GHA-174 Add releasability check to automated release workflow (#83)

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Author: nils-werner-sonarsource

.github/workflows/automated-release.yml

@@ -116,6 +116,11 @@ on:
         required: false
         type: boolean
         default: true
+      check-releasability:
+        description: "Check the releasability status after freezing the branch"
+        required: false
+        type: boolean
+        default: true
       slack-channel:
         description: "Slack channel for notifications"
         required: false
@@ -170,19 +175,91 @@ jobs:
           echo "- Locked branch pattern \`$BRANCH\` to prevent changes during the release." >> $GITHUB_STEP_SUMMARY
           echo "- Notifications sent to Slack channel: \`$SLACK_CHANNEL\`." >> $GITHUB_STEP_SUMMARY
 
+  # This job executes the releasability check on the branch to ensure it is ready for release.
+  # Running this check early prevents unnecessary work (like creating REL tickets) if the release cannot proceed.
+  check-releasability:
+    name: Check Releasability
+    if: ${{ inputs.check-releasability && !cancelled() }}
+    needs: [ freeze-branch ]
+    runs-on: ${{ inputs.runner-environment }}
+    permissions:
+      id-token: write
+      contents: read
+      statuses: read
+    outputs:
+      release-version: ${{ steps.get-version.outputs.release-version }}
+    steps:
+      - name: Get Release Version
+        id: get-version
+        uses: SonarSource/release-github-actions/get-release-version@v1
+        with:
+          branch: ${{ inputs.branch }}
+
+      - uses: SonarSource/gh-action_releasability@v3
+        id: releasability
+        with:
+          branch: ${{ github.ref_name }}
+          commit-sha: ${{ github.sha }}
+          organization: ${{ github.repository_owner }}
+          repository: ${{ github.event.repository.name }}
+          version: ${{ steps.get-version.outputs.release-version }}
+
+      - name: Summary
+        if: ${{ always() && inputs.verbose }}
+        shell: bash
+        env:
+          BRANCH: ${{ inputs.branch }}
+          VERSION: ${{ steps.get-version.outputs.release-version }}
+          CHECK_OUTCOME: ${{ steps.releasability.outcome }}
+          CHECK_DEPENDENCIES: ${{ steps.releasability.outputs.releasabilityCheckDependencies }}
+          CHECK_QA: ${{ steps.releasability.outputs.releasabilityQA }}
+          CHECK_JIRA: ${{ steps.releasability.outputs.releasabilityJira }}
+          CHECK_PEACHEE: ${{ steps.releasability.outputs.releasabilityCheckPeacheeLanguagesStatistics }}
+          CHECK_QUALITY_GATE: ${{ steps.releasability.outputs.releasabilityQualityGate }}
+          CHECK_PARENT_POM: ${{ steps.releasability.outputs.releasabilityParentPOM }}
+          CHECK_GITHUB: ${{ steps.releasability.outputs.releasabilityGitHub }}
+          CHECK_MANIFEST: ${{ steps.releasability.outputs.releasabilityCheckManifestValues }}
+          CHECK_LICENSES: ${{ steps.releasability.outputs.releasabilityCheckLicenses }}
+        run: |
+          if [ "$CHECK_OUTCOME" = "success" ]; then
+            echo "## ✅ Releasability Check" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "## ❌ Releasability Check Failed" >> $GITHUB_STEP_SUMMARY
+          fi
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "### What happened" >> $GITHUB_STEP_SUMMARY
+          echo "- Executed releasability check on branch \`$BRANCH\` for version \`$VERSION\`." >> $GITHUB_STEP_SUMMARY
+          if [ "$CHECK_OUTCOME" != "success" ]; then
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "### Failed Checks" >> $GITHUB_STEP_SUMMARY
+            [ "$CHECK_DEPENDENCIES" = "FAILED" ] && echo "- ❌ CheckDependencies" >> $GITHUB_STEP_SUMMARY
+            [ "$CHECK_QA" = "FAILED" ] && echo "- ❌ QA" >> $GITHUB_STEP_SUMMARY
+            [ "$CHECK_JIRA" = "FAILED" ] && echo "- ❌ Jira" >> $GITHUB_STEP_SUMMARY
+            [ "$CHECK_PEACHEE" = "FAILED" ] && echo "- ❌ CheckPeacheeLanguagesStatistics" >> $GITHUB_STEP_SUMMARY
+            [ "$CHECK_QUALITY_GATE" = "FAILED" ] && echo "- ❌ QualityGate" >> $GITHUB_STEP_SUMMARY
+            [ "$CHECK_PARENT_POM" = "FAILED" ] && echo "- ❌ ParentPOM" >> $GITHUB_STEP_SUMMARY
+            [ "$CHECK_GITHUB" = "FAILED" ] && echo "- ❌ GitHub" >> $GITHUB_STEP_SUMMARY
+            [ "$CHECK_MANIFEST" = "FAILED" ] && echo "- ❌ CheckManifestValues" >> $GITHUB_STEP_SUMMARY
+            [ "$CHECK_LICENSES" = "FAILED" ] && echo "- ❌ CheckLicenses" >> $GITHUB_STEP_SUMMARY
+          fi
+
   # This step determines the release version, Jira version name, and gathers release notes.
   # It sets up the necessary outputs for subsequent steps.
   # These outputs include the release version, Jira version name, release notes, Jira release notes, and Jira release URL.
   prepare-release:
     name: Prepare Release
-    needs: [ freeze-branch ]
+    needs: [ freeze-branch, check-releasability ]
+    if: |
+      !cancelled() &&
+      (needs.freeze-branch.result == 'success' || needs.freeze-branch.result == 'skipped') &&
+      (needs.check-releasability.result == 'success' || needs.check-releasability.result == 'skipped')
     runs-on: ${{ inputs.runner-environment }}
     permissions:
       statuses: read
       contents: read
       id-token: write
     outputs:
-      release-version: ${{ steps.get-release-version.outputs.release-version }}
+      release-version: ${{ needs.check-releasability.outputs.release-version || steps.get-release-version.outputs.release-version }}
       jira-version-name: ${{ steps.get-jira-version.outputs.jira-version-name }}
       release-notes: ${{ inputs.release-notes != '' && inputs.release-notes || steps.get-jira-release-notes.outputs.release-notes }}
       jira-release-notes: ${{ inputs.release-notes != '' && inputs.release-notes || steps.get-jira-release-notes.outputs.jira-release-notes }}
@@ -191,6 +268,7 @@ jobs:
     steps:
       - name: Get Release Version
         id: get-release-version
+        if: ${{ needs.check-releasability.result == 'skipped' }}
         uses: SonarSource/release-github-actions/get-release-version@v1
         with:
           branch: ${{ inputs.branch }}
@@ -228,7 +306,7 @@ jobs:
           fi
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "### Results" >> $GITHUB_STEP_SUMMARY
-          echo "- Release version: \`${{ steps.get-release-version.outputs.release-version }}\`." >> $GITHUB_STEP_SUMMARY
+          echo "- Release version: \`${{ needs.check-releasability.outputs.release-version || steps.get-release-version.outputs.release-version }}\`." >> $GITHUB_STEP_SUMMARY
           echo "- Jira version name: \`${{ steps.get-jira-version.outputs.jira-version-name }}\`." >> $GITHUB_STEP_SUMMARY
 
