johno/beads
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d9bf159af1492c54de3e541b95d292a4e48a67aa
beads/.github/workflows/release.yml
matt wilkie 625ac5dff2 Add repository guards to deployment workflows (#877) 
- Guard deploy-docs job to only run in canonical repository
- Guard goreleaser job to only run in canonical repository
- Guard update-homebrew job to only run in canonical repository
- Guard test-pypi job to only run in canonical repository

Prevents fork workflows from attempting to deploy, release, or publish to external services.
2026-01-03 21:16:09 -08:00

196 lines
6.4 KiB
YAML
Raw Blame History

name: Release
on:
push:
tags:
- 'v*'
workflow_dispatch:
concurrency:
group: release-${{ github.ref }}
cancel-in-progress: false
permissions:
contents: write
jobs:
goreleaser:
# Guard: only run goreleaser in the canonical repository (not in forks)
if: ${{ github.repository == 'steveyegge/beads' }}
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v6
with:
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: '1.23'
- name: Install cross-compilation toolchains and signing tools
run: |
sudo apt-get update
sudo apt-get install -y gcc-mingw-w64-x86-64 gcc-aarch64-linux-gnu osslsigncode
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@v6
with:
distribution: goreleaser
version: '~> v2'
args: >
release --clean
${{ github.repository != 'steveyegge/beads' && '--skip=publish --skip=announce' || '' }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# Windows code signing (optional - signing is skipped if not set)
WINDOWS_SIGNING_CERT_PFX_BASE64: ${{ secrets.WINDOWS_SIGNING_CERT_PFX_BASE64 }}
WINDOWS_SIGNING_CERT_PASSWORD: ${{ secrets.WINDOWS_SIGNING_CERT_PASSWORD }}
publish-pypi:
runs-on: ubuntu-latest
needs: goreleaser
if: ${{ always() && github.repository == 'steveyegge/beads' }}
steps:
- name: Checkout
uses: actions/checkout@v6
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: Install uv
run: pip install uv
- name: Build package
run: |
cd integrations/beads-mcp
uv build
- name: Publish to PyPI
env:
TWINE_USERNAME: __token__
TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
run: |
cd integrations/beads-mcp
uv tool run twine upload dist/*
publish-npm:
runs-on: ubuntu-latest
needs: goreleaser
if: ${{ github.repository == 'steveyegge/beads' }}
permissions:
contents: read
id-token: write # Required for npm provenance/trusted publishing
steps:
- name: Checkout
uses: actions/checkout@v6
- name: Set up Node.js
uses: actions/setup-node@v6
with:
node-version: '22'
registry-url: 'https://registry.npmjs.org'
- name: Update npm for OIDC trusted publishing
run: npm install -g npm@latest # Requires npm >= 11.5.1 for trusted publishing
- name: Publish to npm
run: |
cd npm-package
npm publish --access public
# Uses OIDC trusted publishing - no token needed
# Provenance attestations are automatic with trusted publishing
update-homebrew:
runs-on: ubuntu-latest
needs: goreleaser
if: ${{ github.repository == 'steveyegge/beads' }}
steps:
- name: Checkout
uses: actions/checkout@v6
with:
fetch-depth: 0
- name: Get release info
id: release
run: |
TAG="${GITHUB_REF#refs/tags/}"
echo "tag=${TAG}" >> $GITHUB_OUTPUT
echo "version=${TAG#v}" >> $GITHUB_OUTPUT
- name: Download checksums
run: |
curl -sL "https://github.com/steveyegge/beads/releases/download/${{ steps.release.outputs.tag }}/checksums.txt" -o checksums.txt
- name: Extract checksums
id: checksums
run: |
echo "darwin_amd64=$(grep 'darwin_amd64.tar.gz' checksums.txt | awk '{print $1}')" >> $GITHUB_OUTPUT
echo "darwin_arm64=$(grep 'darwin_arm64.tar.gz' checksums.txt | awk '{print $1}')" >> $GITHUB_OUTPUT
echo "linux_amd64=$(grep 'linux_amd64.tar.gz' checksums.txt | awk '{print $1}')" >> $GITHUB_OUTPUT
echo "linux_arm64=$(grep 'linux_arm64.tar.gz' checksums.txt | awk '{print $1}')" >> $GITHUB_OUTPUT
- name: Update Homebrew formula
run: |
mkdir -p Formula
cat > Formula/bd.rb <<'EOF'
class Bd < Formula
desc "AI-supervised issue tracker for coding workflows"
homepage "https://github.com/steveyegge/beads"
version "${{ steps.release.outputs.version }}"
license "MIT"
on_macos do
if Hardware::CPU.arm?
url "https://github.com/steveyegge/beads/releases/download/v#{version}/beads_#{version}_darwin_arm64.tar.gz"
sha256 "${{ steps.checksums.outputs.darwin_arm64 }}"
else
url "https://github.com/steveyegge/beads/releases/download/v#{version}/beads_#{version}_darwin_amd64.tar.gz"
sha256 "${{ steps.checksums.outputs.darwin_amd64 }}"
end
end
on_linux do
if Hardware::CPU.arm? && Hardware::CPU.is_64_bit?
url "https://github.com/steveyegge/beads/releases/download/v#{version}/beads_#{version}_linux_arm64.tar.gz"
sha256 "${{ steps.checksums.outputs.linux_arm64 }}"
else
url "https://github.com/steveyegge/beads/releases/download/v#{version}/beads_#{version}_linux_amd64.tar.gz"
sha256 "${{ steps.checksums.outputs.linux_amd64 }}"
end
end
def install
bin.install "bd"
end
test do
system "#{bin}/bd", "version"
end
end
EOF
- name: Push to homebrew-beads
env:
HOMEBREW_TAP_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }}
run: |
if [ -z "$HOMEBREW_TAP_TOKEN" ]; then
echo "::warning::HOMEBREW_TAP_TOKEN not set - skipping Homebrew update"
echo "To enable automatic Homebrew updates:"
echo "1. Create a Personal Access Token with 'repo' scope"
echo "2. Add it as HOMEBREW_TAP_TOKEN in repository secrets"
exit 0
fi
git clone "https://x-access-token:${HOMEBREW_TAP_TOKEN}@github.com/steveyegge/homebrew-beads.git" tap
cp Formula/bd.rb tap/Formula/bd.rb
cd tap
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
git add Formula/bd.rb
git commit -m "Update bd to ${{ steps.release.outputs.version }}"
git push
Reference in New Issue View Git Blame Copy Permalink