feat(ci): add basic release workflows #665

Merged: Molter73 merged 3 commits into main from mauro/ci/releaser, May 14, 2026

@Molter73 Molter73 commented May 13, 2026

Description

Since the repository has some pretty strict rules about pushing certain branches, we need to define some basic workflows that will allow us to push them via a robot account. While we are at it, we are also automating some of the additional steps needed for updating and pinning versions.

Checklist

  • Patch has a change log entry OR does not need one.
  • Investigated and inspected CI test results
  • Updated documentation accordingly

Automated testing

  • Added unit tests
  • Added integration tests
  • Added regression tests

If any of these don't apply, please comment below.

Testing Performed

Since the workflows are only meant to be run manually, testing will happen once this PR is merged and the workflows become available in the Actions tab. If any fixes are needed after testing, a follow up PR will be created.

coderabbitai Bot commented May 13, 2026

Walkthrough

Adds a composite version-validation action and two GitHub Actions workflows: one to prepare release branches (validate inputs, create branch/tag, pin Rust, bump crate versions, update changelog, open PRs) and one to compute a patch and create/push an annotated release tag.

Changes

Release Automation

| Layer / File(s) | Summary |
|---|---|
| Version validation action (.github/actions/validate-version/action.yml) | Composite action Validate <Major>.<minor> version added; checks inputs.version against digits.digits regex and fails on mismatch. |
| Prepare-release workflow inputs & validation (.github/workflows/prepare-release.yml) | Workflow prepare-release.yml inputs added (version, next-version, rust-version, dry-run) and a validate-version job that runs the local validation action for each input. |
| Create release branch and pin versions (.github/workflows/prepare-release.yml) | prepare-release-branch creates ${version}.x and release-${version}; pin-rust-version updates constants.mk and fact/Cargo.toml on the release branch, runs cargo update -p fact, shows git diff, and (when not dry-run) opens a PR. |
| Update main changelog and bump next-dev (.github/workflows/prepare-release.yml) | update-version inserts a ${version}.0 section after ## Next in CHANGELOG.md, bumps fact/Cargo.toml to ${next-version}.0-dev, runs cargo update -p fact, shows git diff, and (when not dry-run) opens a PR. |
| Release tag creation workflow (.github/workflows/release.yml) | Workflow release.yml accepts version and dry-run, checks out release-${version}, validates version, computes PATCH from latest tags (${VERSION}.x -> 0 or ${VERSION}.<n> -> n+1), configures git author, creates annotated tag ${VERSION}.${PATCH}, and conditionally pushes the tag. |
| Release documentation updates (docs/release.md) | Adds “Automated release” notes, a FACT_DEV env var in examples, adjusts fact/Cargo.toml substitutions, and inserts cargo update -p fact steps after version changes. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 5 passed

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly and specifically describes the main change: adding basic release workflows for CI automation. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Description check | ✅ Passed | The PR description includes all required sections with substantive content: description of changes, completed checklist items, and testing approach. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 5

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/prepare-release.yml:
- Around line 63-74: Make the tag and branch steps idempotent so rerunning the
workflow doesn't fail: for the tag referenced as "${{ inputs.version }}.x" check
whether the tag already exists (e.g., via git rev-parse --verify) and only
create it if missing instead of unconditionally running git tag; for the branch
"release-${{ inputs.version }}" use git checkout -B "release-${{ inputs.version
}}" to recreate/reset the local branch reliably, fetch remote refs first, and
when pushing use a safe update (git push --force-with-lease origin "release-${{
inputs.version }}" or push the tag only if newly created) so the Push internal
tag and release-${{ inputs.version }} branch step becomes rerunnable without
manual cleanup.
- Around line 123-127: The update-version job currently only depends on
validate-version, so it can run and open the next-version PR even if
prepare-release-branch fails; change its dependencies so update-version also
waits for the prepare-release-branch job to complete successfully (add
prepare-release-branch to the needs list for the update-version job), ensuring
update-version will not advance main before a release branch/tag is created.
- Around line 82-86: The checkout step always tries to fetch ref: release-${{
inputs.version }} which fails in dry-run because that remote branch isn't
pushed; replace the single checkout with two conditional steps: one
actions/checkout@v6 step that includes ref: release-${{ inputs.version }} and
runs only when inputs.dry-run is false, and a second actions/checkout@v6 step
without the ref (default checkout of the workflow commit) that runs when
inputs.dry-run is true; update the step names accordingly so later steps use the
same workspace.

In @.github/workflows/release.yml:
- Around line 51-60: The tag is constructed with undefined variable RELEASE and
PATCH isn't exported to the Push tag step; update the Create release tag step to
build the tag using the defined VERSION and the patch from
steps.patch.outputs.patch (e.g., use "${VERSION}.${{ steps.patch.outputs.patch
}}") and export or set PATCH consistently so the Push tag step pushes the exact
same ref (or change the Push tag step to push "${VERSION}.${{
steps.patch.outputs.patch }}" too); ensure both steps reference the same
variables (replace RELEASE with VERSION and either set env PATCH from
steps.patch.outputs.patch or inline the steps.patch.outputs.patch expression in
both steps) so the tag name is correct and consistent.
- Around line 29-44: Patch selection currently uses git describe --tags
--abbrev=0 which returns the nearest tag from HEAD (variable last_tag in the
"Determine patch version" step); change it to explicitly pick the latest tag
matching the requested series ${VERSION}.* (e.g. replace the last_tag assignment
with a command that lists tags filtered by pattern and sorts by version, such as
using git tag --list "${VERSION}.*" --sort=-v:refname | head -n1), then keep the
existing regex/patch logic but add a guard to fail if no matching tag is found
(empty last_tag) so the patch calculation uses the correct series tag instead of
a nearest unrelated tag.
📥 Commits

Reviewing files that changed from the base of the PR and between d8ceac0 and 21762dc.

📒 Files selected for processing (2)
  • .github/workflows/prepare-release.yml
  • .github/workflows/release.yml

Comment thread .github/workflows/prepare-release.yml Outdated
Comment thread .github/workflows/prepare-release.yml
Comment thread .github/workflows/prepare-release.yml
Comment thread .github/workflows/release.yml
Comment thread .github/workflows/release.yml
@Molter73 Molter73 force-pushed the mauro/ci/releaser branch from 21762dc to 6f8a89a Compare May 14, 2026 09:11
@Molter73 (Contributor, Author):

@CodeRabbit review

coderabbitai Bot commented May 14, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/release.yml (1)

17-21: ⚡ Quick win

Serialize release runs per version to avoid dispatch races.

Two manual runs for the same version can overlap and contend on tag creation/push. Add job-level concurrency to make this deterministic.

Proposed refactor
 jobs:
   release:
     runs-on: ubuntu-24.04
+    concurrency:
+      group: release-${{ inputs.version }}
+      cancel-in-progress: false
     env:
       VERSION: ${{ inputs.version }}
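
Review bot: on the `cancel-in-progress: false` line, a second dispatch for the same version is held as pending and then runs to completion, so it computes the following patch number and pushes a second tag, possibly on the same commit. Serializing removes the collision but not the duplicate; consider having the tag step exit early when the head of the release branch already carries a `${VERSION}.<n>` tag. GitHub also keeps only one pending run per concurrency group, so a third dispatch replaces the second rather than queuing behind it.
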
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 17 - 21, Add a job-level
concurrency stanza to the "release" job so manual runs for the same VERSION
serialize and avoid tag races: under the release job, add a concurrency block
like concurrency: { group: "release-${{ inputs.version }}", cancel-in-progress:
true } (use the env/variable VERSION or inputs.version to form the group key) so
only one release per version runs at a time and in-progress duplicates are
canceled.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release.yml:
- Around line 6-14: The workflow accepts an input named "version" documented as
"<Major>.<minor>" but never validated; add an early workflow step (e.g.,
"Validate version") that checks the "version" input against a strict regex like
^\d+\.\d+$ and fails the job with a clear error message if it doesn't match so
downstream ref/tag creation (where "version" is used to form release-* refs and
tag names) cannot proceed with malformed values; reference the "version" input
name and place the check before any steps that use it (see where refs/tags are
generated in the release flow around the later steps).

📥 Commits

Reviewing files that changed from the base of the PR and between 21762dc and 6f8a89a.

📒 Files selected for processing (2)
  • .github/workflows/prepare-release.yml
  • .github/workflows/release.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/prepare-release.yml

Comment thread .github/workflows/release.yml
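
The two release.yml findings above (validate `version` against `^\d+\.\d+$` before it forms a ref, and derive the patch only from tags of the requested series) can be exercised offline as below. This is an added example, not code from the PR or the project; the function names `validate_version` and `next_patch` and the tag list are constructed, and the tag list stands in for `git tag --list` output.

```sh
#!/bin/sh
# Added example: not the project's workflow code. Function names and the
# sample tag list are constructed for illustration.

# Accept only <Major>.<minor> (digits, one dot, digits). The whole string is
# matched, so a value containing a newline, slash or shell metacharacter is
# rejected before it can become part of a branch or tag name.
validate_version() {
    case "$1" in
        ''|*[!0-9.]*) return 1 ;;   # empty, or a character outside [0-9.]
        *.*.*|.*|*.)  return 1 ;;   # more than one dot, or an empty component
        *.*)          return 0 ;;
        *)            return 1 ;;   # no dot at all
    esac
}

# next_patch VERSION   (tag names on stdin, one per line)
# Prints the next patch number for the series: 0 when only the internal
# VERSION.x tag exists, otherwise the highest VERSION.<n> plus one, compared
# numerically. Tags of other series and suffixed tags such as VERSION.1-rc1
# are ignored. Status 2: malformed VERSION. Status 1: series has no tag.
# The body is a subshell, so `exit` only ends the function.
next_patch() (
    version=$1 max=
    validate_version "$version" || { echo "invalid version: $version" >&2; exit 2; }
    while IFS= read -r tag; do
        case "$tag" in
            "$version".*) suffix=${tag#"$version".} ;;
            *) continue ;;                      # different series
        esac
        case "$suffix" in
            x) n=-1 ;;                          # internal tag: implies patch 0
            ''|*[!0-9]*|0?*) continue ;;        # not a canonical patch number
            *) n=$suffix ;;
        esac
        if [ -z "$max" ] || [ "$n" -gt "$max" ]; then max=$n; fi
    done
    [ -n "$max" ] || { echo "no tag found for series $version" >&2; exit 1; }
    echo $((max + 1))
)

# Constructed tag list standing in for `git tag --list` output.
SAMPLE_TAGS='0.2.x
0.2.0
0.2.9
0.2.10
0.3.x
0.3.0
0.3.1
0.3.1-rc1
0.30.5
0.4.x'

for v in 0.2 0.3 0.4; do
    printf '%s -> %s.%s\n' "$v" "$v" "$(printf '%s\n' "$SAMPLE_TAGS" | next_patch "$v")"
done
```

The 0.2 series shows why the comparison has to be numeric: a plain string sort would rank 0.2.9 above 0.2.10 and reissue an existing tag.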
coderabbitai Bot commented May 14, 2026

CodeRabbit chat interactions are restricted to organization members for this repository. Ask an organization member to interact with CodeRabbit, or set chat.allow_non_org_members: true in your configuration.

@Molter73 Molter73 force-pushed the mauro/ci/releaser branch from 6f8a89a to 53cfac9 Compare May 14, 2026 09:32
@Molter73 (Contributor, Author):

@CodeRabbit review

coderabbitai Bot commented May 14, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
.github/workflows/release.yml (1)

16-18: ⚡ Quick win

Add job concurrency to prevent same-version tag races.

Two manual runs for the same version can compute the same next patch and race on git tag/git push. Add a per-version concurrency group on this job.

Suggested change
 jobs:
   release:
+    concurrency:
+      group: release-${{ inputs.version }}
+      cancel-in-progress: false
     runs-on: ubuntu-24.04
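
Review bot: keep `cancel-in-progress: false` as written in this hunk rather than the `true` that the agent prompt underneath asks for. With `true`, a newer dispatch cancels the run already in progress, which can interrupt it between creating the annotated tag and pushing it; with `false` the in-flight run completes and the newer one waits its turn.
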
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 16 - 18, Add a concurrency block
to the release job (jobs.release) so manual runs with the same version cannot
race on git tag/push: add a concurrency key with a group that is unique
per-version (e.g. group: release-${{ github.event.inputs.version }} or whichever
input/ref holds the version) and set cancel-in-progress: true; this ensures only
one run per version proceeds and others are queued/cancelled.
📥 Commits

Reviewing files that changed from the base of the PR and between 6f8a89a and 53cfac9.

📒 Files selected for processing (3)
  • .github/actions/validate-version/action.yml
  • .github/workflows/prepare-release.yml
  • .github/workflows/release.yml
✅ Files skipped from review due to trivial changes (1)
  • .github/actions/validate-version/action.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/prepare-release.yml

@Molter73 Molter73 force-pushed the mauro/ci/releaser branch from 53cfac9 to eb795a1 Compare May 14, 2026 09:56
Since the repository has some pretty strict rules about pushing certain
branches, we need to define some basic workflows that will allow us to
push them via a robot account. While we are at it, we are also
automating some of the additional steps needed for updating and pinning
versions

TODO: update release.md
@Molter73 Molter73 force-pushed the mauro/ci/releaser branch from eb795a1 to ca4b844 Compare May 14, 2026 10:47
@Molter73 (Contributor, Author):

@CodeRabbit review

coderabbitai Bot commented May 14, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/release.md`:
- Around line 24-27: Add a blank line between the Note paragraph ("**Note**:
This is a fallback method... whenever possible") and the horizontal rule marker
("---") so the trailing `---` is not parsed as a setext heading underline;
alternatively remove the `---` line entirely. Update the block containing the
Note and the `---` marker to ensure there is an empty line separating the
paragraph and the rule.
📥 Commits

Reviewing files that changed from the base of the PR and between 53cfac9 and 621c29e.

📒 Files selected for processing (4)
  • .github/actions/validate-version/action.yml
  • .github/workflows/prepare-release.yml
  • .github/workflows/release.yml
  • docs/release.md
🚧 Files skipped from review as they are similar to previous changes (3)
  • .github/actions/validate-version/action.yml
  • .github/workflows/release.yml
  • .github/workflows/prepare-release.yml

Comment thread docs/release.md
@Molter73 Molter73 marked this pull request as ready for review May 14, 2026 13:25
@Molter73 Molter73 requested a review from a team as a code owner May 14, 2026 13:25
@Stringy Stringy left a comment

Some nits, but nothing major; otherwise LGTM

Comment thread .github/workflows/prepare-release.yml Outdated
Comment thread .github/workflows/prepare-release.yml Outdated
@Molter73 Molter73 merged commit 35c7001 into main May 14, 2026
26 of 27 checks passed
@Molter73 Molter73 deleted the mauro/ci/releaser branch May 14, 2026 14:54