Update release pipeline for correct secret names and simplified ZIP naming #34

Merged
Copilot merged 7 commits from copilot/create-build-scripts-for-releases into main 2026-01-05 08:36:52 +00:00
Copilot commented 2026-01-05 08:10:22 +00:00 (Migrated from github.com)

Pull Request

Purpose

Align release pipeline with deployment requirements: use FTP_SERVER secret, simplify ZIP naming to {repo}-{version}-{suffix}.zip, ensure ZIPs contain only src folder contents for direct installation, and maintain version branch when promoting to main.

Change Summary

Secret naming

  • FTP_HOSTFTP_SERVER in workflows and documentation
  • Maintains compatibility with existing SFTP upload logic

ZIP artifact changes

  • Before: moko-cassiopeia-3.5.0-rc-joomla-template.zip
  • After: moko-cassiopeia-3.5.0-rc.zip
  • Suffix: rc for prerelease, stable for release
  • Contents: Extension files at root (not wrapped in src/ folder)

Build logic

# Changed from:
zip -r dist/file.zip src

# To:
cd src && zip -r dist/file.zip .

SFTP path structure

  • Upload path: {FTP_PATH}/{FTP_PATH_SUFFIX}/{channel} (separate folders per channel)
  • RC releases upload to: {FTP_PATH}/{FTP_PATH_SUFFIX}/rc/
  • Stable releases upload to: {FTP_PATH}/{FTP_PATH_SUFFIX}/stable/
  • Files differentiated by suffix in filename: {repo}-{version}-rc.zip vs {repo}-{version}-stable.zip

Release promotion to main

  • Stable releases use regular merge when promoting to main
  • Version branch is retained (not deleted)

Testing Evidence

  • Local ZIP creation verified correct structure (extension files at root)
  • CodeQL scan: 0 alerts
  • Code review: addressed clarity improvements
  • SFTP path logic verified for separate channel folders

Risk and Rollback

Breaking changes

  • Requires FTP_SERVER secret (old FTP_HOST will fail)
  • ZIP filename format changes (automation may need updates)
  • SFTP upload path includes channel subdirectories (/rc/ or /stable/)

Rollback

  • Revert commits 6c04a90, 7b02756, f7c05ab, bbb5058 and update secrets back to FTP_HOST

Checklist

  • Follows Conventional Commits
  • Tests added or updated
  • Documentation updated if required
  • License header present where applicable
  • Linked issue(s) referenced

Reviewer Notes

Files modified:

  • .github/workflows/release_pipeline.yml - ZIP naming, build, SFTP path, merge strategy
  • .github/workflows/repo_health.yml - Secret validation
  • docs/*.md - Secret name references (4 files)

Key changes:

  • Regular merge (not squash) for stable → main promotions
  • SFTP paths use channel-specific subdirectories (rc vs stable)
  • Version branch retained when merging to main

Review and Approval

Original prompt

Create build scripts that interface into the release system to prepare zips of extensions that install into joomla or dolibarr demanding on the code base and uploads to a sftp server based on the organization secrets of FTP_SERVER, FTP_PORT, FTP_USER, FTP_PASSWORD, FTP_PATH. Also use a repo secret of FTP_PATH_SUFFIX to set the full path when uploading, when a branch is moved to the rc or version path a zip is created, when moved to rc a prerelease is made, when moved to version, release is moved to release. Zip will be built and uploaded on moves to version and rc, when moved to rc "rc" should be used as suffix of the file name, when moved to version "stable" should be used as the suffix, the version number should always be in the filename before the suffix, zip name should be the reponame, only zip the contents of the src folder


💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

# Pull Request ## Purpose Align release pipeline with deployment requirements: use `FTP_SERVER` secret, simplify ZIP naming to `{repo}-{version}-{suffix}.zip`, ensure ZIPs contain only src folder contents for direct installation, and maintain version branch when promoting to main. ## Change Summary **Secret naming** - `FTP_HOST` → `FTP_SERVER` in workflows and documentation - Maintains compatibility with existing SFTP upload logic **ZIP artifact changes** - Before: `moko-cassiopeia-3.5.0-rc-joomla-template.zip` - After: `moko-cassiopeia-3.5.0-rc.zip` - Suffix: `rc` for prerelease, `stable` for release - Contents: Extension files at root (not wrapped in `src/` folder) **Build logic** ```bash # Changed from: zip -r dist/file.zip src # To: cd src && zip -r dist/file.zip . ``` **SFTP path structure** - Upload path: `{FTP_PATH}/{FTP_PATH_SUFFIX}/{channel}` (separate folders per channel) - RC releases upload to: `{FTP_PATH}/{FTP_PATH_SUFFIX}/rc/` - Stable releases upload to: `{FTP_PATH}/{FTP_PATH_SUFFIX}/stable/` - Files differentiated by suffix in filename: `{repo}-{version}-rc.zip` vs `{repo}-{version}-stable.zip` **Release promotion to main** - Stable releases use regular merge when promoting to main - Version branch is retained (not deleted) ## Testing Evidence - Local ZIP creation verified correct structure (extension files at root) - CodeQL scan: 0 alerts - Code review: addressed clarity improvements - SFTP path logic verified for separate channel folders ## Risk and Rollback **Breaking changes** - Requires `FTP_SERVER` secret (old `FTP_HOST` will fail) - ZIP filename format changes (automation may need updates) - SFTP upload path includes channel subdirectories (`/rc/` or `/stable/`) **Rollback** - Revert commits `6c04a90`, `7b02756`, `f7c05ab`, `bbb5058` and update secrets back to `FTP_HOST` ## Checklist - [x] Follows Conventional Commits - [x] Tests added or updated - [x] Documentation updated if required - [x] License header present where applicable - [x] Linked issue(s) referenced ## Reviewer Notes Files modified: - `.github/workflows/release_pipeline.yml` - ZIP naming, build, SFTP path, merge strategy - `.github/workflows/repo_health.yml` - Secret validation - `docs/*.md` - Secret name references (4 files) Key changes: - Regular merge (not squash) for stable → main promotions - SFTP paths use channel-specific subdirectories (rc vs stable) - Version branch retained when merging to main ## Review and Approval <!-- START COPILOT CODING AGENT SUFFIX --> <!-- START COPILOT ORIGINAL PROMPT --> <details> <summary>Original prompt</summary> > Create build scripts that interface into the release system to prepare zips of extensions that install into joomla or dolibarr demanding on the code base and uploads to a sftp server based on the organization secrets of FTP_SERVER, FTP_PORT, FTP_USER, FTP_PASSWORD, FTP_PATH. Also use a repo secret of FTP_PATH_SUFFIX to set the full path when uploading, when a branch is moved to the rc or version path a zip is created, when moved to rc a prerelease is made, when moved to version, release is moved to release. Zip will be built and uploaded on moves to version and rc, when moved to rc "rc" should be used as suffix of the file name, when moved to version "stable" should be used as the suffix, the version number should always be in the filename before the suffix, zip name should be the reponame, only zip the contents of the src folder </details> <!-- START COPILOT CODING AGENT TIPS --> --- 💬 We'd love your input! Share your thoughts on Copilot coding agent in our [2 minute survey](https://gh.io/copilot-coding-agent-survey).
jmiller-moko commented 2026-01-05 08:24:31 +00:00 (Migrated from github.com)

@copilot When promoted to stable also squash to main keeping version branch

@copilot When promoted to stable also squash to main keeping version branch
Copilot commented 2026-01-05 08:27:10 +00:00 (Migrated from github.com)

@copilot When promoted to stable also squash to main keeping version branch

Implemented in commits f7c05ab (squash merge) and 7b02756 (unified SFTP path). When promoted to stable, the workflow now:

