codewhale/.github/workflows/release.yml
Hunter Bown e9970fcad3 ci: switch npm publish to NPM_TOKEN + add auto-tag workflow
The OIDC Trusted Publisher path for npm has 404'd on PUT for v0.5.1,
v0.5.2, and v0.6.1, even with valid OIDC tokens. Switch publish-npm and
publish-npm-manual to a classic NPM_TOKEN automation token (set the
NPM_TOKEN repo secret to a granular access token scoped to deepseek-tui
with publish permission) so future releases ship reliably.

Also add .github/workflows/auto-tag.yml: when the workspace version on
main changes, push the matching v$VERSION tag automatically so release.yml
fires without a manual tag push. Requires a RELEASE_TAG_PAT secret to
trigger downstream workflows (GITHUB_TOKEN tag pushes don't trigger
on: push: tags by design).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-26 12:22:15 -05:00


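# Release pipeline.
#
# Tag push (`v*`):      parity -> build -> release -> publish-npm
# `workflow_dispatch`:  publish-npm-manual only. `parity` is gated on
#                       `push`, so the jobs chained to it through `needs`
#                       are skipped as well.
#
# NOTE(review): every `uses:` below references a mutable tag or branch
# (`@v4`, `@v2`, `@v1`, `@stable`). This workflow holds `contents: write`
# and the `NPM_TOKEN` secret, so consider pinning each action to a full
# commit SHA. If `dtolnay/rust-toolchain` is pinned that way, the toolchain
# presumably has to be selected through its `toolchain` input instead of
# the ref name; confirm against that action's documentation.
name: Release

on:
  push:
    tags: ['v*']
  workflow_dispatch:
    inputs:
      version:
        description: 'Package/release version to publish to npm, without the leading v'
        required: true
        type: string

# Least-privilege default for the GITHUB_TOKEN of every job. Only `release`
# widens it (to `contents: write`), in its own `permissions` block.
permissions:
  contents: read

env:
  CARGO_TERM_COLOR: always
  RUSTFLAGS: -Dwarnings

jobs:
  # Full verification gate. Runs only for tag pushes; everything that ships
  # binaries depends on it through `needs`.
  parity:
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # No later step needs authenticated git, so keep the token out of
          # the checkout's git config.
          persist-credentials: false
      - uses: dtolnay/rust-toolchain@stable
        with:
          components: clippy, rustfmt
      - uses: Swatinem/rust-cache@v2
      - name: Format check
        run: cargo fmt --all -- --check
      - name: Compile check
        run: cargo check --workspace --all-targets --locked
      - name: Clippy
        run: cargo clippy --workspace --all-targets --all-features --locked -- -D warnings
      - name: Workspace tests
        run: cargo test --workspace --all-features --locked
      - name: TUI snapshot parity
        run: cargo test -p deepseek-tui-core --test snapshot --locked
      - name: Protocol schema parity
        run: cargo test -p deepseek-protocol --test parity_protocol --locked
      - name: State persistence parity
        run: cargo test -p deepseek-state --test parity_state --locked
      - name: Lockfile drift guard
        # Fails if any of the steps above modified Cargo.lock.
        run: git diff --exit-code -- Cargo.lock

  # Builds one release binary per matrix entry and uploads it as an
  # artifact named after `artifact_name`.
  build:
    needs: parity
    strategy:
      matrix:
        include:
          # --- deepseek (cli) ---
          - os: ubuntu-latest
            target: x86_64-unknown-linux-gnu
            binary: deepseek
            artifact_name: deepseek-linux-x64
          - os: macos-latest
            target: x86_64-apple-darwin
            binary: deepseek
            artifact_name: deepseek-macos-x64
          - os: macos-latest
            target: aarch64-apple-darwin
            binary: deepseek
            artifact_name: deepseek-macos-arm64
          - os: windows-latest
            target: x86_64-pc-windows-msvc
            binary: deepseek.exe
            artifact_name: deepseek-windows-x64.exe
          # --- deepseek-tui (TUI) ---
          - os: ubuntu-latest
            target: x86_64-unknown-linux-gnu
            binary: deepseek-tui
            artifact_name: deepseek-tui-linux-x64
          - os: macos-latest
            target: x86_64-apple-darwin
            binary: deepseek-tui
            artifact_name: deepseek-tui-macos-x64
          - os: macos-latest
            target: aarch64-apple-darwin
            binary: deepseek-tui
            artifact_name: deepseek-tui-macos-arm64
          - os: windows-latest
            target: x86_64-pc-windows-msvc
            binary: deepseek-tui.exe
            artifact_name: deepseek-tui-windows-x64.exe
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: dtolnay/rust-toolchain@stable
        with:
          targets: ${{ matrix.target }}
      # The `matrix.*` values expanded into the commands below are the
      # static literals listed above, not external input.
      - run: cargo build --release --locked --target ${{ matrix.target }}
      - name: Rename binary
        shell: bash
        run: |
          cp target/${{ matrix.target }}/release/${{ matrix.binary }} ${{ matrix.artifact_name }}
      - uses: actions/upload-artifact@v4
        with:
          name: ${{ matrix.artifact_name }}
          path: ${{ matrix.artifact_name }}

  # Collects every build artifact, writes a SHA-256 manifest next to them
  # and attaches all of it to the GitHub release. This is the only job whose
  # token can write to the repository.
  release:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/download-artifact@v4
        with:
          path: artifacts
      - name: List artifacts
        run: find artifacts -type f
      - name: Generate checksum manifest
        shell: bash
        # One "<sha256> <basename>" line per downloaded file, in sorted path
        # order. The manifest's own directory is excluded from the scan so
        # the manifest never hashes itself.
        run: |
          mkdir -p artifacts/checksums
          manifest="artifacts/checksums/deepseek-artifacts-sha256.txt"
          : > "${manifest}"
          while IFS= read -r -d '' file; do
            hash="$(sha256sum "${file}" | awk '{print $1}')"
            base="$(basename "${file}")"
            printf '%s %s\n' "${hash}" "${base}" >> "${manifest}"
          done < <(find artifacts -type f ! -path 'artifacts/checksums/*' -print0 | sort -z)
          cat "${manifest}"
      - uses: softprops/action-gh-release@v1
        with:
          # Matches the per-artifact directories and `checksums/`.
          files: artifacts/*/*
          prerelease: false

  publish-npm:
    needs: release
    runs-on: ubuntu-latest
    # Token-based publish through the `NPM_TOKEN` repo secret. The OIDC
    # Trusted Publisher path was unreliable across v0.5.1/v0.5.2/v0.6.1
    # (npm returned 404 on PUT despite valid OIDC). Set `NPM_TOKEN` to a
    # granular access token scoped to `deepseek-tui` with publish
    # permission.
    #
    # The secret is long-lived, so it is exposed only to the publish step's
    # environment rather than to the whole job. Lifecycle scripts that
    # `npm publish` runs from npm/deepseek-tui/package.json execute with
    # that token in their environment; review changes to them accordingly.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: actions/setup-node@v4
        with:
          node-version: '24'
          registry-url: 'https://registry.npmjs.org'
      - name: Verify package version
        working-directory: npm/deepseek-tui
        # The tag name is read from the runner-provided GITHUB_REF_NAME
        # variable, so it reaches the script as data, never as script text.
        run: |
          actual="$(node -p "require('./package.json').version")"
          expected="${GITHUB_REF_NAME#v}"
          if [ "${actual}" != "${expected}" ]; then
            echo "package.json version ${actual} does not match tag ${expected}" >&2
            exit 1
          fi
      - name: Publish wrapper to npm
        working-directory: npm/deepseek-tui
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: npm publish --access public

  # Manual re-publish of the npm wrapper. Uses the same `NPM_TOKEN` secret
  # as `publish-npm` and does not depend on parity/build/release.
  publish-npm-manual:
    if: github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: actions/setup-node@v4
        with:
          node-version: '24'
          registry-url: 'https://registry.npmjs.org'
      - name: Verify package version
        working-directory: npm/deepseek-tui
        env:
          # Hand the dispatch input to the script through the environment.
          # Expanding `${{ inputs.version }}` inside `run:` would paste the
          # raw value into the shell source before bash parses it, so a
          # value containing quotes or `$(...)` would be executed in the job
          # that publishes the package.
          EXPECTED_VERSION: ${{ inputs.version }}
        run: |
          actual="$(node -p "require('./package.json').version")"
          expected="${EXPECTED_VERSION}"
          if [ "${actual}" != "${expected}" ]; then
            echo "package.json version ${actual} does not match requested ${expected}" >&2
            exit 1
          fi
      - name: Publish wrapper to npm
        working-directory: npm/deepseek-tui
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: npm publish --access public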