podkit/.github/workflows/release.yml at main · jvgomg/podkit · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
name: Release

on:
  push:
    branches:
      - main
  workflow_dispatch:

concurrency:
  group: release
  cancel-in-progress: false

permissions:
  contents: write
  pull-requests: write
  packages: write

jobs:
  # Step 1: Detect changesets and either create a version PR or flag for release
  changesets:
    runs-on: ubuntu-latest
    outputs:
      should_release: ${{ steps.detect.outputs.should_release }}
      has_cli_release: ${{ steps.detect.outputs.has_cli_release }}
      has_docker_release: ${{ steps.detect.outputs.has_docker_release }}
      cli_version: ${{ steps.detect.outputs.cli_version }}
      docker_version: ${{ steps.detect.outputs.docker_version }}
      hasChangesets: ${{ steps.changesets.outputs.hasChangesets }}

    steps:
      - name: Generate app token
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}

      - uses: actions/checkout@v4
        with:
          token: ${{ steps.app-token.outputs.token }}

      - uses: oven-sh/setup-bun@v2
        with:
          bun-version: latest

      - name: Install dependencies
        run: bun install --frozen-lockfile --ignore-scripts

      - name: Create release Pull Request or detect release merge
        id: changesets
        uses: changesets/action@v1
        with:
          version: bun run version
          publish: echo "publish-placeholder"
          title: 'Version Packages'
        env:
          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}

      - name: Detect if this is a release merge
        id: detect
        run: |
          CLI_VERSION=$(jq -r '.version' packages/podkit-cli/package.json)
          CLI_TAG="podkit@$CLI_VERSION"
          DOCKER_VERSION=$(jq -r '.version' packages/podkit-docker/package.json)
          DOCKER_TAG="docker@$DOCKER_VERSION"

          echo "cli_version=$CLI_VERSION" >> "$GITHUB_OUTPUT"
          echo "docker_version=$DOCKER_VERSION" >> "$GITHUB_OUTPUT"

          if [ "${{ steps.changesets.outputs.hasChangesets }}" = "false" ]; then
            # No pending changesets — check if this is a release-worthy commit
            COMMIT_MSG=$(git log -1 --format="%s")
            echo "Commit message: $COMMIT_MSG"

            IS_RELEASE=false

            # Release if: Version Packages merge OR manual dispatch with unreleased version
            if echo "$COMMIT_MSG" | grep -q "Version Packages"; then
              IS_RELEASE=true
              echo "Release detected — Version Packages merge"
            elif [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
              IS_RELEASE=true
              echo "Manual dispatch — checking for unreleased versions"
            fi

            if [ "$IS_RELEASE" = "true" ]; then
              git fetch --tags

              if git rev-parse "$CLI_TAG" >/dev/null 2>&1; then
                echo "has_cli_release=false" >> "$GITHUB_OUTPUT"
                echo "CLI version $CLI_VERSION already released"
              else
                echo "has_cli_release=true" >> "$GITHUB_OUTPUT"
                echo "CLI version $CLI_VERSION is new — will release"
              fi

              if git rev-parse "$DOCKER_TAG" >/dev/null 2>&1; then
                echo "has_docker_release=false" >> "$GITHUB_OUTPUT"
                echo "Docker version $DOCKER_VERSION already released"
              else
                echo "has_docker_release=true" >> "$GITHUB_OUTPUT"
                echo "Docker version $DOCKER_VERSION is new — will release"
              fi

            else
              echo "has_cli_release=false" >> "$GITHUB_OUTPUT"
              echo "has_docker_release=false" >> "$GITHUB_OUTPUT"
              echo "No changesets and not a version merge — nothing to do"
            fi
          else
            echo "has_cli_release=false" >> "$GITHUB_OUTPUT"
            echo "has_docker_release=false" >> "$GITHUB_OUTPUT"
            echo "Pending changesets found — version PR will be created/updated"
          fi

