# rw_release_validation_complete.yaml

Pre-release validation workflow that tests all release components without publishing artifacts.
## Description

This workflow provides comprehensive validation of release artifacts before actual deployment. It tests Python package builds, Docker image builds, documentation generation, and supply chain security without publishing anything to production registries.
## Purpose

- Pre-Release Testing: Validate all release components before production deployment
- Pull Request Validation: Automatically test releases on PRs to master branch
- Configuration Testing: Verify release configuration and intent parsing
- Security Validation: Test SBOM generation, vulnerability scanning, and signing
- Risk Mitigation: Catch issues early without affecting production artifacts
## Inputs

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| `level` | string | No | `auto` | Release level to test (`auto`, `patch`, `minor`, `major`) |
| `python` | string | No | `auto` | Python package validation (`auto`, `force`, `skip`) |
| `docker` | string | No | `auto` | Docker image validation (`auto`, `force`, `skip`) |
| `docs` | string | No | `auto` | Documentation validation (`auto`, `force`, `skip`) |

For the three artifact inputs, `force` always runs that validation and `skip` never does; `auto` defers to the workflow's own detection, which for Docker means a `Dockerfile` at the repository root (see "Automatic Dockerfile Detection" below).

## Outputs

| Output | Description |
|---|---|
| `validation_passed` | Whether all validation checks passed |
| `intent_parsed` | Release intent parsing result |
| `python_validated` | Python package validation result |
| `docker_validated` | Docker validation result |
| `docs_validated` | Documentation validation result |
| `security_validated` | Security validation result |

## Workflow Architecture

### Validation Steps

#### 1. Configuration Parsing & Validation

```yaml
config:
  name: Parse Configuration
  uses: ./.github/workflows/rw_parse_project_config.yaml
```

Validates:
- Enhanced `intent.yaml` structure and syntax
- Config output generation for all sections
- Auto-detection logic for project and package names
- Docker registry URLs and health check configurations
- Documentation path accessibility

#### 2. Dockerfile Detection

```yaml
check-dockerfile:
  name: Check Dockerfile Exists
  runs-on: ubuntu-latest
  outputs:
    has_dockerfile: ${{ steps.check.outputs.has_dockerfile }}
```

Purpose:
- Validates Dockerfile presence before Docker validation steps
- Prevents validation failures for Python-only projects
- Provides clear skip messages when no Dockerfile found
- Enables conditional execution of Docker-related jobs
#### 3. Release Intent Validation

```yaml
intent-parse:
  uses: ./.github/workflows/rw_parse_release_intent.yaml
  needs: config
  with:
    level: ${{ inputs.level }}
    python: ${{ inputs.python }}
    docker: ${{ inputs.docker }}
    docs: ${{ inputs.docs }}
```

Validates:
- Enhanced JSON schema validation
- Release intent against config-provided defaults
- Artifact configuration with enhanced format support
- Version bump level settings
- Release notes format
#### 4. Python Package Build Check

Tests:
- Package builds successfully with `uv build`
- All dependencies resolve correctly
- Package metadata is valid
- Distribution files are created
- No build errors or warnings

Validation Process:

```shell
# Build the sdist and wheel into dist/
uv build
# Verify that the distribution files were created
ls -la dist/
# List the sdist contents; the top-level PKG-INFO carries the package metadata
tar -tzf dist/*.tar.gz
```
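Listing the tarball shows that `PKG-INFO` is present but not that its contents agree with the wheel or with the release being cut. The following Python script is an added example, not code from the reusable workflow: it reads the metadata from the sdist's top-level `PKG-INFO` and the wheel's `*.dist-info/METADATA`, normalises the project name per PEP 503 so `Demo_Pkg` and `demo-pkg` compare equal, and reports any mismatch against the name and version the release intends to ship, which catches a stale wheel left in `dist/` from an earlier build. `write_fake_dist` is a constructed stand-in for `uv build` output so the script runs offline; the helper and function names are assumptions.

```python
"""Added example: offline consistency check for a `uv build` output directory."""
import io
import re
import tarfile
import tempfile
import zipfile
from pathlib import Path


def normalize(name):
    """PEP 503 name normalisation: 'Demo_Pkg' and 'demo-pkg' are the same project."""
    return re.sub(r"[-_.]+", "-", name).lower()


def read_metadata(text):
    """Parse the header block of PKG-INFO / METADATA into a dict (first value wins).
    Headers end at the first blank line; the long description after it may contain
    'Name:'-looking lines, so parsing must stop there."""
    meta = {}
    for line in text.splitlines():
        if not line.strip():
            break
        if ":" in line and not line.startswith((" ", "\t")):
            key, value = line.split(":", 1)
            meta.setdefault(key.strip(), value.strip())
    return meta


def sdist_metadata(path):
    """Metadata from the single top-level PKG-INFO inside an sdist tarball."""
    with tarfile.open(path, "r:gz") as tf:
        members = [m for m in tf.getmembers()
                   if m.name.endswith("/PKG-INFO") and m.name.count("/") == 1]
        if len(members) != 1:
            raise ValueError(f"{path.name}: expected one top-level PKG-INFO, found {len(members)}")
        return read_metadata(tf.extractfile(members[0]).read().decode())


def wheel_metadata(path):
    """Metadata from the single *.dist-info/METADATA inside a wheel."""
    with zipfile.ZipFile(path) as zf:
        names = [n for n in zf.namelist() if n.endswith(".dist-info/METADATA")]
        if len(names) != 1:
            raise ValueError(f"{path.name}: expected one dist-info METADATA, found {len(names)}")
        return read_metadata(zf.read(names[0]).decode())


def check_dist(dist_dir, expected_name, expected_version):
    """Return a list of problems; an empty list means dist/ is consistent."""
    dist = Path(dist_dir)
    sdists, wheels = sorted(dist.glob("*.tar.gz")), sorted(dist.glob("*.whl"))
    problems = []
    if len(sdists) != 1:
        problems.append(f"expected exactly one sdist, found {len(sdists)}")
    if len(wheels) != 1:
        problems.append(f"expected exactly one wheel, found {len(wheels)}")
    if problems:
        return problems
    for label, meta in (("sdist", sdist_metadata(sdists[0])), ("wheel", wheel_metadata(wheels[0]))):
        if normalize(meta.get("Name", "")) != normalize(expected_name):
            problems.append(f"{label}: Name {meta.get('Name')!r} is not {expected_name!r}")
        if meta.get("Version") != expected_version:
            problems.append(f"{label}: Version {meta.get('Version')!r} is not {expected_version!r}")
    return problems


def write_fake_dist(dist_dir, name, sdist_version, wheel_version):
    """Constructed stand-in for `uv build` output so the check runs without the tool."""
    dist = Path(dist_dir)
    dist.mkdir(parents=True, exist_ok=True)
    pkg_info = f"Metadata-Version: 2.1\nName: {name}\nVersion: {sdist_version}\n\nName: not-a-header\n".encode()
    with tarfile.open(dist / f"{name}-{sdist_version}.tar.gz", "w:gz") as tf:
        info = tarfile.TarInfo(f"{name}-{sdist_version}/PKG-INFO")
        info.size = len(pkg_info)
        tf.addfile(info, io.BytesIO(pkg_info))
    wheel_stem = f"{name.replace('-', '_')}-{wheel_version}"
    with zipfile.ZipFile(dist / f"{wheel_stem}-py3-none-any.whl", "w") as zf:
        zf.writestr(f"{wheel_stem}.dist-info/METADATA",
                    f"Metadata-Version: 2.1\nName: {name}\nVersion: {wheel_version}\n")
    return dist


def demo():
    """Three scenarios: a consistent pair, a wheel left over from an earlier build, an empty dist/."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        results["consistent"] = check_dist(write_fake_dist(tmp, "demo-pkg", "0.1.0", "0.1.0"), "Demo_Pkg", "0.1.0")
    with tempfile.TemporaryDirectory() as tmp:
        results["stale_wheel"] = check_dist(write_fake_dist(tmp, "demo-pkg", "0.1.0", "0.1.1"), "demo-pkg", "0.1.0")
    with tempfile.TemporaryDirectory() as tmp:
        results["empty"] = check_dist(tmp, "demo-pkg", "0.1.0")
    return results


if __name__ == "__main__":
    for scenario, problems in demo().items():
        print(f"{scenario}: {problems or 'OK'}")
```

Run `rm -rf dist/` before `uv build` in CI so the "exactly one sdist, exactly one wheel" rule holds; a leftover artifact from a previous version is exactly what the stale-wheel scenario detects.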
#### 5. Docker Image Build Validation

Only runs if a Dockerfile exists.

##### DockerHub Build Test

```yaml
docker-build-dockerhub:
  # the needs.* references below resolve only for jobs listed here
  needs: [config, check-dockerfile]
  if: needs.check-dockerfile.outputs.has_dockerfile == 'true'
  uses: ./.github/workflows/rw_docker_operations.yaml
  with:
    operation: 'build'
    registry: ${{ needs.config.outputs.docker_registry_dockerhub }}
```

Tests:
- Docker image builds successfully
- Multi-architecture support (amd64, arm64)
- Image layers are optimized
- Build cache works correctly
- No build errors
##### GHCR Build Test

```yaml
docker-build-ghcr:
  # the needs.* references below resolve only for jobs listed here
  needs: [config, check-dockerfile]
  if: needs.check-dockerfile.outputs.has_dockerfile == 'true'
  uses: ./.github/workflows/rw_docker_operations.yaml
  with:
    operation: 'build'
    registry: ${{ needs.config.outputs.docker_registry_ghcr }}
```

Tests:
- GHCR-specific build configuration
- Registry authentication setup
- Image tagging conventions
- Metadata labels
#### 6. Documentation Build Test

```yaml
docs-build:
  uses: ./.github/workflows/rw_docusaurus_operations.yaml
  with:
    operation: 'build'
```

Tests:
- Docusaurus builds successfully
- All MDX files are valid
- No broken links
- Search index generation
- Multi-section documentation support
#### 7. Supply Chain Security Validation

Only runs if a Dockerfile exists.

```yaml
supply-chain-loopback:
  # check-dockerfile is listed so its output is readable from this job's `if:`
  needs: [check-dockerfile, docker-build-dockerhub, docker-build-ghcr]
  if: needs.check-dockerfile.outputs.has_dockerfile == 'true'
```

##### SBOM Generation Test

Tool: Syft

Validates:
- SBOM generation for Docker images
- Fallback SBOM from the workspace when no image is available
- SBOM format (SPDX, CycloneDX)
- Component inventory completeness

##### Vulnerability Scanning Test

Tool: Grype

Validates:
- CVE detection in dependencies
- Vulnerability severity assessment
- Security scan report generation
- Defensive checks for missing images

##### Cosign Signing Test

Validates:
- Keyless signing with GitHub OIDC
- Signature generation
- Signature verification
- Cosign integration

##### SLSA Attestation Test

Validates:
- Provenance attestation generation
- Build metadata capture
- Attestation format compliance
- Supply chain transparency
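The four checks above produce artifacts that a gate still has to interpret. The following Python is an added example, not code from the reusable workflow: it counts the inventory of a Syft SBOM in either SPDX or CycloneDX JSON, applies a severity threshold to a Grype-style JSON report, performs the pre-flight image check the defensive-checks section describes, and builds a `cosign verify` invocation that pins the Fulcio certificate to the GitHub OIDC issuer and to this repository's workflows, which is the part of keyless verification most often left out. The sample SBOM and report are constructed, the CVE identifiers are deliberately non-existent, and `acme/app` and all function names are assumptions.

```python
"""Added example: a supply-chain gate over Syft/Grype output plus pinned cosign verification."""
import shutil
import subprocess
from collections import Counter

# Grype severity labels ranked so a threshold can be applied. 'unknown' is treated
# as low rather than ignored, so unrated findings still show up in the counts.
SEVERITY_RANK = {"negligible": 0, "unknown": 1, "low": 1, "medium": 2, "high": 3, "critical": 4}
GITHUB_OIDC_ISSUER = "https://token.actions.githubusercontent.com"


def sbom_component_count(sbom):
    """Inventory size of an SPDX 2.x or CycloneDX JSON SBOM (both formats Syft emits).
    Zero means the image or workspace was never actually catalogued."""
    if "spdxVersion" in sbom:
        return len(sbom.get("packages", []))
    if sbom.get("bomFormat") == "CycloneDX":
        return len(sbom.get("components", []))
    raise ValueError("unrecognised SBOM format: neither spdxVersion nor bomFormat present")


def triage(report, fail_on="high"):
    """Apply a severity threshold to a Grype-style JSON report
    ({"matches": [{"vulnerability": {...}, "artifact": {...}}]}).
    Returns (passed, blocking_findings, counts_by_severity)."""
    threshold = SEVERITY_RANK[fail_on.lower()]
    blocking, counts = [], Counter()
    for match in report.get("matches", []):
        vuln, artifact = match["vulnerability"], match["artifact"]
        severity = vuln.get("severity", "Unknown").lower()
        counts[severity] += 1
        if SEVERITY_RANK.get(severity, SEVERITY_RANK["unknown"]) >= threshold:
            blocking.append({"id": vuln["id"],
                             "package": f"{artifact['name']}@{artifact['version']}",
                             "severity": severity,
                             "fix_state": vuln.get("fix", {}).get("state", "unknown")})
    return not blocking, blocking, dict(counts)


def image_available(image_ref):
    """Pre-flight: scanning or signing a tag that was never built should skip, not crash."""
    if shutil.which("docker") is None:
        return False
    return subprocess.run(["docker", "image", "inspect", image_ref],
                          capture_output=True).returncode == 0


def cosign_verify_argv(image_ref, repo_slug, ref="refs/heads/master"):
    """Argument vector for verifying a keyless (Fulcio) signature made in GitHub Actions.
    Without --certificate-oidc-issuer and --certificate-identity(-regexp) any valid Sigstore
    signature would pass; pinning both ties it to workflows in repo_slug on the given ref.
    For a reusable workflow the certificate identity is the calling workflow's path, hence
    a regexp over the repository's workflows rather than one exact path."""
    identity = rf"^https://github\.com/{repo_slug}/\.github/workflows/.+@{ref}$"
    return ["cosign", "verify",
            "--certificate-oidc-issuer", GITHUB_OIDC_ISSUER,
            "--certificate-identity-regexp", identity,
            image_ref]


def verify_signature(image_ref, repo_slug):
    """True/False from cosign; None when cosign is absent, which a gate must treat as failure."""
    if shutil.which("cosign") is None:
        return None
    return subprocess.run(cosign_verify_argv(image_ref, repo_slug),
                          capture_output=True).returncode == 0


# Constructed sample inputs standing in for Syft/Grype output; the IDs do not exist.
SAMPLE_SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.5",
               "components": [{"name": "libalpha", "version": "1.0.0"},
                              {"name": "libbeta", "version": "2.3.1"},
                              {"name": "libgamma", "version": "0.9.0"}]}
SAMPLE_REPORT = {"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                       "fix": {"state": "fixed", "versions": ["1.0.1"]}},
     "artifact": {"name": "libalpha", "version": "1.0.0"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "Medium", "fix": {"state": "not-fixed"}},
     "artifact": {"name": "libbeta", "version": "2.3.1"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Low", "fix": {"state": "unknown"}},
     "artifact": {"name": "libgamma", "version": "0.9.0"}},
]}


def gate(sbom, report, fail_on="high"):
    """Combine the checks into one pass/fail with the reasons a reviewer needs."""
    components = sbom_component_count(sbom)
    passed, blocking, counts = triage(report, fail_on)
    reasons = [] if components else ["SBOM is empty"]
    reasons += [f"{f['id']} in {f['package']} ({f['severity']}, fix: {f['fix_state']})" for f in blocking]
    return {"passed": components > 0 and passed, "components": components,
            "severity_counts": counts, "reasons": reasons}


if __name__ == "__main__":
    print(gate(SAMPLE_SBOM, SAMPLE_REPORT))
    print(" ".join(cosign_verify_argv("ghcr.io/acme/app@sha256:<digest>", "acme/app")))
```

Verify by digest, not by tag, as the last argument: a tag can be moved to a different image after signing, a digest cannot.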
### Validation Summary

The workflow generates a comprehensive validation summary:

```text
=== Release Validation Summary ===
✅ Configuration Parsing: Success
✅ Release Intent Validation: Success
✅ Python Package Build: Success
✅ Docker Build (DockerHub): Success
✅ Docker Build (GHCR): Success
✅ Documentation Build: Success
✅ SBOM Generation: Success
✅ Vulnerability Scanning: Success
✅ Cosign Signing: Success
✅ SLSA Attestation: Success
Overall Result: ✅ All Validations Passed
```

Or for Python-only projects:

```text
=== Release Validation Summary ===
✅ Configuration Parsing: Success
✅ Release Intent Validation: Success
✅ Python Package Build: Success
⏭️ Docker Build: Skipped (no Dockerfile)
✅ Documentation Build: Success
⏭️ Supply Chain Security: Skipped (no Docker)
Overall Result: ✅ All Validations Passed
```
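The Dockerfile check (step 2), the `auto`/`force`/`skip` inputs (step 3) and the summary above together form a small decision procedure. The following Python script is an added example and not part of the reusable workflow: it validates the four inputs, detects what the repository contains, resolves each artifact to run or skip, emits the `key=value` lines a job would append to `$GITHUB_OUTPUT`, and renders the same summary. The `pyproject.toml` and `docs/` markers, the rule that a `force` with no matching source is an error rather than a silent skip, and all function names are assumptions.

```python
"""Added example: resolve auto/force/skip inputs against what the repository contains."""
import tempfile
from pathlib import Path

VALID_LEVELS = ("auto", "patch", "minor", "major")
VALID_MODES = ("auto", "force", "skip")


def validate_inputs(level="auto", python="auto", docker="auto", docs="auto"):
    """Reject unknown values before any job is scheduled."""
    if level not in VALID_LEVELS:
        raise ValueError(f"level must be one of {VALID_LEVELS}, got {level!r}")
    for name, value in (("python", python), ("docker", docker), ("docs", docs)):
        if value not in VALID_MODES:
            raise ValueError(f"{name} must be one of {VALID_MODES}, got {value!r}")
    return {"level": level, "python": python, "docker": docker, "docs": docs}


def detect_components(repo_root):
    """A Dockerfile at the repository root is the workflow's rule; pyproject.toml and docs/
    as the Python and Docusaurus markers are assumptions made for this example."""
    root = Path(repo_root)
    return {"dockerfile": (root / "Dockerfile").is_file(),
            "pyproject": (root / "pyproject.toml").is_file(),
            "docs": (root / "docs").is_dir()}


def resolve_plan(inputs, detected):
    """auto -> run if detected; force -> always run; skip -> never run."""
    plan = {}
    for artifact, present in (("python", detected["pyproject"]),
                              ("docker", detected["dockerfile"]),
                              ("docs", detected["docs"])):
        mode = inputs[artifact]
        if mode == "skip":
            plan[artifact] = False
        elif mode == "force":
            if not present:
                # Assumption: an explicit 'force' that cannot be honoured fails loudly
                # instead of silently degrading to a skip.
                raise ValueError(f"{artifact}='force' but no {artifact} source was found")
            plan[artifact] = True
        else:
            plan[artifact] = present
    # SBOM, scan, signing and attestation all act on a built image, so they follow docker.
    plan["supply_chain"] = plan["docker"]
    return plan


def github_output_lines(detected, plan):
    """Lines to append to $GITHUB_OUTPUT so dependent jobs can gate on them in `if:`."""
    lines = [f"has_dockerfile={str(detected['dockerfile']).lower()}"]
    return lines + [f"run_{key}={str(flag).lower()}" for key, flag in plan.items()]


def render_summary(plan, results):
    """Build the summary block; `results` maps a step key to whether it passed."""
    rows = [("Configuration Parsing", "config", None),
            ("Release Intent Validation", "intent", None),
            ("Python Package Build", "python", "python"),
            ("Docker Build", "docker", "docker"),
            ("Documentation Build", "docs", "docs"),
            ("Supply Chain Security", "supply_chain", "supply_chain")]
    skip_reason = {"docker": "no Dockerfile", "supply_chain": "no Docker"}
    lines, overall = ["=== Release Validation Summary ==="], True
    for label, key, gate in rows:
        if gate is not None and not plan[gate]:
            lines.append(f"⏭️ {label}: Skipped ({skip_reason.get(gate, 'not requested')})")
            continue
        ok = bool(results.get(key, False))  # a step that never reported counts as failed
        overall = overall and ok
        lines.append(f"{'✅' if ok else '❌'} {label}: {'Success' if ok else 'Failed'}")
    lines.append(f"Overall Result: {'✅ All Validations Passed' if overall else '❌ Validation Failed'}")
    return "\n".join(lines), overall


def demo_python_only():
    """Constructed Python-only repository: pyproject.toml and docs/, no Dockerfile."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "pyproject.toml").write_text("[project]\nname = 'demo'\nversion = '0.1.0'\n")
        Path(tmp, "docs").mkdir()
        detected = detect_components(tmp)
    plan = resolve_plan(validate_inputs(level="auto"), detected)
    # Step outcomes as the jobs would report them (constructed: everything that ran passed).
    summary, overall = render_summary(plan, {"config": True, "intent": True, "python": True, "docs": True})
    return plan, github_output_lines(detected, plan), summary, overall


if __name__ == "__main__":
    print(demo_python_only()[2])
```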
## Usage Examples

### Basic Validation

```yaml
jobs:
  validate:
    uses: Chisanan232/GitHub-Action_Reusable_Workflows-Python/.github/workflows/rw_release_validation_complete.yaml@master
```

These examples reference the workflow at `@master`, which is a moving target: a change merged upstream takes effect in every caller on its next run. For anything beyond experimentation, pin the `uses:` reference to a release tag or, stricter still, to a full commit SHA.

### Custom Validation Configuration

```yaml
jobs:
  validate:
    uses: Chisanan232/GitHub-Action_Reusable_Workflows-Python/.github/workflows/rw_release_validation_complete.yaml@master
    with:
      level: 'minor'
      python: 'force'
      docker: 'auto'
      docs: 'force'
```

### Pull Request Validation

```yaml
name: PR Validation

on:
  pull_request:
    branches: [master]

jobs:
  validate-release:
    # The keyless Cosign signing test needs an OIDC token, and a reusable workflow can
    # only use permissions its caller grants. pull_request runs from forks get no id-token.
    permissions:
      contents: read
      id-token: write
    uses: Chisanan232/GitHub-Action_Reusable_Workflows-Python/.github/workflows/rw_release_validation_complete.yaml@master
    with:
      level: 'auto'
```

### Automatic Dockerfile Detection

The validation workflow automatically detects Dockerfile presence:
- Dockerfile exists: all validation steps run
- No Dockerfile: Docker and security steps are skipped
- Clear logging: the workflow indicates which steps were skipped

Benefits:
- Works for both Docker-based and Python-only projects
- No manual configuration needed
- Prevents false validation failures
- Clear feedback on what was validated
## Security Validation Features

### Defensive Checks

- Pre-flight image existence validation
- Fallback SBOM generation from workspace
- Clear error messages for missing components
- Graceful handling of scan failures
### Comprehensive Coverage

- SBOM: Complete software bill of materials
- CVE Detection: Known vulnerability scanning
- Signing: Digital signature verification
- Attestation: Build provenance tracking
## Best Practices

### 1. Run on Pull Requests

Always validate releases before merging:

```yaml
on:
  pull_request:
    branches: [master]
```

### 2. Review Validation Results

Check the validation summary and individual job results before merging.

### 3. Test Configuration Changes

When modifying `intent.yaml`, run validation to ensure the changes are valid.

### 4. Monitor Security Scans

Review vulnerability scan results and address critical issues.

### 5. Validate Before Staging

Run validation before deploying to staging environments.

## Troubleshooting

### Validation Failures

Configuration Parsing Failed:
- Check `intent.yaml` syntax
- Verify JSON schema compliance
- Review error messages in logs

Python Build Failed:
- Check `pyproject.toml` configuration
- Verify dependencies are resolvable
- Review build logs for errors

Docker Build Failed:
- Verify Dockerfile syntax
- Check base image availability
- Review Docker build logs

Documentation Build Failed:
- Check MDX file syntax
- Verify all links are valid
- Review Docusaurus configuration

Security Scan Failed:
- Review vulnerability scan results
- Check SBOM generation logs
- Verify the image exists before scanning

### Docker Validation Skipped

If Docker validation is unexpectedly skipped:
- Verify `Dockerfile` exists in the repository root
- Check the "Dockerfile Check" step in the logs
- Ensure the Dockerfile is committed to the branch
- Review the validation configuration

## Related Documentation

- Production Release Workflow - Production deployment
- Staging Release Workflow - Staging deployment
- Release Intent Configuration - intent.yaml configuration guide