// Activate when user asks to release, bump version, cut a release, merge to main, or tag a version. Handles version bumping (semver), CHANGELOG updates, PR merging, git tagging, and GitHub release creation.
Activate when a subagent completes work and needs continuation check. Activate when a task finishes to determine next steps or when detecting work patterns in user messages. Governs automatic work continuation and queue management.
Activate when user asks to commit, push changes, create a PR, open a pull request, or submit changes for review. Activate when process skill reaches commit or PR phase. Provides commit message formatting and PR structure. PRs default to dev branch, not main. Works with git-privacy skill.
Orchestrate the end-to-end development workflow with autonomous quality gates. Use when users ask to implement/run workflow phases, start or continue development, handle review/QA findings, or process actionable comments by routing through create-work-items -> plan-work-items -> run-work-items. Enforces TDD by default for implementation work and only pauses for genuine decisions.
Create and classify typed work items (epic, story, feature, bug, finding, work-item) in the configured tracking backend. Use when users ask to create/capture work or when actionable findings/comments are discovered from review, PR feedback, QA, regressions, or defect reports.
Plan and prioritize existing typed work items with dependency and hierarchy validation. Use when users ask to sequence work, when new actionable findings/comments were captured, or when blockers/dependencies changed before execution.
Activate when user needs coordination, story breakdown, task delegation, or progress tracking. Activate when the pm skill is requested or work requires planning before implementation. PM coordinates specialists but does not implement.
| name | release |
| description | Activate when user asks to release, bump version, cut a release, merge to main, or tag a version. Handles version bumping (semver), CHANGELOG updates, PR merging, git tagging, and GitHub release creation. |
| category | process |
| scope | development |
| subcategory | release |
| tags | ["release","versioning","changelog","github"] |
| version | 10.2.18 |
| author | Karsten Samaschke |
| contact-email | karsten@vanillacore.net |
| website | https://vanillacore.net |
Handles the complete release workflow: version bump, CHANGELOG, merge, tag, and GitHub release.
Use this skill when the request requires release-specific git/version actions.
Use this skill when prompts include:
major/minor/patch) and update changelog for releasemainDo not use this skill for:
dev (use commit-pr)| Test ID | Type | Prompt / Condition | Expected Result |
|---|---|---|---|
| RLS-T1 | Positive trigger | "Cut a patch release and tag it" | skill triggers |
| RLS-T2 | Positive trigger | "Merge this release PR to main and publish notes" | skill triggers |
| RLS-T3 | Negative trigger | "Create a PR to dev for this feature" | skill does not trigger |
| RLS-T4 | Negative trigger | "Explain release strategy options" | skill does not trigger |
| RLS-T5 | Behavior | skill triggered for release flow | enforces release gates, worktree/branch policy, and explicit approval for non-draft publish |
| RLS-T6 | Behavior | missing autonomy.system_level in user ica.config.json | asks user, persists autonomy.system_level, then proceeds |
| RLS-T7 | Behavior | missing autonomy.project_level in project ica.config.json | asks user, persists autonomy.project_level, then proceeds |
| RLS-T8 | Behavior | project autonomy is follow-system | resolves effective autonomy and applies it to release confirmation behavior |
| RLS-T9 | Behavior | release PR missing ICA-REVIEW-RECEIPT | runs post-PR review loop, refreshes receipt for current head SHA, then re-checks gates |
| RLS-T10 | Behavior | release PR missing ICA-SECURITY-REVIEW-RECEIPT | runs post-PR security loop, refreshes receipt for current head SHA, then re-checks gates |
| RLS-T11 | Behavior | release PR has no required checks configured | treats checks gate as pass-with-note (no required checks configured) |
| RLS-T12 | Behavior | release flow reaches merge gate | requires current review+security receipts and checks result before merge |
| RLS-T13 | Behavior | security receipt missing dedicated-subagent verification fields | fails release merge gate and requires refreshed verified security receipt |
Resolve autonomy settings from ica.config.json hierarchy (not tracking config):
${ICA_HOME}/ica.config.json$HOME/.codex/ica.config.json$HOME/.claude/ica.config.json./ica.config.jsonRequired keys:
autonomy.system_level: L1 | L2 | L3 (default L2)autonomy.project_level: follow-system | L1 | L2 | L3 (default follow-system)Bootstrap prompts (if missing):
autonomy.system_level missing:
L2 (recommended), L1, or L3?"ica.config.jsonautonomy.project_level missing:
follow-system (recommended), L1, L2, or L3?"ica.config.jsonCompatibility:
autonomy.level exists and autonomy.system_level is missing, treat legacy value as system level for this run and persist it as autonomy.system_level.Effective level:
project_level is L1/L2/L3, use project levelproject_level is follow-system, use system levelEffective-level behavior for release:
L1: require explicit confirmation for each release transition (version bump commit, PR merge, tag, publish)L2: standard release flow; explicit confirmation remains mandatory for larger-change release actionsL3: automate mechanical release actions when gates pass and release automation is enabled, while still requiring explicit approval for non-draft publishThis skill does NOT require GitHub "auto-merge" (gh pr merge --auto).
