npm deprecated classic tokens and now requires either granular tokens with 2FA or OIDC trusted publishing. This updates the workflow to use the latter, which is npm's recommended approach for CI/CD.

Requires configuring a trusted publisher on npmjs.com:
- Organization: steveyegge
- Repository: beads
- Workflow: release.yml

Generated with Claude Code

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
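# Release workflow: runs on every pushed tag matching 'v*'.
#   goreleaser      - builds and publishes the GitHub release
#   publish-pypi    - builds integrations/beads-mcp and uploads it with twine
#   publish-npm     - publishes npm-package via OIDC trusted publishing
#   update-homebrew - regenerates Formula/bd.rb and pushes it to the tap repo
#
# NOTE(review): every `uses:` below references a mutable tag (@v5/@v6). In a
# workflow that holds publishing credentials, pinning each action to a full
# commit SHA keeps a retagged action from running here unreviewed.
name: Release

on:
  push:
    tags:
      - 'v*'

concurrency:
  group: release-${{ github.ref }}
  cancel-in-progress: false

# Least privilege: the default GITHUB_TOKEN is read-only. Only the goreleaser
# job, which is the one handed GITHUB_TOKEN to publish the release, is granted
# write access below.
permissions:
  contents: read

jobs:
  goreleaser:
    runs-on: ubuntu-latest
    permissions:
      contents: write  # GoReleaser publishes the release with GITHUB_TOKEN
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          fetch-depth: 0

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.23'

      - name: Install cross-compilation toolchains
        run: |
          sudo apt-get update
          sudo apt-get install -y gcc-mingw-w64-x86-64 gcc-aarch64-linux-gnu

      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v6
        with:
          distribution: goreleaser
          version: '~> v2'
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  publish-pypi:
    runs-on: ubuntu-latest
    needs: goreleaser
    if: always()  # Run even if goreleaser fails
    steps:
      - name: Checkout
        uses: actions/checkout@v6

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'

      - name: Install uv
        run: pip install uv

      - name: Build package
        run: |
          cd integrations/beads-mcp
          uv build

      # NOTE(review): this job still authenticates with a long-lived API token.
      # PyPI also offers OIDC trusted publishing, which would remove the stored
      # secret the same way the npm job below does.
      - name: Publish to PyPI
        env:
          TWINE_USERNAME: __token__
          TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
        run: |
          cd integrations/beads-mcp
          uv tool run twine upload dist/*

  publish-npm:
    runs-on: ubuntu-latest
    needs: goreleaser
    permissions:
      contents: read
      id-token: write  # Required for npm provenance/trusted publishing
    steps:
      - name: Checkout
        uses: actions/checkout@v6

      - name: Set up Node.js
        uses: actions/setup-node@v6
        with:
          node-version: '22'
          registry-url: 'https://registry.npmjs.org'

      # NOTE(review): npm@latest is unpinned, and it is installed in the job
      # that holds id-token: write. Consider pinning to a reviewed npm release
      # that satisfies the >= 11.5.1 requirement.
      - name: Update npm for OIDC trusted publishing
        run: npm install -g npm@latest  # Requires npm >= 11.5.1 for trusted publishing

      - name: Publish to npm
        run: |
          cd npm-package
          npm publish --access public
          # Uses OIDC trusted publishing - no token needed
          # Provenance attestations are automatic with trusted publishing

  update-homebrew:
    runs-on: ubuntu-latest
    needs: goreleaser
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          fetch-depth: 0

      - name: Get release info
        id: release
        run: |
          TAG="${GITHUB_REF#refs/tags/}"
          # The tag is later embedded in a URL, a Ruby string literal and a
          # commit message, so restrict it to a conservative character set
          # before exposing it as a step output.
          tag_pattern='^v[0-9A-Za-z._+-]+$'
          if [[ ! "$TAG" =~ $tag_pattern ]]; then
            echo "::error::unexpected characters in release tag"
            exit 1
          fi
          echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
          echo "version=${TAG#v}" >> "$GITHUB_OUTPUT"

      - name: Download checksums
        env:
          # Passed through the environment instead of being expanded into the
          # script text, so the shell never parses the tag as code.
          RELEASE_TAG: ${{ steps.release.outputs.tag }}
        run: |
          # -f makes curl fail on an HTTP error instead of saving the error
          # page as checksums.txt; -S still reports the error under -s.
          curl -fsSL "https://github.com/steveyegge/beads/releases/download/${RELEASE_TAG}/checksums.txt" -o checksums.txt

      - name: Extract checksums
        id: checksums
        run: |
          # Each output must be exactly one SHA-256 hex digest. A missing or
          # ambiguous match stops the job rather than publishing a formula
          # with an empty or malformed sha256.
          sha_pattern='^[0-9a-f]{64}$'
          for platform in darwin_amd64 darwin_arm64 linux_amd64 linux_arm64; do
            sum="$(grep "${platform}.tar.gz" checksums.txt | awk '{print $1}')"
            if [[ ! "$sum" =~ $sha_pattern ]]; then
              echo "::error::missing or malformed checksum for ${platform}"
              exit 1
            fi
            echo "${platform}=${sum}" >> "$GITHUB_OUTPUT"
          done

      - name: Update Homebrew formula
        run: |
          mkdir -p Formula
          # The ${{ ... }} expressions are filled in by Actions before the
          # shell runs; the quoted 'EOF' delimiter keeps the shell from
          # expanding anything else inside the formula text. The substituted
          # values were validated in the steps above.
          cat > Formula/bd.rb <<'EOF'
          class Bd < Formula
            desc "AI-supervised issue tracker for coding workflows"
            homepage "https://github.com/steveyegge/beads"
            version "${{ steps.release.outputs.version }}"
            license "MIT"

            on_macos do
              if Hardware::CPU.arm?
                url "https://github.com/steveyegge/beads/releases/download/v#{version}/beads_#{version}_darwin_arm64.tar.gz"
                sha256 "${{ steps.checksums.outputs.darwin_arm64 }}"
              else
                url "https://github.com/steveyegge/beads/releases/download/v#{version}/beads_#{version}_darwin_amd64.tar.gz"
                sha256 "${{ steps.checksums.outputs.darwin_amd64 }}"
              end
            end

            on_linux do
              if Hardware::CPU.arm? && Hardware::CPU.is_64_bit?
                url "https://github.com/steveyegge/beads/releases/download/v#{version}/beads_#{version}_linux_arm64.tar.gz"
                sha256 "${{ steps.checksums.outputs.linux_arm64 }}"
              else
                url "https://github.com/steveyegge/beads/releases/download/v#{version}/beads_#{version}_linux_amd64.tar.gz"
                sha256 "${{ steps.checksums.outputs.linux_amd64 }}"
              end
            end

            def install
              bin.install "bd"
            end

            test do
              system "#{bin}/bd", "version"
            end
          end
          EOF

      # NOTE(review): the help text below asks for a PAT with the broad 'repo'
      # scope. A fine-grained token limited to the tap repository would narrow
      # what a leaked HOMEBREW_TAP_TOKEN can reach. The token is also embedded
      # in the clone URL, so it is written to tap/.git/config on the runner.
      - name: Push to homebrew-beads
        env:
          HOMEBREW_TAP_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }}
          # Read from the environment so the commit message is data, not
          # script text.
          RELEASE_VERSION: ${{ steps.release.outputs.version }}
        run: |
          if [ -z "$HOMEBREW_TAP_TOKEN" ]; then
            echo "::warning::HOMEBREW_TAP_TOKEN not set - skipping Homebrew update"
            echo "To enable automatic Homebrew updates:"
            echo "1. Create a Personal Access Token with 'repo' scope"
            echo "2. Add it as HOMEBREW_TAP_TOKEN in repository secrets"
            exit 0
          fi

          git clone "https://x-access-token:${HOMEBREW_TAP_TOKEN}@github.com/steveyegge/homebrew-beads.git" tap
          cp Formula/bd.rb tap/Formula/bd.rb
          cd tap
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add Formula/bd.rb
          git commit -m "Update bd to ${RELEASE_VERSION}"
          git push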