grubble 5.7.0

Automatic semantic versioning based on conventional commits, optimized for AI-generated commit messages
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
name: Version & Release

on:
  push:
    branches: [main]
  workflow_dispatch:
    inputs:
      skip_version_bump:
        description: 'Skip version bumping for testing workflow logic'
        required: false
        default: 'false'
        type: choice
        options:
        - 'true'
        - 'false'

# Prevent concurrent version bumps
concurrency:
  group: version-release
  cancel-in-progress: false

jobs:
  wait-for-ci:
    runs-on: ubuntu-latest
    if: github.event_name != 'workflow_dispatch'
    steps:
      - name: Wait for CI to complete
        uses: lewagon/wait-on-check-action@v1.3.4
        with:
          ref: ${{ github.sha }}
          check-name: 'test'
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          wait-interval: 10

  version:
    name: Version
    runs-on: ubuntu-latest
    needs: [wait-for-ci]
    if: always() && (needs.wait-for-ci.result == 'success' || github.event_name == 'workflow_dispatch')
    outputs:
      # Only true when a release has actually been created (post-merge).
      # Opening a release PR sets this to false; the human must merge the
      # PR, and the next workflow run creates the tag/release and sets
      # this to true. This ensures downstream jobs (test, build, publish)
      # only run when there's a real release to test/build/publish.
      version_changed: ${{ steps.release.outputs.released }}
      new_version: ${{ steps.release.outputs.version }}
      tag_name: ${{ steps.release.outputs.tag_name }}
      pr_number: ${{ steps.detect.outputs.pr_number }}
    permissions:
      contents: write        # Push commits and tags
      pull-requests: write   # Create the release PR
      checks: write          # Create check runs on release branch
    steps:
    - uses: actions/checkout@v4
      with:
        fetch-depth: 0
        fetch-tags: true

    # We build from source (rather than using davegarvey/grubble@v5) so we can
    # dogfood new binary features immediately on merge, without waiting for a
    # release to update the @v5 tag.
    - name: Setup Rust
      uses: actions-rust-lang/setup-rust-toolchain@v1
      with:
        toolchain: stable
        cache: true

    - name: Build grubble
      run: cargo build --release

    # Remove v* tags that are not reachable from main. These are leftovers
    # from previous failed runs that pushed to release/* branches but never
    # merged. Without this, the binary's `git tag v<version>` would fail with
    # "tag already exists". Only unreachable tags are removed — legitimate
    # tags (e.g. v5.1.0 on the current branch's history) are kept so the
    # binary can find the last tag and only analyze new commits.
    - name: Clean up stale tags
      run: |
        git fetch origin --tags
        git tag -l 'v*' | while read -r tag; do
          if ! git merge-base --is-ancestor "$tag" HEAD 2>/dev/null; then
            echo "Removing unreachable tag: $tag"
            git tag -d "$tag"
          fi
        done

    # Canonical release-please-style flow:
    #   1. Detect the most recent merged release PR on main.
    #   2. If found, create the v<version> tag and GitHub Release on the
    #      merge commit (via the GitHub API). This is the canonical "tag
    #      on the main merge commit" pattern — sidesteps orphaning that
    #      the previous pre-tag-on-branch pattern was vulnerable to.
    #      After the tag is created, fetch tags so subsequent steps see it.
    #   3. Compute the next version (dry-run) based on commits since the
    #      latest tag (which may be the one just created in step 2).
    #   4. If the version would change, open or update a release PR on a
    #      release/v<version> branch with the version bump + CHANGELOG.
    #
    # IMPORTANT: Bump (dry-run) runs AFTER Release merged PR so the tag
    # created by the Release step is visible to the dry-run. Without this
    # ordering, the dry-run re-analyzes commits already included in the
    # just-released tag, producing a stale next-version (e.g. v5.6.0
    # instead of no bump after releasing v5.5.0).

