ci: release-please PR 검증을 CI 사이클 내로 통합

기존 흐름은 master push 시 ci.yml과 release-please.yml이 병렬로 돌면서 release-please가 만든 PR에는 GITHUB_TOKEN 정책상 외부 CI가 자동 트리거되지 않아 PR 검증이 누락되는 비대칭이 있었다. solapi/solactl이 사용 중인 패턴을 따라 release-please를 CI 완료 후 직렬화하고, 같은 워크플로 안에서 PR head를 다시 빌드·테스트해 commit status로 보고한다. - workflow_run["CI"] 트리거로 변경 (CI 성공 후에만 실행) - release-please job에 outputs로 release_created·tag_name·pr_head_sha 노출 - unit-test-release-pr matrix job 추가: release PR head 체크아웃 후 ci.yml과 동일한 PHP 7.1~8.5 매트릭스로 unit test - 결과를 repos/{repo}/statuses/{sha} API로 commit status 등록 (외부 CI 자동 트리거가 없는 release-please PR에서도 PR 화면에 검증 결과 표시되도록) - 워크플로 인젝션 방지를 위해 모든 표현식을 env 경유로 셸에 전달 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
solapi · Palbahngmiyine · May 11, 2026 · May 11, 2026 · baa66b13823352178ee37c32d22a695c1d8fb812
commit baa66b13823352178ee37c32d22a695c1d8fb812
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
@@ -1,21 +1,141 @@
 name: release-please
 
 on:
-  push:
-    branches:
-      - master
+  workflow_run:
+    workflows: ["CI"]
+    branches: [master]
+    types: [completed]
 
 permissions:
   contents: write
   pull-requests: write
+  statuses: write
 
 jobs:
   release-please:
     name: Run release-please
+    if: ${{ github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'push' }}
     runs-on: ubuntu-latest
+    outputs:
+      release_created: ${{ steps.release.outputs.release_created }}
+      tag_name: ${{ steps.release.outputs.tag_name }}
+      pr_head_sha: ${{ steps.pr-sha.outputs.sha }}
     steps:
       - name: Run release-please
+        id: release
         uses: googleapis/release-please-action@v4
         with:
           config-file: .github/release-please-config.json
           manifest-file: .github/.release-please-manifest.json
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Get release-please PR head SHA
+        id: pr-sha
+        if: ${{ !steps.release.outputs.release_created }}
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_REPO: ${{ github.repository }}
+        run: |
+          set -euo pipefail
+          SHA=$(gh pr list \
+            --repo "$GH_REPO" \
+            --head release-please--branches--master \
+            --state open \
+            --json headRefOid \
+            --jq '.[0].headRefOid // ""')
+          echo "sha=$SHA" >> "$GITHUB_OUTPUT"
+
+  unit-test-release-pr:
+    name: Unit (Release PR) / PHP ${{ matrix.php }}
+    needs: release-please
+    if: ${{ !needs.release-please.outputs.release_created && needs.release-please.outputs.pr_head_sha != '' }}
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        php: ["7.1", "7.2", "7.3", "7.4", "8.0", "8.1", "8.2", "8.3", "8.4", "8.5"]
+    env:
+      PHP_VERSION: ${{ matrix.php }}
+      SHA: ${{ needs.release-please.outputs.pr_head_sha }}
+      REPO: ${{ github.repository }}
+    steps:
+      - name: Set pending commit status
+        continue-on-error: true
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh api "repos/$REPO/statuses/$SHA" \
+            -f state=pending \
+            -f context="Unit / PHP $PHP_VERSION" \
+            -f description="Running unit tests..."
+
+      - name: Checkout release-please PR head
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ needs.release-please.outputs.pr_head_sha }}
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: ${{ matrix.php }}
+          extensions: json, mbstring
+          coverage: none
+          tools: composer:v2
+
+      - name: Determine PHPUnit constraint
+        id: phpunit
+        run: |
+          case "$PHP_VERSION" in
+            7.1|7.2) echo "constraint=^7.5" >> "$GITHUB_OUTPUT" ;;
+            *)       echo "constraint=^9.5" >> "$GITHUB_OUTPUT" ;;
+          esac
+
+      - name: Resolve Composer cache directory
+        id: composer-cache
+        run: echo "dir=$(composer config cache-files-dir)" >> "$GITHUB_OUTPUT"
+
+      - name: Cache Composer dependencies
+        uses: actions/cache@v4
+        with:
+          path: ${{ steps.composer-cache.outputs.dir }}
+          key: composer-${{ matrix.php }}-${{ steps.phpunit.outputs.constraint }}-${{ hashFiles('composer.json') }}
+          restore-keys: |
+            composer-${{ matrix.php }}-${{ steps.phpunit.outputs.constraint }}-
+            composer-${{ matrix.php }}-
+
+      - name: Allow legacy PHPUnit on PHP 7.1/7.2
+        if: matrix.php == '7.1' || matrix.php == '7.2'
+        run: composer config --no-plugins audit.block-insecure false || true
+
+      - name: Pin PHPUnit constraint
+        env:
+          PHPUNIT_CONSTRAINT: ${{ steps.phpunit.outputs.constraint }}
+        run: composer require --dev --no-update --no-interaction "phpunit/phpunit:$PHPUNIT_CONSTRAINT"
+
+      - name: Install dependencies
+        env:
+          COMPOSER_NO_AUDIT: "1"
+        run: composer update --prefer-dist --no-interaction --no-progress
+
+      - name: Run unit tests
+        run: composer test:unit
+
+      - name: Report success commit status
+        if: success()
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh api "repos/$REPO/statuses/$SHA" \
+            -f state=success \
+            -f context="Unit / PHP $PHP_VERSION" \
+            -f description="Unit tests passed"
+
+      - name: Report failure commit status
+        if: failure()
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh api "repos/$REPO/statuses/$SHA" \
+            -f state=failure \
+            -f context="Unit / PHP $PHP_VERSION" \
+            -f description="Unit tests failed"