From 96868bb505ed602369304f0d5c2092a6baf36fe8 Mon Sep 17 00:00:00 2001 
From: jmeridth Date: Sun, 10 May 2026 18:26:22 -0500 Subject: [PATCH 1/2] ci: adopt consolidated ospo-reusable-workflows release.yaml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## What Collapse the three legacy `release` / `release_image` / `release_discussion` job calls into a single call to the consolidated `release.yaml` reusable workflow at v1.0.0 (`592067a6...`). Pass `image-name`, `create-attestation: true`, and `create-discussion: true` so the workflow handles GitHub release, container image build/push to GHCR, build provenance attestation, and announcement discussion in one draft-first pipeline. Also add a "💥 Breaking Changes" category to `release-drafter.yml`. ## Why The legacy three-workflow setup forced callers to wire up the same job chain by hand in every repo and made it easy for permissions, secrets, and ordering to drift. v1.0.0 of ospo-reusable-workflows owns the chain internally and exposes a single entry point. The "Breaking Changes" category matches the upstream release-drafter template (github-community-projects/ospo-reusable-workflows#134); the `breaking` label already maps to a major bump in `version-resolver`, so this just surfaces those PRs in their own changelog section. ## Notes - The job-level permission block now lists the union of what the called workflow's internal jobs need (contents/pull-requests/packages/id-token/attestations/discussions). A `uses:` caller can only grant — never expand — what the reusable workflow requests, so missing perms here silently disable features instead of erroring. - `image-registry` and `image-registry-username` moved from `secrets:` to inputs in v1.0.0 (defaults to `ghcr.io` and `github.actor`). Both defaults match the previous explicit values, so they're omitted. - `image-registry-password` stays a secret and continues to use `GITHUB_TOKEN` for ghcr.io pushes. 
- The reusable workflow's `release_discussion` job validates the discussion secrets at the step level and skips with a notice if they're unset, so the workflow keeps working even if the discussion secrets aren't configured. Signed-off-by: jmeridth
---
 .github/release-drafter.yml | 3 +++
 .github/workflows/release.yml | 38 +++++++++--------------------
 2 files changed, 12 insertions(+), 29 deletions(-)
diff --git a/.github/release-drafter.yml b/.github/release-drafter.yml
index f786f73..059bbd5 100644
--- a/.github/release-drafter.yml
+++ b/.github/release-drafter.yml
@@ -8,6 +8,9 @@ template: | See details of [all code changes](https://github.com/$OWNER/$REPOSITORY/compare/$PREVIOUS_TAG...v$RESOLVED_VERSION) since previous release categories: + - title: "💥 Breaking Changes" + labels: + - "breaking" - title: "🚀 Features" labels: - "feature"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7d1ca1a..826c333 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -10,41 +10,21 @@ permissions:
 jobs:
 release:
 permissions:
- contents: write
- pull-requests: read
- uses: github-community-projects/ospo-reusable-workflows/.github/workflows/release.yaml@a0cf79bd8756e0a9c1555bf4975eae7ce7a8e8dc
+ contents: write # Create release and push tags
+ pull-requests: read # Read PR labels for release-drafter
+ packages: write # Push container image to ghcr.io
+ id-token: write # Federate for artifact attestation
+ attestations: write # Generate build provenance attestations
+ discussions: write # Create release announcement discussion
+ uses: github-community-projects/ospo-reusable-workflows/.github/workflows/release.yaml@592067a69a43d2285f933753d89a7c9d51b96530 # v1.0.0
 with:
 publish: true
 release-config-name: release-drafter.yml
- secrets:
- github-token: ${{ secrets.GITHUB_TOKEN }}
- release_image:
- needs: release
- permissions:
- contents: read
- packages: write
- id-token: write
- attestations: write
- uses: github-community-projects/ospo-reusable-workflows/.github/workflows/release-image.yaml@a0cf79bd8756e0a9c1555bf4975eae7ce7a8e8dc
- with:
 image-name: ${{ github.repository }}
- full-tag: ${{ needs.release.outputs.full-tag }}
- short-tag: ${{ needs.release.outputs.short-tag }}
+ create-attestation: true
+ create-discussion: true
 secrets:
 github-token: ${{ secrets.GITHUB_TOKEN }}
- image-registry: ghcr.io
- image-registry-username: ${{ github.actor }}
 image-registry-password: ${{ secrets.GITHUB_TOKEN }}
- release_discussion:
- needs: release
- permissions:
- contents: read
- discussions: write
- uses: github-community-projects/ospo-reusable-workflows/.github/workflows/release-discussion.yaml@a0cf79bd8756e0a9c1555bf4975eae7ce7a8e8dc
- with:
- full-tag: ${{ needs.release.outputs.full-tag }}
- body: ${{ needs.release.outputs.body }}
- secrets:
- github-token: ${{ secrets.GITHUB_TOKEN }}
 discussion-repository-id: ${{ secrets.RELEASE_DISCUSSION_REPOSITORY_ID }}
 discussion-category-id: ${{ secrets.RELEASE_DISCUSSION_CATEGORY_ID }}
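Review bot: The least-privilege split the removed `release_image` and `release_discussion` jobs had (each ran with `contents: read`) is gone at the caller: the single `uses:` job's block now holds `contents: write` together with `packages`, `id-token`, `attestations` and `discussions: write`, and a caller's block is the ceiling for every job inside the called workflow, so scoping down depends entirely on the internal jobs at `592067a6…` declaring their own narrower `permissions:`. That is worth confirming against the pinned v1.0.0 and recording above the block, e.g. `# Ceiling for every job in the called workflow; its internal jobs scope down per step (checked at v1.0.0)`, since a later bump of the pin could silently widen what the image build or discussion step runs with. The `# v1.0.0` comment beside the SHA pin is the right shape; keep the two in sync on upgrades, as the comment is what reviewers read while the SHA is what runs. The unchanged context line `image-name: ${{ github.repository }}` passes `owner/repo` verbatim, and GHCR requires lowercase image names, so unless v1.0.0 lowercases it internally a mixed-case owner would fail the push — worth checking in the same pass. The workflow-level `permissions:` block and the trigger above line 10 are outside this hunk.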
From 94c032a26f3358b4b7d7ef13b4f207d60c0bfea0 Mon Sep 17 00:00:00 2001 From: jmeridth Date: Sun, 10 May 2026 18:31:02 -0500 Subject: [PATCH 2/2] style: align release.yml comments to prettier formatting Single-space before `#` so prettier (via super-linter) accepts the workflow file. No behavior change. Signed-off-by: jmeridth
---
 .github/workflows/release.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 826c333..6786338 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -10,12 +10,12 @@ permissions:
 jobs:
 release:
 permissions:
- contents: write # Create release and push tags
- pull-requests: read # Read PR labels for release-drafter
- packages: write # Push container image to ghcr.io
- id-token: write # Federate for artifact attestation
- attestations: write # Generate build provenance attestations
- discussions: write # Create release announcement discussion
+ contents: write # Create release and push tags
+ pull-requests: read # Read PR labels for release-drafter
+ packages: write # Push container image to ghcr.io
+ id-token: write # Federate for artifact attestation
+ attestations: write # Generate build provenance attestations
+ discussions: write # Create release announcement discussion
 uses: github-community-projects/ospo-reusable-workflows/.github/workflows/release.yaml@592067a69a43d2285f933753d89a7c9d51b96530 # v1.0.0
 with:
 publish: true