          # Set should_release based on whether either component needs releasing.
          # Re-read the outputs file since they were just written above.
          if grep -q "has_cli_release=true" "$GITHUB_OUTPUT" || grep -q "has_docker_release=true" "$GITHUB_OUTPUT"; then
            echo "should_release=true" >> "$GITHUB_OUTPUT"
          else
            echo "should_release=false" >> "$GITHUB_OUTPUT"
          fi

  # Step 2: Build native prebuilds + compile CLI binaries for each platform
  # Prebuild cache is shared with verify-release.yml — on typical version
  # merges (no native code changes), prebuilds hit cache and only TypeScript
  # build + Bun compile runs.
  build:
    needs: changesets
    if: needs.changesets.outputs.should_release == 'true'
    uses: ./.github/workflows/build-platform.yml
    with:
      upload-artifacts: true

  # Step 3: Create GitHub Release with all platform tarballs (CLI releases only)
  release:
    needs: [changesets, build]
    if: needs.build.result == 'success' && needs.changesets.outputs.has_cli_release == 'true'
    runs-on: ubuntu-latest
    name: Create GitHub Release
    outputs:
      version: ${{ needs.changesets.outputs.cli_version }}
      tag: ${{ steps.tag.outputs.tag }}

    steps:
      - uses: actions/checkout@v4

      - name: Set tag
        id: tag
        run: |
          echo "tag=podkit@${{ needs.changesets.outputs.cli_version }}" >> "$GITHUB_OUTPUT"

      - name: Download all tarballs
        uses: actions/download-artifact@v4
        with:
          pattern: podkit-*
          path: release-assets/
          merge-multiple: true

      - name: List release assets
        run: ls -la release-assets/

      - name: Generate SHA256 checksums
        working-directory: release-assets
        run: |
          sha256sum podkit-*.tar.gz > SHA256SUMS.txt
          cat SHA256SUMS.txt

      - name: Build release notes
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          NOTES_FILE="release-notes.md"
          VERSION="${{ needs.changesets.outputs.cli_version }}"
          : > "$NOTES_FILE"

          # Add version PR description at the top if available
          PR_BODY=$(gh pr list --state merged --search "\"Version Packages\" in:title" --limit 1 --json body --jq '.[0].body // empty')
          if [ -n "$PR_BODY" ]; then
            echo "$PR_BODY" >> "$NOTES_FILE"
            echo "" >> "$NOTES_FILE"
            echo "---" >> "$NOTES_FILE"
            echo "" >> "$NOTES_FILE"
          fi

          # Add changelog from CHANGELOG.md
          echo "## Changelog" >> "$NOTES_FILE"
          echo "" >> "$NOTES_FILE"
          CHANGELOG_FILE="packages/podkit-cli/CHANGELOG.md"
          if [ -f "$CHANGELOG_FILE" ]; then
            # Extract the latest version section (from first ## to the next ##)
            awk '/^## [0-9]/{if(found) exit; found=1; next} found{print}' "$CHANGELOG_FILE" >> "$NOTES_FILE"
          else
            echo "Release $VERSION" >> "$NOTES_FILE"
          fi
          echo "" >> "$NOTES_FILE"

          # Add checksums
          echo "## Checksums (SHA256)" >> "$NOTES_FILE"
          echo "" >> "$NOTES_FILE"
          echo '```' >> "$NOTES_FILE"
          cat release-assets/SHA256SUMS.txt >> "$NOTES_FILE"
          echo '```' >> "$NOTES_FILE"

          echo "--- Release notes ---"
          cat "$NOTES_FILE"

      - name: Create tag and GitHub Release
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          TAG="${{ steps.tag.outputs.tag }}"
          VERSION="${{ needs.changesets.outputs.cli_version }}"

          if git rev-parse "$TAG" >/dev/null 2>&1; then
            echo "Tag $TAG already exists — skipping release"
            exit 0
          fi

          git tag "$TAG"
          git push origin "$TAG"

          gh release create "$TAG" \
            --title "podkit $VERSION" \
            --notes-file release-notes.md \
            release-assets/podkit-*.tar.gz \
            release-assets/SHA256SUMS.txt