   # This step creates a Jira release ticket using the prepared release information.
@@ -563,7 +641,7 @@ jobs:
     name: Release Results
     runs-on: ${{ inputs.runner-environment }}
     if: always()
-    needs: [ prepare-release, publish-github-release, create-release-ticket, release-in-jira, create-integration-tickets, update-analyzers ]
+    needs: [ check-releasability, prepare-release, publish-github-release, create-release-ticket, release-in-jira, create-integration-tickets, update-analyzers ]
     env:
         RELEASE_PROCESS: ${{ inputs.release-process != '' && inputs.release-process || 'https://xtranet-sonarsource.atlassian.net/wiki/spaces/CSD/pages/4325048388/Release+Instructions+-+Cloud+Security' }}
     steps:
@@ -580,7 +658,7 @@ jobs:
           SQS_PR_URL: ${{ needs.update-analyzers.outputs.sqs-pull-request-url || 'not created' }}
           SQC_PR_URL: ${{ needs.update-analyzers.outputs.sqc-pull-request-url || 'not created' }}
         run: |
-          ALL_SUCCESS=$(echo '${{ toJson(needs) }}' | jq -r 'to_entries | all(.value.result == "success")')
+          ALL_SUCCESS=$(echo '${{ toJson(needs) }}' | jq -r 'to_entries | all(.value.result == "success" or .value.result == "skipped")')
           
           if [[ "$ALL_SUCCESS" == "true" ]]; then
             echo "# 🎉 Release Successful" >> $GITHUB_STEP_SUMMARY

