ci: auto-bump @openrouter/sdk and dispatch monorepo on release#49
HOP A + HOP B of the SDK release chain:
- bump-openrouter-sdk.yaml: receives openrouter-sdk-published dispatch (or manual workflow_dispatch), opens a PR bumping @openrouter/sdk in packages/agent (caret floor + relock + changeset) via an App token so Perry and CI run, then self-polls Perry + CI to a terminal state and squash-merges on green or alerts Slack and leaves the PR red on failure.
- bump-sdk.sh / pr-gate.sh: the bump and wait-gate logic, runnable locally.
- publish.yaml: on a real @openrouter/agent publish (changesets published output, or npm version diff on manual publish), dispatch openrouter-agent-published to openrouter-web to kick off the server-tools bump.
Drop the GitHub App (AGENT_BUMP_APP_*) and WEB_DISPATCH_PAT in favor of the org's existing SUBTREE_PUSH_PAT for opening/merging the bump PR and for the monorepo dispatch. Slack alerts use the org-level CI_RELEASE_ALERT_SLACK_* secrets, so no new secrets are required on this repo.
⚠️ APPROVE unavailable on this installation — the maintainer GitHub App is not configured, so the verdict below is posted as COMMENT. Event-level approval (for branch-protection / review requirements) must be added out-of-band.
Perry's Review
Simplifies the SDK release chain by reusing the org's existing SUBTREE_PUSH_PAT instead of introducing two new GitHub App secrets and a separate WEB_DISPATCH_PAT.
Verdict: ✅ LGTM
Details
CI: all passing ✅ (typecheck, lint, unit-tests, structural-gate, e2e-tests)
Findings: none (no new issues in the 11 new lines)
Codex (HEAVY_SECONDARY_MODEL): skipped (medium tier)
Research: skipped (medium tier)
Security: Category 7 (auth/credential) touched — consolidating from 3 separate secrets to 1 is a net reduction in secret surface area. The PAT still needs contents:write on openrouter-web for the dispatch step (documented inline). No concerns.
Test coverage: no tests needed for workflow infrastructure changes
Unresolved threads: 1 open nit from prior review (double date call in bump-sdk.sh) — not addressed by this PR, which is fine as this PR's scope is credential consolidation only.
Scope: incremental — 11 new lines since prior review
Tier: medium (448 LoC)
| # push into the SDK repos). | ||
| - uses: actions/checkout@v4 | ||
| with: | ||
| token: ${{ secrets.SUBTREE_PUSH_PAT }} |
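Review bot: `actions/checkout@v4` is a mutable tag, and this checkout hands the action the cross-repo SUBTREE_PUSH_PAT; pin the action to a full commit SHA (keeping the version in a trailing comment) so that a re-pointed or compromised tag cannot run with the token.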
[nit] The bump job passes token: SUBTREE_PUSH_PAT at checkout so that the subsequent git push in bump-sdk.sh is authenticated as the PAT rather than GITHUB_TOKEN; the gate job omits the token (correct — it only needs read access, and the merge-step GH_TOKEN env var handles authentication separately). Consider a brief comment here to explain the asymmetry for the next reader.
Reviewed at 8917615
Auto-bump @openrouter/sdk + dispatch monorepo on release (HOPs 2 & 3)

Receives the openrouter-sdk-published dispatch from typescript-sdk, opens a PR bumping @openrouter/sdk in packages/agent, drives it through Perry + CI, and auto-merges on green. When that release publishes a new @openrouter/agent, it dispatches the monorepo to bump its server-tools pin.

What this adds / changes

.github/workflows/bump-openrouter-sdk.yaml (new): receiver + self-gating auto-merge.
bump job: opens the PR with SUBTREE_PUSH_PAT (a PAT, so Perry + CI run — GITHUB_TOKEN would suppress them), bumps the dependency to the caret floor ^<version>, runs a full pnpm install relock, writes a changeset, and closes prior bot bump PRs.
gate job: polls perry/review + CI to a terminal state and squash-merges on green; on failure/blocker/timeout it alerts Slack and leaves the PR red (never merges red). Branch protection is off, so the gate — not GitHub-native auto-merge — does the gating.
.github/scripts/bump-sdk.sh, .github/scripts/pr-gate.sh (new): the bump and wait-gate logic (locally runnable).
.github/workflows/publish.yaml (extended): on a real @openrouter/agent publish (changesets published output, or an npm version diff on a manual publish), dispatch openrouter-agent-published to openrouter-web using SUBTREE_PUSH_PAT.

Secrets — reuses existing, nothing new to create

SUBTREE_PUSH_PAT — org's cross-repo PAT, used here to open + merge the bump PR and to dispatch the monorepo. contents: write + pull_requests: write on this repo and contents: write on OpenRouterTeam/openrouter-web.
CI_RELEASE_ALERT_SLACK_BOT_TOKEN + CI_RELEASE_ALERT_SLACK_CHANNEL_ID — org-level (already used by the monorepo's release workflows); the gate posts pass/fail here. No setup needed.
NPM_TOKEN / OPENROUTER_API_KEY — already resolve org-level (the Release
perry/review posts on the bump PR.

How to test

main. version=0.12.79, dry_run=true. Confirm the PR opens, Perry + CI run on it, and the gate reports without merging.
dry_run=false on a green PR to confirm squash-merge.
[sdk-bot]
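The gate job's decision rule described above (merge only when perry/review and every CI check are green, never merge red, treat a timeout as a failure to alert on), as an added POSIX shell example that is not the project's pr-gate.sh; the one-check-per-line text format and the fetch command are assumptions.

```shell
#!/bin/sh
# Added example, not the project's pr-gate.sh. Models the gate job's decision:
# squash-merge only when every required check (Perry's "perry/review" plus the
# CI jobs) has completed with conclusion "success"; any completed non-success
# check means "fail" (never merge red); otherwise keep waiting.
# Check-list format is an assumption: one "<name> <status> <conclusion>" per
# line, mirroring the fields the GitHub checks API reports.

gate_verdict() {
  checks=$1          # newline-separated check list
  required=$2        # space-separated names that must be green
  verdict=merge
  for name in $required; do
    line=$(printf '%s\n' "$checks" | awk -v n="$name" '$1 == n { print; exit }')
    if [ -z "$line" ]; then
      # Not reported yet (e.g. Perry has not started): still pending.
      if [ "$verdict" = merge ]; then verdict=pending; fi
      continue
    fi
    status=$(printf '%s\n' "$line" | awk '{ print $2 }')
    conclusion=$(printf '%s\n' "$line" | awk '{ print $3 }')
    if [ "$status" != completed ]; then
      if [ "$verdict" = merge ]; then verdict=pending; fi
    elif [ "$conclusion" != success ]; then
      verdict=fail   # failure, cancelled, timed_out, ...: red wins, never merge
    fi
  done
  printf '%s\n' "$verdict"
}

# Poll a fetch command until the verdict is terminal or attempts run out.
# $1 fetch command (prints the check list), $2 required names,
# $3 max attempts, $4 seconds between attempts. A timeout is reported as its
# own state so the caller alerts and leaves the PR red rather than merging.
poll_gate() {
  fetch=$1; required=$2; attempts=$3; interval=$4
  i=0
  while [ "$i" -lt "$attempts" ]; do
    v=$(gate_verdict "$($fetch)" "$required")
    if [ "$v" != pending ]; then
      printf '%s\n' "$v"
      return 0
    fi
    i=$((i + 1))
    sleep "$interval"
  done
  printf 'timeout\n'
}
```

In the real job the fetch command would be a gh CLI or checks API query for the bump PR, and the merge/fail/timeout result is what drives the squash-merge or the Slack alert.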