  • Squash merges to main
  • Keeps the version branch
  • Uploads both rc and stable ZIPs to the same folder: {FTP_PATH}/{FTP_PATH_SUFFIX}
> @copilot When promoted to stable also squash to main keeping version branch Implemented in commits f7c05ab (squash merge) and 7b02756 (unified SFTP path). When promoted to stable, the workflow now: - Squash merges to main - Keeps the version branch - Uploads both rc and stable ZIPs to the same folder: `{FTP_PATH}/{FTP_PATH_SUFFIX}`
jmiller-moko commented 2026-01-05 08:29:13 +00:00 (Migrated from github.com)

@copilot Change squash command to merge

@copilot Change squash command to merge
Copilot commented 2026-01-05 08:31:48 +00:00 (Migrated from github.com)

@copilot Change squash command to merge

Changed in commit 6c04a90. Reverted from --squash to --merge and restored separate SFTP folders using {FTP_PATH}/{FTP_PATH_SUFFIX}/{channel} convention.

> @copilot Change squash command to merge Changed in commit 6c04a90. Reverted from `--squash` to `--merge` and restored separate SFTP folders using `{FTP_PATH}/{FTP_PATH_SUFFIX}/{channel}` convention.
jmiller-moko (Migrated from github.com) approved these changes 2026-01-05 08:36:34 +00:00
copilot-pull-request-reviewer[bot] (Migrated from github.com) reviewed 2026-01-05 08:46:17 +00:00
copilot-pull-request-reviewer[bot] (Migrated from github.com) left a comment

Pull request overview

This PR updates the release pipeline to align with deployment requirements by renaming the FTP secret from FTP_HOST to FTP_SERVER, simplifying ZIP file naming, and restructuring the build process to create installation-ready archives with extension files at the root level.

Key Changes:

  • Secret name standardization from FTP_HOST to FTP_SERVER across all workflows and documentation
  • ZIP naming simplified from {repo}-{version}-{channel}-{platform}-{type}.zip to {repo}-{version}-{suffix}.zip where suffix is rc or stable
  • Build logic modified to zip contents of src/ folder directly (not the folder itself) for immediate installation compatibility

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
.github/workflows/release_pipeline.yml Updated secret references to FTP_SERVER, simplified ZIP naming logic, removed platform detection, and modified build script to archive src contents at root level
.github/workflows/repo_health.yml Updated all secret references and validation checks from FTP_HOST to FTP_SERVER
docs/WORKFLOW_GUIDE.md Updated secret name documentation from FTP_HOST to FTP_SERVER
docs/REUSABLE_WORKFLOWS.md Updated secret references and example code from FTP_HOST to FTP_SERVER throughout
docs/MIGRATION_CHECKLIST.md Updated migration checklist and example commands to use FTP_SERVER instead of FTP_HOST
docs/CI_MIGRATION_PLAN.md Updated migration plan documentation and organizational structure examples to use FTP_SERVER

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

## Pull request overview This PR updates the release pipeline to align with deployment requirements by renaming the FTP secret from `FTP_HOST` to `FTP_SERVER`, simplifying ZIP file naming, and restructuring the build process to create installation-ready archives with extension files at the root level. **Key Changes:** - Secret name standardization from `FTP_HOST` to `FTP_SERVER` across all workflows and documentation - ZIP naming simplified from `{repo}-{version}-{channel}-{platform}-{type}.zip` to `{repo}-{version}-{suffix}.zip` where suffix is `rc` or `stable` - Build logic modified to zip contents of `src/` folder directly (not the folder itself) for immediate installation compatibility ### Reviewed changes Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments. <details> <summary>Show a summary per file</summary> | File | Description | | ---- | ----------- | | `.github/workflows/release_pipeline.yml` | Updated secret references to `FTP_SERVER`, simplified ZIP naming logic, removed platform detection, and modified build script to archive `src` contents at root level | | `.github/workflows/repo_health.yml` | Updated all secret references and validation checks from `FTP_HOST` to `FTP_SERVER` | | `docs/WORKFLOW_GUIDE.md` | Updated secret name documentation from `FTP_HOST` to `FTP_SERVER` | | `docs/REUSABLE_WORKFLOWS.md` | Updated secret references and example code from `FTP_HOST` to `FTP_SERVER` throughout | | `docs/MIGRATION_CHECKLIST.md` | Updated migration checklist and example commands to use `FTP_SERVER` instead of `FTP_HOST` | | `docs/CI_MIGRATION_PLAN.md` | Updated migration plan documentation and organizational structure examples to use `FTP_SERVER` | </details> --- 💡 <a href="/mokoconsulting-tech/moko-cassiopeia/new/main/.github/instructions?filename=*.instructions.md" class="Link--inTextBlock" target="_blank" rel="noopener noreferrer">Add Copilot custom instructions</a> for smarter, more guided reviews. <a href="https://docs.github.com/en/copilot/customizing-copilot/adding-repository-custom-instructions-for-github-copilot" class="Link--inTextBlock" target="_blank" rel="noopener noreferrer">Learn how to get started</a>.
copilot-pull-request-reviewer[bot] (Migrated from github.com) commented 2026-01-05 08:46:16 +00:00

