name: Version & Release
on:
push:
branches: [main]
workflow_dispatch:
inputs:
skip_version_bump:
description: 'Skip version bumping for testing workflow logic'
required: false
default: 'false'
type: choice
options:
- 'true'
- 'false'
concurrency:
group: version-release
cancel-in-progress: false
jobs:
wait-for-ci:
runs-on: ubuntu-latest
if: github.event_name != 'workflow_dispatch'
steps:
- name: Wait for CI to complete
uses: lewagon/wait-on-check-action@v1.3.4
with:
ref: ${{ github.sha }}
check-name: 'test'
repo-token: ${{ secrets.GITHUB_TOKEN }}
wait-interval: 10
version:
name: Version
runs-on: ubuntu-latest
needs: [wait-for-ci]
if: always() && (needs.wait-for-ci.result == 'success' || github.event_name == 'workflow_dispatch')
outputs:
version_changed: ${{ steps.release.outputs.released }}
new_version: ${{ steps.release.outputs.version }}
tag_name: ${{ steps.release.outputs.tag_name }}
pr_number: ${{ steps.detect.outputs.pr_number }}
permissions:
contents: write pull-requests: write checks: write steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
fetch-tags: true
- name: Setup Rust
uses: actions-rust-lang/setup-rust-toolchain@v1
with:
toolchain: stable
cache: true
- name: Build grubble
run: cargo build --release
- name: Clean up stale tags
run: |
git fetch origin --tags
git tag -l 'v*' | while read -r tag; do
if ! git merge-base --is-ancestor "$tag" HEAD 2>/dev/null; then
echo "Removing unreachable tag: $tag"
git tag -d "$tag"
fi
done
- name: Bump (dry-run)
id: bump
if: github.event_name != 'workflow_dispatch' || github.event.inputs.skip_version_bump != 'true'
run: |
VERSION_BEFORE=$(grep '^version' Cargo.toml | head -1 | cut -d'"' -f2)
# --raw --dry-run prints just the next version (no extra lines)
# and exits 0 in all non-error cases. The "current" version is
# already in Cargo.toml; the "next" version is what would be set
# if a release happened. If they differ, a release is needed.
VERSION_AFTER=$(./target/release/grubble --preset rust --raw --dry-run)
if [ -z "$VERSION_AFTER" ]; then
VERSION_AFTER="$VERSION_BEFORE"
fi
if [ "$VERSION_AFTER" != "$VERSION_BEFORE" ]; then
echo "changed=true" >> $GITHUB_OUTPUT
echo "version=$VERSION_AFTER" >> $GITHUB_OUTPUT
else
echo "changed=false" >> $GITHUB_OUTPUT
echo "version=$VERSION_AFTER" >> $GITHUB_OUTPUT
fi
- name: Detect merged release PR
id: detect
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
# Find the most recent merged PR whose head branch matches
# release/v<semver>. If found, emit its number and merge commit SHA.
# The "Release merged PR" step below uses this to create the tag.
PR_INFO=$(gh pr list \
--state merged \
--base main \
--limit 20 \
--json number,headRefName,mergeCommit,mergedAt \
| jq -r '[.[] | select(.headRefName | test("^release/v[0-9]+\\.[0-9]+\\.[0-9]+$"))] | sort_by(.mergedAt) | last // empty')
if [ -n "$PR_INFO" ] && [ "$PR_INFO" != "null" ]; then
PR_NUMBER=$(echo "$PR_INFO" | jq -r '.number')
MERGE_SHA=$(echo "$PR_INFO" | jq -r '.mergeCommit.oid')
echo "merged=true" >> $GITHUB_OUTPUT
echo "pr_number=$PR_NUMBER" >> $GITHUB_OUTPUT
echo "merge_sha=$MERGE_SHA" >> $GITHUB_OUTPUT
else
echo "merged=false" >> $GITHUB_OUTPUT
fi
- name: Release merged PR
id: release
if: steps.detect.outputs.merged == 'true'
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
PR_NUMBER="${{ steps.detect.outputs.pr_number }}"
# Use grubble release to resolve the PR to a tag spec. The
# subcommand validates the PR is merged, parses the version from
# the head branch, and emits the merge commit SHA.
RELEASE_JSON=$(./target/release/grubble --release-from-pr "${PR_NUMBER}" --output json)
echo "$RELEASE_JSON" | jq .
VERSION=$(echo "$RELEASE_JSON" | jq -r '.version')
TAG_NAME=$(echo "$RELEASE_JSON" | jq -r '.tag_name')
MAJOR_TAG=$(echo "$RELEASE_JSON" | jq -r '.major_tag_name')
MERGE_SHA=$(echo "$RELEASE_JSON" | jq -r '.merge_commit_sha')
BODY=$(echo "$RELEASE_JSON" | jq -r '.body')
if [ -z "$VERSION" ] || [ "$VERSION" = "null" ]; then
echo "::error::Failed to resolve release for PR #${PR_NUMBER}"
