Release build

.github/workflows/draft-release.yml → .github/workflows/ci-release.yml

@@ -1,10 +1,11 @@
-name: Release Artifacts
+name: CI & Release
 
 on:
   push:
     branches:
       - main
       - release
+  pull_request:
 
 permissions:
   contents: write
@@ -68,12 +69,16 @@ jobs:
           )"
           echo "version=$VERSION" >> "$GITHUB_OUTPUT"
 
-      - name: Decide release mode by branch and commit message
+      - name: Decide release mode by branch and event
         id: mode
         env:
           BRANCH_NAME: ${{ github.ref_name }}
+          EVENT_NAME: ${{ github.event_name }}
         run: |
-          if [[ "$BRANCH_NAME" == "main" ]]; then
+          # pull_request events only build & test — they never publish a release.
+          if [[ "$EVENT_NAME" == "pull_request" ]]; then
+            echo "mode=none" >> "$GITHUB_OUTPUT"
+          elif [[ "$BRANCH_NAME" == "main" ]]; then
             echo "mode=pre-release" >> "$GITHUB_OUTPUT"
           elif [[ "$BRANCH_NAME" == "release" ]]; then
             echo "mode=release" >> "$GITHUB_OUTPUT"
@@ -84,7 +89,9 @@ jobs:
   build-artifacts:
     runs-on: ubuntu-latest
     needs: meta
-    if: needs.meta.outputs.mode != 'none'
+    # Runs on every trigger (push to main/release AND pull_request). On PRs
+    # the `meta` job sets mode=none so publish-draft is skipped, but we still
+    # want full build + test coverage here to catch regressions pre-merge.
     strategy:
       fail-fast: false
       matrix:
@@ -103,21 +110,14 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Setup Go
-        id: setup-go
         uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
-
-      - name: Cache Go modules and build cache
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~/go/pkg/mod
-            ~/.cache/go-build
-          key: ${{ runner.os }}-go-${{ steps.setup-go.outputs.go-version }}-${{ matrix.goos }}-${{ matrix.goarch }}-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-${{ steps.setup-go.outputs.go-version }}-${{ matrix.goos }}-${{ matrix.goarch }}-
-            ${{ runner.os }}-go-${{ steps.setup-go.outputs.go-version }}-
+          # Built-in caching is enabled by default (setup-go@v4+) and keys
+          # on runner.os + go-version + hash(go.sum). Don't layer an extra
+          # actions/cache on top — double-caching the same paths causes
+          # tar "File exists" errors when restoring into a directory
+          # setup-go has already populated.
 
       - name: Install eBPF build dependencies
         run: |
@@ -126,11 +126,17 @@ jobs:
             clang llvm libbpf-dev libelf-dev linux-headers-$(uname -r) \
             make gcc pkg-config
 
+      - name: Validate shell scripts
+        run: bash -n kekkai.sh
+
       - name: Build embedded eBPF object
         run: |
           make bpf
           test -s internal/loader/bpf/xdp_filter.o
 
+      - name: Run tests
+        run: go test ./...
+
       - name: Build binaries
         env:
           GOOS: ${{ matrix.goos }}
@@ -142,6 +148,7 @@ jobs:
           go build -ldflags "-s -w -X main.version=${VERSION}" -o "dist/kekkai-agent-${GOOS}-${GOARCH}" ./cmd/kekkai-agent
 
       - name: Upload artifacts
+        if: needs.meta.outputs.mode != 'none'
         uses: actions/upload-artifact@v4
         with:
           name: bins-${{ matrix.goos }}-${{ matrix.goarch }}
@@ -278,11 +285,19 @@ jobs:
               f.write("\n".join(lines))
           PY
 
+      # `commit: github.sha` pins the release + tag to the exact commit
+      # that triggered this workflow. Without it, ncipollo/release-action
+      # falls back to the repo's default branch HEAD — which made every
+      # pre-release under an old setup end up pointing at the `release`
+      # branch tip instead of the `main` commit that actually built the
+      # binaries. target_commitish and created_at will now reflect the
+      # real source commit.
       - name: Publish / update release
         if: needs.meta.outputs.mode == 'release'
         uses: ncipollo/release-action@v1
         with:
           tag: v${{ needs.meta.outputs.version }}
+          commit: ${{ github.sha }}
           name: v${{ needs.meta.outputs.version }} Release (auto)
           bodyFile: release-notes.md
           draft: false
@@ -298,6 +313,7 @@ jobs:
         uses: ncipollo/release-action@v1
         with:
           tag: v${{ needs.meta.outputs.version }}
+          commit: ${{ github.sha }}
           name: v${{ needs.meta.outputs.version }} Pre-release (auto)
           bodyFile: release-notes.md
           draft: false