  # Step 4: Build and push Docker image to GHCR (Docker releases only)
  docker:
    needs: [changesets, build]
    if: needs.build.result == 'success' && needs.changesets.outputs.has_docker_release == 'true'
    uses: ./.github/workflows/docker.yml
    with:
      version: ${{ needs.changesets.outputs.docker_version }}
      push: true
    permissions:
      contents: read
      packages: write

  # Step 4b: Tag Docker release after successful push
  docker-tag:
    needs: [changesets, docker]
    if: needs.docker.result == 'success'
    runs-on: ubuntu-latest
    name: Tag Docker Release

    steps:
      - uses: actions/checkout@v4

      - name: Create Docker release tag
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          TAG="docker@${{ needs.changesets.outputs.docker_version }}"
          if git rev-parse "$TAG" >/dev/null 2>&1; then
            echo "Tag $TAG already exists"
          else
            git tag "$TAG"
            git push origin "$TAG"
            echo "Created tag $TAG"
          fi

  # Step 5: Sync docs-live branch to the release commit so the docs site deploys.
  # docs-live is a deployment branch — only updated by this job (on release) or
  # by manual cherry-pick (for docs-only tweaks). Pushing to docs-live triggers
  # deploy-docs.yml.
  #
  # Force-with-lease is safe here: any commits on docs-live (from docs-only
  # cherry-picks) must already exist on main, since cherry-picks always
  # originate from main. Resetting docs-live to the release commit realigns
  # the branch without losing content.
  sync-docs-live:
    needs: [changesets, release, docker-tag]
    # Run only if every component that was supposed to release did release.
    # always() is required because some needs may be skipped (CLI-only or
    # Docker-only releases). For each component: if it wasn't being released,
    # we don't care about its result; if it was, it must have succeeded.
    if: |
      always() &&
      needs.changesets.outputs.should_release == 'true' &&
      (needs.changesets.outputs.has_cli_release != 'true' || needs.release.result == 'success') &&
      (needs.changesets.outputs.has_docker_release != 'true' || needs.docker-tag.result == 'success')
    runs-on: ubuntu-latest
    name: Sync docs-live to release
    permissions:
      contents: write

    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Reset docs-live to release commit
        run: |
          git fetch origin docs-live
          git push origin HEAD:docs-live --force-with-lease

  # Step 6: Update the Homebrew formula in the tap repository (CLI releases only)
  update-homebrew:
    needs: [changesets, release]
    if: needs.release.result == 'success'
    runs-on: ubuntu-latest
    continue-on-error: true
    name: Update Homebrew Formula

    steps:
      - uses: actions/checkout@v4

      - name: Download checksums from release
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          TAG="${{ needs.release.outputs.tag }}"
          mkdir -p checksums
          gh release download "$TAG" --pattern "SHA256SUMS.txt" --dir checksums

      - name: Checkout homebrew-podkit
        uses: actions/checkout@v4
        with:
          repository: jvgomg/homebrew-podkit
          path: homebrew-tap
          ssh-key: ${{ secrets.HOMEBREW_TAP_DEPLOY_KEY }}

      - name: Update formula
        run: |
          VERSION="${{ needs.release.outputs.version }}"
          ./tools/update-homebrew-formula.sh "$VERSION" homebrew-tap/Formula/podkit.rb checksums/SHA256SUMS.txt

      - name: Commit and push
        working-directory: homebrew-tap
        run: |
          VERSION="${{ needs.release.outputs.version }}"
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add Formula/podkit.rb
          git diff --cached --quiet && echo "No changes to commit" && exit 0
          git commit -m "Update podkit to $VERSION"
          git push