diff --git a/.github/workflows/CreateRelease.yml b/.github/workflows/CreateRelease.yml index d6c8d76..a713830 100644 --- a/.github/workflows/CreateRelease.yml +++ b/.github/workflows/CreateRelease.yml @@ -6,9 +6,11 @@ on: workflow_dispatch: push: branches: [main] + tags: + - "v*" permissions: - id-token: write + id-token: write # needed for trusted publishing (OIDC) to npm and crates.io contents: write # needed to create a release jobs: @@ -30,6 +32,7 @@ jobs: runs-on: ubuntu-latest outputs: version: ${{ steps.set-version.outputs.version }} + dry_run: ${{ steps.set-version.outputs.dry_run }} steps: - uses: actions/checkout@v6 
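Review bot: The `permissions:` block in the first hunk still grants `id-token: write` and `contents: write` at workflow level, so every job inherits them, apparently including the build and benchmark jobs that run on ordinary pushes to `main`. Only the publishing jobs need the OIDC token, so I would reduce the top-level grant to `contents: read` and add a `permissions:` block with `id-token: write` (plus `contents: write` where a release or branch is created) to the jobs that call the publish workflows. Because the new `tags: - "v*"` trigger turns a tag push into a real publish, it is also worth confirming that a tag ruleset limits who can create `v*` tags.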
@@ -42,67 +45,50 @@ jobs: shell: bash run: | git fetch --tags || true - # Extract the version number from the branch name, which is expected to be in the format 'release/vX.Y.Z' + # Extract the version number from the tag name, which is expected to be in the format 'vX.Y.Z' # if not, default to '0.0.0' to avoid errors in subsequent steps - if [[ "${GITHUB_REF}" =~ refs/heads/release/v([0-9]+\.[0-9]+\.[0-9]+) ]]; then + if [[ "${GITHUB_REF}" =~ refs/tags/v([0-9]+\.[0-9]+\.[0-9]+) ]]; then version="${BASH_REMATCH[1]}" + dry_run=false else version="0.0.0" + dry_run=true fi echo "Setting version to 'v$version'" echo "version=$version" >> $GITHUB_OUTPUT + echo "dry_run=$dry_run" >> $GITHUB_OUTPUT - create-gh-release: + create-release-branch: needs: [build, benchmarks, set-version] - environment: release runs-on: ubuntu-latest - if: ${{ contains(github.ref, 'refs/heads/release/') }} + if: ${{ needs.set-version.outputs.dry_run == 'false' }} steps: - - name: Download benchmarks (Windows) - uses: actions/download-artifact@v8 - with: - name: benchmarks_Windows_whp - path: benchmarks_Windows_whp - - - name: Download benchmarks (Linux kvm) - uses: actions/download-artifact@v8 - with: - name: benchmarks_Linux_kvm - path: benchmarks_Linux_kvm + - uses: actions/checkout@v6 - - name: Download benchmarks (Linux hyperv3) - uses: actions/download-artifact@v8 - with: - name: benchmarks_Linux_hyperv3 - path: benchmarks_Linux_hyperv3 - - - name: Archive benchmarks + - name: Create Release Branch + shell: bash run: | - tar -zcvf benchmarks_Windows_whp.tar.gz benchmarks_Windows_whp - tar -zcvf benchmarks_Linux_kvm.tar.gz benchmarks_Linux_kvm - tar -zcvf benchmarks_Linux_hyperv3.tar.gz benchmarks_Linux_hyperv3 + git checkout -b release/v${{ needs.set-version.outputs.version }} + git push --set-upstream origin release/v${{ needs.set-version.outputs.version }} - - name: Create GH Release - run: | - gh release create ${{ needs.set-version.outputs.version }} \ - --generate-notes \ - 
benchmarks_Windows_whp.tar.gz \ - benchmarks_Linux_kvm.tar.gz \ - benchmarks_Linux_hyperv3.tar.gz - env: - GH_TOKEN: ${{ github.token }} + publish-gh-release: + needs: [build, benchmarks, set-version] + uses: ./.github/workflows/gh-publish.yml + with: + version: ${{ needs.set-version.outputs.version }} + dry_run: ${{ needs.set-version.outputs.dry_run != 'false' }} publish-npm-packages: needs: [build, benchmarks, set-version] uses: ./.github/workflows/npm-publish.yml with: version: ${{ needs.set-version.outputs.version }} - dry-run: ${{ !contains(github.ref, 'refs/heads/release/') }} + dry_run: ${{ needs.set-version.outputs.dry_run != 'false' }} publish-cargo-crates: needs: [build, benchmarks, set-version] uses: ./.github/workflows/cargo-publish.yml with: version: ${{ needs.set-version.outputs.version }} - dry-run: ${{ !contains(github.ref, 'refs/heads/release/') }} + dry_run: ${{ needs.set-version.outputs.dry_run != 'false' }} diff --git a/.github/workflows/CreateReleaseBranch.yml b/.github/workflows/CreateReleaseBranch.yml deleted file mode 100644 index 7881cc2..0000000 --- a/.github/workflows/CreateReleaseBranch.yml +++ /dev/null @@ -1,30 +0,0 @@ -# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json - -# When a git tag with the prefix 'v' is pushed to the repository, this workflow will create a new release branch called release/. - -name: Create a Release Branch - -on: - push: - tags: - - "v*" - -permissions: - contents: write # needed to push the new branch - -jobs: - create-branch: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v6 - - - uses: extractions/setup-just@v4 - with: - just-version: "1.40" - - - name: Create Release Branch - run: | - git checkout -b release/${GITHUB_REF_NAME} - git push --set-upstream origin release/${GITHUB_REF_NAME} - shell: bash diff --git a/.github/workflows/cargo-publish.yml b/.github/workflows/cargo-publish.yml index 2da9a21..e27b1cd 100644 --- a/.github/workflows/cargo-publish.yml 
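Review bot: The tag match in the `set-version` script is unanchored, so `refs/tags/v([0-9]+\.[0-9]+\.[0-9]+)` accepts any ref that merely contains such a substring; a pre-release tag like `v1.2.3-rc1` would set `dry_run=false` and be published as `1.2.3`. Anchor both ends: `if [[ "${GITHUB_REF}" =~ ^refs/tags/v([0-9]+\.[0-9]+\.[0-9]+)$ ]]; then`. In `create-release-branch` the version is pasted into the script through `${{ }}`; passing it as `env: VERSION: ${{ needs.set-version.outputs.version }}` and using `"release/v${VERSION}"` keeps the value out of the script text even if the pattern is loosened later. The `set-version` step begins above this hunk.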
+++ b/.github/workflows/cargo-publish.yml @@ -9,23 +9,23 @@ on: description: 'Version to publish (e.g., 0.2.0)' required: true type: string - dry-run: + dry_run: description: 'Dry run (skip actual publish)' required: false type: boolean default: false - # IMPORTANT: Trusted publishing (OIDC) is configured on npmjs.com with - # workflow filename 'CreateRelease.yml'. npm checks the *calling* workflow - # for workflow_call, not the reusable workflow that runs npm publish. + # IMPORTANT: Trusted publishing (OIDC) is configured on crates.io with + # workflow filename 'CreateRelease.yml'. crates.io checks the *calling* workflow + # for workflow_call, not the reusable workflow that runs cargo publish. # Calling this workflow from a different parent workflow will fail OIDC auth. - # See: https://docs.npmjs.com/trusted-publishers#troubleshooting + # See: https://crates.io/docs/trusted-publishing workflow_call: inputs: version: description: 'Version to publish' required: true type: string - dry-run: + dry_run: description: 'Dry run (skip actual publish)' required: false type: boolean @@ -70,7 +70,7 @@ jobs: return fi - if curl -s "https://crates.io/api/v1/crates/$crate/$VERSION" | jq -e .version > /dev/null; then + if cargo info --locked -q "$crate"@"$VERSION" > /dev/null; then echo "PUBLISH_${crate_env_var}=false" >> "$GITHUB_ENV" echo "✅ $crate@$VERSION already exists." else @@ -102,10 +102,10 @@ jobs: run: cargo publish -p hyperlight-js-runtime env: CARGO_REGISTRY_TOKEN: ${{ steps.crates-io-auth.outputs.token }} - if: ${{ env.PUBLISH_HYPERLIGHT_JS_RUNTIME != 'false' && !inputs['dry-run'] }} + if: ${{ env.PUBLISH_HYPERLIGHT_JS_RUNTIME != 'false' && !inputs.dry_run }} - name: Publish hyperlight-js run: cargo publish -p hyperlight-js env: CARGO_REGISTRY_TOKEN: ${{ steps.crates-io-auth.outputs.token }} - if: ${{ env.PUBLISH_HYPERLIGHT_JS != 'false' && !inputs['dry-run'] }} \ No newline at end of file + if: ${{ env.PUBLISH_HYPERLIGHT_JS != 'false' && !inputs.dry_run }} 
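Review bot: The new existence check in the second hunk, `cargo info --locked -q "$crate"@"$VERSION"`, may be answered from the local workspace instead of crates.io: as far as I know `cargo info` reports a workspace member from its own `Cargo.toml`, and at release time the workspace version equals `$VERSION`. If that holds, the step would report "already exists" and skip `cargo publish` for a version that was never uploaded, so please confirm the behaviour against an unpublished version, or run the check from a directory outside the workspace. Any other failure (network error, `--locked` mismatch) is read as "not published", which is the safer direction but worth a comment. The enclosing shell function starts and ends outside the hunk.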
diff --git a/.github/workflows/gh-publish.yml b/.github/workflows/gh-publish.yml new file mode 100644 index 0000000..23f4cd0 --- /dev/null +++ b/.github/workflows/gh-publish.yml @@ -0,0 +1,71 @@ +# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json + +name: Publish npm packages + +on: + workflow_dispatch: + inputs: + version: + description: 'Version to publish (e.g., 0.2.0)' + required: true + type: string + dry_run: + description: 'Dry run (skip actual publish)' + required: false + type: boolean + default: false + workflow_call: + inputs: + version: + description: 'Version to publish' + required: true + type: string + dry_run: + description: 'Dry run (skip actual publish)' + required: false + type: boolean + default: true + +permissions: + contents: write + +jobs: + create-gh-release: + environment: release + runs-on: ubuntu-latest + + steps: + - name: Download benchmarks (Windows) + uses: actions/download-artifact@v8 + with: + name: benchmarks_Windows_whp + path: benchmarks_Windows_whp + + - name: Download benchmarks (Linux kvm) + uses: actions/download-artifact@v8 + with: + name: benchmarks_Linux_kvm + path: benchmarks_Linux_kvm + + - name: Download benchmarks (Linux hyperv3) + uses: actions/download-artifact@v8 + with: + name: benchmarks_Linux_hyperv3 + path: benchmarks_Linux_hyperv3 + + - name: Archive benchmarks + run: | + tar -zcvf benchmarks_Windows_whp.tar.gz benchmarks_Windows_whp + tar -zcvf benchmarks_Linux_kvm.tar.gz benchmarks_Linux_kvm + tar -zcvf benchmarks_Linux_hyperv3.tar.gz benchmarks_Linux_hyperv3 + + - name: Create GH Release + if: ${{ inputs.dry_run == 'false' }} + run: | + gh release create ${{ inputs.version }} \ + --generate-notes \ + benchmarks_Windows_whp.tar.gz \ + benchmarks_Linux_kvm.tar.gz \ + benchmarks_Linux_hyperv3.tar.gz + env: + GH_TOKEN: ${{ github.token }} diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml index 22062d3..121a959 100644 
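Review bot: The `Create GH Release` step is guarded by `if: ${{ inputs.dry_run == 'false' }}`, but `dry_run` is declared `type: boolean`, and a GitHub expression comparing a boolean with the string `'false'` coerces both to numbers (`0` against `NaN`), so the condition is never true and no release is created. Use the form the other publish workflows use: `if: ${{ !inputs.dry_run }}`. `${{ inputs.version }}` is also pasted straight into the `run:` script, and under `workflow_dispatch` it is free-form text; pass it as `env: VERSION: ${{ inputs.version }}` and call `gh release create "$VERSION"`. The workflow's `name:` is still `Publish npm packages`, which duplicates the npm workflow's entry in the Actions list.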
--- a/.github/workflows/npm-publish.yml +++ b/.github/workflows/npm-publish.yml @@ -9,7 +9,7 @@ on: description: 'Version to publish (e.g., 0.2.0)' required: true type: string - dry-run: + dry_run: description: 'Dry run (skip actual publish)' required: false type: boolean @@ -25,7 +25,7 @@ on: description: 'Version to publish' required: true type: string - dry-run: + dry_run: description: 'Dry run (skip actual publish)' required: false type: boolean @@ -251,7 +251,7 @@ jobs: # You should almost never need to publish manually — if you do, # see docs/release.md for the full (deliberately painful) steps. - name: Validate NPM_TOKEN for manual dispatch - if: ${{ github.event_name == 'workflow_dispatch' && !inputs['dry-run'] }} + if: ${{ github.event_name == 'workflow_dispatch' && !inputs.dry_run }} run: | if [ -z "$NPM_TOKEN" ]; then echo "::error::NPM_TOKEN repo secret is required for manual workflow_dispatch publishing." 
@@ -273,35 +273,35 @@ jobs: fi - name: Publish Linux GNU package - if: ${{ !inputs['dry-run'] }} + if: ${{ !inputs.dry_run }} working-directory: ${{ env.WORKING_DIR }}/npm/linux-x64-gnu run: npm publish --access public --ignore-scripts ${{ steps.publish-flags.outputs.provenance }} env: NODE_AUTH_TOKEN: ${{ github.event_name == 'workflow_dispatch' && secrets.NPM_TOKEN || '' }} - name: Publish Linux musl package - if: ${{ !inputs['dry-run'] }} + if: ${{ !inputs.dry_run }} working-directory: ${{ env.WORKING_DIR }}/npm/linux-x64-musl run: npm publish --access public --ignore-scripts ${{ steps.publish-flags.outputs.provenance }} env: NODE_AUTH_TOKEN: ${{ github.event_name == 'workflow_dispatch' && secrets.NPM_TOKEN || '' }} - name: Publish Windows package - if: ${{ !inputs['dry-run'] }} + if: ${{ !inputs.dry_run }} working-directory: ${{ env.WORKING_DIR }}/npm/win32-x64-msvc run: npm publish --access public --ignore-scripts ${{ steps.publish-flags.outputs.provenance }} env: NODE_AUTH_TOKEN: ${{ github.event_name == 'workflow_dispatch' && secrets.NPM_TOKEN || '' }} - name: Publish main package - if: ${{ !inputs['dry-run'] }} + if: ${{ !inputs.dry_run }} working-directory: ${{ env.WORKING_DIR }} run: npm publish --access public --ignore-scripts ${{ steps.publish-flags.outputs.provenance }} env: NODE_AUTH_TOKEN: ${{ github.event_name == 'workflow_dispatch' && secrets.NPM_TOKEN || '' }} - name: Verify all packages published - if: ${{ !inputs['dry-run'] }} + if: ${{ !inputs.dry_run }} run: | echo "Waiting for registry propagation..." sleep 15 @@ -325,7 +325,7 @@ jobs: VERSION: ${{ inputs.version }} - name: Dry run - show what would be published - if: ${{ inputs['dry-run'] }} + if: ${{ inputs.dry_run }} working-directory: ${{ env.WORKING_DIR }} run: | echo "=== DRY RUN - Would publish the following packages ===" diff --git a/docs/release.md b/docs/release.md index d9af7fa..fa20969 100644 --- a/docs/release.md +++ b/docs/release.md 
@@ -110,7 +110,7 @@ If you need to publish npm packages manually via `workflow_dispatch`, you'll nee - Go to Actions → "Publish npm packages" → Run workflow - Select the correct branch - Enter the version (e.g. `0.2.1`) - - Set `dry-run` to `false` + - Set `dry_run` to `false` 5. **Clean up immediately after publishing** - Delete the `NPM_TOKEN` repo secret on GitHub → Settings → Secrets and variables → Actions