When automation is enabled, the agent performs the merge itself (runs gh pr merge) once the merge gates pass.
Before releasing:
validate checks pass for release scopegit.worktree_branch_behavior)autonomy.system_level + autonomy.project_level)Read git.worktree_branch_behavior from ica.config.json hierarchy.
Allowed values:
always_newaskcurrent_branchIf missing:
ica.config.jsonRelease enforcement:
always_new, use a dedicated release worktree + branch before release actionsask, ask before release actions and follow responsecurrent_branch, release remains a larger-change flow and requires explicit confirmationPre-release gate:
mainPre-tag gate:
main is up to date and cleanPre-publish gate:
Fail-closed behavior:
These controls are driven by workflow configuration (AgentTask workflow.* and ica.workflow.json):
workflow.auto_merge=true: standing approval to merge PRs once gates passworkflow.release_automation=true: automate the mechanical release steps (tag + GitHub release creation)Safety defaults:
main unless the user explicitly requested a release workflow.Autonomy-level enforcement:
L1: pause for explicit user confirmation at each release transition.L2: continue routine release steps after gates pass; keep explicit confirmations for larger-change actions.L3: may proceed through gated release steps automatically when workflow settings allow, but must still respect explicit-approval rules above.Before merge, release flow must verify receipts/checks for the current release PR head SHA.
If any receipt/check gate fails:
security-best-practicessecurity-engineer for high-risk/complex findingsRequired receipt outcomes for current head SHA:
ICA-REVIEW-RECEIPT: Findings: 0, Result: PASSICA-SECURITY-REVIEW-RECEIPT: Findings: 0, Result: PASS, and:
Security-Reviewer-Stage: post-pr (temp checkout)Security-Reviewer-Agent: ... (subagent)Security-Reviewer-Execution: dedicated-security-subagentSecurity-Reviewer-Executor: github:<login>Security-Reviewer-Run-ID: <non-empty run id>Security-Reviewer-ExecutorChecks behavior:
no required checks configured and treat checks gate as pass-with-note.# Check PR status
gh pr status
# Verify PR is approved
gh pr view <PR-number> --json reviews
# Verify checks pass
CHECKS_OUTPUT=$(gh pr checks <PR-number> 2>&1 || true)
if echo "$CHECKS_OUTPUT" | rg -q "no checks reported"; then
echo "No required checks configured; checks gate = pass-with-note."
else
echo "$CHECKS_OUTPUT"
fi
# Verify this is a release PR (base should be main)
gh pr view <PR-number> --json baseRefName --jq .baseRefName
# Verify reviewer Stage 3 receipt exists (ICA-REVIEW-RECEIPT) and matches current head SHA
PR=<PR-number>
HEAD_SHA=$(gh pr view "$PR" --json headRefOid --jq .headRefOid)
RECEIPT=$(gh pr view "$PR" --json comments --jq '.comments | map(select(.body | contains("ICA-REVIEW-RECEIPT"))) | last | .body // ""')
echo "$RECEIPT" | rg -q "Reviewer-Stage: 3 \\(temp checkout\\)"
echo "$RECEIPT" | rg -q "Head-SHA: $HEAD_SHA"
echo "$RECEIPT" | rg -q "Result: PASS"
# Verify security review receipt exists (ICA-SECURITY-REVIEW-RECEIPT) and matches current head SHA
SEC_RECEIPT=$(gh pr view "$PR" --json comments --jq '.comments | map(select(.body | contains("ICA-SECURITY-REVIEW-RECEIPT"))) | last | .body // ""')
echo "$SEC_RECEIPT" | rg -q "Security-Reviewer-Stage: post-pr \\(temp checkout\\)"
echo "$SEC_RECEIPT" | rg -q "Security-Reviewer-Agent:.*\\(subagent\\)"
echo "$SEC_RECEIPT" | rg -q "Security-Reviewer-Execution: dedicated-security-subagent"
echo "$SEC_RECEIPT" | rg -q "^Security-Reviewer-Run-ID: [A-Za-z0-9._:-][A-Za-z0-9._:-]*$"
echo "$SEC_RECEIPT" | rg -q "Head-SHA: $HEAD_SHA"
echo "$SEC_RECEIPT" | rg -q "Result: PASS"
SEC_EXECUTOR=$(echo "$SEC_RECEIPT" | sed -n 's/^Security-Reviewer-Executor: github:\\(.*\\)$/\\1/p' | head -n1)
SEC_AUTHOR=$(gh pr view "$PR" --json comments --jq '.comments | map(select(.body | contains("ICA-SECURITY-REVIEW-RECEIPT"))) | last | .author.login // ""')
test -n "$SEC_EXECUTOR"
[ "$SEC_AUTHOR" = "$SEC_EXECUTOR" ]
PR=<PR-number>
HEAD_SHA=$(gh pr view "$PR" --json headRefOid --jq .headRefOid)
BASE_BRANCH=$(gh pr view "$PR" --json baseRefName --jq .baseRefName)