CLAUDE.md

@@ -6,6 +6,10 @@ This file provides guidance to Claude Code (claude.ai/code) when working with co
 
 This is a collection of reusable GitHub Actions for automating SonarSource analyzer releases. Actions handle Jira integration (tickets, versions, release notes), GitHub releases, cross-repository updates, and Slack notifications.
 
+## Jira Project
+
+Related Jira tickets for this project are tracked in the **GHA** (GitHub Automation) project. When available, use the Jira MCP to access ticket details (e.g., `GHA-123`).
+
 ## Branching
 
 **Important:** Changes must always be made on a feature branch, never directly on `master`.
@@ -14,6 +18,14 @@ This is a collection of reusable GitHub Actions for automating SonarSource analy
 - Adapt `<feature-name>` based on the task/prompt (use lowercase, hyphen-separated)
 - If already on a feature branch, do not create a new branch—continue working on the current branch
 
+## Documentation
+
+**Important:** When making any code changes, check if the related README or documentation needs to be updated. Each action has its own `README.md`, and workflow documentation is in `docs/`. Keep documentation in sync with code changes.
+
+When creating a new action:
+- Add a `README.md` to the action's directory documenting inputs, outputs, and usage
+- Update the main `README.md` at the repository root to link to the new action
+
 ## Testing
 
