name: release-publish
on:
workflow_dispatch:
inputs:
build_run_id:
description: "Successful release build workflow run ID to publish from (optional if release_tag is set)."
required: false
default: ""
type: string
release_tag:
description: "Release tag to resolve to a successful release build run (format: vX.Y.Z)."
required: false
default: ""
type: string
rehearsal:
description: "Run full preflight/provenance/tap checks without publishing to registries or GitHub Releases."
type: boolean
default: false
permissions:
contents: write
actions: read
env:
RELEASE_RUST_TOOLCHAIN: "1.88.0"
HOMEBREW_TAP_REPO: "sandover/homebrew-tap"
jobs:
resolve-build-run:
runs-on: ubuntu-latest
outputs:
build_run_id: ${{ steps.resolve.outputs.build_run_id }}
tag: ${{ steps.resolve.outputs.tag }}
version: ${{ steps.resolve.outputs.version }}
rehearsal: ${{ steps.resolve.outputs.rehearsal }}
steps:
- id: resolve
shell: bash
env:
GH_TOKEN: ${{ github.token }}
run: |
set -euo pipefail
requested_build_run_id="${{ inputs.build_run_id }}"
requested_release_tag="${{ inputs.release_tag }}"
rehearsal="${{ inputs.rehearsal }}"
tmp_dir="$(mktemp -d)"
trap 'rm -rf "$tmp_dir"' EXIT
resolve_build_run_by_tag() {
local expected_tag="$1"
local search_dir="$2"
local run_id candidate_dir metadata_file candidate_tag
mapfile -t successful_runs < <(
gh run list \
--repo "$GITHUB_REPOSITORY" \
--workflow release.yml \
--limit 40 \
--json databaseId,conclusion \
--jq '.[] | select(.conclusion=="success") | .databaseId'
)
for run_id in "${successful_runs[@]}"; do
candidate_dir="${search_dir}/${run_id}"
mkdir -p "$candidate_dir"
if ! gh run download "$run_id" --repo "$GITHUB_REPOSITORY" --name release-metadata --dir "$candidate_dir" >/dev/null 2>&1; then
continue
fi
metadata_file="$(find "$candidate_dir" -name metadata.json | head -n 1)"
if [[ -z "$metadata_file" ]]; then
continue
fi
candidate_tag="$(jq -r '.tag // ""' "$metadata_file")"
if [[ "$candidate_tag" == "$expected_tag" ]]; then
echo "$run_id"
return 0
fi
done
return 1
}
if [[ -n "$requested_build_run_id" && -n "$requested_release_tag" ]]; then
echo "error: provide only one of build_run_id or release_tag." >&2
exit 1
fi
if [[ -z "$requested_build_run_id" && -z "$requested_release_tag" ]]; then
echo "error: provide build_run_id or release_tag." >&2
exit 1
fi
if [[ -n "$requested_release_tag" ]]; then
if [[ "$requested_release_tag" != v* ]]; then
echo "error: release_tag must use vX.Y.Z format (got '$requested_release_tag')." >&2
exit 1
fi
if ! build_run_id="$(resolve_build_run_by_tag "$requested_release_tag" "$tmp_dir/tag-lookup")"; then
echo "error: no successful release workflow run found for tag '$requested_release_tag'." >&2
echo "hint: run release.yml for that tag, or pass build_run_id explicitly." >&2
exit 1
fi
else
build_run_id="$requested_build_run_id"
fi
run_json="$(gh run view "$build_run_id" --repo "$GITHUB_REPOSITORY" --json workflowName,conclusion,url)"
workflow_name="$(jq -r '.workflowName' <<<"$run_json")"
run_conclusion="$(jq -r '.conclusion' <<<"$run_json")"
if [[ "$workflow_name" != "release" ]]; then
echo "error: build_run_id=$build_run_id belongs to workflow '$workflow_name', expected 'release'." >&2
exit 1
fi
if [[ "$run_conclusion" != "success" ]]; then
echo "error: build_run_id=$build_run_id is not successful (conclusion=$run_conclusion)." >&2