    - name: Detect merged release PR
      id: detect
      env:
        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      run: |
        # Find the most recent merged PR whose head branch matches
        # release/v<semver>. If found, emit its number and merge commit SHA.
        # The "Release merged PR" step below uses this to create the tag.
        PR_INFO=$(gh pr list \
          --state merged \
          --base main \
          --limit 20 \
          --json number,headRefName,mergeCommit,mergedAt \
          | jq -r '[.[] | select(.headRefName | test("^release/v[0-9]+\\.[0-9]+\\.[0-9]+$"))] | sort_by(.mergedAt) | last // empty')
        if [ -n "$PR_INFO" ] && [ "$PR_INFO" != "null" ]; then
          PR_NUMBER=$(echo "$PR_INFO" | jq -r '.number')
          MERGE_SHA=$(echo "$PR_INFO" | jq -r '.mergeCommit.oid')
          echo "merged=true" >> $GITHUB_OUTPUT
          echo "pr_number=$PR_NUMBER" >> $GITHUB_OUTPUT
          echo "merge_sha=$MERGE_SHA" >> $GITHUB_OUTPUT
        else
          echo "merged=false" >> $GITHUB_OUTPUT
        fi

    - name: Release merged PR
      id: release
      # Process merged release PRs BEFORE the Bump (dry-run) step, so the
      # tag is created before the dry-run analyzes commits. Without this
      # ordering, the dry-run would see the stale tag, re-analyze
      # already-released commits, and produce a redundant next-version.
      if: steps.detect.outputs.merged == 'true'
      env:
        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      run: |
        PR_NUMBER="${{ steps.detect.outputs.pr_number }}"
        # Use grubble release to resolve the PR to a tag spec. The
        # subcommand validates the PR is merged, parses the version from
        # the head branch, and emits the merge commit SHA.
        RELEASE_JSON=$(./target/release/grubble --release-from-pr "${PR_NUMBER}" --output json)
        echo "$RELEASE_JSON" | jq .

        VERSION=$(echo "$RELEASE_JSON" | jq -r '.version')
        TAG_NAME=$(echo "$RELEASE_JSON" | jq -r '.tag_name')
        MAJOR_TAG=$(echo "$RELEASE_JSON" | jq -r '.major_tag_name')
        MERGE_SHA=$(echo "$RELEASE_JSON" | jq -r '.merge_commit_sha')
        BODY=$(echo "$RELEASE_JSON" | jq -r '.body')

        if [ -z "$VERSION" ] || [ "$VERSION" = "null" ]; then
          echo "::error::Failed to resolve release for PR #${PR_NUMBER}"
          exit 1
        fi

        # Create the v<version> tag on the merge commit.
        RELEASED=false
        if gh api "repos/${GITHUB_REPOSITORY}/git/refs/tags/${TAG_NAME}" >/dev/null 2>&1; then
          EXISTING_TAG_OBJ=$(gh api "repos/${GITHUB_REPOSITORY}/git/refs/tags/${TAG_NAME}")
          EXISTING_TAG_SHA=$(echo "$EXISTING_TAG_OBJ" | jq -r '.object.sha')
          EXISTING_TYPE=$(echo "$EXISTING_TAG_OBJ" | jq -r '.object.type')
          if [ "$EXISTING_TYPE" = "tag" ]; then
            EXISTING_SHA=$(gh api "repos/${GITHUB_REPOSITORY}/git/tags/${EXISTING_TAG_SHA}" | jq -r '.object.sha')
          else
            EXISTING_SHA="$EXISTING_TAG_SHA"
          fi

          if [ "$EXISTING_SHA" = "$MERGE_SHA" ]; then
            echo "Tag ${TAG_NAME} already exists on ${MERGE_SHA}; nothing to do"
          else
            echo "::error::Tag ${TAG_NAME} exists on ${EXISTING_SHA} but the release PR merged at ${MERGE_SHA}."
            echo "::error::This usually means a previous workflow left an orphan tag."
            echo "::error::Fix: delete the orphan tag and re-run, e.g.:"
            echo "::error::  gh api -X DELETE repos/${GITHUB_REPOSITORY}/git/refs/tags/${TAG_NAME}"
            exit 1
          fi
        else
          echo "Creating tag ${TAG_NAME} on ${MERGE_SHA}"
          gh api \
            --method POST \
            -H "Accept: application/vnd.github+json" \
            "repos/${GITHUB_REPOSITORY}/git/refs" \
            -f "ref=refs/tags/${TAG_NAME}" \
            -f "sha=${MERGE_SHA}"
          RELEASED=true
        fi