 **Important:** When making any code changes, always check if there are related tests that need to be updated. Always run the tests after making changes to ensure nothing is broken.
@@ -95,3 +107,17 @@ env:
   INPUT_BRANCH: ${{ inputs.branch }}
 run: echo "$INPUT_BRANCH"
 ```
+
+### Pinning External Actions
+
+**Important:** All GitHub Actions from outside the SonarSource organization must be pinned to a full commit SHA (not a tag). Add a comment with the version number for readability.
+
+```yaml
+# Bad - using tag
+- uses: actions/checkout@v4
+
+# Good - pinned to commit SHA with version comment
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+```
+
+This prevents tag mutation attacks where a malicious actor could change what code a tag points to.

check-releasability-status/README.md

@@ -24,7 +24,12 @@ This action requires the `statuses: read` permission for the GitHub token to acc
 
 ## Outputs
 
-This action has no outputs.
+| Output                     | Description                                                              |
+|----------------------------|--------------------------------------------------------------------------|
+| `releasability-state`      | The state of the Releasability status (e.g., `success`, `failure`, `pending`) |
+| `releasability-description`| The description of the Releasability status                              |
+
+These outputs are always set (even on failure), allowing subsequent steps to access the releasability information for reporting or debugging purposes.
 
 ## Usage
 

check-releasability-status/action.yml

@@ -16,10 +16,19 @@ inputs:
     required: false
     default: 'true'
 
+outputs:
+  releasability-state:
+    description: 'The state of the Releasability status (e.g., success, failure, pending)'
+    value: ${{ steps.check.outputs.releasability-state }}
+  releasability-description:
+    description: 'The description of the Releasability status'
+    value: ${{ steps.check.outputs.releasability-description }}
+
 runs:
   using: 'composite'
   steps:
     - name: Check releasability status
+      id: check
       shell: bash
       env:
         GITHUB_TOKEN: ${{ inputs.github-token }}
@@ -40,6 +49,10 @@ runs:
         RELEASABILITY_STATE=$(echo "$STATUS_RESPONSE" | jq -r '.statuses[] | select(.context == "Releasability") | .state')
         RELEASABILITY_DESCRIPTION=$(echo "$STATUS_RESPONSE" | jq -r '.statuses[] | select(.context == "Releasability") | .description')
 
+        # Output the state and description for use in subsequent steps
+        echo "releasability-state=$RELEASABILITY_STATE" >> $GITHUB_OUTPUT
+        echo "releasability-description=$RELEASABILITY_DESCRIPTION" >> $GITHUB_OUTPUT
+
         if [ -z "$RELEASABILITY_STATE" ] || [ "$RELEASABILITY_STATE" = "null" ]; then
           echo "❌ Could not find Releasability status on $BRANCH_NAME branch"
           exit 1

docs/AUTOMATED_RELEASE.md

@@ -7,19 +7,21 @@ This reusable GitHub Actions workflow automates the end-to-end release process a
 The workflow orchestrates these steps:
 
 1. Optionally freeze (lock) the target branch at the start of the release
-2. Determine the release version and Jira version name
-3. Optionally generate Jira release notes if not provided
-4. Create a Jira release ticket
-5. Publish a GitHub release (draft or final)
-6. Release the current Jira version and create the next version in Jira
-7. Optionally create integration tickets (SLVS, SLVSCODE, SLE, SLI, SQC, SQS)
-8. Optionally open analyzer update PRs in SQS and SQC
-9. Optionally post per-job and final workflow summaries when `verbose` is enabled
+2. Check releasability status on the branch (enabled by default)
+3. Determine the release version and Jira version name
+4. Optionally generate Jira release notes if not provided
+5. Create a Jira release ticket
+6. Publish a GitHub release (draft or final)
+7. Release the current Jira version and create the next version in Jira
+8. Optionally create integration tickets (SLVS, SLVSCODE, SLE, SLI, SQC, SQS)
+9. Optionally open analyzer update PRs in SQS and SQC
+10. Optionally post per-job and final workflow summaries when `verbose` is enabled
 
 ## Dependencies
 
 This workflow composes several actions from this repository:
 
+- `SonarSource/gh-action_releasability/releasability-status` (external action for releasability checks)
 - `SonarSource/release-github-actions/get-release-version`
 - `SonarSource/release-github-actions/get-jira-version`
 - `SonarSource/release-github-actions/get-jira-release-notes`
@@ -60,6 +62,7 @@ This workflow composes several actions from this repository:
 | `release-process`            | Release process documentation URL                                                                               | No       | General page |
 | `verbose`                    | When `true`, posts per-job summaries and a final run summary                                                    | No       | `false`      |
 | `freeze-branch`              | When `true`, locks the target branch during the release and unlocks it after publishing                         | No       | `true`       |
+| `check-releasability`        | When `true`, verifies the releasability status on the branch before proceeding                                  | No       | `true`       |
 | `slack-channel`              | Slack channel to notify when locking/unlocking the branch                                                       | No       | -            |
 
 ## Outputs
@@ -121,6 +124,10 @@ jobs:
 
 ## Notes
 
+- When `check-releasability: true` (default), the workflow will:
+  - Execute a releasability check on the specified branch immediately after freezing (using `SonarSource/gh-action_releasability@v3`)
+  - Update the commit status with the latest releasability results
+  - Fail early if the releasability check does not pass, preventing unnecessary work (like creating REL tickets)
 - When `freeze-branch: true`, the workflow will:
   - Lock the specified branch at the start of the release
   - Proceed with the release steps

docs/SETUP_AUTOMATED_RELEASE.md

@@ -8,6 +8,10 @@ For detailed workflow documentation (inputs, outputs, behavior), see [AUTOMATED_
 
 Before the workflow will work, complete these steps:
 
+### Releasability Status
+
+- [ ] **Ensure releasability checks are configured** for your repository. The workflow verifies releasability status on the branch before proceeding with the release. This prevents creating REL tickets and other artifacts if the build is not releasable.
+
 ### Jira Configuration
 
 - [ ] **Add `Jira Tech User GitHub` as Administrator** on your Jira project (required to create/release versions)
@@ -296,3 +300,15 @@ Specify a different runner:
 ```yaml
 runner-environment: "sonar-s"
 ```
+
+### Releasability Check
+
+The workflow checks releasability status by default. To disable or customize:
+```yaml
+# Disable releasability check entirely
+check-releasability: false
+
+# Check releasability but allow failed optional checks
+check-releasability: true
+with-optional-releasability-checks: false
+```