Release #12
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release | |
| # Manually triggered ("Run workflow"). On trigger it: | |
| # 1. reads the version from package.json, | |
| # 2. promotes `## [Unreleased]` content into `## [<version>]` in | |
| # CHANGELOG.md (and commits + pushes that change back to main), so | |
| # the published release notes are never sparse just because the | |
| # maintainer didn't pre-stage the [<version>] block by hand, | |
| # 3. builds a self-contained bundle for every platform (one runner — there's no | |
| # native compilation, so cross-packaging is fine), | |
| # 4. creates the GitHub Release (tag v<version>) with all archives, using the | |
| # release notes from CHANGELOG.md, | |
| # 5. publishes the npm thin-installer (shim + per-platform packages). | |
| # | |
| # Before triggering: bump package.json. CHANGELOG.md entries can live under | |
| # `## [Unreleased]` — step 2 takes care of moving them. Set the NPM_TOKEN secret. | |
| on: | |
| workflow_dispatch: {} | |
| permissions: | |
| contents: write # create the GitHub Release + tag, push the CHANGELOG promote | |
| jobs: | |
| release: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v6 | |
| with: | |
| # Default checkout is detached at a SHA; we need an actual branch | |
| # so the CHANGELOG-promote commit knows where to push. | |
| ref: ${{ github.ref }} | |
| # Authenticate as the maintainer (admin), not as github-actions[bot]. | |
| # The "Require PR approval for main branch" ruleset only lets the | |
| # Admin repo role bypass — and GitHub blocks adding the GitHub | |
| # Actions integration to bypass_actors on user-owned (non-org) | |
| # repos with "Actor GitHub Actions integration must be part of | |
| # the ruleset source or owner organization." So the auto-promote | |
| # and auto-sync `git push origin HEAD:main` steps below both fail | |
| # under the default GITHUB_TOKEN. Using a fine-grained PAT owned | |
| # by the admin makes the push go through cleanly. Set the | |
| # RELEASE_PAT secret with: contents:write on this repo, no other | |
| # scopes. Rotate per your token policy; the workflow only runs | |
| # on manual dispatch so the blast radius is small. | |
| token: ${{ secrets.RELEASE_PAT }} | |
| - uses: actions/setup-node@v6 | |
| with: | |
| node-version: 22 | |
| registry-url: https://registry.npmjs.org | |
| - name: Sync package-lock.json if version drifted | |
| # When the maintainer bumps the version on package.json only — for | |
| # example via a GitHub web-UI edit — `npm ci` would refuse to run | |
| # with `EUSAGE: npm ci can only install packages when your | |
| # package.json and package-lock.json … are in sync`. This step | |
| # rewrites just the lock-file's version fields (top-level + the | |
| # `packages.""` entry) to match package.json, then auto-commits | |
| # and pushes the result so on-disk truth on `main` stays | |
| # consistent. Idempotent: if the lock file already matches, no | |
| # commit is made. | |
| run: | | |
| set -euo pipefail | |
| PKG_V=$(node -p "require('./package.json').version") | |
| LOCK_V=$(node -p "require('./package-lock.json').version") | |
| if [ "$PKG_V" = "$LOCK_V" ]; then | |
| echo "package-lock.json already at $PKG_V — nothing to sync." | |
| exit 0 | |
| fi | |
| echo "Lock-file version drift: lock=$LOCK_V, package=$PKG_V. Syncing." | |
| # `--package-lock-only` rewrites only the lock file, doesn't | |
| # touch node_modules or actually install anything. Cheap. | |
| npm install --package-lock-only --ignore-scripts | |
| # Sanity: lockfile should now report the package version. | |
| NEW_LOCK_V=$(node -p "require('./package-lock.json').version") | |
| if [ "$NEW_LOCK_V" != "$PKG_V" ]; then | |
| echo "::error::lock-file still at $NEW_LOCK_V after sync attempt; expected $PKG_V"; exit 1 | |
| fi | |
| if git diff --quiet -- package-lock.json; then | |
| echo "lock file unchanged after sync? bailing"; exit 1 | |
| fi | |
| git config user.name "github-actions[bot]" | |
| git config user.email "41898282+github-actions[bot]@users.noreply.github.com" | |
| git add package-lock.json | |
| git commit -m "release: sync package-lock.json to ${PKG_V}" -m "[skip ci] Auto-generated by Release workflow." | |
| git push origin "HEAD:${GITHUB_REF#refs/heads/}" | |
| - run: npm ci | |
| - name: Ensure zip/unzip | |
| run: sudo apt-get update -qq && sudo apt-get install -y -qq zip unzip | |
| - name: Resolve version | |
| id: ver | |
| run: echo "version=$(node -p "require('./package.json').version")" >> "$GITHUB_OUTPUT" | |
| - name: Promote [Unreleased] → [<version>] in CHANGELOG.md | |
| # Idempotent: a no-op if [Unreleased] is empty OR if the previous | |
| # run already moved everything. Auto-commit + push the change back | |