        # Update the v<major> floating tag to the same merge commit.
        if gh api "repos/${GITHUB_REPOSITORY}/git/refs/tags/${MAJOR_TAG}" >/dev/null 2>&1; then
          echo "Updating floating tag ${MAJOR_TAG} to ${MERGE_SHA}"
          gh api \
            --method PATCH \
            -H "Accept: application/vnd.github+json" \
            "repos/${GITHUB_REPOSITORY}/git/refs/tags/${MAJOR_TAG}" \
            -f "sha=${MERGE_SHA}" \
            -F "force=true" >/dev/null
        else
          echo "Creating floating tag ${MAJOR_TAG} on ${MERGE_SHA}"
          gh api \
            --method POST \
            -H "Accept: application/vnd.github+json" \
            "repos/${GITHUB_REPOSITORY}/git/refs" \
            -f "ref=refs/tags/${MAJOR_TAG}" \
            -f "sha=${MERGE_SHA}"
        fi

        # Create the GitHub Release for the tag (if it doesn't exist yet).
        if ! gh release view "${TAG_NAME}" >/dev/null 2>&1; then
          echo "Creating GitHub release for ${TAG_NAME}"
          gh release create "${TAG_NAME}" \
            --target "${MERGE_SHA}" \
            --title "v${VERSION}" \
            --notes "${BODY}" \
            --verify-tag
          RELEASED=true
        else
          echo "GitHub release for ${TAG_NAME} already exists"
        fi

        if [ "$RELEASED" = "true" ]; then
          echo "released=true" >> $GITHUB_OUTPUT
        else
          echo "released=false" >> $GITHUB_OUTPUT
        fi
        echo "version=${VERSION}" >> $GITHUB_OUTPUT
        echo "tag_name=${TAG_NAME}" >> $GITHUB_OUTPUT

    # Bump runs AFTER Release so it sees any tag just created by the
    # Release step. Without this ordering, the dry-run would re-analyze
    # commits already included in the just-released tag, producing a
    # stale next-version (e.g. v5.6.0 instead of no bump after v5.5.0).
    - name: Bump (dry-run)
      id: bump
      if: github.event_name != 'workflow_dispatch' || github.event.inputs.skip_version_bump != 'true'
      run: |
        # Fetch tags just created by the Release step (via GitHub API)
        # so the dry-run uses the correct commit range.
        git fetch origin --tags --force

        VERSION_BEFORE=$(grep '^version' Cargo.toml | head -1 | cut -d'"' -f2)
        # --raw --dry-run prints just the next version (no extra lines)
        # and exits 0 in all non-error cases. The "current" version is
        # already in Cargo.toml; the "next" version is what would be set
        # if a release happened. If they differ, a release is needed.
        VERSION_AFTER=$(./target/release/grubble --preset rust --raw --dry-run)
        if [ -z "$VERSION_AFTER" ]; then
          VERSION_AFTER="$VERSION_BEFORE"
        fi
        if [ "$VERSION_AFTER" != "$VERSION_BEFORE" ]; then
          echo "changed=true" >> $GITHUB_OUTPUT
          echo "version=$VERSION_AFTER" >> $GITHUB_OUTPUT
        else
          echo "changed=false" >> $GITHUB_OUTPUT
          echo "version=$VERSION_AFTER" >> $GITHUB_OUTPUT
        fi

    - name: Open or update release PR
      # Uses --release-version to write the exact dry-run version to
      # package files — no sync logic, no forward-bump, no divergence
      # between the predicted and actual version.
      if: steps.bump.outputs.changed == 'true'
      env:
        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      run: |
        VERSION="${{ steps.bump.outputs.version }}"
        BRANCH="release/v${VERSION}"

