codewhale/.github/workflows/release.yml

name: Release

on:
  push:
    tags: ['v*']
  workflow_dispatch:
    inputs:
      version:
        description: 'Package/release version to publish to npm, without the leading v'
        required: true
        type: string

env:
  CARGO_TERM_COLOR: always
  RUSTFLAGS: -Dwarnings

jobs:
  parity:
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
        with:
          components: clippy, rustfmt
      - uses: Swatinem/rust-cache@v2
      - name: Format check
        run: cargo fmt --all -- --check
      - name: Compile check
        run: cargo check --workspace --all-targets --locked
      - name: Clippy
        run: cargo clippy --workspace --all-targets --all-features --locked -- -D warnings
      - name: Workspace tests
        run: cargo test --workspace --all-features --locked
      - name: TUI snapshot parity
        run: cargo test -p deepseek-tui-core --test snapshot --locked
      - name: Protocol schema parity
        run: cargo test -p deepseek-protocol --test parity_protocol --locked
      - name: State persistence parity
        run: cargo test -p deepseek-state --test parity_state --locked
      - name: Lockfile drift guard
        run: git diff --exit-code -- Cargo.lock

  build:
    needs: parity
    strategy:
      matrix:
        include:
          # --- deepseek (cli) ---
          - os: ubuntu-latest
            target: x86_64-unknown-linux-gnu
            binary: deepseek
            artifact_name: deepseek-linux-x64
          - os: macos-latest
            target: x86_64-apple-darwin
            binary: deepseek
            artifact_name: deepseek-macos-x64
          - os: macos-latest
            target: aarch64-apple-darwin
            binary: deepseek
            artifact_name: deepseek-macos-arm64
          - os: windows-latest
            target: x86_64-pc-windows-msvc
            binary: deepseek.exe
            artifact_name: deepseek-windows-x64.exe
          # --- deepseek-tui (TUI) ---
          - os: ubuntu-latest
            target: x86_64-unknown-linux-gnu
            binary: deepseek-tui
            artifact_name: deepseek-tui-linux-x64
          - os: macos-latest
            target: x86_64-apple-darwin
            binary: deepseek-tui
            artifact_name: deepseek-tui-macos-x64
          - os: macos-latest
            target: aarch64-apple-darwin
            binary: deepseek-tui
            artifact_name: deepseek-tui-macos-arm64
          - os: windows-latest
            target: x86_64-pc-windows-msvc
            binary: deepseek-tui.exe
            artifact_name: deepseek-tui-windows-x64.exe
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
        with:
          targets: ${{ matrix.target }}
      - run: cargo build --release --locked --target ${{ matrix.target }}
      - name: Rename binary
        shell: bash
        run: |
          cp target/${{ matrix.target }}/release/${{ matrix.binary }} ${{ matrix.artifact_name }}
      - uses: actions/upload-artifact@v4
        with:
          name: ${{ matrix.artifact_name }}
          path: ${{ matrix.artifact_name }}
  release:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/download-artifact@v4
        with:
          path: artifacts
      - name: List artifacts
        run: find artifacts -type f
      - name: Generate checksum manifest
        shell: bash
        run: |
          mkdir -p artifacts/checksums
          manifest="artifacts/checksums/deepseek-artifacts-sha256.txt"
          : > "${manifest}"
          while IFS= read -r -d '' file; do
            hash="$(sha256sum "${file}" | awk '{print $1}')"
            base="$(basename "${file}")"
            printf '%s  %s\n' "${hash}" "${base}" >> "${manifest}"
          done < <(find artifacts -type f ! -path 'artifacts/checksums/*' -print0 | sort -z)
          cat "${manifest}"
      - uses: softprops/action-gh-release@v1
        with:
          files: artifacts/*/*
          prerelease: false

  publish-npm:
    needs: release
    runs-on: ubuntu-latest
    # Trusted Publishing via OIDC. Configure npm to trust this workflow
    # filename (`release.yml`) for Hmbown/DeepSeek-TUI.
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '24'
          registry-url: 'https://registry.npmjs.org'
      - name: Verify package version
        working-directory: npm/deepseek-tui
        run: |
          actual="$(node -p "require('./package.json').version")"
          expected="${GITHUB_REF_NAME#v}"
          if [ "${actual}" != "${expected}" ]; then
            echo "package.json version ${actual} does not match tag ${expected}" >&2
            exit 1
          fi
      - name: Publish wrapper to npm
        working-directory: npm/deepseek-tui
        run: npm publish --access public

  publish-npm-manual:
    if: github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest
    # npm can trust only one workflow filename; keep npm-only retries here so
    # the trusted publisher can remain `release.yml`.
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '24'
          registry-url: 'https://registry.npmjs.org'
      - name: Verify package version
        working-directory: npm/deepseek-tui
        run: |
          actual="$(node -p "require('./package.json').version")"
          expected="${{ inputs.version }}"
          if [ "${actual}" != "${expected}" ]; then
            echo "package.json version ${actual} does not match requested ${expected}" >&2
            exit 1
          fi
      - name: Publish wrapper to npm
        working-directory: npm/deepseek-tui
        run: npm publish --access public