ci: keep release PRs mergeable #436

Merged: hiqiancheng merged 6 commits into main from fix/release-please-merge-policy on Jun 8, 2026

@hiqiancheng hiqiancheng commented Jun 7, 2026


Summary

  • Require Release Please to use the dedicated RELEASE_PLEASE_TOKEN instead of falling back to github.token, so release PR updates trigger required pull request checks.
  • Add workflow_dispatch to the Release Please workflow so maintainers can manually refresh the release PR after token or workflow changes.
  • Remove the generated Release Please manifest from CODEOWNERS while keeping release automation controls under maintainer review.
  • Add CI policy tests for release PR check triggering and CODEOWNERS ownership semantics.

Related issue or RFC

AI assistance disclosure

  • Tool(s) used: Codex
  • Scope of assistance: diagnosed PR chore(main): release 1.1.1 #410 merge blockers, updated release policy/workflow files, added regression tests, fixed the current release PR formatting/lockfile issue, ran local and remote verification.
  • Human review or rewrite performed: maintainer review pending.
  • Architecture or boundary impact: no runtime architecture impact; CI/release policy only.

Testing evidence

pnpm.cmd --filter @touchai/desktop test:unit tests/ci/release-codeowners-policy.test.ts
# 1 file, 2 tests passed

pnpm.cmd --filter @touchai/desktop test:unit tests/ci/release-workflow-environments.test.ts
# 1 file, 8 tests passed

pnpm.cmd --filter @touchai/desktop test:typecheck
# passed

pnpm.cmd run format:check
# passed

pre-commit hook during commit:
# pnpm check:rust passed with existing unused warnings
# pnpm type:check passed
# lint-staged passed

TDD: yes. The new workflow policy tests failed first against the github.token fallback and missing workflow_dispatch, then passed after updating release-please.yml.

Risk notes

  • AgentService, runtime, MCP, or schema impact: none.
  • database baseline or migration impact: none.
  • release or packaging impact: release PR updates now require RELEASE_PLEASE_TOKEN; missing token fails the Release Please workflow early with a clear message. Generated release metadata no longer requires code owner review solely for bot updates; release config, workflows, and release CI scripts remain owned.

Screenshots or recordings

Not applicable; CI policy change only.

Checklist

  • The PR title follows Conventional Commits and is valid for squash merge.
  • This PR is either ready for review or explicitly marked as a Draft PR.
  • I did not use [WIP] or similar title prefixes.
  • If AI materially assisted this PR, I disclosed the tools and scope and I personally reviewed every affected change.
  • I can explain the why, what, and how of this change without relying on an AI tool.
  • If this touches AgentService, runtime, MCP, or schema boundaries, there is an accepted RFC.
  • If this changes architecture or adds a new cross-boundary abstraction, there is an accepted RFC.
  • I ran pnpm test:pr for this code PR, or this is a docs-only change.
  • If I changed Rust behavior or tests, I reviewed pnpm test:coverage:rust or relied on CI coverage evidence.
  • If I changed desktop startup/window/search/popup/settings/E2E paths, I ran pnpm test:e2e locally or documented why CI is the first valid proof.
  • I added tests or explained why tests are not appropriate.
  • I updated docs when behavior changed.
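
The policy the summary describes, as an added TypeScript example (not the repository's test file or workflow): a text-level check that rejects a `github.token` fallback and a missing `workflow_dispatch` trigger. Both workflow snippets are constructed, the action reference and step layout are assumptions, and `releaseWorkflowViolations` is a hypothetical helper.

```typescript
// Added example: both workflow snippets are constructed, not the repository's release-please.yml.
const WEAK_WORKFLOW = `
on:
  push:
    branches: [main]
jobs:
  release-please:
    runs-on: ubuntu-latest
    steps:
      - uses: googleapis/release-please-action@v4
        with:
          token: \${{ secrets.RELEASE_PLEASE_TOKEN || github.token }}
`;

const HARDENED_WORKFLOW = `
on:
  push:
    branches: [main]
  workflow_dispatch:
jobs:
  release-please:
    runs-on: ubuntu-latest
    steps:
      - name: Require release token
        env:
          RELEASE_PLEASE_TOKEN: \${{ secrets.RELEASE_PLEASE_TOKEN }}
        run: test -n "$RELEASE_PLEASE_TOKEN" || { echo "RELEASE_PLEASE_TOKEN is not set"; exit 1; }
      - uses: googleapis/release-please-action@v4
        with:
          token: \${{ secrets.RELEASE_PLEASE_TOKEN }}
`;

// Hypothetical helper: a line-based policy check, not a YAML parser.
function releaseWorkflowViolations(workflow: string): string[] {
    const lines = workflow.split(/\r?\n/).filter((line) => !/^\s*#/.test(line));
    const tokenInputs = lines.filter((line) => /^\s*token:/.test(line));
    const violations: string[] = [];
    if (tokenInputs.length === 0) violations.push('no explicit token input');
    for (const line of tokenInputs) {
        // A fallback lets the run succeed with the workflow token when the secret is missing.
        if (/github\.token|secrets\.GITHUB_TOKEN/.test(line)) violations.push('token falls back to github.token');
        if (!/secrets\.RELEASE_PLEASE_TOKEN/.test(line)) violations.push('token is not RELEASE_PLEASE_TOKEN');
    }
    if (!lines.some((line) => /^\s+workflow_dispatch:/.test(line))) violations.push('no workflow_dispatch trigger');
    return violations;
}
```
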

@github-actions github-actions Bot added the area:ci CI, automation, or repository workflow changes label Jun 7, 2026
coderabbitai Bot commented Jun 7, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 843b440a-3318-480f-aab2-8018bb97eb03

📥 Commits

Reviewing files that changed from the base of the PR and between 104d11b and 8beba63.

📒 Files selected for processing (2)
  • .github/workflows/release-please.yml
  • apps/desktop/tests/ci/release-workflow-environments.test.ts
📜 Recent review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)
  • GitHub Check: CodeQL (javascript-typescript)
  • GitHub Check: CodeQL (rust)
  • GitHub Check: Frontend Tests
  • GitHub Check: Rust Checks
  • GitHub Check: Frontend Quality
  • GitHub Check: Desktop E2E Smoke (Windows)
🔇 Additional comments (2)
.github/workflows/release-please.yml (1)

9-9: LGTM!

Also applies to: 32-39, 48-48

apps/desktop/tests/ci/release-workflow-environments.test.ts (1)

15-23: LGTM!

Also applies to: 25-29


📝 Walkthrough

Summary by CodeRabbit

  • Tests

    • Added suites to verify CODEOWNERS policy for release artifacts and to validate the release workflow uses the dedicated token and supports manual triggers.
  • Chores

    • Clarified CODEOWNERS entries for release automation, excluding generated release artifacts and keeping release control files assigned to the designated owner.
    • Updated release workflow to require and use a dedicated release token.

Walkthrough

Removes the /release-please-manifest.json CODEOWNERS entry, adds clarifying comments, updates the release-please workflow to require secrets.RELEASE_PLEASE_TOKEN and support workflow_dispatch, and adds tests validating CODEOWNERS ownership and workflow token/dispatch settings.

Changes

Release automation CODEOWNERS & workflow

| Layer / File(s) | Summary |
| --- | --- |
| Update release automation CODEOWNERS policy: .github/CODEOWNERS | Removed /release-please-manifest.json entry and added comment lines clarifying release automation controls; /release-please-config.json remains assigned to @hiqiancheng. |
| Add CODEOWNERS policy validation tests: apps/desktop/tests/ci/release-codeowners-policy.test.ts | New Vitest helpers parse .github/CODEOWNERS and assert Release Please–generated artifacts are excluded while control files are matched by entries including @hiqiancheng. |
| Release workflow token and trigger changes: .github/workflows/release-please.yml | Added workflow_dispatch trigger, added a validation step requiring secrets.RELEASE_PLEASE_TOKEN, and passed that secret to the release-please action directly. |
| Add workflow environment tests: apps/desktop/tests/ci/release-workflow-environments.test.ts | Tests assert the workflow uses RELEASE_PLEASE_TOKEN (no github.token fallback) and includes workflow_dispatch for manual refresh. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • TouchAI-org/TouchAI#391: Related CODEOWNERS and Release Please configuration changes affecting release automation inputs and config ownership.

Poem

🐰 I nibble at lines where manifests hide,
Comments mark which files hop outside,
Tests nose through patterns, sniff and peep,
Tokens checked before the bot can leap,
Thump — the release path dreams safe in sleep.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title follows Conventional Commits format with 'ci:' prefix, clearly summarizes the main objective of keeping release PRs mergeable, and is concise and relevant to the changeset. |
| Description check | ✅ Passed | The PR description is comprehensive, covering summary, related issue, AI disclosure, testing evidence, risk assessment, and a completed checklist that aligns with the template requirements. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@apps/desktop/tests/ci/release-codeowners-policy.test.ts`:
- Around line 14-20: The parser function codeownerPatterns currently discards
owner identities by returning only patterns; change it to parse and return both
the pattern and its owners (e.g., return an array of objects like {pattern,
owners}) so tests can assert owner membership; update any test logic that calls
codeownerPatterns (and the assertions around release-control checks) to verify
that the matching CODEOWNERS entry for release-control files includes the
required owner string (e.g., '`@hiqiancheng`') rather than only checking pattern
coverage.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: b80a3506-1644-4ed4-af3c-9f2110a6509a

📥 Commits

Reviewing files that changed from the base of the PR and between c3d675e and d2cdf17.

📒 Files selected for processing (2)
  • .github/CODEOWNERS
  • apps/desktop/tests/ci/release-codeowners-policy.test.ts
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)
  • GitHub Check: Desktop E2E Smoke (Windows)
  • GitHub Check: CodeQL (rust)
  • GitHub Check: CodeQL (javascript-typescript)
  • GitHub Check: Rust Checks
  • GitHub Check: Frontend Quality
  • GitHub Check: Frontend Tests
🔇 Additional comments (1)
.github/CODEOWNERS (1)

10-11: LGTM!

Comment thread apps/desktop/tests/ci/release-codeowners-policy.test.ts Outdated

@coderabbitai coderabbitai Bot left a comment


♻️ Duplicate comments (1)
apps/desktop/tests/ci/release-codeowners-policy.test.ts (1)

40-45: 🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Implement last-match-wins semantics for CODEOWNERS ownership.

The function uses .some() to check if any matching entry includes @hiqiancheng, but CODEOWNERS semantics specify that when multiple patterns match the same path, the last matching pattern determines ownership. If overlapping rules are added later (e.g., a broader /apps/desktop/scripts/ @team after /apps/desktop/scripts/ci/ @hiqiancheng), this test could pass even though actual ownership has changed.

The past review suggested using .filter().at(-1) to retrieve the last matching entry. This ensures the test correctly validates that the effective owner (per CODEOWNERS semantics) is @hiqiancheng, preventing false positives in lines 67-71.

🔧 Apply the past review's suggested fix
+function ownersForPath(codeowners: string, path: string) {
+    const matches = codeownerEntries(codeowners).filter(({ pattern }) =>
+        patternMatchesPath(pattern, path)
+    );
+    return matches.at(-1)?.owners ?? [];
+}
+
 function ownedByMaintainer(codeowners: string, path: string) {
-    return codeownerEntries(codeowners).some(
-        ({ owners, pattern }) =>
-            patternMatchesPath(pattern, path) && owners.includes('`@hiqiancheng`')
-    );
+    return ownersForPath(codeowners, path).includes('`@hiqiancheng`');
 }
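
Review bot: In ownersForPath, matches.at(-1)?.owners ?? [] is only correct if codeownerEntries keeps pattern lines that list no owners, because CODEOWNERS uses such a line to clear ownership for a path; if the parser drops them, an earlier owned rule becomes the last match and the test passes for a path that is effectively unowned. Add a case with an owner-less override after an owned rule, and check that the literal passed to includes in ownedByMaintainer is '@hiqiancheng' without the backticks shown in '`@hiqiancheng`', which no owner token parsed from the file would equal.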
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/desktop/tests/ci/release-codeowners-policy.test.ts` around lines 40 -
45, The ownedByMaintainer helper currently uses .some() which checks any
matching entry, but CODEOWNERS uses last-match-wins; update ownedByMaintainer to
collect matching entries from codeownerEntries(...) using
patternMatchesPath(...) then pick the last match (e.g., .filter(...).at(-1) or
.filter(...).slice(-1)[0]) and return whether that last entry's owners includes
'`@hiqiancheng`'; reference the ownedByMaintainer function, codeownerEntries, and
patternMatchesPath when making the change.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@apps/desktop/tests/ci/release-codeowners-policy.test.ts`:
- Around line 40-45: The ownedByMaintainer helper currently uses .some() which
checks any matching entry, but CODEOWNERS uses last-match-wins; update
ownedByMaintainer to collect matching entries from codeownerEntries(...) using
patternMatchesPath(...) then pick the last match (e.g., .filter(...).at(-1) or
.filter(...).slice(-1)[0]) and return whether that last entry's owners includes
'`@hiqiancheng`'; reference the ownedByMaintainer function, codeownerEntries, and
patternMatchesPath when making the change.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 4a1300a7-c6a7-4a8e-a08b-47b3eab4461e

📥 Commits

Reviewing files that changed from the base of the PR and between d2cdf17 and c9cc65a.

📒 Files selected for processing (1)
  • apps/desktop/tests/ci/release-codeowners-policy.test.ts
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)
  • GitHub Check: Desktop E2E Smoke (Windows)
  • GitHub Check: Rust Checks
  • GitHub Check: Frontend Tests
  • GitHub Check: Frontend Quality
  • GitHub Check: CodeQL (javascript-typescript)
  • GitHub Check: CodeQL (rust)
🔇 Additional comments (5)
apps/desktop/tests/ci/release-codeowners-policy.test.ts (5)

1-12: LGTM!


14-24: LGTM!


26-34: LGTM!


36-38: LGTM!


48-62: LGTM!
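
The last-match-wins point from the review above, as an added TypeScript example (not the repository's test code): the same constructed CODEOWNERS text evaluated with an any-match check and with the effective-owner check. The helper names follow the ones quoted in the review but the bodies are written here; the matcher is a simplified assumption (root-anchored directory or exact-file patterns only), and the sample paths are constructed.

```typescript
interface CodeownerEntry { pattern: string; owners: string[] }

// Constructed CODEOWNERS text: a broader rule and an owner-less rule follow the specific ones.
const SAMPLE_CODEOWNERS = `
# Release automation controls
/release-please-config.json @hiqiancheng
/apps/desktop/scripts/ci/ @hiqiancheng
/apps/desktop/scripts/ @team
/docs/ @hiqiancheng
/docs/generated/
`;

// Keeps entries that list no owners; such a line clears ownership for its pattern.
function codeownerEntries(codeowners: string): CodeownerEntry[] {
    const entries: CodeownerEntry[] = [];
    for (const raw of codeowners.split(/\r?\n/)) {
        const line = raw.trim();
        if (line === '' || line.charAt(0) === '#') continue;
        const parts = line.split(/\s+/);
        entries.push({ pattern: parts[0] ?? '', owners: parts.slice(1) });
    }
    return entries;
}

// Simplified matcher (assumption): root-anchored patterns only, "dir/" or an exact file; no globs.
function patternMatchesPath(pattern: string, path: string): boolean {
    const anchored = pattern.replace(/^\//, '');
    return /\/$/.test(anchored) ? path.indexOf(anchored) === 0 : path === anchored;
}

// Effective owners: the last matching entry decides.
function ownersForPath(codeowners: string, path: string): string[] {
    const matches = codeownerEntries(codeowners).filter((e) => patternMatchesPath(e.pattern, path));
    const last = matches[matches.length - 1];
    return last ? last.owners : [];
}

// The any-match check the review flags: true as soon as one matching entry lists the owner.
function anyMatchOwnedBy(codeowners: string, path: string, owner: string): boolean {
    return codeownerEntries(codeowners).some(
        (e) => patternMatchesPath(e.pattern, path) && e.owners.indexOf(owner) !== -1
    );
}

function effectivelyOwnedBy(codeowners: string, path: string, owner: string): boolean {
    return ownersForPath(codeowners, path).indexOf(owner) !== -1;
}
```
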

coderabbitai Bot previously approved these changes Jun 7, 2026
@hiqiancheng hiqiancheng changed the title from "ci: keep release PR metadata mergeable" to "ci: keep release PRs mergeable" Jun 8, 2026
@hiqiancheng hiqiancheng added this pull request to the merge queue Jun 8, 2026
Merged via the queue into main with commit 39a1e58 Jun 8, 2026
27 checks passed
@hiqiancheng hiqiancheng deleted the fix/release-please-merge-policy branch June 8, 2026 02:43