Create draft releases and publish after AI-generated highlights

[Copilot]

✅ Update release workflow to use draft releases - COMPLETE

Changes Implemented:

• Understand current workflow structure
• Modify draft_release job to create draft release (add --draft flag to gh release create)
• Rename release job to draft_release for clarity
• Add new job publish-release that runs after agent completes
  • Created as custom safe-output job under safe-outputs.jobs
  • Gets release tag from needs.draft_release.outputs.release_tag instead of agent output
  • Updated: Depends on draft_release and safe_outputs jobs
  • Compiler automatically adds agent and detection dependencies
  • Added contents: write permission to allow release editing
  • Publishes the release (removes draft status)
• Update job dependencies so publish-release runs after safe-outputs update
• Updated agent prompt: Agent calls update_release to add highlights; publish_release is automatic
• Test and validate the changes (compiled successfully)

Summary of Changes:

1. Draft Release Creation

Modified the draft_release job (renamed from release) to create a draft release by adding the --draft flag to gh release create:

gh release create "$RELEASE_TAG" \
  --draft \
  --title "$RELEASE_TAG" \
  --generate-notes \
  dist/*

2. Custom Safe Output Job

Created a publish-release job under safe-outputs.jobs that:

• Takes release tag from needs.draft_release.outputs.release_tag (job output)
• Runs after safe_outputs updates the release with highlights
• Depends on: agent, detection, draft_release, safe_outputs
• Has contents: write permission to edit the release
• Calls gh release edit --draft=false to publish the release
• Automatically triggered by the workflow (no agent tool call needed)

3. Updated Agent Prompt

Agent calls update_release tool to prepend highlights to the draft release. The workflow then automatically publishes the release via the publish_release job.

Agent workflow:

1. Agent calls update_release() to add highlights to draft release
2. Workflow automatically triggers publish_release job to remove draft status

No publish_release tool call is needed from the agent - the workflow handles publishing automatically.

Workflow Flow Diagram:

[Create Tag] → [Build/Test] → [Create Draft Release ⚠️ DRAFT]
                                      ↓
[Generate SBOM] ← [Build Docker] ← [Draft Release]
       ↓
[AI Agent] → Generates highlights and calls update_release
       ↓
[safe_outputs] → Processes update_release and prepends highlights to draft
       ↓
[publish_release] → Automatically removes draft status ✅ PUBLIC
     ↑ (contents: write permission)
     └─ Gets tag from needs.draft_release.outputs.release_tag
       └─ Waits for safe_outputs to complete

Job Dependencies:

• draft_release → creates draft release with binaries (outputs: release_tag, release_id)
• docker → builds Docker images (needs: draft_release)
• generate-sbom → creates SBOM files (needs: draft_release)
• agent → generates highlights and calls update_release (needs: activation, create-tag, docker, generate-sbom, draft_release)
• safe_outputs → processes update_release tool call (needs: agent, detection)
• publish_release → makes release public with contents: write (needs: agent, detection, draft_release, safe_outputs)
• conclusion → final cleanup (needs: activation, agent, detection, publish_release, safe_outputs)

Note: conclusion cannot be added to publish_release dependencies as it would create a circular dependency. The conclusion job properly depends on publish_release, ensuring it runs after the release is published.

Benefits:

✅ Release is only made public AFTER all content is ready
✅ AI-generated highlights are included before users see the release
✅ Binaries, SBOM, and Docker images are all attached before publication
✅ Failed highlight generation won't result in incomplete public releases
✅ Two-phase release process: prepare (draft) → finalize (publish)
✅ Simplified by using job outputs instead of parsing agent data
✅ Proper job ordering ensures release is updated before publishing
✅ Clear job naming: draft_release explicitly indicates draft creation
✅ Agent calls update_release; workflow handles publish_release automatically
✅ Proper permissions: publish_release has contents: write to edit releases

Files Modified:

• .github/workflows/release.md - Source workflow with custom safe-output job
• .github/workflows/release.lock.yml - Compiled GitHub Actions workflow (69.2 KB)

Verification:

✅ Workflow compiles successfully with no errors
✅ Job dependencies are correctly configured without circular dependencies
✅ publish_release job accesses needs.draft_release.outputs.release_tag
✅ publish_release runs after safe_outputs completes
✅ publish_release has contents: write permission for release editing
✅ Agent prompt includes update_release call; publish_release is automatic
✅ Job renamed to draft_release for clarity

Custom agent used: create-agentic-workflow
Design agentic workflows using GitHub Agentic Workflows (gh-aw) extension with interactive guidance on triggers, tools, and security best practices.

Original prompt

Update release.md to create a draft PR in the create release phase and make it non draft in a separate job that needs the agent, and the release id, etc...

Custom agent used: create-agentic-workflow
Design agentic workflows using GitHub Agentic Workflows (gh-aw) extension with interactive guidance on triggers, tools, and security best practices.

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[pelikhan]

@copilot get the release tag from a needs job output

[Copilot]

@copilot get the release tag from a needs job output

Changed the publish-release job to get the release tag from needs.release.outputs.release_tag instead of parsing the agent output. The job now has release in its dependencies and directly accesses the job output. (5d3dfab)

[pelikhan]

@copilot also needs agent, safe_outouts, conclusion

[Copilot]

@copilot also needs agent, safe_outouts, conclusion

Added safe_outputs to the needs array. The compiler automatically includes agent and detection dependencies. Note that conclusion cannot be added as it would create a circular dependency - conclusion already depends on publish_release, so the execution order is correct: publish_release → conclusion. (18bed4d)

[pelikhan]

@copilot rename release job to draft_release

[Copilot]

@copilot rename release job to draft_release

Renamed the job from release to draft_release and updated all references throughout the workflow including needs dependencies and output references. (f6f3212)

[pelikhan]

@copilot no need to prompt for update_releaE it will be done by actions

[pelikhan]

@copilot just call update_release

[Copilot]

Removed the update_release call instruction. The workflow handles this automatically. (265f3fc)

[pelikhan]

@copilot not needed

[Copilot]

Removed the publish_release call instruction and related notes. The workflow handles this automatically. (265f3fc)

[Copilot]

@copilot no need to prompt for update_releaE it will be done by actions

Removed the manual tool call instructions from the agent prompt. The workflow now handles update_release and publish_release automatically. (265f3fc)

[pelikhan]

@copilot the agent still need update_release, NOT publish_release

[Copilot]

@copilot the agent still need update_release, NOT publish_release

Restored the update_release tool call instructions for the agent. The publish_release remains automatic - it's triggered by the workflow after the agent updates the release. (1e1370d)

[pelikhan]

@copilot this job needs permissions to update a release

[Copilot]

Added contents: write permission to the publish-release job. This allows the job to execute gh release edit --draft=false to publish the release. (fb23940)