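---
# Release pipeline: builds, tests, audits and attests the Python package,
# the docs site and the example artifacts, then (for v* tags only) publishes
# a draft GitHub release. Third-party actions are pinned by commit SHA, with
# one exception noted in the build job (setup-bun).
name: Release

on:  # yamllint disable-line rule:truthy
  push:
    tags:
      - "v*"
  workflow_dispatch:

# Workflow default is read-only; each job widens only the scopes it needs.
permissions:
  contents: read

# One release run per ref at a time; a half-finished release is never cancelled.
concurrency:
  group: release-${{ github.ref }}
  cancel-in-progress: false

env:
  # Actions env values are strings; quoted so no YAML loader retypes it as a boolean.
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
  # The Zig toolchain is downloaded directly and checked against ZIG_SHA256
  # before extraction (see the "Install Zig" step). ZIG_URL and the release
  # archive names in the build job embed this version literally; bump them together.
  ZIG_VERSION: "0.16.0"
  ZIG_URL: "https://ziglang.org/download/0.16.0/zig-x86_64-linux-0.16.0.tar.xz"
  ZIG_SHA256: "70e49664a74374b48b51e6f3fdfbf437f6395d42509050588bd49abe52ba3d00"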
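jobs:
  # Builds, gates (tests + dependency/static audits) and attests every release
  # artifact. Runs on tag pushes and manual dispatch; publishing is left to
  # create-github-release.
  build-release:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # id-token and attestations are needed by actions/attest to sign
      # provenance for the built artifacts.
      id-token: write
      attestations: write
      artifact-metadata: write
    steps:
      - name: Checkout
        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd
      - name: Setup Python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
        with:
          python-version: "3.13"
      - name: Install uv
        # NOTE(review): uv is the only tool in this job installed without a
        # version pin; consider `uv==<pinned-version>` to match the others.
        run: python -m pip install uv
      - name: Install Zig
        # Fetched directly from ziglang.org and verified against ZIG_SHA256
        # before extraction; a digest mismatch fails the step.
        run: |
          curl -fsSL "$ZIG_URL" -o "$RUNNER_TEMP/zig.tar.xz"
          # Two spaces between digest and path: the checksum-file format that
          # sha256sum itself emits and that `sha256sum -c` accepts on every version.
          echo "$ZIG_SHA256  $RUNNER_TEMP/zig.tar.xz" | sha256sum -c -
          mkdir -p "$RUNNER_TEMP/zig"
          tar -xJf "$RUNNER_TEMP/zig.tar.xz" -C "$RUNNER_TEMP/zig" --strip-components=1
          echo "$RUNNER_TEMP/zig" >> "$GITHUB_PATH"
          "$RUNNER_TEMP/zig/zig" version
      - name: Setup Bun
        # TODO(review): the only action in this workflow pinned to a mutable
        # tag instead of a full commit SHA; pin it like the other steps.
        uses: oven-sh/setup-bun@v2
        with:
          bun-version: "1.3.11"
      - name: Install dependencies
        run: uv sync --locked --all-groups
      - name: Install docs dependencies
        working-directory: site
        run: bun install --frozen-lockfile
      # Release gate: the full test suite plus dependency and static audits
      # must pass before anything is packaged.
      - name: Run release gate
        run: ./run_all_tests.sh
      - name: Audit Python dependencies
        run: uvx --from pip-audit==2.10.0 pip-audit --strict
      - name: Static security scan
        # B404/B603 are expected for trusted verifier scripts that run generated artifacts.
        run: uvx --from bandit==1.9.4 bandit -r a7 scripts main.py -q --skip B404,B603
      - name: Audit docs runtime dependencies
        working-directory: site
        run: bun audit --audit-level=moderate
      # Package build: start from an empty dist/ so stale files cannot be
      # picked up by the globs below.
      - name: Clean package output
        run: rm -rf dist
      - name: Build Python package
        run: uv build
      - name: Verify Python wheel install
        run: uv run python scripts/verify_wheel_install.py --skip-build
      - name: Upload Python package distributions
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
        with:
          name: python-package-distributions
          path: |
            dist/a7_py-*.tar.gz
            dist/a7_py-*.whl
          if-no-files-found: error
          retention-days: 7
      - name: Build docs site
        working-directory: site
        run: bun run build
      - name: Build release example artifacts
        run: uv run python scripts/build_examples.py --profile release --backend zig --clean
      - name: Archive docs site
        run: tar -czf dist/a7-docs-site.tar.gz -C site dist
      # The archive name embeds the Zig version; keep it in step with ZIG_VERSION.
      - name: Archive release example artifacts
        run: tar -czf dist/a7-example-artifacts-linux-x86_64-zig0.16.0-release.tar.gz -C build release
      # Both archives are checked for required members (and the example
      # archive for a per-example file count) before they are signed.
      - name: Verify release archive contents
        run: |
          example_count="$(uv run python scripts/project_status.py --field example_count)"
          uv run python scripts/verify_archive_contents.py dist/a7-docs-site.tar.gz \
            --require dist/llms.txt \
            --require dist/llms-full.txt \
            --require dist/docs/index.md \
            --require dist/docs/agent-usage.md \
            --require dist/docs/release.md \
            --require dist/docs/status.md
          uv run python scripts/verify_archive_contents.py dist/a7-example-artifacts-linux-x86_64-zig0.16.0-release.tar.gz \
            --require release/zig/src/001_hello.zig \
            --require release/zig/bin/001_hello \
            --require-glob-count "release/zig/src/*.zig=${example_count}" \
            --require-glob-count "release/zig/bin/*=${example_count}"
      # SHA256SUMS covers every published file and is re-verified here and
      # again after download in the release job.
      - name: Generate release checksums
        run: |
          sdist="$(ls dist/a7_py-*.tar.gz)"
          wheel="$(ls dist/a7_py-*.whl)"
          uv run python scripts/generate_release_manifest.py dist \
            --output dist/SHA256SUMS \
            --require "$sdist" \
            --require "$wheel" \
            --require dist/a7-docs-site.tar.gz \
            --require dist/a7-example-artifacts-linux-x86_64-zig0.16.0-release.tar.gz
          uv run python scripts/verify_release_manifest.py dist/SHA256SUMS
      - name: Generate release artifact attestations
        uses: actions/attest@281a49d4cbb0a72c9575a50d18f6deb515a11deb
        with:
          subject-path: |
            dist/SHA256SUMS
            dist/a7_py-*.tar.gz
            dist/a7_py-*.whl
            dist/a7-docs-site.tar.gz
            dist/a7-example-artifacts-linux-x86_64-zig0.16.0-release.tar.gz
      - name: Upload release bundles
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
        with:
          name: release-bundles
          path: |
            dist/SHA256SUMS
            dist/a7-docs-site.tar.gz
            dist/a7-example-artifacts-linux-x86_64-zig0.16.0-release.tar.gz
          if-no-files-found: error
          retention-days: 7

  # Publishes a draft release from the artifacts built above. Gated to v* tag
  # refs, so a workflow_dispatch run builds and attests but never publishes.
  create-github-release:
    runs-on: ubuntu-latest
    needs: build-release
    if: startsWith(github.ref, 'refs/tags/v')
    permissions:
      # The only job that may write to the repository (release creation).
      contents: write
    steps:
      - name: Checkout
        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd
      - name: Setup Python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
        with:
          python-version: "3.13"
      - name: Download Python package distributions
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
        with:
          name: python-package-distributions
          path: dist
      - name: Download release bundles
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
        with:
          name: release-bundles
          path: dist
      - name: Verify downloaded release checksums
        # Runs on the plain interpreter (uv is not installed in this job), so
        # this script presumably needs stdlib only — confirm if it grows deps.
        run: python scripts/verify_release_manifest.py dist/SHA256SUMS
      - name: Create GitHub release
        # softprops/action-gh-release@v3 resolved on 2026-05-08.
        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda
        with:
          # Draft so a human reviews the attached files before they go public.
          draft: true
          files: |
            dist/SHA256SUMS
            dist/a7_py-*.tar.gz
            dist/a7_py-*.whl
            dist/a7-docs-site.tar.gz
            dist/a7-example-artifacts-linux-x86_64-zig0.16.0-release.tar.gz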