| # so the version block on main is the source of truth going | |
| # forward (and so subsequent extract-release-notes.mjs calls | |
| # surface the full content even if this run is re-triggered). | |
| run: | | |
| set -euo pipefail | |
| V="${{ steps.ver.outputs.version }}" | |
| before=$(git rev-parse HEAD) | |
| node scripts/prepare-release.mjs "$V" | |
| if git diff --quiet -- CHANGELOG.md; then | |
| echo "CHANGELOG.md unchanged — nothing to commit." | |
| else | |
| git config user.name "github-actions[bot]" | |
| git config user.email "41898282+github-actions[bot]@users.noreply.github.com" | |
| git add CHANGELOG.md | |
| git commit -m "docs(changelog): promote [Unreleased] into [${V}]" -m "[skip ci] Auto-generated by Release workflow." | |
| # Push to the branch the workflow was triggered on (main). | |
| git push origin "HEAD:${GITHUB_REF#refs/heads/}" | |
| fi | |
| - name: Build all platform bundles | |
| run: | | |
| for t in darwin-arm64 darwin-x64 linux-x64 linux-arm64 win32-x64 win32-arm64; do | |
| bash scripts/build-bundle.sh "$t" | |
| done | |
| ls -lh release | |
| - name: Generate SHA256SUMS | |
| # Published as a release asset; the npm launcher verifies downloaded | |
| # bundles against it (basenames only, so its path.basename match works). | |
| run: | | |
| ( cd release && sha256sum codegraph-* > SHA256SUMS ) | |
| cat release/SHA256SUMS | |
| - name: Release notes from CHANGELOG.md | |
| # The [<version>] block was guaranteed-populated by the | |
| # "Promote" step above, so the [Unreleased] fallback should | |
| # never be needed in practice. Kept for defense-in-depth. | |
| run: | | |
| V="${{ steps.ver.outputs.version }}" | |
| node scripts/extract-release-notes.mjs "$V" > notes.md 2>/dev/null \ | |
| || node scripts/extract-release-notes.mjs Unreleased > notes.md 2>/dev/null || true | |
| if [ ! -s notes.md ]; then | |
| echo "::error::No release notes in CHANGELOG.md for [$V] or [Unreleased]." | |
| exit 1 | |
| fi | |
| echo "----- release notes -----"; cat notes.md | |
| - name: Create GitHub Release | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| run: | | |
| TAG="v${{ steps.ver.outputs.version }}" | |
| # Idempotent: create the release once, otherwise (re-run) refresh assets. | |
| if gh release view "$TAG" >/dev/null 2>&1; then | |
| gh release upload "$TAG" release/codegraph-* release/SHA256SUMS --clobber | |
| else | |
| gh release create "$TAG" release/codegraph-* release/SHA256SUMS --title "$TAG" --notes-file notes.md | |
| fi | |
| - name: Publish to npm | |
| env: | |
| NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} | |
| run: | | |
| V="${{ steps.ver.outputs.version }}" | |
| bash scripts/pack-npm.sh "$V" | |
| # Platform packages first, then the main shim (which depends on them). | |
| # Skip any already on the registry so a re-run only fills in gaps. | |
| for dir in release/npm/codegraph-* release/npm/main; do | |
| name=$(node -p "require('./$dir/package.json').name") | |
| if npm view "$name@$V" version >/dev/null 2>&1; then | |
| echo "skip $name@$V (already published)" | |
| else | |
| echo "publishing $name@$V" | |
| ( cd "$dir" && npm publish --access public ) | |
| fi | |
| done | |
| - name: Verify every package is actually on the registry | |
| run: | | |
| V="${{ steps.ver.outputs.version }}" | |
| # npm publish can print success without persisting; confirm against the | |
| # registry (with retries for propagation) so green means really shipped. | |
| for dir in release/npm/codegraph-* release/npm/main; do | |
| name=$(node -p "require('./$dir/package.json').name") | |
| ok= | |
| for i in 1 2 3 4 5 6; do | |
| if npm view "$name@$V" version >/dev/null 2>&1; then ok=1; break; fi | |
| echo "waiting for $name@$V to appear ($i)…"; sleep 10 | |
| done | |
| [ -n "$ok" ] || { echo "::error::$name@$V never appeared on the registry"; exit 1; } | |
| echo "verified $name@$V" | |
| done | |
| - name: Sync packages to npmmirror | |
| # npmmirror/cnpm mirror lazily and frequently never pull the per-platform | |
| # optionalDependencies on their own, so `npm i` there fails with | |
| # "no prebuilt bundle" (issue #303). Nudge a sync now so mirror users get | |
| # the bundle without waiting. Best-effort — the launcher also self-heals | |
| # from GitHub Releases — so a mirror hiccup never fails the release. | |
| continue-on-error: true | |
| run: | | |
| for dir in release/npm/codegraph-* release/npm/main; do | |
| name=$(node -p "require('./$dir/package.json').name") | |
| enc=$(node -p "encodeURIComponent(require('./$dir/package.json').name)") | |
| echo "sync $name" | |
| curl -s -X PUT "https://registry.npmmirror.com/-/package/$enc/syncs" || true | |
| echo | |
| done |