exit 1
fi
# Extract tag/version from build run metadata.
gh run download "$build_run_id" --repo "$GITHUB_REPOSITORY" --name release-metadata --dir "$tmp_dir"
metadata_file="$(find "$tmp_dir" -name metadata.json | head -n 1)"
if [[ -z "$metadata_file" ]]; then
echo "error: release-metadata artifact missing metadata.json for run $build_run_id." >&2
exit 1
fi
tag="$(jq -r '.tag' "$metadata_file")"
version="$(jq -r '.version' "$metadata_file")"
if [[ -z "$tag" || "$tag" == "null" || "$tag" != v* ]]; then
echo "error: invalid tag in release metadata: '$tag'." >&2
exit 1
fi
echo "build_run_id=$build_run_id" >> "$GITHUB_OUTPUT"
echo "tag=$tag" >> "$GITHUB_OUTPUT"
echo "version=$version" >> "$GITHUB_OUTPUT"
echo "rehearsal=$rehearsal" >> "$GITHUB_OUTPUT"
publish-preflight:
runs-on: ubuntu-latest
needs: [resolve-build-run]
steps:
- uses: actions/setup-node@v4
with:
node-version: "20"
- name: Validate registry readiness
shell: bash
env:
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
PYPI_API_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
run: |
set -euo pipefail
preflight_fail() {
echo "error: $1" >&2
echo "hint: $2" >&2
exit 1
}
if [[ -z "${NPM_TOKEN:-}" ]]; then
preflight_fail "NPM_TOKEN not set for publish-preflight." "Set NPM_TOKEN in repository secrets before running release-publish."
fi
if [[ "${NPM_TOKEN}" != npm_* ]]; then
preflight_fail "NPM_TOKEN format does not match npm access token expectations." "Use an npm automation/granular publish token (commonly starts with 'npm_') and ensure bypass-2FA publishing is enabled."
fi
if ! NPM_CONFIG_TOKEN="$NPM_TOKEN" npm whoami >/tmp/npm-whoami.out 2>/tmp/npm-whoami.err; then
npm_err="$(cat /tmp/npm-whoami.err)"
if grep -qi "EOTP\\|one-time pass\\|otp" <<<"$npm_err"; then
preflight_fail "npm token requires OTP interaction and is not CI-publish-ready." "Create/use an automation token with bypass-2FA publishing permissions."
fi
echo "warning: npm whoami failed during publish-preflight; continuing to publish stage for final token validation." >&2
echo "warning: npm whoami stderr: ${npm_err}" >&2
fi
if [[ -z "${PYPI_API_TOKEN:-}" ]]; then
preflight_fail "PYPI_API_TOKEN not set for publish-preflight." "Set PYPI_API_TOKEN in repository secrets before running release-publish."
fi
if [[ "${PYPI_API_TOKEN}" != pypi-* ]]; then
preflight_fail "PYPI_API_TOKEN format is unexpected." "Use a PyPI API token from PyPI account settings (token value begins with 'pypi-')."
fi
if [[ -z "${CARGO_REGISTRY_TOKEN:-}" ]]; then
preflight_fail "CARGO_REGISTRY_TOKEN not set for publish-preflight." "Set CARGO_REGISTRY_TOKEN in repository secrets before running release-publish."
fi
crates_status="$(curl -sS -o /dev/null -w "%{http_code}" -H "Authorization: ${CARGO_REGISTRY_TOKEN}" https://crates.io/api/v1/me)"
if [[ "$crates_status" == "401" ]]; then
preflight_fail "crates.io authentication check failed with HTTP ${crates_status}." "Use a valid crates.io API token with publish rights and verify the token value is complete."
fi
if [[ "$crates_status" != "200" ]]; then
echo "warning: crates.io /me probe returned HTTP ${crates_status}; continuing to publish stage for final token validation." >&2
fi
echo "publish-preflight: all registry checks passed."
