-
Notifications
You must be signed in to change notification settings - Fork 1
341 lines (308 loc) · 14.1 KB
/
Copy pathrelease.yml
File metadata and controls
341 lines (308 loc) · 14.1 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
name: Release
on:
push:
branches: [main]
workflow_dispatch:
inputs:
publish_only:
description: 'Skip release-please and publish current packages/cli version to npm'
type: boolean
default: false
permissions:
contents: write
pull-requests: write
id-token: write
concurrency:
group: release
cancel-in-progress: false
jobs:
release-please:
name: Release Please
if: github.event_name == 'push' || inputs.publish_only != true
runs-on: ubuntu-latest
outputs:
cli_release_created: ${{ steps.release.outputs['packages/cli--release_created'] }}
cli_tag_name: ${{ steps.release.outputs['packages/cli--tag_name'] }}
schema_release_created: ${{ steps.release.outputs['packages/schema--release_created'] }}
schema_tag_name: ${{ steps.release.outputs['packages/schema--tag_name'] }}
steps:
- uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0
id: release
with:
config-file: release-please-config.json
manifest-file: .release-please-manifest.json
# ---------------------------------------------------------------------------
# Rust binary build. Cross-compiles the `ask` binary from crates/ask for every
# supported target and, because a tag is passed, uploads the assets (+.sha256)
# to the CLI GitHub release. These assets are the source of truth for BOTH the
# npm platform packages and the Homebrew formula — the unix asset names are
# identical to what the old Bun pipeline emitted, so the tap keeps working.
# ---------------------------------------------------------------------------
build-binaries:
name: Build Rust binaries
needs: release-please
if: needs.release-please.outputs.cli_release_created == 'true'
uses: ./.github/workflows/release-rust.yml
with:
tag: ${{ needs.release-please.outputs.cli_tag_name }}
npm-publish:
name: Publish to npm
needs: [release-please, build-binaries]
if: |
always() &&
(
(github.event_name == 'workflow_dispatch' && inputs.publish_only == true) ||
(needs.release-please.result == 'success' &&
(needs.release-please.outputs.cli_release_created == 'true' ||
needs.release-please.outputs.schema_release_created == 'true'))
)
runs-on: ubuntu-latest
environment: npm
permissions:
contents: read
id-token: write
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
with:
bun-version: 1.3.14
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version-file: .nvmrc
registry-url: https://registry.npmjs.org
- uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
with:
path: |
~/.bun/install/cache
key: ${{ runner.os }}-bun-${{ hashFiles('**/bun.lock') }}
restore-keys: ${{ runner.os }}-bun-
- name: Install dependencies
run: bun install --frozen-lockfile
# Only the schema package is still published from TypeScript; build just it.
- name: Build schema
run: bun run --cwd packages/schema build
# Workaround: bun pm pack resolves workspace:* from bun.lock, not
# package.json (oven-sh/bun#20477). release-please bumps versions in
# package.json but bun install won't propagate them to the lockfile
# (oven-sh/bun#18906). Patch only the workspace package versions in
# the lockfile — avoids a full re-resolve that could drift third-party
# dependencies.
- name: Sync lockfile with workspace versions
run: |
node -e "
const fs = require('fs');
const lock = fs.readFileSync('bun.lock', 'utf8');
const pkgs = ['packages/cli', 'packages/schema'];
let patched = lock;
for (const dir of pkgs) {
const { name, version } = JSON.parse(fs.readFileSync(dir + '/package.json', 'utf8'));
// Match: \"name\": \"<name>\",\n \"version\": \"<old>\",
const re = new RegExp('(\"name\":\\s*\"' + name.replace(/[/]/g, '\\\\/') + '\",\\n\\s*\"version\":\\s*\")([^\"]+)(\")');
patched = patched.replace(re, '$1' + version + '$3');
}
fs.writeFileSync('bun.lock', patched);
"
- name: Publish @pleaseai/ask-schema
if: |
github.event_name == 'workflow_dispatch' ||
needs.release-please.outputs.schema_release_created == 'true'
working-directory: packages/schema
run: |
VERSION=$(node -p "require('./package.json').version")
if npm view "@pleaseai/ask-schema@$VERSION" version 2>/dev/null; then
echo "⚠ @pleaseai/ask-schema@$VERSION already published, skipping"
