org variable (e.g. vars.VERSION_BUMP_PR_TITLE) lets all three sites reference one source of truth and prevents the loop guard and validate-approve gate from silently desynchronizing from the title actually sent to changesets/action.

♻️ Proposed refactor
 env:
   REPO_PATH: ${{ github.repository }}
   GIT_REF: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || 'main' }}
-  VERSION_BUMP_PR_TITLE: Zoo Code changeset version bump
+  VERSION_BUMP_PR_TITLE: ${{ vars.VERSION_BUMP_PR_TITLE }}
     if: >
       ( github.event_name == 'pull_request' &&
       github.event.pull_request.merged == true &&
       github.event.pull_request.base.ref == 'main' &&
-      github.event.pull_request.title != 'Zoo Code changeset version bump' ) ||
+      github.event.pull_request.title != vars.VERSION_BUMP_PR_TITLE ) ||
       github.event_name == 'workflow_dispatch'
     if: >
         github.event_name == 'pull_request' &&
         github.event.pull_request.base.ref == 'main' &&
         github.event.pull_request.user.login == vars.RELEASE_BOT_LOGIN &&
-        github.event.pull_request.title == 'Zoo Code changeset version bump'
+        github.event.pull_request.title == vars.VERSION_BUMP_PR_TITLE
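Review bot: pointing all three sites at `vars.VERSION_BUMP_PR_TITLE` introduces a failure mode the literal did not have: an unset or misspelled repository variable evaluates to the empty string, so the first condition (`title != ''`) becomes true for the bot's own version-bump PR and the loop guard stops guarding, while the second condition (`title == ''`) never matches and validation silently stops running, and changesets/action is handed an empty title. Pair the refactor with a fail-fast step at the top of both jobs that exits non-zero when `vars.VERSION_BUMP_PR_TITLE` is empty, so a missing variable shows up as a red run rather than a re-triggering workflow.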

Then add VERSION_BUMP_PR_TITLE alongside RELEASE_APP_ID / RELEASE_BOT_LOGIN in the repo variables documented in the PR description.

Also applies to: 23-23, 79-79

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/changeset-release.yml at line 12, Replace the duplicated
literal PR title with a single repo-level variable and reference it via vars:
create a repository variable named VERSION_BUMP_PR_TITLE (value "Zoo Code
changeset version bump"), update the two job-level if: expressions that
currently contain the literal string to use vars.VERSION_BUMP_PR_TITLE, and
update the workflow-level env (the top-level VERSION_BUMP_PR_TITLE env) to
reference vars.VERSION_BUMP_PR_TITLE so all three sites (workflow env and both
job if expressions) come from the same repo variable.


📥 Commits

Reviewing files that changed from the base of the PR and between 7535a56 and c0e6c47.

📒 Files selected for processing (2)
  • .github/workflows/changeset-release.yml
  • .roo/commands/release.md

Comment on lines +116 to +119
- name: Build workspace packages
run: |
pnpm --filter @roo-code/build build
pnpm --filter @roo-code/vscode-webview build
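Review bot: beyond the package name, a `pnpm --filter` selector that matches no workspace package exits 0, so this step can pass while building nothing and the VSIX is then packaged from whatever stale output is on disk. Have the step verify its own effect, for instance by checking that the expected build output directory exists after the two commands (or, if the pnpm version in use supports it, passing `--fail-if-no-match`), so a renamed or missing package fails the run instead of producing a silently mis-built artifact.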


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# List all workspace package.json `name` fields to confirm the filters resolve.
fd -t f '^package\.json$' -E node_modules -E dist -E build --exec sh -c 'printf "%s -> " "$1"; jq -r ".name // \"<no name>\"" "$1"' _ {}

Repository: Zoo-Code-Org/Zoo-Code

Length of output: 943


Remove or correct the non-existent @roo-code/build filter in the build step.

The filter `pnpm --filter @roo-code/build` will not match any workspace packages: `@roo-code/build` does not exist in the repository. The workspace contains `@roo-code/vscode-webview` (from `./webview-ui/package.json`), but no build package. This filter will silently skip the build, potentially leaving stale artifacts in the downstream vsix package.

Confirm the intended package name for the first filter, or remove it if no build is needed for this step.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/changeset-release.yml around lines 116 - 119, The workflow
step uses a non-existent pnpm filter '@roo-code/build' which causes the build to
be skipped; either replace '@roo-code/build' with the correct workspace package
name (e.g., the actual package that needs building) or remove that filter line
entirely so only 'pnpm --filter `@roo-code/vscode-webview` build' runs; update the
step where the filters are declared to reference the correct package
identifier(s) or drop the invalid '@roo-code/build' entry so downstream vsix
artifacts are built from the intended package.