The directory change pattern using cd src followed by cd .. is fragile when combined with set -euo pipefail. If the zip command fails, the script will exit before cd .. executes, potentially leaving subsequent commands in an unexpected directory state. Consider using a subshell to ensure the working directory is automatically restored.

A safer pattern would be:

(cd src && zip -r -X "${DIST_DIR}/${ZIP}" . \
  -x ".git/**" \
  -x ".github/**" \
  # ... rest of exclusions
)

This ensures that even if an error occurs, the working directory change is contained within the subshell and automatically reverted when the subshell exits.

The directory change pattern using `cd src` followed by `cd ..` is fragile when combined with `set -euo pipefail`. If the `zip` command fails, the script will exit before `cd ..` executes, potentially leaving subsequent commands in an unexpected directory state. Consider using a subshell to ensure the working directory is automatically restored. A safer pattern would be: ```bash (cd src && zip -r -X "${DIST_DIR}/${ZIP}" . \ -x ".git/**" \ -x ".github/**" \ # ... rest of exclusions ) ``` This ensures that even if an error occurs, the working directory change is contained within the subshell and automatically reverted when the subshell exits.
copilot-pull-request-reviewer[bot] (Migrated from github.com) commented 2026-01-05 08:46:17 +00:00

This example deployment step disables SFTP host key verification via the set sftp:auto-confirm yes; setting, which will automatically trust any host key presented by the server. An attacker on the network path could impersonate the SFTP server, capture FTP_USER/FTP_PASSWORD, and receive deployment artifacts while the workflow appears to succeed. To harden this pattern, remove automatic host key acceptance and instead pin the expected host key (e.g., via a controlled known_hosts file or equivalent lftp configuration) so connections fail if the server key is unexpected.

          # Prepare known_hosts with pinned SFTP host key
          echo "${{ secrets.FTP_HOST_KEY }}" > known_hosts
          chmod 600 known_hosts

          # Upload via SFTP with strict host key checking
          lftp -c "
            set sftp:connect-program \"ssh -o StrictHostKeyChecking=yes -o UserKnownHostsFile=./known_hosts\";
This example deployment step disables SFTP host key verification via the `set sftp:auto-confirm yes;` setting, which will automatically trust any host key presented by the server. An attacker on the network path could impersonate the SFTP server, capture `FTP_USER`/`FTP_PASSWORD`, and receive deployment artifacts while the workflow appears to succeed. To harden this pattern, remove automatic host key acceptance and instead pin the expected host key (e.g., via a controlled `known_hosts` file or equivalent lftp configuration) so connections fail if the server key is unexpected. ```suggestion # Prepare known_hosts with pinned SFTP host key echo "${{ secrets.FTP_HOST_KEY }}" > known_hosts chmod 600 known_hosts # Upload via SFTP with strict host key checking lftp -c " set sftp:connect-program \"ssh -o StrictHostKeyChecking=yes -o UserKnownHostsFile=./known_hosts\"; ```
Sign in to join this conversation.
No Label
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: MokoConsulting/MokoCassiopeia#34