else
bun pm pack
npm publish pleaseai-ask-schema-*.tgz --provenance --access public
fi
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
# ---------------------------------------------------------------------
# @pleaseai/ask is now the Rust binary, shipped as a wrapper package with
# per-platform optionalDependencies (the copy-over shim). We download the
# binaries built above from the GitHub release, generate the platform
# packages, publish each platform package FIRST, then the wrapper LAST —
# the wrapper pins exact optionalDependency versions, so publishing it
# before its platform deps exist would make `npm i @pleaseai/ask` resolve
# to missing binaries.
# ---------------------------------------------------------------------
- name: Publish @pleaseai/ask (Rust binary shim)
if: |
github.event_name == 'workflow_dispatch' ||
needs.release-please.outputs.cli_release_created == 'true'
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
GH_TOKEN: ${{ github.token }}
# Pass the tag through env rather than interpolating the expression
# directly into the script body — the same safe pattern used by
# update-homebrew-formula — so static analysis doesn't flag it as a
# script-injection sink.
CLI_TAG_NAME: ${{ needs.release-please.outputs.cli_tag_name }}
run: |
set -euo pipefail
# Resolve the release tag: the release path passes it through from
# release-please; publish_only re-derives it from the current version.
TAG="$CLI_TAG_NAME"
if [ -z "$TAG" ]; then
TAG="ask-v$(node -p "require('./packages/cli/package.json').version")"
fi
VERSION_NO_V="${TAG#ask-v}"
echo "publishing @pleaseai/ask shim for $TAG (version $VERSION_NO_V)"
# Pull the built binaries (and their .sha256, which the generator
# ignores) from the release into a flat directory.
mkdir -p assets-bin
gh release download "$TAG" \
--repo "${{ github.repository }}" \
--pattern 'ask-*' \
--dir assets-bin \
--clobber
# Require ALL platform binaries before publishing. The wrapper pins
# optionalDependencies for every platform; a partial build (release-rust
# uses fail-fast:false, so one target can fail while others upload) would
# otherwise publish a wrapper missing a platform — npm does NOT error on
# a missing optional dep, so that platform silently gets a broken install,
# and the version number is burned permanently. Partial *release assets*
# are fine (some binaries beat none); a partial *npm wrapper* is not.
missing=()
for a in ask-darwin-arm64 ask-darwin-x64 ask-linux-x64 ask-linux-arm64 ask-linux-x64-musl ask-windows-x64.exe; do
[ -f "assets-bin/$a" ] || missing+=("$a")
done
if [ ${#missing[@]} -ne 0 ]; then
echo "::error::Refusing to publish an incomplete @pleaseai/ask wrapper — missing platform binaries: ${missing[*]}. Re-run the failed release-rust build legs, then re-run this publish." >&2
exit 1
fi
# Generate npm/dist/<platform pkgs> + npm/dist/ask (the wrapper).
node npm/scripts/generate-platform-packages.mjs "$VERSION_NO_V" "$PWD/assets-bin"
# Publish every platform package first (idempotent skip-guard), then
# the wrapper last.
publish_dir() {
local dir="$1"
local name ver
name=$(node -p "require('$PWD/${dir}/package.json').name")
ver=$(node -p "require('$PWD/${dir}/package.json').version")
if npm view "$name@$ver" version 2>/dev/null; then
echo "⚠ $name@$ver already published, skipping"
else
npm publish "$dir" --provenance --access public
fi
}
for dir in npm/dist/*/; do
dir="${dir%/}"
name=$(node -p "require('$PWD/${dir}/package.json').name")
[ "$name" = "@pleaseai/ask" ] && continue
publish_dir "$dir"
done
# Wrapper LAST — its optionalDependencies now all exist on npm.
publish_dir "npm/dist/ask"
cargo-publish:
name: Publish to crates.io
needs: release-please
if: needs.release-please.outputs.cli_release_created == 'true'
uses: ./.github/workflows/release-cargo.yml
with:
dry_run: false
secrets:
CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
# ---------------------------------------------------------------------------
# Homebrew distribution: the binaries + checksums are already attached to the
# release by build-binaries; this job reads the published checksums and
# updates the formula in pleaseai/homebrew-tap. Asset names are unchanged.
# ---------------------------------------------------------------------------
update-homebrew-formula:
name: Update Homebrew formula
needs: [release-please, build-binaries]
if: needs.release-please.outputs.cli_release_created == 'true'
runs-on: ubuntu-latest
steps:
- uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
id: app-token
with:
app-id: ${{ secrets.APP_ID }}
private-key: ${{ secrets.PRIVATE_KEY }}
owner: pleaseai
repositories: |
ask
homebrew-tap
- name: Checkout homebrew-tap
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
repository: pleaseai/homebrew-tap
token: ${{ steps.app-token.outputs.token }}
path: homebrew-tap
- name: Update formula
env:
GH_TOKEN: ${{ steps.app-token.outputs.token }}
TAG: ${{ needs.release-please.outputs.cli_tag_name }}
run: |
set -euo pipefail
VERSION_NO_V="${TAG#ask-v}"
# Pull the published checksums straight from the release assets.
gh release download "$TAG" \
--repo "${{ github.repository }}" \
--pattern 'ask-*.sha256' \
--dir checksums \
--clobber
sha() { awk '{print $1}' "checksums/ask-$1.sha256"; }
DARWIN_X64_SHA256="$(sha darwin-x64)"
DARWIN_ARM64_SHA256="$(sha darwin-arm64)"
LINUX_X64_SHA256="$(sha linux-x64)"
LINUX_ARM64_SHA256="$(sha linux-arm64)"
cat > homebrew-tap/ask.rb << 'FORMULA_EOF'
class Ask < Formula
desc "Agent Skills Kit - Download version-specific library docs for AI coding agents"
homepage "https://github.com/pleaseai/ask"
version "VERSION_PLACEHOLDER"
license "MIT"
on_macos do
if Hardware::CPU.arm?
url "https://github.com/pleaseai/ask/releases/download/ask-vVERSION_PLACEHOLDER/ask-darwin-arm64"
sha256 "SHA256_DARWIN_ARM64_PLACEHOLDER"
else
url "https://github.com/pleaseai/ask/releases/download/ask-vVERSION_PLACEHOLDER/ask-darwin-x64"
sha256 "SHA256_DARWIN_X64_PLACEHOLDER"
end
end
on_linux do
if Hardware::CPU.arm?
url "https://github.com/pleaseai/ask/releases/download/ask-vVERSION_PLACEHOLDER/ask-linux-arm64"
sha256 "SHA256_LINUX_ARM64_PLACEHOLDER"
else
url "https://github.com/pleaseai/ask/releases/download/ask-vVERSION_PLACEHOLDER/ask-linux-x64"
sha256 "SHA256_LINUX_X64_PLACEHOLDER"
end
end
def install
if OS.mac?
if Hardware::CPU.arm?
bin.install "ask-darwin-arm64" => "ask"
else
bin.install "ask-darwin-x64" => "ask"
end
else
if Hardware::CPU.arm?
bin.install "ask-linux-arm64" => "ask"
else
bin.install "ask-linux-x64" => "ask"
end
end
end
test do
assert_match version.to_s, shell_output("#{bin}/ask --version")
end
end
FORMULA_EOF
sed -i "s/VERSION_PLACEHOLDER/${VERSION_NO_V}/g" homebrew-tap/ask.rb
sed -i "s/SHA256_DARWIN_X64_PLACEHOLDER/${DARWIN_X64_SHA256}/" homebrew-tap/ask.rb
sed -i "s/SHA256_DARWIN_ARM64_PLACEHOLDER/${DARWIN_ARM64_SHA256}/" homebrew-tap/ask.rb
sed -i "s/SHA256_LINUX_X64_PLACEHOLDER/${LINUX_X64_SHA256}/" homebrew-tap/ask.rb
sed -i "s/SHA256_LINUX_ARM64_PLACEHOLDER/${LINUX_ARM64_SHA256}/" homebrew-tap/ask.rb
cd homebrew-tap
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
if git diff --quiet -- ask.rb && git ls-files --error-unmatch ask.rb >/dev/null 2>&1; then
echo "No changes to ask.rb"
exit 0
fi
git add ask.rb
git commit -m "chore: update ask to ${TAG}"
git push origin HEAD