collect-build-artifacts:
runs-on: ubuntu-latest
needs: [resolve-build-run, publish-preflight]
steps:
- name: Download and verify artifacts from release build run
env:
GH_TOKEN: ${{ github.token }}
BUILD_RUN_ID: ${{ needs.resolve-build-run.outputs.build_run_id }}
VERSION: ${{ needs.resolve-build-run.outputs.version }}
shell: bash
run: |
set -euo pipefail
mkdir -p release-inputs/raw
gh run download "$BUILD_RUN_ID" --repo "$GITHUB_REPOSITORY" --dir release-inputs/raw
dist_count="$(find release-inputs/raw -name "plasmite_${VERSION}_*.tar.gz" | wc -l | tr -d ' ')"
node_count="$(find release-inputs/raw -name "plasmite-${VERSION}.tgz" | wc -l | tr -d ' ')"
wheel_count="$(find release-inputs/raw -name "*${VERSION}*.whl" | wc -l | tr -d ' ')"
sdist_count="$(find release-inputs/raw -name "plasmite-${VERSION}.tar.gz" | wc -l | tr -d ' ')"
if [[ "$dist_count" -lt 1 ]]; then
echo "error: no SDK dist tarballs found for version ${VERSION}." >&2
exit 1
fi
if [[ "$node_count" -ne 1 ]]; then
echo "error: expected exactly one npm tarball for version ${VERSION}, found ${node_count}." >&2
exit 1
fi
if [[ "$wheel_count" -lt 1 ]]; then
echo "error: no Python wheels found for version ${VERSION}." >&2
exit 1
fi
if [[ "$sdist_count" -lt 1 ]]; then
echo "error: no Python sdist found for version ${VERSION}." >&2
exit 1
fi
mkdir -p release-inputs/dist release-inputs/node-dist release-inputs/py-dist
find release-inputs/raw -name "plasmite_${VERSION}_*.tar.gz" -exec cp {} release-inputs/dist/ \;
find release-inputs/raw -name "plasmite-${VERSION}.tgz" -exec cp {} release-inputs/node-dist/ \;
find release-inputs/raw -name "*${VERSION}*.whl" -exec cp {} release-inputs/py-dist/ \;
find release-inputs/raw -name "plasmite-${VERSION}.tar.gz" -exec cp {} release-inputs/py-dist/ \;
- uses: actions/upload-artifact@v4
with:
name: release-inputs
path: release-inputs
if-no-files-found: error
sync-homebrew-tap:
runs-on: ubuntu-latest
needs: [resolve-build-run, collect-build-artifacts]
steps:
- uses: actions/checkout@v4
with:
ref: ${{ needs.resolve-build-run.outputs.tag }}
- uses: actions/download-artifact@v4
with:
name: release-inputs
path: release-inputs
- name: Compute release checksums
shell: bash
run: |
set -euo pipefail
shasum -a 256 release-inputs/dist/*.tar.gz > release-inputs/dist/sha256sums.txt
- uses: actions/checkout@v4
with:
repository: ${{ env.HOMEBREW_TAP_REPO }}
path: homebrew-tap
token: ${{ github.token }}
- id: sync
name: Compute expected Homebrew tap formula delta
shell: bash
env:
TAG: ${{ needs.resolve-build-run.outputs.tag }}
BUILD_RUN_ID: ${{ needs.resolve-build-run.outputs.build_run_id }}
GH_TOKEN: ${{ github.token }}
run: |
set -euo pipefail
./scripts/update_homebrew_formula.sh "$TAG" homebrew-tap --build-run-id "$BUILD_RUN_ID"
if git -C homebrew-tap diff --quiet -- Formula/plasmite.rb; then
echo "changed=false" >> "$GITHUB_OUTPUT"
echo "homebrew formula already aligned."
else
echo "changed=true" >> "$GITHUB_OUTPUT"
git -C homebrew-tap --no-pager diff -- Formula/plasmite.rb
fi
- name: Rehearsal mode
if: needs.resolve-build-run.outputs.rehearsal == 'true' && steps.sync.outputs.changed == 'true'
run: 'echo "sync-homebrew-tap rehearsal: local formula differs from expected release state; update ../homebrew-tap manually when promoting."'
