Conversation

@shichengripple001 (Collaborator) commented Oct 16, 2025

High Level Overview of Change

Revamp the release pipeline to run tests, scan for vulnerabilities, and request review

Context of Change

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Refactor (non-breaking change that only restructures code)
  • Tests (You added tests for code that already exists, or your new feature included in this PR)
  • Documentation Updates
  • Release

Did you update CHANGELOG.md?

  • Yes
  • No, this change does not impact library users

Test Plan

@coderabbitai (coderabbitai bot, Contributor) left a comment

Actionable comments posted: 0

♻️ Duplicate comments (1)
.github/workflows/release.yml (1)

192-192: Update trivy-action to the latest version (v0.33.1).

The workflow pins trivy-action to v0.28.0, which was released several months ago. The latest version is v0.33.1 (released September 2025), which includes critical bug fixes and security updates. Since this step scans for vulnerabilities, using an outdated version risks missing newly detected issues.

       - name: Scan SBOM for vulnerabilities using Trivy
-        uses: aquasecurity/trivy-action@0.28.0
+        uses: aquasecurity/trivy-action@v0.33.1
         with:
           scan-type: sbom
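Review bot: the replacement ref `aquasecurity/trivy-action@v0.33.1` is a mutable tag; for a step that gates a release on vulnerability findings, pin the action to its full commit SHA (with the version kept in a trailing comment) so the scanner cannot be silently swapped by a tag move. Also note the prefix change from `0.28.0` to `v0.33.1`: confirm that tag name exists in that form before merging, since an unresolvable ref fails the job at checkout time.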
🧹 Nitpick comments (1)
.github/workflows/release.yml (1)

599-602: Remove unused variable enc_tag.

Line 601 creates enc_tag via URI encoding, but the subsequent line 602 builds RELEASE_URL using the raw $TAG variable. The encoded variable is never used and can be removed to clean up dead code.

  # Build release URL from tag (URL-encoded to handle '@' etc.)
  TAG="${TAG:-${PACKAGE_VERSION}}"
- enc_tag="$(printf '%s' "$TAG" | jq -sRr @uri)"
  RELEASE_URL="https://github.com/$REPO/releases/tag/v$TAG"
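Review bot: with `enc_tag` removed, the comment `# Build release URL from tag (URL-encoded to handle '@' etc.)` no longer describes the code, since `RELEASE_URL` interpolates the raw `$TAG`. Either drop the "URL-encoded" wording from the comment, or keep the encoding and use `$enc_tag` in the URL; a tag containing `@` or other reserved characters would otherwise yield a malformed link downstream.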
📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between aec609d and 780f4c1.

📒 Files selected for processing (1)
  • .github/workflows/release.yml (1 hunks)

@coderabbitai (coderabbitai bot, Contributor) left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
RELEASE.md (1)

19-29: Standardize prerelease terminology.

Lines 21–22 mix --prerelease (the flag) with "prerelease" in prose. For consistency, use "pre-release" exclusively in descriptive text to distinguish it from the flag.

- **Beta release**:  
-  - Skips creating the release PR from the release branch back to `main`.  
-  - The GitHub Release is created with the `--prerelease` flag.  
-  - The `latest` tag on GitHub remains unchanged (beta/prerelease builds do not become the
-    default download).
+ **Beta release**:  
+  - Skips creating the release PR from the release branch back to `main`.  
+  - The GitHub Release is created with the `--prerelease` flag.  
+  - The `latest` tag on GitHub remains unchanged (beta/pre-release builds do not become the
+    default download).

Also update line 58 for consistency:

-| `github-release` | Signs artifacts with the Sigstore action, creates or updates the GitHub Release (`--prerelease` for beta versions, `--latest` for stable releases), uploads signatures/provenance, and posts a Slack success message. |
+| `github-release` | Signs artifacts with the Sigstore action, creates or updates the GitHub Release (`--prerelease` for pre-release versions, `--latest` for stable releases), uploads signatures/provenance, and posts a Slack success message. |
📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 780f4c1 and 858add5.

📒 Files selected for processing (2)
  • .github/workflows/release.yml (1 hunks)
  • RELEASE.md (1 hunks)
🧰 Additional context used
🪛 LanguageTool
RELEASE.md

  • [uncategorized] ~4: The official name of this software platform is spelled with a capital “H”. (GITHUB)
    Context: ...? to PyPIGitHub Actions workflow (see.github/workflows/release.yml`). ## 0. Config...
  • [uncategorized] ~21: Do not mix variants of the same word (‘prerelease’ and ‘pre-release’) within a single text. (EN_WORD_COHERENCY)
    Context: ... The GitHub Release is created with the --prerelease flag. - The latest tag on GitHub...
  • [uncategorized] ~22: Do not mix variants of the same word (‘prerelease’ and ‘pre-release’) within a single text. (EN_WORD_COHERENCY)
    Context: ...` tag on GitHub remains unchanged (beta/prerelease builds do not become the default do...
  • [uncategorized] ~58: Do not mix variants of the same word (‘prerelease’ and ‘pre-release’) within a single text. (EN_WORD_COHERENCY)
    Context: ... creates or updates the GitHub Release (--prerelease for beta versions, --latest for stab...
  • [style] ~82: Consider using “email”. (SEND_AN_EMAIL)
    Context: ...sion or updating docs) if needed. 6. Send an email to [xrpl-announce](https://groups.google.c...
  • [uncategorized] ~93: The official name of this software platform is spelled with a capital “H”. (GITHUB)
    Context: ...tomation needs adjustments, update both .github/workflows/release.yml and this guide s...
  • [uncategorized] ~97: The official name of this software platform is spelled with a capital “H”. (GITHUB)
    Context: ... ## Manual Release process(Just in case Github action is not available for unforseeabl...
  • [style] ~103: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym. (ENGLISH_WORD_REPEAT_BEGINNING_RULE)
    Context: ...hanges should have passed the linter. - Your code should pass all the unit and integ...
  • [uncategorized] ~103: The official name of this software platform is spelled with a capital “H”. (GITHUB)
    Context: ...s all the unit and integration tests on Github (which check all versions of Python). -...
  • [uncategorized] ~118: The official name of this software platform is spelled with a capital “H”. (GITHUB)
    Context: ... pypi publishing token. 6. Create a new Github release/tag off of this branch. 7. Send...
  • [style] ~118: ‘off of’ might be wordy. Consider a shorter alternative. (EN_WORDINESS_PREMIUM_OFF_OF)
    Context: ...ken. 6. Create a new Github release/tag off of this branch. 7. Send an email to [xrpl-...
  • [style] ~119: Consider using “email”. (SEND_AN_EMAIL)
    Context: ...thub release/tag off of this branch. 7. Send an email to [xrpl-announce](https://groups.google.c...

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (9)
  • GitHub Check: Integration test (3.12)
  • GitHub Check: Integration test (3.14)
  • GitHub Check: Integration test (3.11)
  • GitHub Check: Integration test (3.9)
  • GitHub Check: Integration test (3.8)
  • GitHub Check: Integration test (3.13)
  • GitHub Check: Integration test (3.10)
  • GitHub Check: semgrep-cloud-platform/scan
  • GitHub Check: semgrep-cloud-platform/scan
🔇 Additional comments (1)
.github/workflows/release.yml (1)

1-650: Workflow implementation looks solid.

All major issues flagged in prior reviews have been addressed: cache updated to v4, Slack notifications restructured to avoid undefined variables, Python version aligned to 3.8, trivy-action updated to v0.33.1, unused variables removed, and attestations permissions included. The job dependencies, environment gates, and permission scopes are correctly configured for the multi-stage release governance model.

@Patel-Raj11 (Collaborator) previously approved these changes Oct 28, 2025 and left a comment

LGTM!

@kuan121 (Collaborator) previously approved these changes Oct 28, 2025 and left a comment

Let's ship it! 🚢

@mvadari (Collaborator) left a comment

Please make sure to double-check that beta publishing flows work properly - I'm running into a lot of issues with xrpl.js and it looks like this is using the exact same process.