        # Fetch tags created by the Release step (above) so grubble's
        # CHANGELOG generation uses the correct commit range.
        git fetch origin --tags --force

        # Create a branch from current HEAD.
        git checkout -B "${BRANCH}"

        # Write the exact release version to Cargo.toml, generate CHANGELOG,
        # and commit. No sync logic, no file-vs-tag comparison.
        RELEASE_JSON=$(./target/release/grubble \
          --release-version "${VERSION}" \
          --git-user-name "github-actions[bot]" \
          --git-user-email "41898282+github-actions[bot]@users.noreply.github.com" \
          --preset rust \
          --changelog \
          --output json)
        echo "$RELEASE_JSON"
        WRITTEN_VERSION=$(echo "$RELEASE_JSON" | jq -r '.version')
        if [ -z "$WRITTEN_VERSION" ] || [ "$WRITTEN_VERSION" = "null" ]; then
          echo "::error::Failed to read version from grubble JSON output"
          exit 1
        fi

        # Push the release branch.
        git push origin "${BRANCH}" --force-with-lease

        # Create a passing check run for the required "test" check on the
        # pushed commit. The pull_request event from the bot push cannot
        # trigger a new workflow run (GitHub does not create runs from
        # GITHUB_TOKEN events), so we create the check directly via the
        # Check Runs API. The release branch content is the same as main
        # plus a version set + CHANGELOG entry — both validated on main.
        PUSHED_SHA=$(git rev-parse "${BRANCH}")
        gh api "repos/${GITHUB_REPOSITORY}/check-runs" \
          --method POST \
          -f "name=test" \
          -f "head_sha=${PUSHED_SHA}" \
          -f "status=completed" \
          -f "conclusion=success" \
          -f "output[title]=Release branch check" \
          -f "output[summary]=Content validated by CI on main"

        # Read the CHANGELOG entry to use as the PR body.
        CHANGELOG_BODY=$(./target/release/grubble --changelog-entry || echo "")

        if gh pr view "${BRANCH}" >/dev/null 2>&1; then
          echo "PR already exists for ${BRANCH}; branch was force-pushed."
          gh pr edit "${BRANCH}" \
            --title "Release v${VERSION}" \
            --body "${CHANGELOG_BODY}"
        else
          gh pr create \
            --base main \
            --head "${BRANCH}" \
            --title "Release v${VERSION}" \
            --body "${CHANGELOG_BODY}"
          echo "Release PR opened for ${BRANCH}"
        fi

        # Enable auto-merge with squash using the PAT so the merge event
        # triggers the version workflow to create the tag + GitHub Release.
        # With GITHUB_TOKEN, the auto-merge event would not create a new
        # workflow run and the tag would never be created.
        for i in 1 2 3 4 5; do
          if GH_TOKEN=${{ secrets.RELEASE_PAT }} gh pr merge "${BRANCH}" --auto --squash 2>/dev/null; then
            echo "Auto-merge enabled on ${BRANCH}"
            break
          fi
          sleep 3
        done

  test:
    name: Pre-release Tests
    runs-on: ubuntu-latest
    needs: version
    if: needs.version.outputs.version_changed == 'true'
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ needs.version.outputs.tag_name }}

      - name: Setup Rust
        uses: actions-rust-lang/setup-rust-toolchain@v1
        with:
          toolchain: stable
          components: clippy, rustfmt
          cache: true

      - name: Run tests
        run: cargo test --all-features --verbose

      - name: Run clippy
        run: cargo clippy --all-targets --all-features -- -D warnings

  build-release:
    name: Build Release
    needs: [version, test]
    strategy:
      fail-fast: false
      matrix:
        include:
          - target: x86_64-unknown-linux-musl
            os: ubuntu-latest
            name: grubble-linux-x86_64
            cross: true
          - target: aarch64-unknown-linux-musl
            os: ubuntu-latest
            name: grubble-linux-aarch64
            cross: true
          - target: aarch64-apple-darwin
            os: macos-latest
            name: grubble-macos-aarch64
            cross: false
          - target: x86_64-pc-windows-msvc
            os: windows-latest
            name: grubble-windows-x86_64.exe
            cross: false

    runs-on: ${{ matrix.os }}
    permissions:
      contents: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ needs.version.outputs.tag_name }}

