openlogi 0.4.0

OpenLogi command-line interface — a local-first companion for Logitech HID++ peripherals.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202

name: Release PR

on:
  push:
    branches: [master]

env:
  CARGO_TERM_COLOR: always
  CARGO_INCREMENTAL: 0

jobs:
  # Opens/updates a release PR that bumps the shared workspace version and writes
  # changelogs from the conventional commits since the last release. Merging that
  # PR is what triggers the actual release in the job below.
  release-pr:
    name: release-plz PR
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    concurrency:
      group: release-plz-pr-${{ github.ref }}
      cancel-in-progress: false
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0
          persist-credentials: false
      - uses: dtolnay/rust-toolchain@stable
      - uses: Swatinem/rust-cache@v2
      - name: Install Linux build deps
        run: |
          sudo apt-get update
          sudo apt-get install -y \
            libudev-dev pkg-config gcc g++ clang libssl-dev libzstd-dev
      # GitHub App token (not a PAT) so the release PR / tag trigger CI and the
      # DMG release workflow — the default GITHUB_TOKEN cannot trigger workflows.
      # App credentials come from the same 1Password item as release.yml.
      - name: Load GitHub App credentials from 1Password
        id: load_secrets
        uses: 1password/load-secrets-action@v4
        with:
          export-env: false
        env:
          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
          GITHUB_APP_ID: ${{ secrets.OP_GITHUB_APP_ITEM }}/GITHUB_APP_ID
          GITHUB_APP_PRIVATE_KEY: ${{ secrets.OP_GITHUB_APP_ITEM }}/GITHUB_APP_PRIVATE_KEY
          CARGO_REGISTRY_TOKEN: ${{ secrets.OP_GITHUB_APP_ITEM }}/CARGO_REGISTRY_TOKEN
      # App key is stored base64-encoded in 1Password (raw PEM newlines get
      # mangled to spaces on paste); decode it (base64 ignores whitespace).
      - name: Decode GitHub App private key
        id: app_key
        env:
          APP_KEY_B64: ${{ steps.load_secrets.outputs.GITHUB_APP_PRIVATE_KEY }}
        run: |
          key="$(printf '%s' "$APP_KEY_B64" | tr -d '[:space:]' | base64 -d)"
          {
            echo 'pem<<__PEM__'
            printf '%s\n' "$key"
            echo '__PEM__'
          } >> "$GITHUB_OUTPUT"

