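---
# Release workflow: type-checks, tests, builds and packs the cstack npm
# tarball, then publishes it as a GitHub release together with an SBOM, a
# build-provenance attestation and a SHA256SUMS.txt file.
#
# Triggered by any pushed tag starting with "v", or manually with an explicit
# tag. Every third-party action is pinned to a commit SHA so a moved tag
# cannot change what runs here.
name: Release

on:
  push:
    tags:
      - "v*"
  workflow_dispatch:
    inputs:
      tag:
        description: "Release tag to publish, including the leading v"
        required: true
        type: string

# Serialise runs per tag; a second run for the same tag queues behind an
# in-flight publish instead of cancelling it half-way.
concurrency:
  group: release-${{ github.ref_name }}
  cancel-in-progress: false

jobs:
  release:
    runs-on: ubuntu-latest
    # Job-scoped, least-privilege token: contents:write to create the release
    # and upload assets; attestations + id-token for the Sigstore-signed
    # provenance. artifact-metadata is listed for the attestation/SBOM steps —
    # NOTE(review): confirm against the pinned actions' docs that it is needed.
    permissions:
      contents: write
      attestations: write
      artifact-metadata: write
      id-token: write
    steps:
      - name: Check out repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
        with:
          # On manual dispatch build the requested tag, not the ref the
          # workflow was dispatched from.
          ref: ${{ github.event_name == 'workflow_dispatch' && inputs.tag || github.ref_name }}
          # Nothing below needs git credentials (gh reads GITHUB_TOKEN from the
          # environment), so keep the contents:write token out of .git/config
          # where npm lifecycle scripts and build tooling could read it.
          persist-credentials: false

      - name: Set up Node
        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f
        with:
          node-version: "24"
          cache: npm

      - name: Set release tag
        shell: bash
        env:
          # Hand the dispatch input to the script through the environment
          # rather than interpolating it into the script text, so shell
          # metacharacters in the input stay data instead of becoming code.
          INPUT_TAG: ${{ inputs.tag }}
        run: |
          if [ "${GITHUB_EVENT_NAME}" = "workflow_dispatch" ]; then
            RELEASE_TAG="${INPUT_TAG}"
          else
            RELEASE_TAG="${GITHUB_REF_NAME}"
          fi
          # $GITHUB_ENV is line-oriented: a value containing a newline would
          # define extra variables for every later step. Accept a single token
          # of tag characters only; the exact version is checked further down.
          if ! [[ "${RELEASE_TAG}" =~ ^v[0-9A-Za-z._+-]+$ ]]; then
            echo "Invalid release tag '${RELEASE_TAG}': expected v<version>" >&2
            exit 1
          fi
          echo "RELEASE_TAG=${RELEASE_TAG}" >> "$GITHUB_ENV"

      - name: Install dependencies
        run: npm ci

      - name: Validate package version matches tag
        shell: bash
        run: |
          PACKAGE_VERSION="$(node -p "require('./package.json').version")"
          EXPECTED_TAG="v${PACKAGE_VERSION}"
          if [ "${EXPECTED_TAG}" != "${RELEASE_TAG}" ]; then
            echo "package.json version ${PACKAGE_VERSION} does not match tag ${RELEASE_TAG}" >&2
            exit 1
          fi
          echo "PACKAGE_VERSION=${PACKAGE_VERSION}" >> "$GITHUB_ENV"

      - name: Typecheck
        run: npm run typecheck

      - name: Test
        run: npm test

      - name: Build
        run: npm run build

      - name: Deterministic end-to-end workflow validation
        run: npm run ci:e2e

      - name: Pack release tarball
        shell: bash
        run: |
          mkdir -p release
          # npm pack prints the generated tarball name as its last stdout line.
          PACKAGE_FILE="$(npm pack --pack-destination release | tail -n 1)"
          # Stable-name copy served from the releases/latest/download URL.
          cp "release/${PACKAGE_FILE}" "release/cstack-latest.tgz"
          echo "PACKAGE_FILE=${PACKAGE_FILE}" >> "$GITHUB_ENV"

      - name: Record release artifact paths
        id: release_paths
        shell: bash
        run: |
          SBOM_FILE="release/cstack-${PACKAGE_VERSION}.sbom.spdx.json"
          # Step outputs for the `with:` blocks of the SBOM/attestation
          # actions; the same path goes to $GITHUB_ENV so later shell steps
          # can use it without expression interpolation.
          echo "package_file=${PACKAGE_FILE}" >> "$GITHUB_OUTPUT"
          echo "sbom_file=${SBOM_FILE}" >> "$GITHUB_OUTPUT"
          echo "SBOM_FILE=${SBOM_FILE}" >> "$GITHUB_ENV"

      - name: Smoke-test packaged install
        shell: bash
        run: |
          # Install the exact tarball that will be published into a throwaway
          # prefix and make sure the CLI entrypoint starts.
          INSTALL_ROOT="${RUNNER_TEMP}/cstack-release-install"
          rm -rf "${INSTALL_ROOT}"
          mkdir -p "${INSTALL_ROOT}"
          npm install -g "./release/${PACKAGE_FILE}" --prefix "${INSTALL_ROOT}"
          "${INSTALL_ROOT}/bin/cstack" --help >/dev/null

      - name: Generate SBOM
        uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610
        with:
          file: release/${{ steps.release_paths.outputs.package_file }}
          format: spdx-json
          output-file: ${{ steps.release_paths.outputs.sbom_file }}
          # The SBOM is uploaded by the publish step below, alongside the
          # checksums, instead of by this action.
          upload-artifact: false
          upload-release-assets: false

      - name: Create provenance attestation
        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32
        with:
          # Both tarballs are attested: the versioned file and the
          # stable-name copy have identical contents but are fetched by
          # different URLs.
          subject-path: |
            release/${{ steps.release_paths.outputs.package_file }}
            release/cstack-latest.tgz

      - name: Generate checksums
        shell: bash
        run: |
          cd release
          # Cover the SBOM as well so every published asset has a checksum.
          # Paths are relative to release/ so the file verifies from the
          # directory a user downloaded the assets into.
          sha256sum "${PACKAGE_FILE}" cstack-latest.tgz "$(basename "${SBOM_FILE}")" > SHA256SUMS.txt

      - name: Generate release notes
        shell: bash
        run: |
          # Unquoted heredoc: ${RELEASE_TAG}/${PACKAGE_FILE} expand here,
          # backticks are escaped so they reach the markdown literally.
          cat > release/RELEASE_NOTES.md <<EOF
          ## Install

          Requirements:

          - Node.js 24+
          - Codex CLI installed and available on \`PATH\`

          Install directly from this GitHub release:

          \`\`\`bash
          npm install -g https://github.com/ganesh47/cstack/releases/download/${RELEASE_TAG}/${PACKAGE_FILE}
          \`\`\`

          Install using the stable latest asset:

          \`\`\`bash
          npm install -g https://github.com/ganesh47/cstack/releases/latest/download/cstack-latest.tgz
          \`\`\`

          Download first, then install locally:

          \`\`\`bash
          curl -LO https://github.com/ganesh47/cstack/releases/download/${RELEASE_TAG}/${PACKAGE_FILE}
          npm install -g ./${PACKAGE_FILE}
          \`\`\`

          Verify the download (\`--ignore-missing\` skips assets you did not download):

          \`\`\`bash
          curl -LO https://github.com/ganesh47/cstack/releases/download/${RELEASE_TAG}/SHA256SUMS.txt
          sha256sum -c --ignore-missing SHA256SUMS.txt
          \`\`\`

          Verify the build provenance of the tarball with the GitHub CLI:

          \`\`\`bash
          gh attestation verify ./${PACKAGE_FILE} --repo ganesh47/cstack
          \`\`\`

          ## What is in this release

          - packaged CLI entrypoint
          - compiled \`dist/\` runtime
          - current README and install guidance
          - SBOM and provenance attestation for the published tarball

          ## Quick start

          \`\`\`bash
          cstack --help
          cstack spec "Draft an implementation note for the next cstack slice"
          \`\`\`
          EOF

      - name: Publish GitHub release
        env:
          GITHUB_TOKEN: ${{ github.token }}
        shell: bash
        run: |
          ASSETS=(
            "release/${PACKAGE_FILE}"
            "release/cstack-latest.tgz"
            "release/SHA256SUMS.txt"
            "${SBOM_FILE}"
          )
          if gh release view "${RELEASE_TAG}" >/dev/null 2>&1; then
            # Re-run for an existing release: replace the assets and notes.
            gh release upload "${RELEASE_TAG}" "${ASSETS[@]}" --clobber
            gh release edit "${RELEASE_TAG}" \
              --title "cstack ${RELEASE_TAG}" \
              --notes-file release/RELEASE_NOTES.md
          else
            # --verify-tag refuses to create the release (and silently create
            # a new tag on the default branch) when the tag does not exist.
            gh release create "${RELEASE_TAG}" "${ASSETS[@]}" \
              --verify-tag \
              --title "cstack ${RELEASE_TAG}" \
              --notes-file release/RELEASE_NOTES.md
          fi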