      - name: Setup Rust
        id: setup-rust
        uses: actions-rust-lang/setup-rust-toolchain@v1
        with:
          toolchain: stable
          target: ${{ matrix.target }}
          cache: true

      # Retry Rust setup if it failed (transient runner I/O errors).
      - name: Setup Rust (retry)
        if: steps.setup-rust.outcome == 'failure'
        run: |
          echo "::warning::Initial Rust setup failed, retrying with direct install..."
          curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y 2>&1
          echo "$HOME/.cargo/bin" >> $GITHUB_PATH
          rustup target add ${{ matrix.target }}

      - name: Install cross
        if: matrix.cross
        run: |
          cargo install cross --git https://github.com/cross-rs/cross
          cross --version

      - name: Build (native)
        if: ${{ !matrix.cross }}
        shell: bash
        run: |
          for i in 1 2 3; do
            cargo build --release --target ${{ matrix.target }} && break
            echo "::warning::Build attempt $i/3 failed for ${{ matrix.target }}, retrying in 15s..."
            sleep 15
          done

      - name: Build (cross)
        if: matrix.cross
        run: cross build --release --target ${{ matrix.target }}

      - name: Strip binary (Linux)
        if: matrix.os == 'ubuntu-latest'
        run: |
          strip target/${{ matrix.target }}/release/grubble || true

      - name: Strip binary (macOS)
        if: matrix.os == 'macos-latest'
        run: |
          strip target/${{ matrix.target }}/release/grubble || true

      - name: Prepare binary (Unix)
        if: matrix.os != 'windows-latest'
        run: |
          cd target/${{ matrix.target }}/release
          tar czf ../../../${{ matrix.name }}.tar.gz grubble
          cd -

      - name: Prepare binary (Windows)
        if: matrix.os == 'windows-latest'
        run: |
          cd target/${{ matrix.target }}/release
          7z a ../../../${{ matrix.name }}.zip grubble.exe
          cd -

      - name: Generate SHA256 checksums (Unix)
        if: matrix.os != 'windows-latest'
        run: |
          shasum -a 256 ${{ matrix.name }}.tar.gz > ${{ matrix.name }}.tar.gz.sha256

      - name: Generate SHA256 checksums (Windows)
        if: matrix.os == 'windows-latest'
        shell: pwsh
        run: |
          $hash = (Get-FileHash -Algorithm SHA256 ${{ matrix.name }}.zip).Hash.ToLower()
          "$hash  ${{ matrix.name }}.zip" | Out-File -Encoding ASCII ${{ matrix.name }}.zip.sha256

      - name: Upload Release Asset (Unix)
        if: matrix.os != 'windows-latest'
        uses: softprops/action-gh-release@v2
        with:
          tag_name: ${{ needs.version.outputs.tag_name }}
          files: |
            ${{ matrix.name }}.tar.gz
            ${{ matrix.name }}.tar.gz.sha256
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Upload Release Asset (Windows)
        if: matrix.os == 'windows-latest'
        uses: softprops/action-gh-release@v2
        with:
          tag_name: ${{ needs.version.outputs.tag_name }}
          files: |
            ${{ matrix.name }}.zip
            ${{ matrix.name }}.zip.sha256
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  publish-crate:
    name: Publish to crates.io
    runs-on: ubuntu-latest
    needs: [test, build-release]
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ needs.version.outputs.tag_name }}
      
      - name: Setup Rust
        uses: actions-rust-lang/setup-rust-toolchain@v1
        with:
          toolchain: stable
          cache: true

      - name: Authenticate with crates.io
        uses: rust-lang/crates-io-auth-action@v1
        id: auth

      - name: Publish to crates.io
        run: cargo publish
        env:
          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}