      - name: Mint GitHub App token
        id: app-token
        uses: actions/create-github-app-token@v3
        with:
          client-id: ${{ steps.load_secrets.outputs.GITHUB_APP_ID }}
          private-key: ${{ steps.app_key.outputs.pem }}
      # release-plz leaves its release branch behind after a release PR merges,
      # and a leftover ref then makes the next `release-pr` fail with HTTP 422
      # (so no PR is created). Prune any `release-plz-*` branch that no longer
      # has an open PR — never the active release PR's branch — before running.
      - name: Prune stale release-plz branches
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          REPO: ${{ github.repository }}
        run: |
          for branch in $(gh api "repos/$REPO/branches" --paginate --jq '.[].name' \
            | grep '^release-plz-' || true); do
            open=$(gh pr list --repo "$REPO" --head "$branch" --state open --json number --jq 'length')
            if [ "$open" = "0" ]; then
              echo "Pruning stale release branch: $branch"
              gh api -X DELETE "repos/$REPO/git/refs/heads/$branch" \
                || echo "::warning::could not delete $branch"
            else
              echo "Keeping $branch (open PR exists)"
            fi
          done
      - name: Run release-plz (release-pr)
        id: release_pr
        uses: release-plz/action@v0.5
        with:
          command: release-pr
        env:
          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
          CARGO_REGISTRY_TOKEN: ${{ steps.load_secrets.outputs.CARGO_REGISTRY_TOKEN }}
      # `release-plz/action` swallows a release-pr HTTP 422 as a warning and
      # reports no PR, which silently stalls releases (it looks identical to a
      # quiet week of commits). Fail loudly when release-plz opened/updated no
      # release PR, none is already open, yet release-worthy commits exist since
      # the last tag — that combination means a swallowed failure, not a no-op.
      - name: Guard against a silently stalled release
        if: steps.release_pr.outputs.prs_created == 'false'
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          REPO: ${{ github.repository }}
        run: |
          # An already-open release PR is the normal "updated, not created" path.
          open_release_pr=$(gh pr list --repo "$REPO" --state open --json headRefName \
            --jq '[.[] | select(.headRefName | startswith("release-plz-"))] | length')
          if [ "$open_release_pr" != "0" ]; then
            echo "A release PR is already open — nothing to flag."
            exit 0
          fi
          last_tag=$(git describe --tags --abbrev=0 --match 'v*' 2>/dev/null || true)
          # The release job runs in parallel and cuts the `v{version}` tag only
          # after publishing, so that tag is usually absent from this job's
          # checkout — never trust the local tag list to decide "did a release
          # just happen". Read the manifest instead: merging a release PR bumps
          # the workspace version, so a manifest version ahead of the last tag
          # means the release already landed (the parallel job is tagging it),
          # not a stall. Only when the manifest still sits at the last released
          # tag can leftover release-worthy commits mean a swallowed release-pr.
          manifest_version=$(awk '
            /^\[workspace\.package\]/ { in_section = 1; next }
            /^\[/ { in_section = 0 }
            in_section && /^version[[:space:]]*=/ {
              gsub(/.*=[[:space:]]*"|".*/, ""); print; exit
            }
          ' Cargo.toml)
          if [ -n "$last_tag" ] && [ -n "$manifest_version" ] \
            && [ "v$manifest_version" != "$last_tag" ]; then
            echo "Workspace version $manifest_version is ahead of $last_tag — a release PR already merged; the release job cuts the tag. Nothing to flag."
            exit 0
          fi
          range="${last_tag:+$last_tag..}HEAD"
          worthy=$(git log "$range" --format='%s' \
            | grep -cE '^(feat|fix|perf)(\(.+\))?!?:|^[a-z]+(\(.+\))?!:' || true)
          if [ "$worthy" != "0" ]; then
            echo "::error::release-plz opened no release PR, but $worthy release-worthy commit(s) exist since ${last_tag:-repo start} and none is open — likely a swallowed release-plz failure (see the release-pr step)."
            exit 1
          fi
          echo "No release PR and no release-worthy commits since ${last_tag:-repo start}; nothing to release."

  # On every push to master, publishes any crate whose manifest version is not yet
  # on crates.io — i.e. a no-op until the release PR is merged, at which point it
  # publishes the whole workspace and cuts one `v{version}` tag + GitHub Release.
  release:
    name: release-plz release
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: read
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0
          persist-credentials: false
      - uses: dtolnay/rust-toolchain@stable
      - uses: Swatinem/rust-cache@v2
      - name: Install Linux build deps
        run: |
          sudo apt-get update
          sudo apt-get install -y \
            libudev-dev pkg-config gcc g++ clang libssl-dev libzstd-dev
      - name: Load GitHub App credentials from 1Password
        id: load_secrets
        uses: 1password/load-secrets-action@v4
        with:
          export-env: false
        env:
          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
          GITHUB_APP_ID: ${{ secrets.OP_GITHUB_APP_ITEM }}/GITHUB_APP_ID
          GITHUB_APP_PRIVATE_KEY: ${{ secrets.OP_GITHUB_APP_ITEM }}/GITHUB_APP_PRIVATE_KEY
          CARGO_REGISTRY_TOKEN: ${{ secrets.OP_GITHUB_APP_ITEM }}/CARGO_REGISTRY_TOKEN
      # App key is stored base64-encoded in 1Password (raw PEM newlines get
      # mangled to spaces on paste); decode it (base64 ignores whitespace).
      - name: Decode GitHub App private key
        id: app_key
        env:
          APP_KEY_B64: ${{ steps.load_secrets.outputs.GITHUB_APP_PRIVATE_KEY }}
        run: |
          key="$(printf '%s' "$APP_KEY_B64" | tr -d '[:space:]' | base64 -d)"
          {
            echo 'pem<<__PEM__'
            printf '%s\n' "$key"
            echo '__PEM__'
          } >> "$GITHUB_OUTPUT"

      - name: Mint GitHub App token
        id: app-token
        uses: actions/create-github-app-token@v3
        with:
          client-id: ${{ steps.load_secrets.outputs.GITHUB_APP_ID }}
          private-key: ${{ steps.app_key.outputs.pem }}
      - name: Run release-plz (release)
        uses: release-plz/action@v0.5
        with:
          command: release
        env:
          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
          CARGO_REGISTRY_TOKEN: ${{ steps.load_secrets.outputs.CARGO_REGISTRY_TOKEN }}