- name: Fail live run when tap is stale
if: needs.resolve-build-run.outputs.rehearsal != 'true' && steps.sync.outputs.changed == 'true'
shell: bash
env:
VERSION: ${{ needs.resolve-build-run.outputs.version }}
run: |
set -euo pipefail
echo "error: ${HOMEBREW_TAP_REPO} is not aligned with v${VERSION}; CI will not push tap changes." >&2
echo "hint: update and push ../homebrew-tap locally, then rerun release-publish." >&2
exit 1
- name: Verify Homebrew formula alignment (rehearsal/local)
if: needs.resolve-build-run.outputs.rehearsal == 'true'
shell: bash
env:
VERSION: ${{ needs.resolve-build-run.outputs.version }}
run: |
set -euo pipefail
./scripts/verify_homebrew_formula_alignment.sh \
--version "$VERSION" \
--sha256sums release-inputs/dist/sha256sums.txt \
--formula-file homebrew-tap/Formula/plasmite.rb
- name: Verify Homebrew tap alignment (live/remote)
if: needs.resolve-build-run.outputs.rehearsal != 'true'
shell: bash
env:
VERSION: ${{ needs.resolve-build-run.outputs.version }}
GH_TOKEN: ${{ github.token }}
run: |
set -euo pipefail
./scripts/verify_homebrew_formula_alignment.sh \
--version "$VERSION" \
--sha256sums release-inputs/dist/sha256sums.txt \
--tap-repo "$HOMEBREW_TAP_REPO"
publish-crates-io:
runs-on: ubuntu-latest
needs: [resolve-build-run, publish-preflight, collect-build-artifacts]
steps:
- uses: actions/checkout@v4
with:
ref: ${{ needs.resolve-build-run.outputs.tag }}
- uses: dtolnay/rust-toolchain@stable
with:
toolchain: ${{ env.RELEASE_RUST_TOOLCHAIN }}
- name: Rehearsal mode
if: needs.resolve-build-run.outputs.rehearsal == 'true'
run: 'echo "publish-crates-io rehearsal: skipping cargo publish."'
- name: Publish to crates.io
if: needs.resolve-build-run.outputs.rehearsal != 'true'
shell: bash
run: |
if [ -z "${{ secrets.CARGO_REGISTRY_TOKEN }}" ]; then
echo "CARGO_REGISTRY_TOKEN not set; cannot publish crates.io package."
exit 1
fi
if cargo publish --locked --token "${{ secrets.CARGO_REGISTRY_TOKEN }}" 2>&1 | tee /tmp/cargo-publish.log; then
echo "publish-crates-io: published successfully."
elif grep -q "already exists on crates.io" /tmp/cargo-publish.log; then
echo "publish-crates-io: version already published (idempotent success)."
else
cat /tmp/cargo-publish.log
exit 1
fi
publish-npm:
runs-on: ubuntu-latest
needs: [resolve-build-run, publish-preflight, collect-build-artifacts]
steps:
- uses: actions/download-artifact@v4
with:
name: release-inputs
path: release-inputs
- uses: actions/setup-node@v4
with:
node-version: "20"
registry-url: "https://registry.npmjs.org"
- name: Rehearsal mode
if: needs.resolve-build-run.outputs.rehearsal == 'true'
run: 'echo "publish-npm rehearsal: skipping npm publish."'
