jrmatherly/release
.claude/skills/release/SKILL.md
Guide the GitHub Actions release flow — version bump, tag push, verify CI, publish draft
testing
Updated Apr 16, 2026
$ install --global
skillsauthnpx skillsauth add jrmatherly/1dev releaseInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 2:21 PM4.5s1 file scanned
SKILL.md
- name:
- release
- description:
- Guide the GitHub Actions release flow — version bump, tag push, verify CI, publish draft
- disable-model-invocation:
- true
Release Checklist
Walk through each step, verifying success before proceeding. The canonical release documentation is at docs/operations/release.md.
1. Version Bump
npm version patch --no-git-tag-version # or minor / major
Read package.json to confirm the new version number.
2. Commit + Tag + Push
git add package.json bun.lock
git commit -m "chore: bump version to v0.0.XX"
git tag -a v0.0.XX -m "v0.0.XX" # annotated tag (required for --follow-tags)
git push origin main v0.0.XX # push branch AND tag explicitly
The push: tags: ['v*'] trigger in .github/workflows/release.yml fires automatically.
Gotcha — lightweight tags vs --follow-tags: git tag v0.0.XX (no -a) creates a lightweight tag. git push --follow-tags only pushes annotated tags, so lightweight tags get left behind locally — the commit hits main, but the workflow never fires because the tag isn't on the remote. Two safe patterns:
- Use
git tag -a v0.0.XX -m "v0.0.XX"to create an annotated tag, OR - Push the tag explicitly by name:
git push origin main v0.0.XX
If you accidentally run git push --follow-tags with a lightweight tag, fix it with git push origin v0.0.XX — the workflow picks it up as soon as the tag lands on the remote.
Verify the tag hit the remote before assuming CI fired:
git ls-remote --tags origin v0.0.XX # should print the SHA + refs/tags/v0.0.XX
gh run list --workflow=release.yml --limit 1 # should show the queued run
3. Monitor CI
gh run list --workflow=release.yml --limit 3
gh run watch <run-id> --exit-status
The workflow builds installers on macos-15, Ubuntu, and Windows in parallel, then publishes a draft GitHub Release with all artifacts.
4. Review + Publish
Go to Releases, find the draft, review the artifacts and auto-generated notes, then click Publish release (or use CLI):
gh release edit v0.0.XX --draft=false
Once published, electron-updater's GitHub provider will see the release and offer auto-updates to installed users.
Manual Dispatch (for re-releases or testing)
gh workflow run release.yml --ref main --field version=v0.0.XX
The tag must already exist.
Important Notes
- First iteration releases are UNSIGNED — macOS users need
xattr -rd com.apple.quarantine /Applications/1Code.appafter install. Code signing is tracked as a roadmap item. - v0.0.72 users must manually reinstall — older installs have the dead CDN provider baked in and cannot auto-update. See release.md "First Release After Pipeline Migration" section.
- Beta channel is disabled —
auto-updater.tsis locked to "latest" channel. Beta support requiresgenerateUpdatesFilesForAllChannels: truein the electron-builder config.
See docs/operations/release.md for the full runbook including troubleshooting, code-signing plan, and the complete artifact table.
Related Skills
jrmatherly/verify-strategy-compliance
development
VerifiedTrustedCommunity
Background knowledge for AI agents before editing any file that handles authentication tokens or spawn environment variables in the 1Code enterprise fork. Triggers when touching src/main/lib/trpc/routers/claude.ts, claude-code.ts, claude/env.ts, feature-flags.ts, or claude-token.ts. Reminds the agent to consult the frozen Envoy Gateway strategy doc (auth-strategy-envoy-gateway.md v2.1) sections that impose hard rules on credential handling.
SKILL.mdUpdated Apr 16, 2026
jrmatherly/verify-pin
tools
VerifiedTrustedCommunity
Background knowledge for safely bumping the pinned versions of Claude CLI binary, Codex CLI binary, Electron, Vite, Tailwind, or Shiki in this repo. Each pin is load-bearing for a different reason — this skill encodes the per-pin rationale and the regression test that must pass before the bump can land. Use proactively whenever editing package.json, scripts/download-claude-binary.mjs, scripts/download-codex-binary.mjs, or any file that mentions these versions. Claude-only (background knowledge, not user-invocable).
SKILL.mdUpdated Apr 16, 2026
jrmatherly/upstream-boundary-check
development
VerifiedTrustedCommunity
Use when reading or writing any file under src/renderer/ that calls remoteTrpc.* or fetch(${apiUrl}/...). Verifies the call site is documented in docs/enterprise/upstream-features.md and warns if a new upstream-backend dependency is being introduced without a corresponding F-entry. This skill enforces the enterprise-fork posture documented in CLAUDE.md.
SKILL.mdUpdated Apr 16, 2026
jrmatherly/session-sync
development
VerifiedTrustedCommunity
End-of-task sync — update CLAUDE.md, rebuild code graph, sync Serena memories, check roadmap drift, and commit. Run after completing any significant work to ensure all drift surfaces are current.
SKILL.mdUpdated Apr 16, 2026