omk 0.5.0

A Rust runtime for Kimi CLI. Turns prompts into proof-backed engineering runs with gates, worktrees, and replay.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191

name: Release

on:
  push:
    tags:
      - 'v*'

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: false

env:
  CARGO_TERM_COLOR: always

permissions:
  contents: read

jobs:
  build:
    name: Build ${{ matrix.target }}
    runs-on: ${{ matrix.os }}
    permissions:
      contents: read
      # Needed for the build-provenance attestation step.
      id-token: write
      attestations: write
    strategy:
      fail-fast: false
      matrix:
        include:
          - target: x86_64-unknown-linux-gnu
            os: ubuntu-latest
          - target: x86_64-apple-darwin
            os: macos-latest
          - target: aarch64-apple-darwin
            os: macos-latest

    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: Install Rust
        # SHA-pinned third-party action (v1 tag at time of pin).
        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9
        with:
          toolchain: stable
          targets: ${{ matrix.target }}

      - name: Cache Rust dependencies
        uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8
        with:
          key: ${{ matrix.target }}

      - name: Build release binary
        run: cargo build --release --target ${{ matrix.target }} --locked

      - name: Smoke test release binary
        run: ./target/${{ matrix.target }}/release/omk --version

      - name: Package
        shell: bash
        run: |
          set -euo pipefail
          bin_name=omk
          target=${{ matrix.target }}
          version=${GITHUB_REF_NAME#v}
          dist_dir="${bin_name}-${version}-${target}"
          mkdir -p "$dist_dir"
          cp "target/${target}/release/${bin_name}" "$dist_dir/"
          cp README.md LICENSE "$dist_dir/" 2>/dev/null || true
          # Flat tarball: archive members live at the root, not under a
          # versioned subdirectory. install.sh and other consumers therefore
          # find `omk` at the top level after `tar -xzf`.
          tar czf "${dist_dir}.tar.gz" -C "$dist_dir" .
          # Publish SHA256 alongside the archive so install.sh and `omk
          # update` can verify integrity before installing.
          if command -v sha256sum >/dev/null 2>&1; then
            sha256sum "${dist_dir}.tar.gz" > "${dist_dir}.tar.gz.sha256"
          else
            shasum -a 256 "${dist_dir}.tar.gz" > "${dist_dir}.tar.gz.sha256"
          fi
          echo "ASSET=${dist_dir}.tar.gz" >> "$GITHUB_ENV"
          echo "ASSET_SHA=${dist_dir}.tar.gz.sha256" >> "$GITHUB_ENV"

      - name: Attest build provenance
        # SLSA-style attestation, keyless via the runner's GitHub OIDC token.
        # The signing root is GitHub's; no private key to manage.
        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
        with:
          subject-path: ${{ env.ASSET }}

      - name: Upload artifact
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: ${{ matrix.target }}
          path: |
            ${{ env.ASSET }}
            ${{ env.ASSET_SHA }}

  release:
    name: Create GitHub Release
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: Download all artifacts
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          path: artifacts

      - name: Create Release
        # SHA-pinned third-party action (v3.0.0 at time of pin). Resolving by
        # SHA prevents a compromised tag from injecting malicious release
        # logic into a build that has write access to releases.
        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda
        with:
          files: |
            artifacts/**/*.tar.gz
            artifacts/**/*.tar.gz.sha256
          draft: false
          prerelease: ${{ contains(github.ref_name, '-') }}
          generate_release_notes: true
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  update-packaging:
    name: Sync packaging channels
    needs: release
    # Serializes packaging-sync runs across overlapping release tags so two
    # concurrent jobs do not race on the same branch.
    concurrency:
      group: packaging-sync
      cancel-in-progress: false
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # peter-evans/create-pull-request needs to push a branch; the
          # workflow-issued token's contents:write scope is enough for that
          # because we never push directly to a protected branch.
          token: ${{ secrets.GITHUB_TOKEN }}
          ref: master

      - name: Download artifact checksums
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          path: artifacts

      - name: Sync version + checksums into Homebrew / AUR / flake.nix
        shell: bash
        run: |
          set -euo pipefail
          version=${GITHUB_REF_NAME#v}
          ./scripts/sync-packaging-versions.sh "$version" artifacts

      - name: Open packaging-sync PR
        # SHA-pinned third-party action (v8.1.1 at time of pin). This opens a
        # PR against master instead of pushing directly so branch-protection
        # rules (required reviews, signed commits, status checks) cannot
        # break the release pipeline.
        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          branch: chore/packaging-sync-${{ github.ref_name }}
          base: master
          commit-message: "chore(packaging): sync versions to ${{ github.ref_name }}"
          title: "chore(packaging): sync versions to ${{ github.ref_name }}"
          body: |
            Auto-generated by the release pipeline after publishing
            `${{ github.ref_name }}`. Bumps version + SHA256 placeholders
            in Homebrew / AUR / flake.nix to match the just-released
            binaries.

            Generated by `.github/workflows/release.yml::update-packaging`.
          labels: |
            packaging
            automated
          add-paths: |
            homebrew
            aur
            flake.nix
          delete-branch: true