- name: Publish to npm
if: needs.resolve-build-run.outputs.rehearsal != 'true'
shell: bash
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
run: |
set -euo pipefail
shopt -s nullglob
files=(release-inputs/node-dist/plasmite-*.tgz)
if [ "${#files[@]}" -ne 1 ]; then
echo "expected one npm tarball, found ${#files[@]}"
ls -la release-inputs/node-dist || true
exit 1
fi
if npm publish "${files[0]}" --access public 2>&1 | tee /tmp/npm-publish.log; then
echo "publish-npm: published successfully."
elif grep -q "cannot publish over the previously published" /tmp/npm-publish.log; then
echo "publish-npm: version already published (idempotent success)."
else
cat /tmp/npm-publish.log
exit 1
fi
publish-pypi:
runs-on: ubuntu-latest
needs: [resolve-build-run, publish-preflight, collect-build-artifacts]
steps:
- uses: actions/download-artifact@v4
with:
name: release-inputs
path: release-inputs
- name: Rehearsal mode
if: needs.resolve-build-run.outputs.rehearsal == 'true'
run: 'echo "publish-pypi rehearsal: skipping PyPI publish."'
- name: Check PyPI token
if: needs.resolve-build-run.outputs.rehearsal != 'true'
shell: bash
run: |
if [ -z "${{ secrets.PYPI_API_TOKEN }}" ]; then
echo "PYPI_API_TOKEN not set; cannot publish PyPI package."
exit 1
fi
- uses: pypa/gh-action-pypi-publish@release/v1
if: needs.resolve-build-run.outputs.rehearsal != 'true'
with:
user: __token__
password: ${{ secrets.PYPI_API_TOKEN }}
packages-dir: release-inputs/py-dist
skip-existing: true
record-pypi:
if: needs.resolve-build-run.outputs.rehearsal != 'true' && always()
runs-on: ubuntu-latest
needs: [resolve-build-run, publish-pypi]
environment:
name: pypi
url: "https://pypi.org/project/plasmite/${{ needs.resolve-build-run.outputs.version }}/"
steps:
- name: Assert PyPI publish succeeded
shell: bash
run: |
set -euo pipefail
if [[ "${{ needs.publish-pypi.result }}" != "success" ]]; then
echo "PyPI publish failed (job result=${{ needs.publish-pypi.result }})." >&2
exit 1
fi
echo "PyPI publish succeeded."
record-npm:
if: needs.resolve-build-run.outputs.rehearsal != 'true' && always()
runs-on: ubuntu-latest
needs: [resolve-build-run, publish-npm]
environment:
name: npm
url: "https://www.npmjs.com/package/plasmite/v/${{ needs.resolve-build-run.outputs.version }}"
steps:
- name: Assert npm publish succeeded
shell: bash
run: |
set -euo pipefail
if [[ "${{ needs.publish-npm.result }}" != "success" ]]; then
echo "npm publish failed (job result=${{ needs.publish-npm.result }})." >&2
exit 1
fi
echo "npm publish succeeded."
record-crates-io:
if: needs.resolve-build-run.outputs.rehearsal != 'true' && always()
runs-on: ubuntu-latest
needs: [resolve-build-run, publish-crates-io]
environment:
name: crates-io
url: "https://crates.io/crates/plasmite/${{ needs.resolve-build-run.outputs.version }}"
steps:
- name: Assert crates.io publish succeeded
shell: bash
run: |
set -euo pipefail
if [[ "${{ needs.publish-crates-io.result }}" != "success" ]]; then
echo "crates.io publish failed (job result=${{ needs.publish-crates-io.result }})." >&2
exit 1
fi
echo "crates.io publish succeeded."
record-homebrew:
if: needs.resolve-build-run.outputs.rehearsal != 'true' && always()
runs-on: ubuntu-latest
needs: [resolve-build-run, sync-homebrew-tap]
environment:
name: homebrew
url: "https://github.com/${{ env.HOMEBREW_TAP_REPO }}/blob/HEAD/Formula/plasmite.rb"
steps:
- name: Assert Homebrew tap sync succeeded
shell: bash
run: |
set -euo pipefail
if [[ "${{ needs.sync-homebrew-tap.result }}" != "success" ]]; then
echo "Homebrew tap sync failed (job result=${{ needs.sync-homebrew-tap.result }})." >&2
exit 1
fi
echo "Homebrew tap sync succeeded."