DATE_UTC=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
SEC_REVIEWER=$(gh api user --jq .login)
SEC_RUN_ID="sec-$(date -u +%Y%m%dT%H%M%SZ)-${HEAD_SHA:0:12}"
gh pr comment "$PR" --body "$(cat <<EOF
ICA-SECURITY-REVIEW
ICA-SECURITY-REVIEW-RECEIPT
Security-Reviewer-Stage: post-pr (temp checkout)
Security-Reviewer-Agent: security reviewer (subagent)
Security-Reviewer-Execution: dedicated-security-subagent
Security-Reviewer-Executor: github:$SEC_REVIEWER
Security-Reviewer-Run-ID: $SEC_RUN_ID
PR: #$PR
Base: $BASE_BRANCH
Head-SHA: $HEAD_SHA
Date-UTC: $DATE_UTC
Findings: 0
NO FINDINGS
Result: PASS
EOF
)"
Ask user if not specified:
| Type | When | Example |
|---|---|---|
major | Breaking changes | 1.0.0 → 2.0.0 |
minor | New features, backward compatible | 1.0.0 → 1.1.0 |
patch | Bug fixes, no new features | 1.0.0 → 1.0.1 |
# Read current version
CURRENT=$(cat src/VERSION 2>/dev/null || cat VERSION 2>/dev/null || echo "0.0.0")
# Calculate new version based on bump type
# For patch: increment last number
# For minor: increment middle, reset last to 0
# For major: increment first, reset others to 0
Add new section at top of CHANGELOG.md:
## [X.Y.Z] - YYYY-MM-DD
### Added
- New features
### Changed
- Changes to existing features
### Fixed
- Bug fixes
### Removed
- Removed features
Derive changes from:
git log --oneline $(git describe --tags --abbrev=0 2>/dev/null || echo "HEAD~10")..HEAD
# Re-run quality/validation gate before release commit
# - tests pass
# - reviewer has no blocking findings
# - security review has no blocking findings
# - validate checks pass
# - tracking verification passes
git add VERSION src/VERSION CHANGELOG.md
git commit -m "chore: Bump version to X.Y.Z"
git push
# Merge gate (required):
# - Reviewer Stage 3 receipt exists and matches head SHA (ICA-REVIEW-RECEIPT)
# - Security review receipt exists and matches head SHA (ICA-SECURITY-REVIEW-RECEIPT)
# - Security receipt includes dedicated-subagent verification fields and executor/author match
# - Required checks passing (or no required checks configured)
# - Validate checks pass
# - Backend-aware tracking verification passes
# - User explicitly approved the release/merge
#
# Only then merge the PR (squash or merge based on project preference)
gh pr merge <PR-number> --squash --delete-branch
Or if merge commit preferred:
gh pr merge <PR-number> --merge --delete-branch
# Checkout main after merge
git checkout main
git pull origin main
# Create annotated tag
git tag -a "vX.Y.Z" -m "Release vX.Y.Z"
git push origin "vX.Y.Z"
# Default: create DRAFT release (safe). Publish only if user explicitly requests.
gh release create "vX.Y.Z" \
--draft \
--title "vX.Y.Z" \
--notes "$(cat <<'EOF'
## What's Changed
### Added
- Feature 1
- Feature 2
### Fixed
- Bug fix 1
**Full Changelog**: https://github.com/OWNER/REPO/compare/vPREV...vX.Y.Z
EOF
)"
Or generate notes automatically:
gh release create "vX.Y.Z" --generate-notes
Check for VERSION in order:
src/VERSIONVERSIONpackage.json (for Node projects)pyproject.toml (for Python projects)Follow Keep a Changelog format:
# Changelog
All notable changes to this project will be documented in this file.
## [Unreleased]
## [X.Y.Z] - YYYY-MM-DD
### Added
### Changed
### Deprecated
### Removed
### Fixed
### Security
Before any release action:
no required checks configured)validate checks for current release stepWorks with:
User: "Release a patch for the bug fixes"
→ Bump 1.2.3 → 1.2.4
→ Update CHANGELOG
→ Commit, merge, tag, release
User: "Cut a minor release with the new features"
→ Bump 1.2.3 → 1.3.0
→ Update CHANGELOG
→ Commit, merge, tag, release
User: "Major release - we have breaking changes"
→ Bump 1.2.3 → 2.0.0
→ Update CHANGELOG (note breaking changes)
→ Commit, merge, tag, release
If release needs to be reverted:
# Delete the tag locally and remotely
git tag -d vX.Y.Z
git push origin :refs/tags/vX.Y.Z
# Delete the GitHub release
gh release delete vX.Y.Z --yes
# Revert the merge commit if needed
git revert <merge-commit-sha>
When this skill runs, produce:
system_level, project_level, effective level, and whether defaults were bootstrapped)git.worktree_branch_behavior) and enforcement result