feat(v0.1.1-PR-C): release-publish workflow with pre-publish assertions #58
Open
BitCrafts wants to merge 1 commit into
Conversation
Add `.github/workflows/release-publish.yml`, a `workflow_dispatch` gate between a draft GitHub Release (created by release.yml on tag push) and its publication. The maintainer triggers it from the Actions UI with the tag as input; the workflow runs every check that caught a v0.1.0 regression, then flips `gh release edit <tag> --draft=false` if and only if every assertion holds. release.yml keeps `--draft` as the safety net. This workflow is the audit step that says "yes, ship it".

Assertions encoded (each its own named step so the UI shows which one failed):

1. The tag exists and the Release for that tag is currently a draft. Refuses to "publish" an already-published Release or one that was deleted.
2. `sha256sum -c SHA256SUMS` validates every asset checksum.
3. Every `.tar.zst` ships a top-level `LICENSE.*` or `COPYING` file. Would have caught the v0.1.0 bc-tools / bc-libs GPL §3 / LGPL §4 non-compliance (#53).
4. `ldd` on each `bc-tools-*/bin/*` binary refuses any reference to `liburing`, `libblake3`, or `libxxhash`. Would have caught the v0.1.0 dynamic-link regression (#54). Mirror of the new in-build assertion in scripts/lib/bx-package.sh.
5. The Vigil source tarball is at least 100 KiB. Would have caught the v0.1.0 13-byte zstd-of-empty regression (PR #44); defence in depth alongside release.yml's own size check.

Each `run:` block uses `set -euo pipefail`. All eight embedded scripts are shellcheck-clean.

Triggering: GitHub → Actions → release-publish → Run workflow → tag=vX.Y.Z

Closes #57.

Signed-off-by: Younes Benmoussa <younes.benmoussa@pm.me>
Summary

PR C of three for v0.1.1. Closes #57.

Adds a manual `workflow_dispatch` gate that codifies every check we ran by hand against v0.1.0 to find its regressions:

- `sha256sum -c SHA256SUMS`
- `.tar.zst` ships a `LICENSE.*`/`COPYING` file at root (would have caught package: bc-tools + bc-libs tarballs ship without their LICENSE files (GPL/LGPL non-compliance) #53)
- `bc-tools-*/bin/*` doesn't dynamically link `liburing`/`libblake3`/`libxxhash` (would have caught package(bc-tools): binaries dynamically link liburing despite README promising static #54)

If every assertion holds, the workflow runs `gh release edit <tag> --draft=false` and emits the published URL as a GH Actions notice. release.yml keeps `--draft`. This is the audit that says "ship it" — one click, with the gates running automatically.

Usage

Local verification

- `python3 -c "yaml.safe_load(...)"`
- `run:` scripts are shellcheck-clean (severity=warning)
- `contents: write` (needed to edit the Release)
- `GITHUB_TOKEN`

Test plan

- `tag=v0.1.1` and confirm it publishes the Release cleanly
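The offline assertions described in the commit message and in the Summary above (checksums, top-level licence file, no forbidden dynamic links, source-tarball size floor), as an added bash example. This is not the project's release-publish.yml nor code from this PR; the function names, the `*-src.tar.*` naming used to pick out the source tarball, and the gzip fixture are assumptions made here. The draft-state check and the `gh release edit --draft=false` flip are left out because they need the GitHub API; everything below runs locally and each assertion is its own function so one workflow step can call exactly one of them.

```bash
#!/usr/bin/env bash
# Added example, not the project's release-publish.yml. Each assertion is a
# named function returning 0 (holds) or 1 (fails), one per workflow step.
set -euo pipefail

FORBIDDEN_LIBS='liburing|libblake3|libxxhash'   # must be statically linked (#54)
MIN_SOURCE_TARBALL_BYTES=$((100 * 1024))        # 100 KiB floor (PR #44 regression)

# 1. Every asset named in SHA256SUMS matches its recorded checksum.
check_checksums() {   # <assets-dir>
  ( cd "$1" && sha256sum --quiet -c SHA256SUMS )
}

# 2. LICENSE.* or COPYING sits at the archive root or directly under its single
# top directory. `tar -tf` sniffs the compressor, so .tar.zst and .tar.gz both
# work. grep runs without -q so tar is never killed by SIGPIPE under pipefail.
tarball_has_license() {   # <tarball>
  tar -tf "$1" | grep -E '^([^/]+/)?(LICENSE[^/]*|COPYING)$' >/dev/null
}

# 3a. Filter ldd output on stdin: print any forbidden shared object and return
# 1 if one was present, 0 if the output is clean.
forbidden_dynlinks() {
  ! grep -E "^[[:space:]]*(${FORBIDDEN_LIBS})[.]so"
}

# 3b. ldd every file in the given bin directories. A static binary makes ldd
# exit non-zero ("not a dynamic executable"), which is the wanted outcome, so
# only its output is judged. Finding no binaries at all is a failure: a gate
# with nothing to check must not pass vacuously.
check_binaries_static() {   # <bin-dir>...
  local dir bin rc=0 seen=0
  for dir in "$@"; do
    for bin in "$dir"/*; do
      [ -f "$bin" ] || continue
      seen=$((seen + 1))
      if ! { ldd "$bin" 2>/dev/null || true; } | forbidden_dynlinks; then
        echo "forbidden dynamic link in $bin" >&2; rc=1
      fi
    done
  done
  [ "$seen" -gt 0 ] || { echo "no binaries found under: $*" >&2; rc=1; }
  return "$rc"
}

# 4. The source tarball is at least MIN_SOURCE_TARBALL_BYTES.
tarball_big_enough() {   # <tarball>
  [ "$(wc -c < "$1")" -ge "$MIN_SOURCE_TARBALL_BYTES" ]
}

# Run one named assertion, report it, and keep going so every failure shows.
STEP_FAILED=0
step() {   # <label> <command> [args...]
  local label=$1; shift
  if "$@"; then echo "PASS $label"; else echo "FAIL $label"; STEP_FAILED=1; fi
}

# Every assertion against one assets directory; returns 1 if any failed.
# Assumes the source tarball is named *-src.tar.* (a naming choice made here).
run_all_checks() {   # <assets-dir>
  local dir=$1 tb
  STEP_FAILED=0
  step "sha256sum -c SHA256SUMS" check_checksums "$dir"
  for tb in "$dir"/*.tar.*; do
    [ -f "$tb" ] && step "licence file in $(basename "$tb")" tarball_has_license "$tb"
  done
  step "no liburing/libblake3/libxxhash in bc-tools-*/bin/*" check_binaries_static "$dir"/bc-tools-*/bin
  for tb in "$dir"/*-src.tar.*; do
    [ -f "$tb" ] && step "$(basename "$tb") >= 100 KiB" tarball_big_enough "$tb"
  done
  return "$STEP_FAILED"
}

# Constructed fixture, not real release assets: a source tarball with a
# top-level LICENSE plus 200 KiB of incompressible data (clears the size floor),
# a tarball with no licence file, and a SHA256SUMS covering both. gzip stands
# in for zstd only because it is installed everywhere; the checks do not care.
make_fixture() {
  local dir
  dir=$(mktemp -d)
  mkdir -p "$dir/src/good-1.0" "$dir/src/bad-1.0"
  echo 'GPL-3.0-or-later' > "$dir/src/good-1.0/LICENSE.md"
  head -c 204800 /dev/urandom > "$dir/src/good-1.0/blob.bin"
  echo 'no licence here' > "$dir/src/bad-1.0/README"
  tar -C "$dir/src" -czf "$dir/good-1.0-src.tar.gz" good-1.0
  tar -C "$dir/src" -czf "$dir/bad-1.0.tar.gz" bad-1.0
  ( cd "$dir" && sha256sum good-1.0-src.tar.gz bad-1.0.tar.gz > SHA256SUMS )
  echo "$dir"
}

# Demo: expect FAIL for bad-1.0.tar.gz (no licence file) and for the absent
# bc-tools-*/bin/ directory; the checksum and size steps pass.
FIXTURE=$(make_fixture)
run_all_checks "$FIXTURE" || echo "gate NOT OK: do not flip --draft=false"
rm -rf "$FIXTURE"
```

Two details matter in a gate like this. A statically linked binary makes `ldd` exit non-zero, so the ldd status is discarded and only its output is filtered; otherwise the very case the check exists to enforce would report as a failure under `pipefail`. And a bin/ glob that matches nothing must fail rather than pass: an empty loop is how a renamed directory silently turns a real check into a no-op.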