release:
runs-on: ubuntu-latest
needs: [resolve-build-run, collect-build-artifacts, sync-homebrew-tap, publish-pypi, publish-crates-io, publish-npm]
steps:
- uses: actions/checkout@v4
with:
ref: ${{ needs.resolve-build-run.outputs.tag }}
sparse-checkout: CHANGELOG.md
- uses: actions/download-artifact@v4
with:
name: release-inputs
path: release-inputs
- name: Checksums
shell: bash
run: |
set -euo pipefail
cd release-inputs/dist
shasum -a 256 *.tar.gz > sha256sums.txt
cat sha256sums.txt
- name: Extract changelog section
id: changelog
shell: bash
env:
VERSION: ${{ needs.resolve-build-run.outputs.version }}
run: |
set -euo pipefail
# Extract the section for this version from CHANGELOG.md.
# Matches from "## [VERSION]" up to the next "## [" heading.
section=$(awk -v ver="$VERSION" '
/^## \[/ { if (found) exit; if (index($0, "[" ver "]")) found=1; next }
found { print }
' CHANGELOG.md)
if [[ -z "$section" ]]; then
section="See [CHANGELOG.md](https://github.com/${{ github.repository }}/blob/${{ needs.resolve-build-run.outputs.tag }}/CHANGELOG.md) for details."
fi
# Write to file to avoid delimiter issues in GITHUB_OUTPUT.
echo "$section" > /tmp/changelog-section.md
- name: Rehearsal mode
if: needs.resolve-build-run.outputs.rehearsal == 'true'
run: 'echo "release rehearsal: skipping GitHub release publish."'
- name: Create GitHub Release
if: needs.resolve-build-run.outputs.rehearsal != 'true'
shell: bash
env:
GH_TOKEN: ${{ github.token }}
TAG: ${{ needs.resolve-build-run.outputs.tag }}
run: |
set -euo pipefail
changelog=$(cat /tmp/changelog-section.md)
cat > /tmp/release-body.md <<BODY
${changelog}
## Install
### Homebrew (macOS and Linux)
\`\`\`bash
brew install sandover/tap/plasmite
\`\`\`
### Manual install
Download the appropriate tarball for your platform, extract it, and install the SDK layout:
\`\`\`bash
tar xzf plasmite_*_<your-platform>.tar.gz
sudo install -d /usr/local/bin /usr/local/lib /usr/local/include /usr/local/lib/pkgconfig
sudo cp -f bin/plasmite bin/pls /usr/local/bin/
sudo cp -f include/plasmite.h /usr/local/include/
sudo cp -f lib/pkgconfig/plasmite.pc /usr/local/lib/pkgconfig/
# macOS
sudo cp -f lib/libplasmite.dylib /usr/local/lib/ 2>/dev/null || true
# Linux
sudo cp -f lib/libplasmite.so /usr/local/lib/ 2>/dev/null || true
\`\`\`
### From source
\`\`\`bash
cargo install --git https://github.com/${{ github.repository }} --tag ${TAG} plasmite
\`\`\`
BODY
# Trim leading whitespace from heredoc indentation.
sed -i 's/^ //' /tmp/release-body.md
gh release create "$TAG" release-inputs/dist/* \
--title "$TAG" \
--notes-file /tmp/release-body.md
record-github-release:
if: needs.resolve-build-run.outputs.rehearsal != 'true' && always()
runs-on: ubuntu-latest
needs: [resolve-build-run, release]
environment:
name: github-release
url: "https://github.com/${{ github.repository }}/releases/tag/${{ needs.resolve-build-run.outputs.tag }}"
steps:
- name: Assert GitHub Release succeeded
shell: bash
run: |
set -euo pipefail
if [[ "${{ needs.release.result }}" != "success" ]]; then
echo "GitHub Release failed (job result=${{ needs.release.result }})." >&2
exit 1
fi
echo "GitHub Release succeeded."