Release publication
ReviewPhin publishes public releases through GitHub Actions after Happy Changelog updates the version and creates the release tag. Happy Changelog remains responsible for changelog and version changes; the release workflow publishes the website, Docker image, Helm chart, and Docker Hub README.
Workflow shape
Section titled “Workflow shape”Pull requests run Quality Gates and Validate PR Changelog. Quality Gates exposes the test, CodeQL, and Dependency Review checks on public pull requests; Validate PR Changelog calls the Happy Changelog reusable validation job.
Pushes to main run Update Changelog. That workflow calls the reusable Quality Gates workflow as quality-gates, then runs the Happy Changelog update job only after those gates pass. On main, dependency review stays disabled because it is a pull-request-only check.
Scheduled Security runs weekly and from workflow_dispatch. It calls Quality Gates as security-analysis with tests and dependency review disabled, and keeps CodeQL and OpenSSF Scorecard coverage on a schedule.
Release tags matching v* run Release:
verifyruns lint, typecheck, application build, docs build, and coverage.publish-helm-chartlints and packages.chart/, uploads the packaged chart as a workflow artifact, and pushes the OCI chart toghcr.io/<owner>/charts/reviewphin.publish-docsbuilds the static homepage and docs forhttps://reviewphin.com, writesCNAME, and deploys with GitHub Pages.build-and-smoke-test-imagebuilds a local amd64 image, checks/healthz, and verifies the image-providedreviewphinCLI.publish-dockerpublishescdwv/reviewphinto Docker Hub with the release tag, safe semver aliases, andlatestfor stablex.y.zreleases.update-dockerhub-readmegeneratesDOCKERHUB_README.mdand pushes it to Docker Hub.
Required repository settings
Section titled “Required repository settings”Configure these before the first public release:
- Enable GitHub Pages and set the source to GitHub Actions.
- Configure DNS and the Pages custom domain for
reviewphin.com. - Add
REVIEWPHIN_POSTHOG_KEYas a GitHub repository or Pages environment variable for the public site. AddREVIEWPHIN_POSTHOG_HOSTonly when the project does not use the default US Cloud host. - Add
DOCKERHUB_USERNAMEandDOCKERHUB_TOKENsecrets with write access tocdwv/reviewphin. - Allow the release workflow to publish GitHub Packages with
GITHUB_TOKEN; the chart job requestspackages: writeand publishes to GHCR. - Enable GitHub native secret scanning when available.
- Run a one-time full-history secret scan from a maintainer machine before public launch.
- Configure branch protection or repository rules for
mainafter the first pull request run creates check names.
Require these checks for protected pull requests:
testCodeQLDependency ReviewValidate PR Changelog / validate
Do not require security-analysis / ... checks from Scheduled Security or quality-gates / ... checks from Update Changelog for pull request branch protection. Those workflows run outside the pull request path.
Require branches to be up to date before merging if maintainers want merge commits tested against the current main.
Tag trigger requirement
Section titled “Tag trigger requirement”GitHub does not trigger downstream workflows from tags created with the default GITHUB_TOKEN. Configure Happy Changelog to create tags with a maintainer PAT or GitHub App token, or dispatch Release explicitly after the gated Happy Changelog update job completes.
The tag or dispatch step must stay downstream of the Happy Changelog update job. Branch protection alone is not enough because the update workflow runs after a push to main.
Security automation
Section titled “Security automation”Pull request security gates live in Quality Gates: CodeQL runs on public pull requests, and Dependency Review blocks moderate-or-higher dependency findings there. Scheduled Security provides scheduled and manually triggered CodeQL and OpenSSF Scorecard coverage outside the pull request path.
CodeQL, dependency review, and Scorecard availability depends on repository visibility and GitHub Advanced Security. The committed workflows run those checks automatically for public repositories; private repositories with GitHub Advanced Security can remove the visibility guards.
Before public launch, run a full-history secret scan from a maintainer machine or a trusted workflow and rotate any exposed credentials before publishing history.