exit 1
fi
# Create the v<version> tag on the merge commit.
RELEASED=false
if gh api "repos/${GITHUB_REPOSITORY}/git/refs/tags/${TAG_NAME}" >/dev/null 2>&1; then
EXISTING_TAG_OBJ=$(gh api "repos/${GITHUB_REPOSITORY}/git/refs/tags/${TAG_NAME}")
EXISTING_TAG_SHA=$(echo "$EXISTING_TAG_OBJ" | jq -r '.object.sha')
EXISTING_TYPE=$(echo "$EXISTING_TAG_OBJ" | jq -r '.object.type')
if [ "$EXISTING_TYPE" = "tag" ]; then
EXISTING_SHA=$(gh api "repos/${GITHUB_REPOSITORY}/git/tags/${EXISTING_TAG_SHA}" | jq -r '.object.sha')
else
EXISTING_SHA="$EXISTING_TAG_SHA"
fi
if [ "$EXISTING_SHA" = "$MERGE_SHA" ]; then
echo "Tag ${TAG_NAME} already exists on ${MERGE_SHA}; nothing to do"
else
echo "::error::Tag ${TAG_NAME} exists on ${EXISTING_SHA} but the release PR merged at ${MERGE_SHA}."
echo "::error::This usually means a previous workflow left an orphan tag."
echo "::error::Fix: delete the orphan tag and re-run, e.g.:"
echo "::error:: gh api -X DELETE repos/${GITHUB_REPOSITORY}/git/refs/tags/${TAG_NAME}"
exit 1
fi
else
echo "Creating tag ${TAG_NAME} on ${MERGE_SHA}"
gh api \
--method POST \
-H "Accept: application/vnd.github+json" \
"repos/${GITHUB_REPOSITORY}/git/refs" \
-f "ref=refs/tags/${TAG_NAME}" \
-f "sha=${MERGE_SHA}"
RELEASED=true
fi
# Update the v<major> floating tag to the same merge commit.
if gh api "repos/${GITHUB_REPOSITORY}/git/refs/tags/${MAJOR_TAG}" >/dev/null 2>&1; then
echo "Updating floating tag ${MAJOR_TAG} to ${MERGE_SHA}"
gh api \
--method PATCH \
-H "Accept: application/vnd.github+json" \
"repos/${GITHUB_REPOSITORY}/git/refs/tags/${MAJOR_TAG}" \
-f "sha=${MERGE_SHA}" \
-F "force=true" >/dev/null
else
echo "Creating floating tag ${MAJOR_TAG} on ${MERGE_SHA}"
gh api \
--method POST \
-H "Accept: application/vnd.github+json" \
"repos/${GITHUB_REPOSITORY}/git/refs" \
-f "ref=refs/tags/${MAJOR_TAG}" \
-f "sha=${MERGE_SHA}"
fi
# Create the GitHub Release for the tag (if it doesn't exist yet).
if ! gh release view "${TAG_NAME}" >/dev/null 2>&1; then
echo "Creating GitHub release for ${TAG_NAME}"
gh release create "${TAG_NAME}" \
--target "${MERGE_SHA}" \
--title "v${VERSION}" \
--notes "${BODY}" \
--verify-tag
RELEASED=true
else
echo "GitHub release for ${TAG_NAME} already exists"
fi
if [ "$RELEASED" = "true" ]; then
echo "released=true" >> $GITHUB_OUTPUT
else
echo "released=false" >> $GITHUB_OUTPUT
fi
echo "version=${VERSION}" >> $GITHUB_OUTPUT
echo "tag_name=${TAG_NAME}" >> $GITHUB_OUTPUT
- name: Open or update release PR
if: steps.bump.outputs.changed == 'true'
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
VERSION="${{ steps.bump.outputs.version }}"
BRANCH="release/v${VERSION}"
# Fetch tags created by the Release step (above). Without this,
# grubble would see the old tag and refuse to bump with "file
# ahead of tag" since Cargo.toml was updated by the merged PR.
git fetch origin --tags --force
# Run grubble on the release branch: bumps Cargo.toml, updates
# CHANGELOG.md. NO --tag here — the tag is created on the main
# merge commit by the "Release merged PR" step after a human merges
# the PR.
git checkout -B "${BRANCH}"
./target/release/grubble \
--git-user-name "github-actions[bot]" \
--git-user-email "41898282+github-actions[bot]@users.noreply.github.com" \
--git-branch "${BRANCH}" \
--preset rust \
--changelog \
--push \
--force-push
# Create a passing check run for the required "test" check on the
# pushed commit. The pull_request event from the bot push cannot
# trigger a new workflow run (GitHub does not create runs from
# GITHUB_TOKEN events), so we create the check directly via the
# Check Runs API. The release branch content is the same as main
# plus a version bump + CHANGELOG entry — both validated on main.
PUSHED_SHA=$(git rev-parse "${BRANCH}")
gh api "repos/${GITHUB_REPOSITORY}/check-runs" \
--method POST \
-f "name=test" \
-f "head_sha=${PUSHED_SHA}" \
-f "status=completed" \
-f "conclusion=success" \
-f "output[title]=Release branch check" \
-f "output[summary]=Content validated by CI on main"
# Read the CHANGELOG entry to use as the PR body.
CHANGELOG_BODY=$(./target/release/grubble --changelog-entry || echo "")
if gh pr view "${BRANCH}" >/dev/null 2>&1; then
echo "PR already exists for ${BRANCH}; branch was force-pushed."
