COG-3546: Initial release pipeline #1883

Merged
Vasilije1990 merged 2 commits into dev from ci_release_pipeline
Dec 15, 2025

Conversation

@pazone pazone commented Dec 11, 2025

Description

Inputs:

flavour: dev or main
test_mode: Boolean. Aka Dry Run. If true, it won't affect public indices or repositories

Jobs

  • Create GitHub Release
  • Release PyPI Package
  • Release Docker Image

Test run

Screenshot 2025-12-12 at 14 31 06

Create GitHub Release

Gets the version from pyproject.toml
Creates a tag and release based on the version. The version in pyproject.toml must be already correct!
If the version is not updated and the tag already exists, the process will have no effect and will fail.

Test release was deleted. Here is the screenshot:
Screenshot 2025-12-12 at 14 19 06

Release PyPI Package

Publishes the dist artifacts to pypi.org. If test_mode is enabled, it will publish to test.pypi.org (example). That's how I tested it.

Release Docker Image

IMPORTANT!
Builds the image and tags it with the version from pyproject.toml. For example:

  • cognee/cognee:0.5.1.dev0
  • cognee/cognee:0.5.1

ONLY main flavor adds the latest tag! If a user does docker pull cognee/cognee:latest, the latest main release image will be pulled.

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update
  • Code refactoring
  • Performance improvement
  • Other (please specify): CI

Screenshots/Videos (if applicable)

Pre-submission Checklist

  • I have tested my changes thoroughly before submitting this PR
  • This PR contains minimal changes necessary to address the issue/feature
  • My code follows the project's coding standards and style guidelines
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if applicable)
  • All new and existing tests pass
  • I have searched existing PRs to ensure this change hasn't been submitted already
  • I have linked any relevant issues in the description
  • My commits have clear and descriptive messages

DCO Affirmation

I affirm that all code in every commit of this pull request conforms to the terms of the Topoteretes Developer Certificate of Origin.

Summary by CodeRabbit

  • Chores
    • Added an automated release pipeline that creates versioned GitHub releases, publishes Python packages to TestPyPI/PyPI, and builds/pushes Docker images.
    • Supports selectable dev/main flavors, includes flavor-specific image tagging and labels, wires version/tag outputs for downstream steps, and offers a test-mode dry run that skips external publishing.
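
The release rules stated in the description above (version read from pyproject.toml, an existing tag fails the run, test_mode redirects publishing, only main adds latest), as an added shell example that is not the workflow's own code. The function names, the `v` tag prefix, the output keys and the sample pyproject.toml are assumptions.

```shell
# Added example: release decisions as the PR description states them.
# Function names, the "v" tag prefix and the sample file are assumptions.

# Print the version from the [project] table only, ignoring "version"
# keys that belong to other tables.
project_version() {
  awk '
    /^\[/ { in_project = ($0 ~ /^\[project\][ \t]*$/) }
    in_project && /^version[ \t]*=/ {
      gsub(/^[^"]*"|".*$/, "")   # strip key, quotes and any trailing comment
      print; found = 1; exit
    }
    END { if (!found) exit 1 }
  ' "$1"
}

# Arguments: pyproject path, flavour (dev|main), test_mode (true|false),
# existing tags one per line (for example the output of `git tag -l`).
release_plan() {
  pyproject=$1; flavour=$2; test_mode=$3; existing_tags=$4
  case $flavour in
    dev|main) ;;
    *) echo "error: flavour must be dev or main" >&2; return 2 ;;
  esac
  case $test_mode in
    true|false) ;;
    *) echo "error: test_mode must be true or false" >&2; return 2 ;;
  esac
  version=$(project_version "$pyproject") || {
    echo "error: no version in [project]" >&2; return 3
  }
  tag="v$version"
  # An existing tag means the version was not bumped: fail, never move it.
  if printf '%s\n' "$existing_tags" | grep -Fxq -- "$tag"; then
    echo "error: tag $tag already exists" >&2
    return 4
  fi
  # Only the main flavour may move the floating "latest" tag.
  images="cognee/cognee:$version"
  if [ "$flavour" = main ]; then images="$images cognee/cognee:latest"; fi
  printf 'tag=%s\nimages=%s\n' "$tag" "$images"
  if [ "$test_mode" = true ]; then
    # Test mode still publishes the package, but to the test index.
    printf 'push_tag=false\nindex=test.pypi.org\npush_image=false\n'
  else
    printf 'push_tag=true\nindex=pypi.org\npush_image=true\n'
  fi
}

# Constructed sample input, not the project's real pyproject.toml.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
[tool.example]
version = "9.9.9"

[project]
name = "cognee"
version = "0.5.1"  # constructed
EOF

release_plan "$SAMPLE" main false "v0.5.0"
release_plan "$SAMPLE" dev true "v0.5.0"
release_plan "$SAMPLE" main false "v0.5.1" || echo "refused with status $?"
```

The third call is refused because the tag for the unchanged version already exists, which is the failure the description warns about.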

@pull-checklist

Please make sure all the checkboxes are checked:

  • I have tested these changes locally.
  • I have reviewed the code changes.
  • I have added end-to-end and unit tests (if applicable).
  • I have updated the documentation and README.md file (if necessary).
  • I have removed unnecessary code and debug statements.
  • PR title is clear and follows the convention.
  • I have tagged reviewers or team members for feedback.

coderabbitai bot commented Dec 11, 2025

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Adds a new GitHub Actions workflow at .github/workflows/release.yml implementing a configurable release pipeline with inputs flavour and test_mode, and three jobs to create GitHub releases, build/publish Python packages, and build/push Docker images, wiring tag/version outputs between jobs.

Changes

| Cohort / File(s) | Summary |
|---|---|
| GitHub Actions Release Workflow: .github/workflows/release.yml | Adds a release workflow with inputs flavour (dev/main) and test_mode (boolean). Introduces three jobs: release-github (checkout, install uv, create version tag, output tag/version, optional tag push, create GitHub release), release-pypi-package (checkout, install uv, setup Python, build dists, publish to TestPyPI or PyPI depending on test_mode), and release-docker-image (checkout, setup Buildx, Docker login, build images with flavour-specific tags/labels and caching, optionally push images). Uses uv for versioning and conditions to skip pushes when testing. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

  • Verify conditional logic for tag push, PyPI endpoint selection, and Docker push behavior.
  • Confirm tag/version outputs propagate correctly between jobs and steps using uv.
  • Inspect Docker Buildx setup, cache usage, and image tag/label generation for dev vs main.
  • Validate authentication and secrets usage for PyPI and Docker publish steps.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description check | ✅ Passed | The description provides substantial details about the release pipeline, its inputs, all three jobs with implementation details, examples, and test evidence, though the pre-submission checklist remains largely unchecked. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Title check | ✅ Passed | The title 'COG-3546: Initial release pipeline' directly and clearly describes the main change—adding a complete release pipeline with GitHub Actions workflows for releases, PyPI publishing, and Docker image builds. |

@pazone pazone force-pushed the ci_release_pipeline branch from 44a4b58 to f277ad6 Compare December 12, 2025 13:38
@pazone pazone changed the base branch from dev to main December 12, 2025 13:59
@pazone pazone changed the base branch from main to dev December 12, 2025 14:00
gitguardian bot commented Dec 12, 2025

️✅ There are no secrets present in this pull request anymore.

If these secrets were true positive and are still valid, we highly recommend you to revoke them.
While these secrets were previously flagged, we no longer have a reference to the
specific commits where they were detected. Once a secret has been leaked into a git
repository, you should consider it compromised, even if it was deleted immediately.
Find here more information about risks.


Copilot AI left a comment

Pull request overview

This PR introduces a new GitHub Actions workflow for automating releases across multiple platforms. The workflow supports both dev and main release flavors with an optional test mode (dry run) to prevent publishing to production indices during testing.

Key changes:

  • Adds a manual workflow dispatch trigger with configurable flavor (dev/main) and test_mode inputs
  • Implements three dependent jobs: GitHub release creation, PyPI package publishing, and Docker image building
  • Configures conditional logic to route test releases to test.pypi.org and prevent production pushes during dry runs

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

🧹 Nitpick comments (1)
.github/workflows/release.yml (1)

59-65: Consider updating the softprops/action-gh-release action to a newer version.

The action is pinned to @v1, which is significantly outdated. Updating to v2 or later would benefit from security patches and Node.js runtime improvements.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 127d986 and 9ead1e5.

📒 Files selected for processing (1)
  • .github/workflows/release.yml (1 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
.github/**

⚙️ CodeRabbit configuration file

.github/**: * When the project is hosted on GitHub: All GitHub-specific configurations, templates, and tools should be found in the '.github' directory tree.

  • 'actionlint' erroneously generates false positives when dealing with GitHub's ${{ ... }} syntax in conditionals.
  • 'actionlint' erroneously generates incorrect solutions when suggesting the removal of valid ${{ ... }} syntax.

Files:

  • .github/workflows/release.yml
🪛 actionlint (1.7.9)
.github/workflows/release.yml

60-60: the runner of "softprops/action-gh-release@v1" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🔇 Additional comments (4)
.github/workflows/release.yml (4)

1-16: Workflow inputs and configuration look good.

Clear setup with sensible defaults (test_mode defaults to true for safety).


19-34: Job structure and permissions are appropriate.

The permissions block correctly grants contents:write for tag creation, and the checkout/uv setup is standard.


67-87: PyPI job setup is correct.

Permissions and dependency declaration are appropriate.


104-124: Docker job setup is correct.

Permissions and Docker authentication setup are appropriate.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

♻️ Duplicate comments (4)
.github/workflows/release.yml (4)

24-25: Permissions blocks are properly scoped.

All jobs now have explicit permissions declarations following the principle of least privilege. This addresses the previous security warnings.

Also applies to: 70-71, 107-108


52-57: Shell syntax is correct.

The if/else/fi structure is properly formatted and the conditional logic for tag creation is sound.


92-102: PyPI publish conditions are correct.

Both TestPyPI and PyPI publish steps are now gated by ${{ !inputs.test_mode }}, ensuring they only execute for production releases.


126-154: Docker image push conditions are properly configured.

Both dev and main image builds now use push: ${{ !inputs.test_mode }}, ensuring images are only published for production releases.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9ead1e5 and 7930388.

📒 Files selected for processing (1)
  • .github/workflows/release.yml (1 hunks)
🔇 Additional comments (1)
.github/workflows/release.yml (1)

1-23: Workflow inputs and job structure are well-designed.

The workflow properly uses workflow_dispatch inputs for flavour and test_mode, with appropriate defaults and descriptions. The job dependency chain (release-github → release-pypi-package and release-docker-image) ensures sequential execution and proper output propagation.

@pazone pazone force-pushed the ci_release_pipeline branch from 7930388 to 14ff94f Compare December 12, 2025 16:09

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 4

♻️ Duplicate comments (1)
.github/workflows/release.yml (1)

1-26: (Optional) Add a top-level permissions: as a secure default.

You already set job-level permissions, which is good; adding workflow-level defaults prevents future jobs from accidentally getting broad permissions.

 name: release.yml
+permissions:
+  contents: read
 on:
   workflow_dispatch:
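
Review bot: the default added above `on:` grants only `contents: read`, so a job added later without its own `permissions:` block will not be able to push tags or create releases. Say so in a comment next to the new block, and confirm that the job creating the tag still declares `contents: write` at job level, as the earlier review round noted.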

Also applies to: 67-72, 104-109

🧹 Nitpick comments (1)
.github/workflows/release.yml (1)

1-17: Rename workflow display name (optional) to avoid “.yml” noise (current name: release.yml).

-name: release.yml
+name: Release
📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7930388 and 14ff94f.

📒 Files selected for processing (1)
  • .github/workflows/release.yml (1 hunks)

@pazone pazone changed the title Initial release pipeline COG-3546: Initial release pipeline Dec 12, 2025

release-docker-image:
  needs: release-github
  name: Release Docker Image from ${{ inputs.flavour }}
Contributor

We could split these two into two separate workflows for easier maintenance. We can get the cognee version in the same way we get it in release-github so we don't have to depend on it.

Contributor Author

Do you mean split by flavour or put release-github and release-docker-image to separate workflows?

test_mode:
  required: true
  type: boolean
  description: Aka Dry Run. If true, it won't affect public indices or repositories
Contributor

Why not call it dry-run since it is dry run already?

Contributor Author

Also thought about it. PyPI release actually publishes the artifacts in test mode, but to the test registry. So it's not a pure dry run.

@Vasilije1990 Vasilije1990 merged commit 6b86f42 into dev Dec 15, 2025
111 of 116 checks passed