Skip to content

feat(release): automate OSS release pipeline with just release #757

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
wpfleger96 merged 8 commits into from
May 27, 2026
Merged

feat(release): automate OSS release pipeline with just release #757

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
bfe1b38
feat(release): automate OSS release pipeline with just release
wpfleger96 May 27, 2026
9adf86a
fix: resolve Semgrep shell injection findings and correct RELEASING.md
wpfleger96 May 27, 2026
2bc7d38
fix: move remaining step output interpolations to env blocks in relea…
wpfleger96 May 27, 2026
a7469ef
fix: address crossfire code review findings
wpfleger96 May 27, 2026
b02e415
docs: add RELEASING.md to AGENTS.md See Also and fix Buildkite URL
wpfleger96 May 27, 2026
5e48618
docs(agents): add sprout ecosystem overview to AGENTS.md
wpfleger96 May 27, 2026
05aff01
fix: make auto-tag step idempotent for retry safety
wpfleger96 May 27, 2026
104171d
Merge branch 'main' into wpfleger/release-automation
wpfleger96 May 27, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
62 changes: 62 additions & 0 deletions .github/workflows/auto-tag-on-release-pr-merge.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,62 @@
name: Auto-tag on Release PR Merge

on:
pull_request:
types: [closed]
branches: [main]

permissions:
contents: write
actions: write

jobs:
auto-tag:
if: >
github.event.pull_request.merged == true &&
startsWith(github.event.pull_request.head.ref, 'version-bump/')
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
ref: ${{ github.event.pull_request.merge_commit_sha }}
fetch-depth: 0

- name: Extract version from branch name
env:
BRANCH: ${{ github.event.pull_request.head.ref }}
run: |
VERSION="${BRANCH#version-bump/}"
if ! echo "$VERSION" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?$'; then
echo "::error::Invalid version in branch name: '$VERSION'"
exit 1
fi
echo "version=$VERSION" >> "$GITHUB_ENV"
echo "Tagging v${VERSION}"

- name: Create and push tag
env:
VERSION: ${{ env.version }}
run: |
EXISTING_SHA="$(git ls-remote --tags origin "refs/tags/v$VERSION" | awk '{print $1}')"
if [ -n "$EXISTING_SHA" ]; then
if [ "$EXISTING_SHA" = "$GITHUB_SHA" ]; then
echo "Tag v$VERSION already exists at $GITHUB_SHA — skipping tag creation"
exit 0
else
echo "::error::Tag v$VERSION already exists at $EXISTING_SHA (expected $GITHUB_SHA)"
exit 1
fi
fi
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
Comment thread
wpfleger96 marked this conversation as resolved.
git config user.name "github-actions[bot]"
git tag "v$VERSION"
git push origin "v$VERSION"

- name: Trigger release build
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
VERSION: ${{ env.version }}
run: |
gh workflow run release.yml \
-f version="$VERSION" \
-f ref="v$VERSION"
61 changes: 44 additions & 17 deletions .github/workflows/release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,13 +1,16 @@
name: Release

on:
push:
tags:
- 'v[0-9]*'
workflow_dispatch:
inputs:
version:
description: "Semver version (e.g. 0.4.0)"
description: "Semver version (e.g. 0.4.0) — only for manual runs"
required: true
ref:
description: "Branch, tag, or SHA to build"
description: "Branch, tag, or SHA to build — only for manual runs"
default: main
required: true

Expand All @@ -19,10 +22,25 @@ jobs:
permissions:
contents: write
id-token: write # required by block/apple-codesign-action for OIDC
env:
VERSION: ${{ inputs.version }}
outputs:
version: ${{ steps.version.outputs.version }}
steps:
- name: Determine version
id: version
env:
EVENT_NAME: ${{ github.event_name }}
INPUT_VERSION: ${{ inputs.version }}
run: |
if [[ "$EVENT_NAME" == "push" ]]; then
VERSION="${GITHUB_REF_NAME#v}"
else
VERSION="$INPUT_VERSION"
fi
echo "version=$VERSION" >> "$GITHUB_OUTPUT"

Comment thread
github-advanced-security[bot] marked this conversation as resolved.
Fixed
- name: Validate version
env:
VERSION: ${{ steps.version.outputs.version }}
run: |
if ! echo "$VERSION" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?$'; then
echo "::error::Invalid version '$VERSION'. Expected semver (e.g. 0.4.0 or 1.0.0-beta.1)"
Expand All @@ -31,7 +49,7 @@ jobs:

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
ref: ${{ inputs.ref }}
ref: ${{ github.event_name == 'push' && github.ref || inputs.ref }}
persist-credentials: false

- uses: cashapp/activate-hermit@e49f5cb4dd64ff0b0b659d1d8df499595451155a # v1
Expand All @@ -40,6 +58,8 @@ jobs:
run: just desktop-install-ci