gh pr edit "${BRANCH}" --body "${CHANGELOG_BODY}"
else
gh pr create \
--base main \
--head "${BRANCH}" \
--title "Release v${VERSION}" \
--body "${CHANGELOG_BODY}"
echo "Release PR opened for ${BRANCH}"
fi
# Enable auto-merge with squash using the PAT so the merge event
# triggers the version workflow to create the tag + GitHub Release.
# With GITHUB_TOKEN, the auto-merge event would not create a new
# workflow run and the tag would never be created.
for i in 1 2 3 4 5; do
if GH_TOKEN=${{ secrets.RELEASE_PAT }} gh pr merge "${BRANCH}" --auto --squash 2>/dev/null; then
echo "Auto-merge enabled on ${BRANCH}"
break
fi
sleep 3
done
test:
name: Pre-release Tests
runs-on: ubuntu-latest
needs: version
if: needs.version.outputs.version_changed == 'true'
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
ref: ${{ needs.version.outputs.tag_name }}
- name: Setup Rust
uses: actions-rust-lang/setup-rust-toolchain@v1
with:
toolchain: stable
components: clippy, rustfmt
cache: true
- name: Run tests
run: cargo test --all-features --verbose
- name: Run clippy
run: cargo clippy --all-targets --all-features -- -D warnings
build-release:
name: Build Release
needs: [version, test]
strategy:
fail-fast: false
matrix:
include:
- target: x86_64-unknown-linux-musl
os: ubuntu-latest
name: grubble-linux-x86_64
cross: true
- target: aarch64-unknown-linux-musl
os: ubuntu-latest
name: grubble-linux-aarch64
cross: true
- target: aarch64-apple-darwin
os: macos-latest
name: grubble-macos-aarch64
cross: false
- target: x86_64-pc-windows-msvc
os: windows-latest
name: grubble-windows-x86_64.exe
cross: false
runs-on: ${{ matrix.os }}
permissions:
contents: write
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
ref: ${{ needs.version.outputs.tag_name }}
- name: Setup Rust
uses: actions-rust-lang/setup-rust-toolchain@v1
with:
toolchain: stable
target: ${{ matrix.target }}
cache: true
- name: Install cross
if: matrix.cross
run: |
cargo install cross --git https://github.com/cross-rs/cross
cross --version
- name: Build (native)
if: ${{ !matrix.cross }}
run: cargo build --release --target ${{ matrix.target }}
- name: Build (cross)
if: matrix.cross
run: cross build --release --target ${{ matrix.target }}
- name: Strip binary (Linux)
if: matrix.os == 'ubuntu-latest'
run: |
strip target/${{ matrix.target }}/release/grubble || true
- name: Strip binary (macOS)
if: matrix.os == 'macos-latest'
run: |
strip target/${{ matrix.target }}/release/grubble || true
- name: Prepare binary (Unix)
if: matrix.os != 'windows-latest'
run: |
cd target/${{ matrix.target }}/release
tar czf ../../../${{ matrix.name }}.tar.gz grubble
cd -
- name: Prepare binary (Windows)
if: matrix.os == 'windows-latest'
run: |
cd target/${{ matrix.target }}/release
7z a ../../../${{ matrix.name }}.zip grubble.exe
cd -
- name: Generate SHA256 checksums (Unix)
if: matrix.os != 'windows-latest'
run: |
shasum -a 256 ${{ matrix.name }}.tar.gz > ${{ matrix.name }}.tar.gz.sha256
- name: Generate SHA256 checksums (Windows)
if: matrix.os == 'windows-latest'
shell: pwsh
run: |
$hash = (Get-FileHash -Algorithm SHA256 ${{ matrix.name }}.zip).Hash.ToLower()
"$hash ${{ matrix.name }}.zip" | Out-File -Encoding ASCII ${{ matrix.name }}.zip.sha256
- name: Upload Release Asset (Unix)
if: matrix.os != 'windows-latest'
uses: softprops/action-gh-release@v2
with:
tag_name: ${{ needs.version.outputs.tag_name }}
files: |
${{ matrix.name }}.tar.gz
${{ matrix.name }}.tar.gz.sha256
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Upload Release Asset (Windows)
if: matrix.os == 'windows-latest'
uses: softprops/action-gh-release@v2
with:
tag_name: ${{ needs.version.outputs.tag_name }}
files: |
${{ matrix.name }}.zip
${{ matrix.name }}.zip.sha256
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
publish-crate:
name: Publish to crates.io
runs-on: ubuntu-latest
needs: [test, build-release]
permissions:
id-token: write
contents: read
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
ref: ${{ needs.version.outputs.tag_name }}
- name: Setup Rust
uses: actions-rust-lang/setup-rust-toolchain@v1
with:
toolchain: stable
cache: true
- name: Authenticate with crates.io
uses: rust-lang/crates-io-auth-action@v1
id: auth
- name: Publish to crates.io
run: cargo publish
env:
CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}