johno/beads
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ba1c9d6b17284647d5d947536bcec2d461151c7f
beads/.github/workflows/release.yml
Steve Yegge 3c786f2333 feat: add Windows code signing infrastructure (bd-14v0) 
Implements Authenticode signing for Windows binaries to reduce AV false positives.

Changes:
- Add scripts/sign-windows.sh for osslsigncode-based signing
- Update .goreleaser.yml with post-build signing hook
- Update release.yml to install osslsigncode and pass secrets
- Update docs/ANTIVIRUS.md with signing verification instructions
- Update scripts/README.md with signing script documentation

The signing is gracefully degraded - releases continue without signing
if the certificate secrets are not configured.

Required secrets for signing:
- WINDOWS_SIGNING_CERT_PFX_BASE64: base64-encoded PFX certificate
- WINDOWS_SIGNING_CERT_PASSWORD: certificate password

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-24 00:07:16 -08:00

189 lines
6.0 KiB
YAML
Raw Blame History

name: Release
on:
push:
tags:
- 'v*'
concurrency:
group: release-${{ github.ref }}
cancel-in-progress: false
permissions:
contents: write
jobs:
goreleaser:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v6
with:
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: '1.23'
- name: Install cross-compilation toolchains and signing tools
run: |
sudo apt-get update
sudo apt-get install -y gcc-mingw-w64-x86-64 gcc-aarch64-linux-gnu osslsigncode
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@v6
with:
distribution: goreleaser
version: '~> v2'
args: release --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# Windows code signing (optional - signing is skipped if not set)
WINDOWS_SIGNING_CERT_PFX_BASE64: ${{ secrets.WINDOWS_SIGNING_CERT_PFX_BASE64 }}
WINDOWS_SIGNING_CERT_PASSWORD: ${{ secrets.WINDOWS_SIGNING_CERT_PASSWORD }}
publish-pypi:
runs-on: ubuntu-latest
needs: goreleaser
if: always() # Run even if goreleaser fails
steps:
- name: Checkout
uses: actions/checkout@v6
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: Install uv
run: pip install uv
- name: Build package
run: |
cd integrations/beads-mcp
uv build
- name: Publish to PyPI
env:
TWINE_USERNAME: __token__
TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
run: |
cd integrations/beads-mcp
uv tool run twine upload dist/*
publish-npm:
runs-on: ubuntu-latest
needs: goreleaser
permissions:
contents: read
id-token: write # Required for npm provenance/trusted publishing
steps:
- name: Checkout
uses: actions/checkout@v6
- name: Set up Node.js
uses: actions/setup-node@v6
with:
node-version: '22'
registry-url: 'https://registry.npmjs.org'
- name: Update npm for OIDC trusted publishing
run: npm install -g npm@latest # Requires npm >= 11.5.1 for trusted publishing
- name: Publish to npm
run: |
cd npm-package
npm publish --access public
# Uses OIDC trusted publishing - no token needed
# Provenance attestations are automatic with trusted publishing
update-homebrew:
runs-on: ubuntu-latest
needs: goreleaser
steps:
- name: Checkout
uses: actions/checkout@v6
with:
fetch-depth: 0
- name: Get release info
id: release
run: |
TAG="${GITHUB_REF#refs/tags/}"
echo "tag=${TAG}" >> $GITHUB_OUTPUT
echo "version=${TAG#v}" >> $GITHUB_OUTPUT
- name: Download checksums
run: |
curl -sL "https://github.com/steveyegge/beads/releases/download/${{ steps.release.outputs.tag }}/checksums.txt" -o checksums.txt
- name: Extract checksums
id: checksums
run: |
echo "darwin_amd64=$(grep 'darwin_amd64.tar.gz' checksums.txt | awk '{print $1}')" >> $GITHUB_OUTPUT
echo "darwin_arm64=$(grep 'darwin_arm64.tar.gz' checksums.txt | awk '{print $1}')" >> $GITHUB_OUTPUT
echo "linux_amd64=$(grep 'linux_amd64.tar.gz' checksums.txt | awk '{print $1}')" >> $GITHUB_OUTPUT
echo "linux_arm64=$(grep 'linux_arm64.tar.gz' checksums.txt | awk '{print $1}')" >> $GITHUB_OUTPUT
- name: Update Homebrew formula
run: |
mkdir -p Formula
cat > Formula/bd.rb <<'EOF'
class Bd < Formula
desc "AI-supervised issue tracker for coding workflows"
homepage "https://github.com/steveyegge/beads"
version "${{ steps.release.outputs.version }}"
license "MIT"
on_macos do
if Hardware::CPU.arm?
url "https://github.com/steveyegge/beads/releases/download/v#{version}/beads_#{version}_darwin_arm64.tar.gz"
sha256 "${{ steps.checksums.outputs.darwin_arm64 }}"
else
url "https://github.com/steveyegge/beads/releases/download/v#{version}/beads_#{version}_darwin_amd64.tar.gz"
sha256 "${{ steps.checksums.outputs.darwin_amd64 }}"
end
end
on_linux do
if Hardware::CPU.arm? && Hardware::CPU.is_64_bit?
url "https://github.com/steveyegge/beads/releases/download/v#{version}/beads_#{version}_linux_arm64.tar.gz"
sha256 "${{ steps.checksums.outputs.linux_arm64 }}"
else
url "https://github.com/steveyegge/beads/releases/download/v#{version}/beads_#{version}_linux_amd64.tar.gz"
sha256 "${{ steps.checksums.outputs.linux_amd64 }}"
end
end
def install
bin.install "bd"
end
test do
system "#{bin}/bd", "version"
end
end
EOF
- name: Push to homebrew-beads
env:
HOMEBREW_TAP_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }}
run: |
if [ -z "$HOMEBREW_TAP_TOKEN" ]; then
echo "::warning::HOMEBREW_TAP_TOKEN not set - skipping Homebrew update"
echo "To enable automatic Homebrew updates:"
echo "1. Create a Personal Access Token with 'repo' scope"
echo "2. Add it as HOMEBREW_TAP_TOKEN in repository secrets"
exit 0
fi
git clone "https://x-access-token:${HOMEBREW_TAP_TOKEN}@github.com/steveyegge/homebrew-beads.git" tap
cp Formula/bd.rb tap/Formula/bd.rb
cd tap
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
git add Formula/bd.rb
git commit -m "Update bd to ${{ steps.release.outputs.version }}"
git push
Reference in New Issue View Git Blame Copy Permalink