- name: Patch version
env:
VERSION: ${{ steps.version.outputs.version }}
run: |
cd desktop && node scripts/set-version-from-tag.mjs "$VERSION"
cd src-tauri && cargo update --workspace
Expand Down Expand Up @@ -153,20 +173,26 @@ jobs:
> latest.json
cat latest.json
env:
VERSION: ${{ steps.version.outputs.version }}
SIG_PATH: ${{ steps.artifacts.outputs.sig }}
ARCHIVE_NAME: ${{ steps.artifacts.outputs.archive_name }}

- name: Create versioned GitHub release
env:
VERSION: ${{ steps.version.outputs.version }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
DMG_PATH: ${{ steps.artifacts.outputs.dmg }}
run: |
RELEASE_SHA=$(git rev-parse HEAD)
NOTES=$(awk "/^## v${VERSION}$/,/^## v/" CHANGELOG.md | head -n -1)
if [[ -z "$NOTES" ]]; then
NOTES="Sprout Desktop v${VERSION}"
fi
gh release create "v${VERSION}" \
--target "$RELEASE_SHA" \
--title "Sprout Desktop v${VERSION}" \
--notes "Sprout Desktop v${VERSION}" \
--notes "$NOTES" \
"$DMG_PATH"
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
DMG_PATH: ${{ steps.artifacts.outputs.dmg }}

- name: Update rolling release for auto-updater
run: |
Expand All @@ -192,12 +218,10 @@ jobs:
timeout-minutes: 60
permissions:
contents: write
env:
VERSION: ${{ inputs.version }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
ref: ${{ inputs.ref }}
ref: ${{ github.event_name == 'push' && github.ref || inputs.ref }}
persist-credentials: false

- uses: cashapp/activate-hermit@e49f5cb4dd64ff0b0b659d1d8df499595451155a # v1
Expand Down Expand Up @@ -237,6 +261,8 @@ jobs:
run: just desktop-install-ci

- name: Patch version
env:
VERSION: ${{ needs.release.outputs.version }}
run: |
cd desktop && node scripts/set-version-from-tag.mjs "$VERSION"
cd src-tauri && cargo update --workspace
Expand Down Expand Up @@ -271,12 +297,13 @@ jobs:
echo "appimage=$APPIMAGE" >> "$GITHUB_OUTPUT"

- name: Upload Linux artifacts to versioned GitHub release
run: |
gh release upload "v${VERSION}" \
"$DEB_PATH" \
"$APPIMAGE_PATH" \
--clobber
env:
VERSION: ${{ needs.release.outputs.version }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
DEB_PATH: ${{ steps.linux-artifacts.outputs.deb }}
APPIMAGE_PATH: ${{ steps.linux-artifacts.outputs.appimage }}
run: |
gh release upload "v$VERSION" \
"$DEB_PATH" \
"$APPIMAGE_PATH" \
--clobber
25 changes: 25 additions & 0 deletions AGENTS.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,30 @@ code style, PR process, architecture), see [CONTRIBUTING.md](CONTRIBUTING.md).

---

## Ecosystem

Sprout spans five repos. This one (`block/sprout`) is the OSS source for the relay, desktop, mobile, and CLI. The others handle internal builds and deployment:

| Repo | Purpose |
|------|---------|
| [block/sprout](https://github.com/block/sprout) | OSS source — relay, desktop app, mobile app, CLI, agent harness |
| [squareup/sprout-releases](https://github.com/squareup/sprout-releases) | Buildkite pipeline producing Block-signed macOS + iOS builds with `-block` version suffix |
| [squareup/sprout-oss](https://github.com/squareup/sprout-oss) | CI pipeline building the relay Docker image and pushing to internal ECR |
| [squareup/block-coder-tf-stacks](https://github.com/squareup/block-coder-tf-stacks) | Terraform + ArgoCD deploying the relay to the staging Kubernetes cluster |
| [squareup/sprout-backend-blox](https://github.com/squareup/sprout-backend-blox) | Desktop backend provider script connecting Blox workstation agents to the relay |

```
block/sprout (source)
├─► sprout-releases (desktop + mobile builds → Artifactory, GitHub, Mobile Releases)
├─► sprout-oss (relay Docker image → ECR)
│ └─► block-coder-tf-stacks (Helm chart → ArgoCD → staging cluster)
└─── sprout-backend-blox (Blox compute provider for Desktop agent launch)
```

See [RELEASING.md](RELEASING.md) for the desktop release flow across `block/sprout` and `sprout-releases`.

---

## Repo Structure

```
Expand Down Expand Up @@ -281,4 +305,5 @@ Or from repo root: `just mobile-fmt` (auto-fix), `just mobile-check` (lint + fmt
- [CONTRIBUTING.md](CONTRIBUTING.md) — setup, code style, PR process, how to add event kinds / CLI subcommands / API endpoints
- [TESTING.md](TESTING.md) — multi-agent E2E test guide
- [ARCHITECTURE.md](ARCHITECTURE.md) — system design and component relationships
- [RELEASING.md](RELEASING.md) — release process: `just release`, auto-tag, internal builds
- [README.md](README.md) — project overview and quick start
Loading